SlideShare una empresa de Scribd logo

Ispe Article

D
David Stephenson
1 de 9
Descargar para leer sin conexión
IT Infrastructure Qualification This article Reprinted from The Official Journal of ISPE describes a PHARMACEUTICAL ENGINEERING® September/October 2005, Vol. 25 No. 5 method for the An Approach to IT Infrastructure qualification of IT infrastructure that can be scaled down to fit multiple Qualification organizations, by David Stephenson whether small or large. M Introduction infrastructure. While the principles for accom- any pharmaceutical manufacturing plishing this are becoming more widely under- organizations are currently strug- stood, pragmatic guidance is lacking for those gling to establish a cost effective, organizations wishing to develop a pragmatic efficient, and regulatory compliant and holistic approach. approach to managing their enterprise-wide IT This article describes a pragmatic approach, Table A. GxP regulations FDA Short Rule Section and guidance Regulation Description appertaining to IT infrastructure. 21 CFR 211.25 Personnel Training shall be in the particular operations that the employee performs and in Qualifications current good manufacturing practice (including the current good manufacturing practice regulations in this chapter and written procedures required by these regulations) as they relate to the employee’s functions. 21 CFR 211.63 Equipment Equipment used in the manufacture, processing, packing, or holding of a drug product Design shall be of appropriate design, adequate size, and suitably located to facilitate operations for its intended use and for its cleaning and maintenance. 21 CFR 211.68 Automatic, Appropriate controls shall be exercised over computer or related systems. If such mechanical, and equipment is so used, it shall be routinely calibrated, inspected, or checked according electronic to a written program designed to assure proper performance. equipment Guidance for Systems Systems documentation should be readily available at the site where clinical trials are Industry Documentation conducted. Such documentation should provide an overall description of computerized Computerized systems and the relationship of hardware, software, and physical environment. Systems Used in Clinical Trials (Section VIII:A) April 1999 Guidance to Diagrams For each significant computerized system, it may be helpful to prepare an OED Inspection of schematic drawing of the attendant hardware. The drawing need only include major Computerized input devices, output devices, signal converters, Central Processing Unit (CPU), Systems in Drug distribution systems, significant peripheral devices and how they are linked. Processing (Section III) February 1983 Guidance to Distributed The interconnection of two or more computers... also known as distributed Inspection of Processing processing. A large CPU may also act as a “host” for one or more other CPUs. When Computerized such inspections are encountered during an inspection, it is important to know the Systems in Drug configuration of the system and exactly what command and information can be Processing relayed amongst the computers. (Section III:A:5) February 1983 Guidance to Electromagnetic Excessive Distances between CPU and Peripheral Devices. Excessively long low Inspection of Interference voltage electrical lines... are vulnerable to electromagnetic interference. This may Computerized result in inaccurate or distorted input data to the computer. In a particularly “noisy” Systems in Drug electronic environment, this problem might be solved by the use of fiber-optic lines to Processing convey digital signals. (Section III:B:1:b) February 1983 ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 1
IT Infrastructure Qualification which minimizes qualification/validation effort (by utilizing Each of these areas requires processes and procedures to be a risk-based approach combined with a layering/partitioning established and followed in order to be considered compliant. methodology) while at the same time being sufficiently ro- bust to meet the requirements of regulatory inspection. What is Required of the Infrastructure? IT Infrastructure is generally accepted as a commodity that What is IT Infrastructure? exists to perform the required functions for all available and IT infrastructure is the collection of the computer systems in authorized users. It is therefore required to be potentially use, combined with their hardware, software (excluding busi- fault free and continuously available, almost like the electric ness applications), network components, and associated pro- and gas utilities that are part of our everyday life. In order to cesses and procedures used to run the business in question. achieve a high level of fault tolerance and availability, we This can be broken down into four specific areas: must strive to bring our infrastructure up to a certain level of compliance and demonstrated control. This is best achieved • Servers by implementing and executing a planned qualification pro- - Hardware cess, reinforced by a set of procedures that will ensure - Operating systems ongoing compliance following completion of the qualification - Support applications (virus, backup/tools, etc.) exercise. • Networks - Intelligent devices (routers and switches, etc.) Regulations Surrounding IT Infrastructure - Cabling infrastructure (copper and fiber) When we start to consider IT infrastructure qualification and - Support applications (network management/security, what it will involve, we must look closely at the reasons why etc.) we are doing it, and what the end result will be. Are we doing • Desktop it because: everyone else is doing it; fear of a regulatory - Hardware inspection; or we want to get control over our infrastructure? - Operating systems There is probably a certain amount of each of the above in - Support applications (virus, etc.) the decision making process; therefore, we need to consider • Management Applications all of the aforementioned criteria. - Security If everyone else is doing it, then surely there must be a - Network management/performance reason behind it; the pharmaceutical industry does not spend Figure 1. Infrastructure layer boundaries. 2 PHARMACEUTICAL ENGINEERING SEPTEMBER/OCTOBER 2005 ©Copyright ISPE 2005
IT Infrastructure Qualification money on testing and documentation for no reason. combined approach that not only answers the regulatory Regulatory inspection is becoming more of a common requirements, but provides a known and trusted framework, occurrence for IT departments in the pharmaceutical indus- which the IT departments themselves can benefit from. This try. It is not usually the case that IT departments are failing then will give an added dimension to the exercise, which in their duties; often this is very far from the truth. However, should help to get the buy-in of the IT community. it is quite common that the IT department does not document The process explained below covers all aspects of the who, what, where, when, and how in a manner that is easily infrastructure and describes documents that have been de- verifiable for the regulatory inspectors. Therefore, what we signed to meet the requirements of the System Development are usually faced with is a documentation exercise aimed at Life Cycle, but also takes into account the recommendations bringing all of the various existing processes and procedures set down in ITIL (covered in the SOP section). It also has an together, and filling any gaps. approach to testing, which can be utilized to meet the require- There are many cGxP regulations and guides that explic- ments of both a large-scale organization, and those of a small itly or implicitly relate to the qualification of IT infrastruc- single-site organization. ture. Some examples are shown in Table A. In order to understand these processes, we must first We have so far looked at the infrastructure, what it understand the boundaries that they encompass. consists of, what is expected of it, and why we qualify it. The Therefore, we must define the infrastructure clearly, tak- next step is how do we do it? ing into consideration the scope of the formal infrastructure qualification (i.e., what to qualify). Based upon experience Methodology Background there are two main approaches: The following methodology is one that has been used over a number of sites throughout Europe. It has been developed • Partition the infrastructure into GxP and non-GxP critical through both consultation with clients and with a weather components. Qualify only the GxP critical components and eye on the quality and regulatory expectations surrounding use good IT practices to commission and maintain the non- IT infrastructure. GxP critical components. This methodology was set up to provide both compliance and practicality. In order to achieve this, there are some very • Take a blanket approach and qualify all components. basic requirements that must be met: Because of the broader business needs to qualify infrastruc- • We must produce a comprehensive yet manageable docu- ture, most medium and large size organizations are leaning ment set, which will be easy to maintain and understand. toward qualification of the entire infrastructure. Partition- ing will be less appropriate in the case of large multinationals • We must not overburden the qualification exercise with with an integrated IT infrastructure. unnecessary testing and documentation. (We must carry In addition, different types of components will require out the correct level of qualification on a case by case basis, different approaches to qualification, and similar compo- justified by a documented, risk-based rationale.) nents will have the same basic requirements to achieve a qualified status, e.g., a network switch may be configured • The infrastructure qualification status must be controlled differently to another switch (since the infrastructure is so that ongoing changes do not affect the qualification ‘common’ to all applications, the risk can be assumed to be status. common) but will have the same level of verification, testing, and controls applied to it. • We must ensure that the processes are easily operable on We can categorize components into infrastructure layers a day to day basis by the local site IT department, minimiz- based on the type of service or function they provide within ing the ongoing maintenance burden. the infrastructure. Components in the same layer will re- quire the same basic qualification activities. If we now consider the last bullet point from the previous Figure 1 illustrates the boundaries within IT infrastructure section, “We want control over our infrastructure,” this and demonstrates that the IT infrastructure not only supports can be achieved by a pragmatic qualification of the existing the business applications, but also is critical for maintaining infrastructure, while tying in a quality service framework the overall and ongoing compliance of the system. (see ITIL) that will keep the infrastructure both compliant Figure 1 shows a representation of the layers defined for and efficient as it moves through its working life.1,2,3 This will infrastructure. A description of these layers is provided ensure that the infrastructure qualification is understand- below. able and compliant, and conforms to the local quality pro- cesses and procedures. Network Links The following discussion will expand on the basic require- This layer defines the network hardware that physically ments of the cGxP regulations, and include the type of connects the network (e.g., copper cable/optical fiber, outlets, industry standard, service framework as set down by such patch cables, repeaters, hubs, Network Interface Cards, and bodies as IT Infrastructure Library (ITIL) and provide a device drivers). ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 3
