RefWork:LIMS Buyer’s Guide for Cannabis Testing Laboratories/An RFI for evaluating cannabis testing LIMS vendors

From CannaQAWiki
Jump to navigationJump to search
-----Return to the beginning of this guide-----

5. An RFI for evaluating cannabis testing LIMS vendors

Whether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential laboratory information management system (LIMS) vendors to respond to provides a solid base for helping evaluate and narrow down potential vendors. The RFI in particular is good for this sort of "fact finding," acting as an ideal means for learning more about a potential cannabis testing LIMS solution and how it can solve your laboratory's problems, or when you're not even sure how to solve those problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its testing and informatics goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you and your laboratory.[1]

What follows are a carefully selected set of "questions" for cannabis testing LIMS vendors posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.[1] Feel free to narrow this list down to those questions that are most important to your laboratory as part of this fact finding mission.

The primary source used to compile this selection of RFI questions is the LIMSpec for Cannabis Testing. That specification document was designed specifically to take a regulatory-, standards-, and guidance-based approach to how laboratory informatics systems should address the needs of cannabis testing laboratories. As such, LIMSpec for Cannabis Testing turns to ASTM E1578-18 Standard Guide for Laboratory Informatics at its core, as well as more than 70 different regulations, standards, and guidance documents. Additionally, many elements from the "LIMS functionality requirements specific to cannabis testing" section of Chapter 1 are also tapped into. Other sources used to build this RFI include:

  • Most of the sources cited in the RFI questionnaires in Appendix 3 of the upcoming Choosing and Implementing a Cloud-based Service for your Laboratory
  • A solicitation document by the Oklahoma State Department of Health[2]
  • A Labcompare article about LIMS and cannabis testing[3]

The ordering of the RFI questionnaire is as follows:

RFI introduction
Organization basics
LIMS: Primary cannabis testing workflow
LIMS: Workflow and operations maintenance and support
LIMS: Interoperability and system performance
LIMS: Software security, data integrity, and related policies
Cloud infrastructure, security, and related policies
Account management and support
License agreements, service level agreements (SLAs), and contracts
Service implementation

RFI introduction

If you're conducting a full RFI, you're going to lead with the standard components of an RFI, including:

  • a table of contents;
  • an honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;
  • details on how the RFI evaluation process will be conducted;
  • the calendar schedule (including times) for related events;
  • how to submit the document and any related questions about it, including response format; and
  • your organization's background, business requirements, and current technical environment.

Organization basics

Primary business objectives

Please describe the primary business objectives for your organization.

Organization history

Please give some background on your organization's history, including how long it has been offering a cannabis testing LIMS.

Financial stability

Please provide information concerning the financial stability of your organization. If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability.

Software and services offered

Please describe the primary LIMS solution(s) offered by your organization, particularly those which may be relevant based upon our company's stated cannabis testing needs. If the software is offered as a service or the software functionality is unlocked based upon subscriber tiers, explain the different tiers of service or functionality provided and any significant exceptions and differences separating the tier levels.

Details about those LIMS solutions and services

Please provide details about:

  • number of clients specifically using your organization's LIMS solution(s) and related services;
  • how long each of those solutions and services has been offered;
  • the growth rate of those solutions and services over the prior fiscal year;
  • the average historical downtime, if the LIMS is offered as a cloud-based service;
  • how those solutions and services or your organization overall is ranked by market researchers and media organizations; and
  • any awards received for your organization's LIMS solution(s) and related services.

Vision and investment in those LIMS solutions and services

Please provide details about the vision and future direction for choosing, developing, and implementing new technologies, development methods, and security protocols as part of your organization's product development and maintenance initiative. Additionally, discuss the level of investment made by your organization towards maintaining, updating, and upgrading those LIMS solutions and services going forward.

Experience and references

Please provide details on:

  • how many clients you provide (or have provided) LIMS solutions and services to in the cannabis testing industry;
  • whether any of them are willing to act as references for your solutions and services;
  • what experience your organization has in meeting the unique regulatory requirements of the cannabis testing industry;
  • any examples of past issues and risks that were mitigated in prior LIMS implementation efforts;
  • any examples of clients being a learning source for improving your solutions and services; and
  • any whitepapers, reports, etc. authored by your organization that are relevant to clients in the cannabis testing industry.

