Compliance Knowledge Centre

LIMS Compliance & Regulations

Understand how OasisLIMS is designed to meet regulatory requirements — from FDA 21 CFR Part 11 and EU GMP Annex 11 to ISO 9001 and ISO 17025 — keeping your laboratory audit-ready and data-reliable.

GxP Compliant | 21 CFR Part 11 | EU GMP Annex 11 | ISO 9001 & 17025
01

What is Compliance?

Regulatory Conformity — Quality, Standards & Governance

Compliance means conforming to a specification, policy, standard or law. For an organization, regulatory compliance describes the goal of demonstrating that it is in conformity with established regulations, guidelines, specifications and government legislation.

Quality, on the other hand, is defined as products and services that deliver intended performance consistently based on the customer requirement. In fact, compliance and quality complement each other.

Governing Bodies

For regulated industries, the regulations and guidelines for Quality Systems are set forth by governing bodies such as, but not limited to:

  • Food and Drug Administration (US FDA) – 21 CFR Part 11
  • International Organization for Standardization (ISO) – ISO 9001, ISO 17025
  • Pharmaceuticals and Medical Devices Agency (PMDA)
  • Therapeutic Goods Administration (TGA)
  • MHRA; EU GMP Annex 11, 15

Besides these, there are several other governing bodies that define the regulations and guidelines for the industry vertical that they represent.

02

How to Comply

Four Pillars of Laboratory Compliance — Systems, People & Process

Achieving compliance is not a one-time event — it requires validated systems, qualified personnel, documented processes, and continuous monitoring. These four pillars form the foundation of a compliant laboratory operation.

Most organizations develop their own in-house procedures, work instructions, training, etc., based on the regulations that govern their business. That is why keeping procedures up to date and following them helps an organization solidify compliance in its field.

Having a well-integrated quality management system in place helps an organization in the compliance arena. Additionally, a well-defined document management system helps to keep track of all the procedures and efficiently control the revision as the regulation changes.

A well-defined internal audit management system lets you pulse-check your compliance with procedures, work instructions and standards. Similarly, a nonconformance management system documents and trends quality incidents to give early signals of major issues.

CAPA management supports effective root cause analysis and puts action plans in place to resolve major issues. Sound training management keeps track of training requirements and ensures that personnel are trained competently for their role.

Oasis solutions are designed on years of experience in industry best practices. They offer out-of-the-box functionality to meet requirements defined by regulatory bodies such as FDA and ISO, and support your in-house procedures.

Key Points for Compliance

Confirm the Specification Requirements

It is important that the specification requirements meet the demands on the system and operating environment, and also incorporate the technical elements to satisfy Part 11. This includes the documentation of plans, procedures and reports, and their appropriate review, approval and management.

Effective User Management

O-Link user administration comprises the setting of rights groups and the assignment of rights to users. It enables easy setting of user access rights, as well as rights groups matched to each user's required tasks. Functions such as these achieve effective user administration matched to laboratory operations, from managerial tasks to data acquisition operations.

Firm Security

The system features functions for setting an audit trail to ensure data reliability. Security features include various settings, such as the length, expiration date and complexity of passwords for user accounts, a lockout function to prevent illegal access, and registered settings for the deletion and alteration of registered users, to enable highly secure system operation.

Audit Trail for Achieving Change History Management

The change history of method files is managed by the audit trail. Application of the audit trail to all methods can also be set in the security policy settings. This prevents inconsistencies in compliance with regulations.

03

21 CFR Part 11

FDA Regulation — Electronic Records & Electronic Signatures

21 CFR Part 11 is the FDA regulation that sets the criteria under which electronic records and electronic signatures are considered equivalent to paper records and handwritten signatures — enabling fully paperless, compliant laboratory operations in the United States.

21 CFR Part 11 is a US FDA regulation in the Code of Federal Regulations (CFR) for computer systems that are used to manage and store electronic records and electronic signatures. It helps companies define the rules under which electronic signatures and records are considered to be original, accurate, trustworthy, confidential, reliable and equivalent to paper records and handwritten signatures.

21 CFR Part 11 Requirements

  • The system must be capable of generating accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying.
  • Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
  • Limiting system access to authorized individuals.
  • Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available.
  • Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
  • Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

  • The printed name of the signer;
  • The date and time when the signature was executed; and
  • The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
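
The audit-trail and signature requirements listed above, as an added Python example (not OasisLIMS code and not part of the regulation): changes are appended with the old value kept, a reason is required for changes and deletions as Annex 11 clause 9 asks, and a signature entry carries the printed name, time and meaning. The `AuditTrail` class, its field names and the SHA-256 hash chain used to make altered entries detectable are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Signature meanings named in the Part 11 list above.
SIGN_MEANINGS = {"review", "approval", "responsibility", "authorship"}
GENESIS = "0" * 64  # "previous hash" of the first entry (assumed convention)


def _digest(body):
    # Canonical JSON so an unchanged entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail: entries are added, never updated or removed."""

    def __init__(self, signers):
        self._entries = []
        self._signers = set(signers)  # authority check: who may sign

    def _append(self, user, action, record_id, old, new, detail):
        body = {
            "seq": len(self._entries),
            "time": datetime.now(timezone.utc).isoformat(),  # system clock
            "user": user, "action": action, "record": record_id,
            "old": old, "new": new, "detail": detail,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append({**body, "hash": _digest(body)})
        return dict(self._entries[-1])

    def history(self, record_id):
        """Every entry for a record, oldest first (copies, not live rows)."""
        return [dict(e) for e in self._entries if e["record"] == record_id]

    def current(self, record_id):
        """Latest value, derived from the trail; None if absent or deleted."""
        value = None
        for e in self._entries:
            if e["record"] == record_id and e["action"] != "sign":
                value = e["new"]
        return value

    def create(self, user, record_id, value):
        if self.history(record_id):
            raise ValueError("record already exists; use modify()")
        return self._append(user, "create", record_id, None, value, {})

    def modify(self, user, record_id, value, reason, action="modify"):
        if not reason:
            raise ValueError("a reason for the change is required")
        old = self.current(record_id)  # the old value stays in the trail
        return self._append(user, action, record_id, old, value,
                            {"reason": reason})

    def delete(self, user, record_id, reason):
        return self.modify(user, record_id, None, reason, action="delete")

    def sign(self, user, printed_name, record_id, meaning):
        if user not in self._signers:
            raise PermissionError(f"{user} is not authorized to sign")
        if meaning not in SIGN_MEANINGS:
            raise ValueError(f"unknown signature meaning: {meaning}")
        value = self.current(record_id)  # the signature covers this value
        return self._append(user, "sign", record_id, value, value,
                            {"printed_name": printed_name, "meaning": meaning})

    def verify(self):
        """Return the seq of the first altered entry, or None if intact."""
        prev = GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return None
```

`verify()` only detects edits made without recomputing the chain, so the latest hash should also be stored somewhere the application's own users and administrators cannot rewrite.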

04

EU GMP Annex 11

European Regulatory Guidance — Computerised Systems in GMP Environments

EU GMP Annex 11 is the European regulatory guidance governing computerised systems used in GMP-regulated manufacturing and laboratory environments. It defines requirements for validation, data integrity, audit trails, and electronic signatures across the entire system lifecycle — from project phase through to decommissioning.

A computerized system shall be assessed for compliance with EU GMP Annex 11 requirements using a comprehensive assessment checklist addressing all the clauses (as described below), as applicable. The following matrix of EU GMP Annex 11 provides essential information to help you understand how Oasis solutions can help in meeting compliance:

| S No. | Clause | Description |
| --- | --- | --- |
| 1 | Risk Assessment | Risk management should be applied throughout the lifecycle of the computerized system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerized system. |
| 2 | Personnel | There should be close cooperation between all relevant personnel such as Process Owner, System Owner, Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and defined responsibilities to carry out their assigned duties. |
| 3 | Suppliers and Service Providers | 3.1. When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure, integrate, validate, maintain (e.g. via remote access), modify or retain a computerized system or related service or for data processing, formal agreements must exist between the manufacturer and any third parties, and these agreements should include clear statements of the responsibilities of the third party. IT-departments should be considered analogous. 3.2. The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment. 3.3. Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled. 3.4. Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request. |
| 4 | Project Phase: Validation | 4.1. The validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and records based on their risk assessment. 4.2. Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process. 4.3. An up to date listing of all relevant systems and their GMP functionality (inventory) should be available. For critical systems an up to date system description detailing the physical and logical arrangements, data flows and interfaces with other systems or processes, any hardware and software pre-requisites, and security measures should be available. 4.4. User Requirements Specifications should describe the required functions of the computerized system and be based on documented risk assessment and GMP impact. User requirements should be traceable throughout the life-cycle. 4.5. The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately. 4.6. For the validation of bespoke or customized computerized systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system. 4.7. Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly, system (process) parameter limits, data limits and error handling should be considered. Automated testing tools and test environments should have documented assessments for their adequacy. 4.8. If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process. |
| 5 | Operational Phase: Data | Computerized systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks. |
| 6 | Accuracy Checks | For critical data entered manually, there should be an additional check on the accuracy of the data. This check may be done by a second operator or by validated electronic means. The criticality and the potential consequences of erroneous or incorrectly entered data to a system should be covered by risk management. |
| 7 | Data Storage | 7.1. Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period. 7.2. Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically. |
| 8 | Printout | 8.1. It should be possible to obtain clear printed copies of electronically stored data. 8.2. For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry. |
| 9 | Audit Trails | Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed. |
| 10 | Change and Configuration Management | Any changes to a computerized system including system configurations should only be made in a controlled manner in accordance with a defined procedure. |
| 11 | Periodic Evaluation | Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include, where appropriate, the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status reports. |
| 12 | Security | 12.1. Physical and/or logical controls should be in place to restrict access to computerized system to authorized persons. Suitable methods of preventing unauthorized entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas. 12.2. The extent of security controls depends on the criticality of the computerized system. 12.3. Creation, change, and cancellation of access authorizations should be recorded. 12.4. Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time. |
| 13 | Incident Management | All incidents, not only system failures and data errors, should be reported and assessed. The root cause of a critical incident should be identified and should form the basis of corrective and preventive actions. |
| 14 | Electronic Signature | Electronic records may be signed electronically. Electronic signatures are expected to: a) have the same impact as hand-written signatures within the boundaries of the company, b) be permanently linked to their respective record, c) include the time and date that they were applied. |
| 15 | Batch Release | When a computerized system is used for recording certification and batch release, the system should allow only Qualified Persons to certify the release of the batches and it should clearly identify and record the person releasing or certifying the batches. This should be performed using an electronic signature. |
| 16 | Business Continuity | For the availability of computerized systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested. |
| 17 | Archiving | Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested. |

05

Regulations

Global Standards — ISO, GMP, GAMP & Regulatory Bodies

OasisLIMS is built to support compliance with a wide range of international regulatory standards — from quality management and testing laboratory accreditation to pharmaceutical manufacturing and automated system governance.

For quality control laboratories, there can be quite a few regulations to follow depending on the industry you serve. We have outlined below common regulations of the pharma industry with their requirements and guidelines describing some areas that should be assessed when implementing and maintaining a LIMS for your laboratory operations.

ISO 9001

Laboratories operating to ISO 9001 standards will have a general framework in place for quality management which helps them deliver a consistent product and service enhancing their customer satisfaction. This standard is generic and is not specific for laboratories; however, there will be some requirements of the standard you should consider when implementing a LIMS:

Resources

Your organization is required to determine and provide resources needed. This also includes identifying those resources that are obtained from external providers.

Documented Information

As a LIMS is used to store documented information, be sure that the access, storage, retrieval, control of changes, retention and disposition of data within the system is aligned with the requirements of your quality management system.

Control of externally provided processes, products and services

Where your LIMS is a hosted solution, be sure to have a documented contract or SLA in place that details your requirements for their service and their responsibilities. As good practice, you should define criteria for evaluation, selection, monitoring of performance and re-evaluation of your suppliers.

ISO 17025

The ISO 17025 standard is designed specifically for quality management for laboratories of all types. Where a lab complies with ISO 17025, they will operate a quality management system that also meets the requirements of ISO 9001. Therefore, highlighted below are some key areas of this standard which are different to those of 9001 that should be considered when using a LIMS:

Document Control

There are specific requirements regarding changes to documentation. You should have procedures that detail how changes in documentation that is maintained within a computerized system such as a LIMS are created and controlled.

Control of Records

Laboratories should maintain a procedure for identification, collection, indexing, access, filing, storage, maintenance and disposal of quality and technical records. As a LIMS is used to record and store records, you should ensure your procedures cover the use of your LIMS. It would be beneficial to describe where and how records are held secure and in confidence, and also how records stored electronically are backed up and data integrity is maintained. Further requirements are specified for technical records. These requirements would also apply to the functionality within your LIMS.

For example, observations, data and calculations shall be recorded at the time they are made and be identifiable to a specific task. This could be translated to the recording of test results via equipment integration for a sample against a particular test method in your LIMS. In addition, where mistakes occur, the original record should not be erased or deleted. This should be key functionality in your LIMS to ensure edits do not overwrite original data entries.

Control of Data

Where computer software is used for processing, recording, storage and retrieval of test data, the laboratory must ensure that the software is fit for purpose and can maintain the integrity of test data. Bespoke software developed by the laboratory itself should be suitably validated as being adequate for use. Commercial off-the-shelf software (COTS) may be considered sufficiently validated; however, the laboratory should validate the configuration. Procedures should also be implemented for protecting data integrity, confidentiality, entry, storage, transmission and processing. Where any of the above is completed by the supplier as part of a hosted solution, a contract or SLA should be in place to detail the responsibilities of your supplier.

Reporting Results

Your LIMS may automate results reporting for you. Therefore, you should ensure your LIMS has the functionality to meet the requirements of this standard. Most LIMS have a reporting package that allows you to customise reports. As a guideline, your LIMS should include the following on your electronically generated Test Reports:

  • A title
  • The name and address of the laboratory
  • Unique identifier and page number
  • The name and address of the customer
  • Identification of the method used
  • A description of the items tested
  • The date of receipt of the test items
  • Reference to the sampling plan and procedures used by the laboratory
  • The test results
  • The name, function and signature of the person authorising the report
  • Where relevant, a statement to the effect that the results relate to only the items tested
  • Interpretations of the results where applicable/necessary
  • Results of sampling where necessary for the interpretation of the results

GMP and GAMP

GMP, known as Good Manufacturing Practice, is the generic practice for the manufacture of pharmaceuticals and is enforced by different regulatory bodies for each country across the world (e.g. the MHRA in the UK and the FDA in the US). Each regulatory body may also publish its own guidelines for companies to implement GMP to assure products are manufactured to a high quality and do not pose a risk to consumers or patients. Example guidelines are the Orange Guide by the MHRA and Title 21 of the Code of Federal Regulations (CFR) by the FDA.

GAMP, known as Good Automated Manufacturing Practice, is a publication to provide guidance to achieve computerized systems that are fit for intended use and meet current GxP regulatory requirements ('x' can be interchanged with acronyms other than 'M' such as 'C' for Clinical or 'D' for Distribution).

Annex 11 of the Orange Guide describes the UK GMP guidance for the use of Computerized Systems, and 21 CFR Part 11 details the US FDA regulations on electronic records and signatures. In the section below, we highlight a few key areas for consideration when implementing and maintaining a LIMS in a GMP environment. Please refer to your relevant regulatory authority GMP guidelines for full details.

Project Phase

LIMS used as part of GMP regulated activities should be validated. The validation process should be based on a risk assessment and would generally include the following documentation providing evidence your LIMS is fit for purpose:

  • Traceable user requirements which describe the required function of the system based on risk and GMP impact.
  • Suppliers should be assessed to ensure the system has been developed in accordance with an appropriate quality management system.
  • Evidence of test methods and test scenarios should be documented, especially around parameter limits, data limits and error handling.
  • Any changes or deviations during the validation process must be recorded and documented.
  • Where data is migrated, validation should include checks to ensure data integrity has been maintained.

Operational Phase

The guidance detailed for the operational phase for your LIMS focuses both on functionality required of the system as well as processes and documentation you should have in place to maintain your LIMS throughout its lifecycle. We have summarised five areas of guidance below:

  • Accuracy Checks – The functionality within your LIMS should include additional checks on the accuracy of data. It should be done by an independent and secondary operator by validated electronic means (typically using electronic signatures).
  • Data Storage – Whether you have an in-house or hosted solution, the data within your LIMS should be secured by both physical and electronic means. Regular back-ups should be performed and the integrity of the back-up data should be checked during validation and periodically throughout the lifetime of your LIMS.
  • Audit Trails – GMP-relevant changes and deletions should be recorded in a system generated "audit trail" which is not editable. These audit trails should be available and regularly reviewed.
  • Security – Many LIMS have user account functionality to restrict access to authorized persons. This is a key requirement of GMP, where the extent of the security controls in place is appropriate to the criticality of the data being accessed. Creation, change or cancellation of access should also be recorded, and because a LIMS is designed to manage GMP critical data, the system should record the identity of operators entering, changing, confirming or deleting data, including date and time.
  • Electronic Signature – Your LIMS should have electronic signature functionality in which each signature is permanently linked to its respective record, includes the time and date it was applied, and has the same impact as a hand-written signature within your company. There are further detailed requirements for electronic records and signatures in 21 CFR Part 11, which is also recognized by regulatory bodies other than the US FDA.