IT Infrastructure Qualification Network Hardware servers to support the performance, integrity, and availabil- This layer is used for basic communication, addressing and ity of the service. routing, and includes switches, routers, hardware Uninterruptible Power Supplies (UPSs), and firewalls. Servers and other Higher Platform Devices Servers, printers, pagers can be considered within this layer. Lower Network Services Pagers and cellular mobile phones are possible vectors for This layer includes items such as operating system, Virtual system alert messaging. This is for sending alerts related to, Private Networks (VPNs), DNS, or file system managers. for example, capacity management or intrusion detection to an engineer. Components such as BMC Patrol utilize this Infrastructure Services technology and correct configuration of these components There are a number of components that will be installed on enabling communication to the devices should be qualified. Layer Minimum Definition Minimum Testing Minimum Control Requirements Requirements Requirements Network Links • Standard technical • Basic connection/power test • Network Diagram (down to low level – e.g., specifications for labelling of network access point and patch component requisitioning panels) • Inventory management recording configuration details for applicable components (e.g., device drivers) • Ongoing monitoring of performance Network Hardware • Configuration specification • Testing instructions and results for • Inventory management recording configuration and installation instructions initial item of each type (carried out details (item number, location, with each item for all hardware items by within a controlled testing environment), identified on network schematic) type based on supplier including performance testing against • Ongoing monitoring of performance documentation requirements • Basic installation testing for subsequent items of type tested Lower Network Services • Configuration specification • Software updates/patches to be • Inventory Management (e.g., license numbers, and Installation instructions installed into a controlled test install location) (as part of server build), environment and monitored for a defined • Privileged access usage procedures (e.g., for based upon supplier period prior to installation to production system admin [root] access) documentation • Ongoing monitoring of performance Infrastructure Services Partial Lifecycle: • Performance Testing based on • Inventory Management (e.g., license numbers, • Definition of service requirements install location) requirements • Change Management (to control software • Configuration specification updates) and Installation Instructions • Ongoing monitoring of performance based on vendor-supplied documentation Servers and other higher • Configuration specification • Testing instructions and results for • Inventory management recording configuration platform devices and installation instructions initial item of each type (carried out details (includes log of installed items, including for all hardware items by with a controlled test environment), all installed services and applications) type based upon vendor- including performance testing against • Ongoing monitoring of performance supplied instructions requirements, based on supplier guidance • Limited installation testing for subsequent items of type tested Infrastructure Framework Full Lifecycle Documentation: Full Qualification: • Software Change Control Components • URS • IQ • Ongoing monitoring of performance (In-house developed) • FS • Unit Test • SDS • Functional Test • DQ • Integration Test Infrastructure Framework Partial Lifecycle: • Performance Testing based on • Software Change Control Components • Requirements definition requirements • Ongoing monitoring of performance (third-party) • Installation and Configuration Instructions based on vendor-supplied documentation Client Devices • Installation and • Operability test • Restrict user modification of system configuration Configuration Instructions (e.g., system clock, ability to install/uninstall for standard PC build programs) • Inventory management recording configuration details (e.g., location, RAM, processor) • Ongoing monitoring of performance Table B. Layer qualification activities. 4 PHARMACEUTICAL ENGINEERING SEPTEMBER/OCTOBER 2005 ©Copyright ISPE 2005
IT Infrastructure Qualification Infrastructure Framework Components (In-House Developed) These can be both in-house developed and third-party. Sys- tem frameworks perform low-level functionality on behalf of the caller and interact with the infrastructure services to realize the request. They serve as a bridge between the business service and the infrastructure service. This can be achieved using standard code or custom developed code and the supporting procedures and standard required to develop it. Client Devices These are services across the business that allow mainte- nance and control of the infrastructure. Examples include personal computers, laptops, PDAs, mobile RFI terminals, etc. Horizontal Business Services (Package Figure 2. Factors influencing qualification level. (Microsoft SMS), In-House Developed (Custom Code), In-House Developed (where service core functions of the UNIX operating system due to the consists of configured framework components) confidence we have in Hewlett-Packard to produce the prod- These are the infrastructure applications which provide uct correctly (Supplier Quality), it has a tried and tested company wide services, e-mail, SMS, print services, etc. install process (Implementer Expertise) and it is used with- out problem throughout industry (Component Reliability). Layer Qualification Activities Therefore, there are three primary factors to consider The baseline qualification activities that should be per- when deciding on a pragmatic level of qualification - Figure formed for a component assigned to a particular infrastruc- 2. ture layer are described in Table C. In general, qualification The higher the confidence and trust we have in each of activities increase as we go up through the layers. This these factors, the lower the qualification burden on the reflects the fact that higher layers of the model will be more company. functional and will have more interaction with regulated Assessing these factors allows us to reduce the qualifica- applications than lower layers. It must be appreciated that tion activities required where appropriate, and also apply a this is one approach to defining qualification activities and detailed risk assessment when necessary, bearing in mind organizations must define their own, specific to their indi- that there is always a risk that a component may directly vidual needs. impact data that can affect the quality of the product or the safety of the consumer. Qualification Level Determination Therefore, this must be assessed where appropriate by In drug manufacture, companies will often use raw materials performing a detailed risk assessment on a particular compo- from a supplier with minimal or no testing, accepting the nent, thus identifying its functions and/or operations that are manufacturers test evidence as quality of the material. This at risk of failure and allowing us to quantify that risk and is based on the trust the company has in the supplier to provide for risk mitigation. consistently provide quality raw materials. This trust is supported and evidenced by a combination of historic experi- Assessing Qualification Level ence (what has the supplier provided in the past), supplier As shown above, assessing the key factors of Component audit, and periodic monitoring of the material quality. Reliability, Supplier Quality, and Implementer Expertise Infrastructure components can be seen as analogous to allows a pragmatic level of qualification to be determined pharmaceutical raw materials in this respect as they are: based on the baseline activities described in Table C. Following the decision tree illustrated in Figure 3 allows • basic building blocks of the final product or system this qualification level to be achieved. The qualification level • simple compared with the final product or system can be used to modify the baseline set of qualification activi- • often produced in a highly repeatable and consistent ties, providing a pragmatic set of activities for the component. process Figure 4 describes the risk-based modification of the baseline qualification activities. In addition, infrastructure components are often used exten- The infrastructure layer where the component resides sively throughout the business world. This can provide us provides a baseline set of qualification activities as defined in with a degree of confidence in the component that mitigates Table B. The qualification level determined for the compo- the need for high levels of qualification. nent in Table C modifies this set of activities to allow for the For example, we do not perform functional testing on the possible risk derived from Component Reliability, Supplier ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 5
IT Infrastructure Qualification Figure 3. Qualification level decision tree. Quality, and Implementer Expertise, as described in Figure 2. Production of a Traceability Matrix 2. This may indicate the requirement for a formal risk 3. Production of Installation Qualification/Operational Quali- assessment. However, it must be stated that we are not fication (IQ/OQ) Protocols, including (but not limited to) looking to put in place a big complex risk assessment meth- the following: odology, but a risk-based framework that leverages (docu- • Switches and Routers mented) good suppliers, quality products, etc. • Network Link (Cabling) If we consider the NIST SP 800-30 approach, we can allow • Network Management Applications (If Utilized) for many generic risks as part of the design process, and • Servers H/W and Operating Systems therefore, it is not necessary to perform a separate risk • Desktop Applications and Configuration assessment so long as design documents identify which 4. Review/Update of Standard Operating Procedures design elements address various risk scenarios. 5. Production of IQ/OQ Reports for the Executed Protocols Figure 4 shows the process for determining the final set of 6. Production of a Qualification Summary Report activities required for qualifying an infrastructure compo- nent. These deliverables are expanded below: The final set of activities will be documented in a Qualification Plan (including required remediation of legacy As-Built Specification infrastructure). This will detail the specific activities to be This document will be written in order to detail the ‘as-built’ performed, including a rationale that justifies those activi- functional and design specification for network infrastruc- ties and will identify the deliverables that will be produced as ture (in line with client standards). It will define how the part of the qualification. network infrastructure is configured and functions for both This plan could include the following activities dependant hardware and software and its interaction with other sys- on the result of the process carried out: tems. The document will typically contain the configuration items for each of the devices on the network, how they are 1. Production of an As-Built Specification for the whole IT interconnected, and which IT industry standards they com- infrastructure ply with. Thus, it provides a reference document that could be 6 PHARMACEUTICAL ENGINEERING SEPTEMBER/OCTOBER 2005 ©Copyright ISPE 2005