LIMS: Primary cannabis testing workflow

Sample registration and management

Please describe how your cannabis testing LIMS helps laboratories securely and efficiently facilitate the registration, tracking, and management of cannabis and other related sample types. Describe what metadata and identifiers are supported for registered samples, including lot number, field number, client demographics, sampling point, random selection process used, and other cannabis-specific identifiers. Additionally, briefly explain any other configurable sample registration preferences available, the level of chain-of-custody tracking provided (ideally at every single step), and sample statuses supported (e.g., does the LIMS manage sample weight reconciliation as sample material moves throughout the lab?).

Core laboratory testing - Basics

Please describe how your cannabis testing LIMS facilitates the rapid and error-free testing of cannabis-related samples. Describe the types of pre-loaded state- and local-compliant cannabis testing protocols in the system, as well as their degree of configurable measurement units and substrates/matrices. Does the same level of configurability of pre-defined test protocols apply to any client-creatable test protocols? Verify that pre-loaded protocols include testing for acid and neutral forms of cannabinoids, potency testing, strain identification, water activity, moisture content, pesticides, solvents, heavy metals, microbiological contaminates, fungi, mycotoxins, and foreign matter.

Core laboratory testing - Advanced

Please describe the level of support your cannabis testing LIMS provides in regards to unique forms of sampling and testing such as representative sampling, calibration testing, quality control testing, preventative maintenance testing, stability testing, sterility testing, compatibility testing, identity testing, proficiency testing, and service-event-related testing. Is retest workflow fully supported?

Review, verification, approval, and rejection

Please explain in brief the review, verification, approval, and rejection processes for test results built into your cannabis testing LIMS. Which of those processes can be automated and customized? Also address how flexible specification limits are within the system.


Keeping in mind the importance of accurate and timely results reporting for cannabis testing laboratories, please describe how your LIMS facilitates such reporting. Explain the level of customization reports, including certificates of analysis, have in the LIMS. Does the system come with pre-loaded report templates based on state and local regulations affecting the lab? Additionally, describe the level of automation applied to results reporting, including feeding results to customers via email or secure web portal. If additional reporting dashboard tools for benchmarking, variance reporting, visualization are available, highlight those as well.

LIMS: Workflow and operations maintenance and support

Document and compliance management

Please describe how your cannabis testing LIMS helps clients better manage their industry- and regulation-specific compliance documentation responsibilities and requirements. Provide details about LIMS mechanisms such as document management and storage, versioning, approval and rejection, validation, auditing, signing, and disposition in relation to better meeting those compliance efforts.

Resource and inventory management

Please describe how your cannabis testing LIMS helps clients better manage their laboratory's resources (e.g., time, training, and money) and inventory (e.g., equipment, test samples, reagents, and standards). What makes your LIMS solution stand out about resource and inventory management for cannabis testing laboratories? For example, describe special features like sample weight reconciliation, disposition management, training and certification management, configurable schedulers, and cannabis-related billing management that are important to a cannabis testing laboratory.

Miscellaneous activity management

Please describe in brief any additional noteworthy functionality in your cannabis testing LIMS (outside of what has been mentioned so far) that supports the operations and workflow of a cannabis testing laboratory. This includes, but is not limited to, instrument maintenance and management, calibration scheduling, batch and lot management, and alarm and alert management.

Quality management

Please describe how your cannabis testing LIMS helps clients improve the quality of their processes, data, and test results. Address critical functionality such as out-of-specification (OOS) and out-of-trend (OOT) identification, nonconformance and deviation tracking, corrective action documentation and management, and quality management system documentation and management.