IT Infrastructure Qualification used to assist in the rebuilding of the infrastructure following Level Details a disaster if required (each device is represented as an attachment to the main document, which sets out the stan- 0 The company will apply the Definition and Control activities described in Table B. The implementer will perform testing dards required for new equipment). Following qualification, activities. (Note: the implementer may also provide some Control this document will be maintained throughout the life of the requirements.) system with any updates being fed into it via a formalized IT 1 Refer to Table B. configuration management and change control process. 2 Refer to Table B with the addition of documented data to show the general acceptance of the component within industry. If this is Traceability Matrix unavailable (e.g., innovative component) go to Level 4. As in all qualification exercises, there is a fundamental need 3 Activities defined in Table B with the addition of Supplier Audit. to provide traceability from the requirements through to the The result of Supplier Audit may require additional qualification testing. In the case of the infrastructure that already exists, activities as determined by risk assessment. traceability is provided from the system functionality through 4 Activities defined in Table B with additional qualification activities to the design (as detailed in the as-built specification). We as determined by risk assessment, e.g., redundancy testing of RAID configuration supporting GxP critical data. also can include at this point, the business requirements that are expected of the infrastructure. All areas are verified by * Appropriate documented evidence (e.g., implementer audit) is required to prove the expertise and previous experience of the testing that will be carried out during execution of the implementer with component type. relevant IQ/OQ protocols. In addition to the obvious trace- Table C. Qualification level activities - refer to Figure 3. ability provided between the IT infrastructure and GxP Critical Applications, this collection of information may be • Desktop Configuration Protocols advantageous in providing an overview of the impact of failure in the case of dedicated components (i.e., which appli- In general, these can be written as generic protocols (per cations will fail if a server fails). device type), which can be used across all of the devices being tested. They will typically contain attachments, which will IQ/OQ Protocols cover the various types of devices and operating systems These will be written to include all of the infrastructure utilized. devices and could include: Each of the protocols will have associated attachments containing test cases, which are used to capture information, • Switch/Router Protocols and test functionality of the components. (In order to reduce • Server Protocols testing at OQ, “type testing” could be utilized.) These test • Network Management Application Protocols cases could typically include: GAMP® Section Title ITIL Section Title 7.11 Maintaining the Validated State 7.11.1 Operational Plans and Procedures Throughout All 7.11.2 Training 4.4.11 (SS) Identifying Training Needs 5.5.3 (SS) Possible Problem Areas 7.11.3 Problem Management and Resolution 6 (SS) Problem Management 7.11.4 Service Level Agreements 4 (SD) Service Level Management 7.11.5 System Management 7 (SD) IT Service Continuity Management 7.11.6 Backup and Recovery 7.3.2 (SD) Requirements Analysis and Strategy 8.5.4 (SD) Definition Designing for Recovery 7.11.7 Configuration Management 7 (SS) Configuration Management 7.11.8 Operational Change Control 8 (SS) Change Management 9 (SS) Release Management 7.11.9 Security Management ALL (SM) Best Practice for Security Management 7.11.10 Performance Monitoring 8 (SD) Availability Management 7.11.11 Record Retention, Archiving, and Retrieval 7.3.3 (SD) (Service Continuity Management) Implementation 7.11.12 Business Continuity Planning 7.3 (SD) The Business Continuity Lifecycle 7.11.13 Periodic Review 7.3.4 (SD) Stage 4 Operational Management 7.11.14 System Retirement Legend: (SS) Best Practice for Service Support (SD) Best Practice for Service Delivery Table D. Cross reference of ITIL to GAMP 4, section 7.11. ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 7
IT Infrastructure Qualification GAMP® 4 section 7.11 “Maintaining the Validated State:”5 If we approach the subject of SOPs, with reference to both GAMP® and ITIL, combining their approaches, we can pro- duce an approach that is both compliant and efficient when utilized in support of the IT infrastructure. IQ/OQ Reports An IQ/OQ report will be written against all of the protocols that were executed. It will verify and record that cabling, routers, switches, servers, desktops, and applications (where applicable), installed as part of the site network infrastruc- ture, have been assembled, installed, and tested in accor- Figure 4. Overview of qualification activity determination. dance with design criteria and the manufacturers recommen- • Configuration Items dations. These reports once written can be brought together • Physical and Logical Security Checks in a cohesive package, containing: • Utilities, Services and Support Applications • Network Connectivity • the original signed protocol • Documentation • the executed protocol attachments • the recorded evidence (screen captures) Fiber and UTP/STP Cable Protocol • the protocol report Within these protocols, test cases are used to verify the following: Qualification Summary Report The final step is to combine the documents together and wrap • the cable possessed a valid Test Certificate (to TSB 67, ISO up the qualification exercise in a final summary report, which 11801 or another valid standard) should detail the following: • all Network Infrastructure documentation affected by the • verification of the qualification deliverables project had been updated (including topology and site • verification of the protocols executed and the test data cabling schematics) produced • explanation of any exceptions/deviations recorded and • the cables have been installed and labelled in accordance how they were resolved with the site standards • verification of SOP creation and testing • verification that all documents and electronic files have Standard Operating Procedures been stored in a secure location As we are looking directly at the operational management of • verification that processes have been put into place to the whole IT infrastructure, there is need to create/review the ensure that ongoing compliance will be maintained existing SOPs against the framework for operational man- agement set up in ITIL, and the framework for compliance Conclusion specified in GAMP® 4. In conclusion, my experience is that IT infrastructure can be Figure 5 represents the framework for operational man- qualified and controlled in a pragmatic and cost effective agement (Service Support and Service Delivery), taken from manner. The approach to infrastructure qualification de- ITIL. These areas can map across to the sections specified in tailed above is one where: • The infrastructure hierarchy is defined with respect to layers and components within these layers. • A clear, enterprise-wide decision is taken on whether or not to segregate the infrastructure into GxP and non-GxP segments. Minimum qualification requirements are defined for each layer, based upon a series of documented risk assessments • Appropriate documentation is developed (processes, poli- cies, procedures, work instructions, and checklists) to support the above decisions and the qualification activi- ties. Figure 5. ITIL framework for operational management. 8 PHARMACEUTICAL ENGINEERING SEPTEMBER/OCTOBER 2005 ©Copyright ISPE 2005
IT Infrastructure Qualification • Risk assessment is used to identify where additional References qualification/validation is required. 1. ITIL Best Practice for Service Delivery, third impression 2002. This approach has been demonstrated to be scalable in terms 2. ITIL Best Practice for Service Support, seventh impres- of organization size and infrastructure technology and to sion 2004. provide a method by which the cost of IT infrastructure 3. ITIL Best Practice for Security Management, seventh qualification and on-going control can be reduced to an impression 2004. acceptable minimum. 4. ISPE GAMP Forum, “Risk Assessment for Use of Auto- mated Systems Supporting Manufacturing Processes, Part Acronyms and Abbreviations 1 - Functional Risk,” Pharmaceutical Engineering, May/ DDS - Detailed Design Specification June 2003, pp. 16-26. 5. GAMP® 4, Good Automated Manufacturing Practice FRS - Functional Requirements Specification (GAMP®) Guide for Validation of Automated Systems, ISPE, Fourth Edition, December 2001, www.ispe.org. ITIL - IT Infrastructure Library 6. GAMP Good Practice Guide: IT Infrastructure Control and Compliance, ISPE, First Edition, August 2005, LAN - Local Area Network www.ispe.org. Multi-Mode Fiber - Optical fiber supporting propagation of About the Author multiple frequencies of light Multi-mode fibers have rela- David Stephenson joined the Life Sciences tively thick core that reflects light at many angles. Multi- Division of Mi Services in 2004 where he is mode transmitters usually use LEDs as a light source and a Head of IS Compliance. During his 15 years photodiode detector to translate light signals into electrical in the pharmaceutical industry, he has signals. worked for Mi Services, ABB, and GSK in computer systems validation, network man- Router - A device that connects two networks and allows agement and administration, and computer packets to be transmitted and received between them. access and security. Now focused on infra- structure qualification, he is a member of the GAMP® Infra- Single Mode Fiber - Optical fiber with a narrow core that structure Special Interest Group (SIG), whose Good Practice allows light to enter at a single angle only. This type of fiber Guide: IT Infrastructure Control and Compliance was has higher bandwidth than multi-mode fiber. Also known as launched in August 2005. During 2003/2004, he has been monomode fiber. leading the qualification effort for the IT network infrastruc- ture at various pharmaceutical manufacturing sites in Eu- STP - Shielded Twisted Pair. A four pair medium used in a rope, including the qualification of Cisco equipment (routers/ variety of networks. switches, etc.), site servers, network management applica- tions, physical layer connectivity (fiber and copper cabling), Specifications - Describes the requirements and design of a and the provision of procedural controls. He has presented at system. CSV conferences on the subjects of network qualification and the impact of SOPs on IT departments. Within ABB and Mi Switch - A logical device which connects multiple segments Services, he has been developing a common methodology for of a network together and passes data on to the required both retrospective and prospective IT network qualification, recipient. including the production of guidance and associated training packages. He is a member of ISPE and the Institute of UTP - Unshielded Twisted Pair. A four pair medium used in Leadership and Management (MinstLM). a variety of networks. Mi Services Group Ltd., 7 Camberwell Way, Doxford International Business Park, Sunderland, Tyne and Wear SR3 3XN, United Kingdom. ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 9

Recomendados

Agile Computer System Validation of software products
Agile Computer System Validation of software productsAgile Computer System Validation of software products
Agile Computer System Validation of software productsWolfgang Kuchinke
 
Equipment qualification
Equipment qualificationEquipment qualification
Equipment qualificationInstitute of Validation Technology
 
1 5 equipment-qualification
1 5 equipment-qualification1 5 equipment-qualification
1 5 equipment-qualificationMalla Reddy College of Pharmacy
 
Quality assurance road map
Quality assurance road mapQuality assurance road map
Quality assurance road maprajeshsinghsitarganj
 
GMP
GMP GMP
GMP Rungta college of Pharmaceutical science
 
Computerized system validation_final
Computerized system validation_finalComputerized system validation_final
Computerized system validation_finalDuy Tan Geek
 
Anvisa Vs WHO guidelines
Anvisa Vs WHO guidelinesAnvisa Vs WHO guidelines
Anvisa Vs WHO guidelinesNayan Jha
 
Computer System Validation
Computer System ValidationComputer System Validation
Computer System ValidationGMP EDUCATION : Not for Profit Organization
 

Recomendados

Agile Computer System Validation of software products
Agile Computer System Validation of software productsAgile Computer System Validation of software products
Agile Computer System Validation of software productsWolfgang Kuchinke
 
Equipment qualification
Equipment qualificationEquipment qualification
Equipment qualificationInstitute of Validation Technology
 
1 5 equipment-qualification
1 5 equipment-qualification1 5 equipment-qualification
1 5 equipment-qualificationMalla Reddy College of Pharmacy
 
Quality assurance road map
Quality assurance road mapQuality assurance road map
Quality assurance road maprajeshsinghsitarganj
 
GMP
GMP GMP
GMP Rungta college of Pharmaceutical science
 
Computerized system validation_final
Computerized system validation_finalComputerized system validation_final
Computerized system validation_finalDuy Tan Geek
 
Anvisa Vs WHO guidelines
Anvisa Vs WHO guidelinesAnvisa Vs WHO guidelines
Anvisa Vs WHO guidelinesNayan Jha
 
Computer System Validation
Computer System ValidationComputer System Validation
Computer System ValidationGMP EDUCATION : Not for Profit Organization
 
cGMP AS PER USFDA
cGMP AS PER USFDAcGMP AS PER USFDA
cGMP AS PER USFDAsrikrupa institute of pharmaceutical analysis
 
Quality standards as per iso
Quality standards as per isoQuality standards as per iso
Quality standards as per isoSIBENDU SURAJEET JENA
 
BPR review and batch release
BPR review and batch release BPR review and batch release
BPR review and batch release Dr. Amsavel A
 
TRS 957 (2010) - Annex 3 - WHO GMP for pharmaceutical products containing haz...
TRS 957 (2010) - Annex 3 - WHO GMP for pharmaceutical products containing haz...TRS 957 (2010) - Annex 3 - WHO GMP for pharmaceutical products containing haz...
TRS 957 (2010) - Annex 3 - WHO GMP for pharmaceutical products containing haz...Công ty cổ phần GMPc Việt Nam | Tư vấn GMP, HS GMP, CGMP ASEAN, EU GMP, WHO GMP
 
Computer system validation
Computer system validationComputer system validation
Computer system validationGaurav Kr
 
Computer system validation
Computer system validation Computer system validation
Computer system validation ShameerAbid
 
GMP Introduction
GMP IntroductionGMP Introduction
GMP IntroductionRajendra Sadare
 
Corrective Action & Preventive Action
Corrective Action & Preventive ActionCorrective Action & Preventive Action
Corrective Action & Preventive ActionGMP EDUCATION : Not for Profit Organization
 
Quality Facilities HVAC and Water Systems
Quality Facilities HVAC and Water SystemsQuality Facilities HVAC and Water Systems
Quality Facilities HVAC and Water SystemsInstitute of Validation Technology
 