LIMS: Interoperability and system performance

Expected level of integration or interoperability

Please describe how you anticipate your cannabis testing LIMS solution(s) being able to readily integrate or have base interoperability with a client's other software systems, business processes, and existing data while making it easier for the client to perform their laboratory's tasks. What is the broad approach to data exchange and integration in the LIMS, including data integration concerns you expect to arise when moving client data into your system? Include information about specific software integrations (e.g., to enterprise resource planning, seed-to-sale, or other state-specific reporting systems), as well as instrument data systems connectivity for instrument systems common to cannabis testing, including chromatography, spectroscopy, spectrometry, and polymerase chain reaction systems. If possible, provide a list of specifically supported software and instrument systems.

System performance and smart systems

Please elaborate on how your cannabis testing LIMS performs under a variety of workload conditions, from a handful of samples using several integrations to large quantities of samples using 10 or more integrations. In other words, how scalable is the system? Describe what additional smart components are available—including artificial intelligence, machine learning, predictive maintenance, and monitoring components—in the LIMS to help cannabis testing labs further improve laboratory workflow and overall system performance.

LIMS: Software security, data integrity, and related policies

Internal security policy and procedures

Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.

Software security policy and procedures

Please describe your organization's P&P regarding implementing security and data integrity mechanisms within the software it develops, particularly in regards to your cannabis testing LIMS solution. Address any ancillary security policies regarding, e.g., system validation and commission and information privacy for the LIMS and its development and implementation. Be sure to address system characteristics such as audit trails and versioning, as well as how that and other related functionality support ALCOA principles.

Administrational security configurations

Please provide details regarding how your organization's cannabis testing LIMS allows for flexible yet robust configuration of security controls within system. Be sure to address configurable elements such as granular access controls, inactivity timeouts, password requirements, authentication rules, validation rules, etc. as they relate to the LIMS.

Cybersecurity and information privacy

Please describe how your cannabis testing LIMS helps users better meet their organizational cybersecurity requirements. Discuss any relevant communication and encryption protocols, authentication mechanisms, access prevention mechanisms, de-identification tools, etc. that are embedded into the offering. If an organization stores personal health information or other sensitive data in your LIMS, how is its reception and transmission protected using these and other mechanisms, particularly in light of the regulatory requirements affecting cannabis testing labs?

Cloud infrastructure, security, and related policies

Note: This section applies only to those vendors offering their cannabis testing LIMS using the software as a service (SaaS) model, providing it via the cloud using their own cloud infrastructure or a third party's cloud infrastructure.

Cloud host security policy and procedures

Please describe the cloud host's—whether it be your organization or a third-party organization—internal policy and procedure (P&P) regarding in-house security, including any standards the organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.

Business continuity and disaster recovery policy

Please describe the cloud host's—whether it be your organization or a third-party organization—P&P regarding business continuity and disaster recovery.

Data centers and related infrastructure

Please describe how the cloud host—whether it be your organization or a third-party organization—organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:

  • whether or not the organization owns and manages the data centers;
  • where those data centers are located;
  • where our data will be located;
  • what specifications and encryption types are used for in-transit and at-rest data;
  • what level of availability is guaranteed for each data center;
  • what level of redundancy is implemented within the data centers;
  • what disposal and data destruction policies are in place for end-of-life equipment;
  • how that redundancy limits service interruptions should a particular data center go offline;
  • what level of cloud-based scalability is available to clients with growth or contraction states; and
  • what qualifications and certifications apply to each data center.

Physical security at data centers

Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at the cloud host's—whether it be your organization or a third-party organization—data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?

Staffing at data centers

Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are implemented towards any organizational personnel and third-parties (e.g., contractors, service technicians) interacting with systems containing client data.

Independent infrastructure review

If the cloud host—whether it be your organization or a third-party organization—has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.

Internal infrastructure review

If the cloud host—whether it be your organization or a third-party organization—has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. If the cloud host conducts internal "red team" or "attack-and-defense" exercises, describe them, their frequency, and how resulting information is acted upon.

Auditing of your operations

If the results of the cloud host's—whether it be your organization or a third-party organization—independent and/or internal review cannot be shared, will the cloud host allow us to—on our own or through a third party—audit cloud host operations, with the goal of determining the appropriateness of the cloud host's implemented safeguards?