Gamp 5 overview by jaya prakash ra
Gamp 5 overview by jaya prakash raGamp 5 overview by jaya prakash ra
Gamp 5 overview by jaya prakash raJAYA PRAKASH VELUCHURI
 
21 cfr-part-820
21 cfr-part-82021 cfr-part-820
21 cfr-part-820RichardNguyen92
 
GMP Training: Handling of deviation
GMP Training: Handling of deviationGMP Training: Handling of deviation
GMP Training: Handling of deviationDr. Amsavel A
 
Good Manufacturing Practices For Quality Control
Good Manufacturing Practices For Quality ControlGood Manufacturing Practices For Quality Control
Good Manufacturing Practices For Quality ControlDr Rajendra Patel
 
Vendor validation,requirement for vendor validation.
Vendor validation,requirement for vendor validation.Vendor validation,requirement for vendor validation.
Vendor validation,requirement for vendor validation.Time Pharmaceutical P.Ltd
 
Cross contamination
Cross contaminationCross contamination
Cross contaminationkiranreddy munnangi
 
Gmp checklist
Gmp checklistGmp checklist
Gmp checklistCCL Pharmaceuticals
 
Handling of waste and Scrap disposal
Handling of waste and Scrap disposalHandling of waste and Scrap disposal
Handling of waste and Scrap disposalganpat420
 
Cleaning validation
Cleaning validationCleaning validation
Cleaning validationShoab Malek (Certified Quality Auditor)
 
Hazard and risk management
Hazard and risk managementHazard and risk management
Hazard and risk managementshreyashChaudhari6
 
quality assurance audits
quality assurance audits quality assurance audits
quality assurance audits rasikawalunj
 
Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Raul Soto
 
Virtual infrastructure qualification
Virtual infrastructure qualificationVirtual infrastructure qualification
Virtual infrastructure qualificationUS Data Management LLC
 

Más contenido relacionado

La actualidad más candente

BPR review and batch release
BPR review and batch release BPR review and batch release
BPR review and batch release Dr. Amsavel A
 
Computer system validation
Computer system validationComputer system validation
Computer system validationGaurav Kr
 
Computer system validation
Computer system validation Computer system validation
Computer system validation ShameerAbid
 
GMP Training: Handling of deviation
GMP Training: Handling of deviationGMP Training: Handling of deviation
GMP Training: Handling of deviationDr. Amsavel A
 
Good Manufacturing Practices For Quality Control
Good Manufacturing Practices For Quality ControlGood Manufacturing Practices For Quality Control
Good Manufacturing Practices For Quality ControlDr Rajendra Patel
 
Vendor validation,requirement for vendor validation.
Vendor validation,requirement for vendor validation.Vendor validation,requirement for vendor validation.
Vendor validation,requirement for vendor validation.Time Pharmaceutical P.Ltd
 
Handling of waste and Scrap disposal
Handling of waste and Scrap disposalHandling of waste and Scrap disposal
Handling of waste and Scrap disposalganpat420
 
quality assurance audits
quality assurance audits quality assurance audits
quality assurance audits rasikawalunj
 

La actualidad más candente (20)

cGMP AS PER USFDA
cGMP AS PER USFDAcGMP AS PER USFDA
cGMP AS PER USFDA
 
Quality standards as per iso
Quality standards as per isoQuality standards as per iso
Quality standards as per iso
 
BPR review and batch release
BPR review and batch release BPR review and batch release
BPR review and batch release
 
TRS 957 (2010) - Annex 3 - WHO GMP for pharmaceutical products containing haz...
TRS 957 (2010) - Annex 3 - WHO GMP for pharmaceutical products containing haz...TRS 957 (2010) - Annex 3 - WHO GMP for pharmaceutical products containing haz...
TRS 957 (2010) - Annex 3 - WHO GMP for pharmaceutical products containing haz...
 
Computer system validation
Computer system validationComputer system validation
Computer system validation
 
Computer system validation
Computer system validation Computer system validation
Computer system validation
 
GMP Introduction
GMP IntroductionGMP Introduction
GMP Introduction
 
Corrective Action & Preventive Action
Corrective Action & Preventive ActionCorrective Action & Preventive Action
Corrective Action & Preventive Action
 
Quality Facilities HVAC and Water Systems
Quality Facilities HVAC and Water SystemsQuality Facilities HVAC and Water Systems
Quality Facilities HVAC and Water Systems
 
Gamp 5 overview by jaya prakash ra
Gamp 5 overview by jaya prakash raGamp 5 overview by jaya prakash ra
Gamp 5 overview by jaya prakash ra
 
21 cfr-part-820
21 cfr-part-82021 cfr-part-820
21 cfr-part-820
 
GMP Training: Handling of deviation
GMP Training: Handling of deviationGMP Training: Handling of deviation
GMP Training: Handling of deviation
 
Good Manufacturing Practices For Quality Control
Good Manufacturing Practices For Quality ControlGood Manufacturing Practices For Quality Control
Good Manufacturing Practices For Quality Control
 
Vendor validation,requirement for vendor validation.
Vendor validation,requirement for vendor validation.Vendor validation,requirement for vendor validation.
Vendor validation,requirement for vendor validation.
 
Cross contamination
Cross contaminationCross contamination
Cross contamination
 
Gmp checklist
Gmp checklistGmp checklist
Gmp checklist
 
Handling of waste and Scrap disposal
Handling of waste and Scrap disposalHandling of waste and Scrap disposal
Handling of waste and Scrap disposal
 
Cleaning validation
Cleaning validationCleaning validation
Cleaning validation
 
Hazard and risk management
Hazard and risk managementHazard and risk management
Hazard and risk management
 
quality assurance audits
quality assurance audits quality assurance audits
quality assurance audits
 

Destacado

Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Raul Soto
 
Regulatory Considerations for use of Cloud Computing and SaaS Environments
Regulatory Considerations for use of Cloud Computing and SaaS EnvironmentsRegulatory Considerations for use of Cloud Computing and SaaS Environments
Regulatory Considerations for use of Cloud Computing and SaaS EnvironmentsInstitute of Validation Technology
 
IT Validation Training
IT Validation TrainingIT Validation Training
IT Validation TrainingRobert Sturm
 
Computer System Validation
Computer System ValidationComputer System Validation
Computer System ValidationEric Silva
 
Overview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 GuideOverview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 GuideProPharma Group
 
Robert Morgan TRAINING report
Robert Morgan TRAINING reportRobert Morgan TRAINING report
Robert Morgan TRAINING reportMark Morgan
 
CW - SaaS Implementation - Software Timeline & HR Change Management
CW - SaaS Implementation - Software Timeline & HR Change ManagementCW - SaaS Implementation - Software Timeline & HR Change Management
CW - SaaS Implementation - Software Timeline & HR Change ManagementChristopher Wien, CCP, PHR
 
FDA Data Integrity Issues - DMS hot fixes
FDA Data Integrity Issues - DMS hot fixesFDA Data Integrity Issues - DMS hot fixes
FDA Data Integrity Issues - DMS hot fixesVidyasagar P
 
Cybersecurity Skills Audit
Cybersecurity Skills AuditCybersecurity Skills Audit
Cybersecurity Skills AuditVilius Benetis
 
A Year of Cloud First: Lessons Learned
A Year of Cloud First: Lessons LearnedA Year of Cloud First: Lessons Learned
A Year of Cloud First: Lessons LearnedMike Chapple
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB
 
Myths of validation
Myths of validationMyths of validation
Myths of validationJeff Thomas
 
Computer System Validation Then and Now — Learning Management in the Cloud
Computer System Validation Then and Now — Learning Management in the CloudComputer System Validation Then and Now — Learning Management in the Cloud
Computer System Validation Then and Now — Learning Management in the CloudInstitute of Validation Technology
 
Meet You GxP Compliance in the Cloud
Meet You GxP Compliance in the CloudMeet You GxP Compliance in the Cloud
Meet You GxP Compliance in the CloudAppian
 
ACI's Global Encryption, Cloud & Cybersecurity Controls
ACI's Global Encryption, Cloud & Cybersecurity Controls ACI's Global Encryption, Cloud & Cybersecurity Controls
ACI's Global Encryption, Cloud & Cybersecurity Controls Dyan Cornacchio
 
Cybersecurity: Connectivity, Collaboration and Security Controls
Cybersecurity: Connectivity, Collaboration and Security ControlsCybersecurity: Connectivity, Collaboration and Security Controls
Cybersecurity: Connectivity, Collaboration and Security ControlsKristian Alisasis Pura
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachTeri Radichel
 

Destacado (20)

Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)Network Infrastructure Validation Conference @UPRA (2003)
Network Infrastructure Validation Conference @UPRA (2003)
 
Virtual infrastructure qualification
Virtual infrastructure qualificationVirtual infrastructure qualification
Virtual infrastructure qualification
 
Regulatory Considerations for use of Cloud Computing and SaaS Environments
Regulatory Considerations for use of Cloud Computing and SaaS EnvironmentsRegulatory Considerations for use of Cloud Computing and SaaS Environments
Regulatory Considerations for use of Cloud Computing and SaaS Environments
 
IT Validation Training
IT Validation TrainingIT Validation Training
IT Validation Training
 
Computer System Validation
Computer System ValidationComputer System Validation
Computer System Validation
 
Overview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 GuideOverview of Computerized Systems Compliance Using the GAMP® 5 Guide
Overview of Computerized Systems Compliance Using the GAMP® 5 Guide
 
Robert Morgan TRAINING report
Robert Morgan TRAINING reportRobert Morgan TRAINING report
Robert Morgan TRAINING report
 
CW - SaaS Implementation - Software Timeline & HR Change Management
CW - SaaS Implementation - Software Timeline & HR Change ManagementCW - SaaS Implementation - Software Timeline & HR Change Management
CW - SaaS Implementation - Software Timeline & HR Change Management
 
FDA Data Integrity Issues - DMS hot fixes
FDA Data Integrity Issues - DMS hot fixesFDA Data Integrity Issues - DMS hot fixes
FDA Data Integrity Issues - DMS hot fixes
 
Cybersecurity Skills Audit
Cybersecurity Skills AuditCybersecurity Skills Audit
Cybersecurity Skills Audit
 
A Year of Cloud First: Lessons Learned
A Year of Cloud First: Lessons LearnedA Year of Cloud First: Lessons Learned
A Year of Cloud First: Lessons Learned
 
Company Product Sheet
Company Product SheetCompany Product Sheet
Company Product Sheet
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
 
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
 
Myths of validation
Myths of validationMyths of validation
Myths of validation
 
Computer System Validation Then and Now — Learning Management in the Cloud
Computer System Validation Then and Now — Learning Management in the CloudComputer System Validation Then and Now — Learning Management in the Cloud
Computer System Validation Then and Now — Learning Management in the Cloud
 
Meet You GxP Compliance in the Cloud
Meet You GxP Compliance in the CloudMeet You GxP Compliance in the Cloud
Meet You GxP Compliance in the Cloud
 
ACI's Global Encryption, Cloud & Cybersecurity Controls
ACI's Global Encryption, Cloud & Cybersecurity Controls ACI's Global Encryption, Cloud & Cybersecurity Controls
ACI's Global Encryption, Cloud & Cybersecurity Controls
 
Cybersecurity: Connectivity, Collaboration and Security Controls
Cybersecurity: Connectivity, Collaboration and Security ControlsCybersecurity: Connectivity, Collaboration and Security Controls
Cybersecurity: Connectivity, Collaboration and Security Controls
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target Breach
 

Similar a Ispe Article

Renovo CE IT White Paper
Renovo CE IT White PaperRenovo CE IT White Paper
Renovo CE IT White Papermattforrest47
 
Renovo Ce It White Paper Ism
Renovo Ce It White Paper IsmRenovo Ce It White Paper Ism
Renovo Ce It White Paper IsmAnne Granum
 
Renovo CE IT Live White Paper
Renovo CE IT Live White PaperRenovo CE IT Live White Paper
Renovo CE IT Live White Papersmthornburg55
 
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical UtilitiesNetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical UtilitiesCoreTrace Corporation
 
Imax real time data management platform for w ww (1)
Imax real time data management platform for w ww (1)Imax real time data management platform for w ww (1)
Imax real time data management platform for w ww (1)ISATECK
 
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...ESS BILBAO
 
Technology audit
Technology auditTechnology audit
Technology auditArish Roy
 
IRJET- Analysis of Micro Inversion to Improve Fault Tolerance in High Spe...
IRJET- Analysis of Micro Inversion to Improve Fault Tolerance in High Spe...IRJET- Analysis of Micro Inversion to Improve Fault Tolerance in High Spe...
IRJET- Analysis of Micro Inversion to Improve Fault Tolerance in High Spe...IRJET Journal
 
Experience with Hydro Generator Expert Systems
Experience with Hydro Generator Expert SystemsExperience with Hydro Generator Expert Systems
Experience with Hydro Generator Expert SystemsGE Measurement & Control
 
Norman Patch and Remediation
Norman Patch and RemediationNorman Patch and Remediation
Norman Patch and RemediationKavlieBorge
 
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...srinivasanece7
 
VAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfVAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfSamehMostafa33
 
Embedded Systems and Software: Enabling Innovation in the Digital Age
Embedded Systems and Software: Enabling Innovation in the Digital AgeEmbedded Systems and Software: Enabling Innovation in the Digital Age
Embedded Systems and Software: Enabling Innovation in the Digital AgeIJCSEA Journal
 
EMBEDDED SYSTEMS AND SOFTWARE: ENABLING INNOVATION IN THE DIGITAL AGE
EMBEDDED SYSTEMS AND SOFTWARE: ENABLING INNOVATION IN THE DIGITAL AGEEMBEDDED SYSTEMS AND SOFTWARE: ENABLING INNOVATION IN THE DIGITAL AGE
EMBEDDED SYSTEMS AND SOFTWARE: ENABLING INNOVATION IN THE DIGITAL AGEIJCSEA Journal
 
International Journal of Computer Science, Engineering and Applications (IJCSEA)
International Journal of Computer Science, Engineering and Applications (IJCSEA)International Journal of Computer Science, Engineering and Applications (IJCSEA)
International Journal of Computer Science, Engineering and Applications (IJCSEA)IJCSEA Journal
 
International Journal of Computer Science, Engineering and Applications (IJCSEA)
International Journal of Computer Science, Engineering and Applications (IJCSEA)International Journal of Computer Science, Engineering and Applications (IJCSEA)
International Journal of Computer Science, Engineering and Applications (IJCSEA)IJCSEA Journal
 

Similar a Ispe Article (20)

347 352
347 352347 352
347 352
 
Embedded operating systems
Embedded operating systemsEmbedded operating systems
Embedded operating systems
 
Renovo CE IT White Paper
Renovo CE IT White PaperRenovo CE IT White Paper
Renovo CE IT White Paper
 
Renovo Ce It White Paper Ism
Renovo Ce It White Paper IsmRenovo Ce It White Paper Ism
Renovo Ce It White Paper Ism
 
Renovo CE IT Live White Paper
Renovo CE IT Live White PaperRenovo CE IT Live White Paper
Renovo CE IT Live White Paper
 
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical UtilitiesNetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
 
Imax real time data management platform for w ww (1)
Imax real time data management platform for w ww (1)Imax real time data management platform for w ww (1)
Imax real time data management platform for w ww (1)
 
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
Update On The Cern. Computing And Network Infrastructure For Controls. (Cnic)...
 