Auditing of client data

Please describe how the cloud host—whether it be your organization or a third-party organization—handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how the cloud host would maintain any privileged, confidential, or otherwise sensitive information as being protected. Does the cloud host have legal representation should these issues arise?

Extraction of client data

Please explain how clients may extract data from the cloud host's—whether it be your organization or a third-party organization—service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.

Account management and support

Account management basics

Please describe how accounts are established with your organization and what level of visibility clients and their authorized users will have into account details, including service metrics, security metrics, and various account logs.

Support basics

Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.

Help desk and support ticketing

Please indicate what help desk or ticketing functionality is available for clients having issues with the LIMS solution and any related services (e.g., if SaaS). Describe how clients should go about using such tools to initiate the support process. Do clients receive comprehensive downtime support in the case of solution or service downtime?

Availability, provisioning, and responsiveness

Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.

Client satisfaction

Please describe how your organization measures and reports (including frequency) client satisfaction with support, account, and overall services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.

Ancillary services

Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?

License agreements, service level agreements (SLAs), and contracts

License and SLA basics

Please describe the details of any applicable license agreements and SLAs (e.g., if SaaS) for the various LIMS products and services you provide, including any negotiable aspects of those agreements. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., response times, accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing license or service levels are. Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the LIMS and any related services to ensure your organization can prove its marketing and operational claims.

SLAs for SaaS

In the case of SaaS-related LIMS cloud agreements (if applicable) with your organization, please explain how software customization, upgrades, testing, and versioning are addressed in such agreements.

Agreement failure

Please explain how your organization monitors and measures its compliance with agreements, as well as client compliance with agreements. Describe what options are available to clients and your organization upon the other party failing to meet an agreed-upon term.

Business associate agreements

If your organization's cannabis testing LIMS is offered via the cloud, state whether or not the hosting organization—whether it be your organization or a third-party organization—will sign a business associate agreement or addendum for purposes of ensuring the hosting organization appropriately safeguards protected health information, as dictated by the Health Insurance Portability and Accountability Act (HIPAA).

Contract termination

Please describe what happens with a client and their data at contract termination. If the cannabis testing LIMS is a cloud solution, the hosting provider—whether it be your organization or a third-party organization—should be able to explain their policy on archiving, deleting, and helping transition client data from any of their systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.

Organization termination or catastrophic loss

Please describe what would happen to a client's LIMS and associated data in the event of your organization going out of business or suffering a catastrophic loss.

Service implementation

Implementation basics

Please describe your approach to implementing your on-premises or cloud-based cannabis testing LIMS for clients. You should address:

  • the standard timeframe for implementation and onboarding (overall average or last 10 customers);
  • whether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;
  • what resources clients will require to support the implementation and throughout the contract's duration;
  • what client processes and procedures your organization has found to be vital to optimal implementation and operation;
  • what device and database integrations are supported in an implementation;
  • whether or not unsupported devices and databases can be added for support;
  • how the impact or disruption of client resources is minimized during implementation; and
  • what your normalization and fine-tuning procedures are.

Completion and handoff

Please describe what steps are taken to ensure the implementation is complete, as well as how the software or service is handed off to the client afterwards. If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.

Multi-site implementations

Please describe the process used when implementing a LIMS solution or service to a client with many geographically dispersed facilities.

Updates and releases

Please describe the expected frequency and approach to providing and implementing security updates and versioned releases for your LIMS.


Pricing basics

Please describe how your company's pricing and payment models meet industry standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, per user etc.). Provide pricing estimates and examples based upon the various services provided using a current published catalog, standard market pricing, and/or web enabled price calculators. Explain how any metered services are clearly reported and billed. Ensure all costs are accurately reflected, including any:

  • underlying "implied" costs,
  • initial "stand up" costs,
  • ongoing maintenance or subscription costs,
  • renewal-related price increases
  • data download costs, and
  • termination costs.


-----Go to the next chapter of this guide-----

Citation information for this chapter

Chapter: 5. An RFI for evaluating cannabis testing LIMS vendors

Edition: Summer 2021

Title: LIMS Buyer’s Guide for Cannabis Testing Laboratories

Author for citation: Shawn E. Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: August 2021