Technology audit
Technology auditTechnology audit
Technology audit
 
IRJET- Analysis of Micro Inversion to Improve Fault Tolerance in High Spe...
IRJET- Analysis of Micro Inversion to Improve Fault Tolerance in High Spe...IRJET- Analysis of Micro Inversion to Improve Fault Tolerance in High Spe...
IRJET- Analysis of Micro Inversion to Improve Fault Tolerance in High Spe...
 
Experience with Hydro Generator Expert Systems
Experience with Hydro Generator Expert SystemsExperience with Hydro Generator Expert Systems
Experience with Hydro Generator Expert Systems
 
Norman Patch and Remediation
Norman Patch and RemediationNorman Patch and Remediation
Norman Patch and Remediation
 
Testability
TestabilityTestability
Testability
 
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
Ieeepro techno solutions 2013 ieee embedded project an integrated design fr...
 
Industrial networks safety & security - e+h june 2018 ben murphy
Industrial networks safety & security - e+h june 2018 ben murphyIndustrial networks safety & security - e+h june 2018 ben murphy
Industrial networks safety & security - e+h june 2018 ben murphy
 
VAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdfVAL-210-Computer-Validati-Plan-sample.pdf
VAL-210-Computer-Validati-Plan-sample.pdf
 
Embedded Systems and Software: Enabling Innovation in the Digital Age
Embedded Systems and Software: Enabling Innovation in the Digital AgeEmbedded Systems and Software: Enabling Innovation in the Digital Age
Embedded Systems and Software: Enabling Innovation in the Digital Age
 
EMBEDDED SYSTEMS AND SOFTWARE: ENABLING INNOVATION IN THE DIGITAL AGE
EMBEDDED SYSTEMS AND SOFTWARE: ENABLING INNOVATION IN THE DIGITAL AGEEMBEDDED SYSTEMS AND SOFTWARE: ENABLING INNOVATION IN THE DIGITAL AGE
EMBEDDED SYSTEMS AND SOFTWARE: ENABLING INNOVATION IN THE DIGITAL AGE
 
International Journal of Computer Science, Engineering and Applications (IJCSEA)
International Journal of Computer Science, Engineering and Applications (IJCSEA)International Journal of Computer Science, Engineering and Applications (IJCSEA)
International Journal of Computer Science, Engineering and Applications (IJCSEA)
 
International Journal of Computer Science, Engineering and Applications (IJCSEA)
International Journal of Computer Science, Engineering and Applications (IJCSEA)International Journal of Computer Science, Engineering and Applications (IJCSEA)
International Journal of Computer Science, Engineering and Applications (IJCSEA)
 

Ispe Article

  • 1. IT Infrastructure Qualification This article Reprinted from The Official Journal of ISPE describes a PHARMACEUTICAL ENGINEERING® September/October 2005, Vol. 25 No. 5 method for the An Approach to IT Infrastructure qualification of IT infrastructure that can be scaled down to fit multiple Qualification organizations, by David Stephenson whether small or large. M Introduction infrastructure. While the principles for accom- any pharmaceutical manufacturing plishing this are becoming more widely under- organizations are currently strug- stood, pragmatic guidance is lacking for those gling to establish a cost effective, organizations wishing to develop a pragmatic efficient, and regulatory compliant and holistic approach. approach to managing their enterprise-wide IT This article describes a pragmatic approach, Table A. GxP regulations FDA Short Rule Section and guidance Regulation Description appertaining to IT infrastructure. 21 CFR 211.25 Personnel Training shall be in the particular operations that the employee performs and in Qualifications current good manufacturing practice (including the current good manufacturing practice regulations in this chapter and written procedures required by these regulations) as they relate to the employee’s functions. 21 CFR 211.63 Equipment Equipment used in the manufacture, processing, packing, or holding of a drug product Design shall be of appropriate design, adequate size, and suitably located to facilitate operations for its intended use and for its cleaning and maintenance. 21 CFR 211.68 Automatic, Appropriate controls shall be exercised over computer or related systems. If such mechanical, and equipment is so used, it shall be routinely calibrated, inspected, or checked according electronic to a written program designed to assure proper performance. equipment Guidance for Systems Systems documentation should be readily available at the site where clinical trials are Industry Documentation conducted. Such documentation should provide an overall description of computerized Computerized systems and the relationship of hardware, software, and physical environment. Systems Used in Clinical Trials (Section VIII:A) April 1999 Guidance to Diagrams For each significant computerized system, it may be helpful to prepare an OED Inspection of schematic drawing of the attendant hardware. The drawing need only include major Computerized input devices, output devices, signal converters, Central Processing Unit (CPU), Systems in Drug distribution systems, significant peripheral devices and how they are linked. Processing (Section III) February 1983 Guidance to Distributed The interconnection of two or more computers... also known as distributed Inspection of Processing processing. A large CPU may also act as a “host” for one or more other CPUs. When Computerized such inspections are encountered during an inspection, it is important to know the Systems in Drug configuration of the system and exactly what command and information can be Processing relayed amongst the computers. (Section III:A:5) February 1983 Guidance to Electromagnetic Excessive Distances between CPU and Peripheral Devices. Excessively long low Inspection of Interference voltage electrical lines... are vulnerable to electromagnetic interference. This may Computerized result in inaccurate or distorted input data to the computer. In a particularly “noisy” Systems in Drug electronic environment, this problem might be solved by the use of fiber-optic lines to Processing convey digital signals. (Section III:B:1:b) February 1983 ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 1
  • 2. IT Infrastructure Qualification which minimizes qualification/validation effort (by utilizing Each of these areas requires processes and procedures to be a risk-based approach combined with a layering/partitioning established and followed in order to be considered compliant. methodology) while at the same time being sufficiently ro- bust to meet the requirements of regulatory inspection. What is Required of the Infrastructure? IT Infrastructure is generally accepted as a commodity that What is IT Infrastructure? exists to perform the required functions for all available and IT infrastructure is the collection of the computer systems in authorized users. It is therefore required to be potentially use, combined with their hardware, software (excluding busi- fault free and continuously available, almost like the electric ness applications), network components, and associated pro- and gas utilities that are part of our everyday life. In order to cesses and procedures used to run the business in question. achieve a high level of fault tolerance and availability, we This can be broken down into four specific areas: must strive to bring our infrastructure up to a certain level of compliance and demonstrated control. This is best achieved • Servers by implementing and executing a planned qualification pro- - Hardware cess, reinforced by a set of procedures that will ensure - Operating systems ongoing compliance following completion of the qualification - Support applications (virus, backup/tools, etc.) exercise. • Networks - Intelligent devices (routers and switches, etc.) Regulations Surrounding IT Infrastructure - Cabling infrastructure (copper and fiber) When we start to consider IT infrastructure qualification and - Support applications (network management/security, what it will involve, we must look closely at the reasons why etc.) we are doing it, and what the end result will be. Are we doing • Desktop it because: everyone else is doing it; fear of a regulatory - Hardware inspection; or we want to get control over our infrastructure? - Operating systems There is probably a certain amount of each of the above in - Support applications (virus, etc.) the decision making process; therefore, we need to consider • Management Applications all of the aforementioned criteria. - Security If everyone else is doing it, then surely there must be a - Network management/performance reason behind it; the pharmaceutical industry does not spend Figure 1. Infrastructure layer boundaries. 2 PHARMACEUTICAL ENGINEERING SEPTEMBER/OCTOBER 2005 ©Copyright ISPE 2005
  • 3. IT Infrastructure Qualification money on testing and documentation for no reason. combined approach that not only answers the regulatory Regulatory inspection is becoming more of a common requirements, but provides a known and trusted framework, occurrence for IT departments in the pharmaceutical indus- which the IT departments themselves can benefit from. This try. It is not usually the case that IT departments are failing then will give an added dimension to the exercise, which in their duties; often this is very far from the truth. However, should help to get the buy-in of the IT community. it is quite common that the IT department does not document The process explained below covers all aspects of the who, what, where, when, and how in a manner that is easily infrastructure and describes documents that have been de- verifiable for the regulatory inspectors. Therefore, what we signed to meet the requirements of the System Development are usually faced with is a documentation exercise aimed at Life Cycle, but also takes into account the recommendations bringing all of the various existing processes and procedures set down in ITIL (covered in the SOP section). It also has an together, and filling any gaps. approach to testing, which can be utilized to meet the require- There are many cGxP regulations and guides that explic- ments of both a large-scale organization, and those of a small itly or implicitly relate to the qualification of IT infrastruc- single-site organization. ture. Some examples are shown in Table A. In order to understand these processes, we must first We have so far looked at the infrastructure, what it understand the boundaries that they encompass. consists of, what is expected of it, and why we qualify it. The Therefore, we must define the infrastructure clearly, tak- next step is how do we do it? ing into consideration the scope of the formal infrastructure qualification (i.e., what to qualify). Based upon experience Methodology Background there are two main approaches: The following methodology is one that has been used over a number of sites throughout Europe. It has been developed • Partition the infrastructure into GxP and non-GxP critical through both consultation with clients and with a weather components. Qualify only the GxP critical components and eye on the quality and regulatory expectations surrounding use good IT practices to commission and maintain the non- IT infrastructure. GxP critical components. This methodology was set up to provide both compliance and practicality. In order to achieve this, there are some very • Take a blanket approach and qualify all components. basic requirements that must be met: Because of the broader business needs to qualify infrastruc- • We must produce a comprehensive yet manageable docu- ture, most medium and large size organizations are leaning ment set, which will be easy to maintain and understand. toward qualification of the entire infrastructure. Partition- ing will be less appropriate in the case of large multinationals • We must not overburden the qualification exercise with with an integrated IT infrastructure. unnecessary testing and documentation. (We must carry In addition, different types of components will require out the correct level of qualification on a case by case basis, different approaches to qualification, and similar compo- justified by a documented, risk-based rationale.) nents will have the same basic requirements to achieve a qualified status, e.g., a network switch may be configured • The infrastructure qualification status must be controlled differently to another switch (since the infrastructure is so that ongoing changes do not affect the qualification ‘common’ to all applications, the risk can be assumed to be status. common) but will have the same level of verification, testing, and controls applied to it. • We must ensure that the processes are easily operable on We can categorize components into infrastructure layers a day to day basis by the local site IT department, minimiz- based on the type of service or function they provide within ing the ongoing maintenance burden. the infrastructure. Components in the same layer will re- quire the same basic qualification activities. If we now consider the last bullet point from the previous Figure 1 illustrates the boundaries within IT infrastructure section, “We want control over our infrastructure,” this and demonstrates that the IT infrastructure not only supports can be achieved by a pragmatic qualification of the existing the business applications, but also is critical for maintaining infrastructure, while tying in a quality service framework the overall and ongoing compliance of the system. (see ITIL) that will keep the infrastructure both compliant Figure 1 shows a representation of the layers defined for and efficient as it moves through its working life.1,2,3 This will infrastructure. A description of these layers is provided ensure that the infrastructure qualification is understand- below. able and compliant, and conforms to the local quality pro- cesses and procedures. Network Links The following discussion will expand on the basic require- This layer defines the network hardware that physically ments of the cGxP regulations, and include the type of connects the network (e.g., copper cable/optical fiber, outlets, industry standard, service framework as set down by such patch cables, repeaters, hubs, Network Interface Cards, and bodies as IT Infrastructure Library (ITIL) and provide a device drivers). ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 3
  • 4. IT Infrastructure Qualification Network Hardware servers to support the performance, integrity, and availabil- This layer is used for basic communication, addressing and ity of the service. routing, and includes switches, routers, hardware Uninterruptible Power Supplies (UPSs), and firewalls. Servers and other Higher Platform Devices Servers, printers, pagers can be considered within this layer. Lower Network Services Pagers and cellular mobile phones are possible vectors for This layer includes items such as operating system, Virtual system alert messaging. This is for sending alerts related to, Private Networks (VPNs), DNS, or file system managers. for example, capacity management or intrusion detection to an engineer. Components such as BMC Patrol utilize this Infrastructure Services technology and correct configuration of these components There are a number of components that will be installed on enabling communication to the devices should be qualified. Layer Minimum Definition Minimum Testing Minimum Control Requirements Requirements Requirements Network Links • Standard technical • Basic connection/power test • Network Diagram (down to low level – e.g., specifications for labelling of network access point and patch component requisitioning panels) • Inventory management recording configuration details for applicable components (e.g., device drivers) • Ongoing monitoring of performance Network Hardware • Configuration specification • Testing instructions and results for • Inventory management recording configuration and installation instructions initial item of each type (carried out details (item number, location, with each item for all hardware items by within a controlled testing environment), identified on network schematic) type based on supplier including performance testing against • Ongoing monitoring of performance documentation requirements • Basic installation testing for subsequent items of type tested Lower Network Services • Configuration specification • Software updates/patches to be • Inventory Management (e.g., license numbers, and Installation instructions installed into a controlled test install location) (as part of server build), environment and monitored for a defined • Privileged access usage procedures (e.g., for based upon supplier period prior to installation to production system admin [root] access) documentation • Ongoing monitoring of performance Infrastructure Services Partial Lifecycle: • Performance Testing based on • Inventory Management (e.g., license numbers, • Definition of service requirements install location) requirements • Change Management (to control software • Configuration specification updates) and Installation Instructions • Ongoing monitoring of performance based on vendor-supplied documentation Servers and other higher • Configuration specification • Testing instructions and results for • Inventory management recording configuration platform devices and installation instructions initial item of each type (carried out details (includes log of installed items, including for all hardware items by with a controlled test environment), all installed services and applications) type based upon vendor- including performance testing against • Ongoing monitoring of performance supplied instructions requirements, based on supplier guidance • Limited installation testing for subsequent items of type tested Infrastructure Framework Full Lifecycle Documentation: Full Qualification: • Software Change Control Components • URS • IQ • Ongoing monitoring of performance (In-house developed) • FS • Unit Test • SDS • Functional Test • DQ • Integration Test Infrastructure Framework Partial Lifecycle: • Performance Testing based on • Software Change Control Components • Requirements definition requirements • Ongoing monitoring of performance (third-party) • Installation and Configuration Instructions based on vendor-supplied documentation Client Devices • Installation and • Operability test • Restrict user modification of system configuration Configuration Instructions (e.g., system clock, ability to install/uninstall for standard PC build programs) • Inventory management recording configuration details (e.g., location, RAM, processor) • Ongoing monitoring of performance Table B. Layer qualification activities. 4 PHARMACEUTICAL ENGINEERING SEPTEMBER/OCTOBER 2005 ©Copyright ISPE 2005
  • 5. IT Infrastructure Qualification Infrastructure Framework Components (In-House Developed) These can be both in-house developed and third-party. Sys- tem frameworks perform low-level functionality on behalf of the caller and interact with the infrastructure services to realize the request. They serve as a bridge between the business service and the infrastructure service. This can be achieved using standard code or custom developed code and the supporting procedures and standard required to develop it. Client Devices These are services across the business that allow mainte- nance and control of the infrastructure. Examples include personal computers, laptops, PDAs, mobile RFI terminals, etc. Horizontal Business Services (Package Figure 2. Factors influencing qualification level. (Microsoft SMS), In-House Developed (Custom Code), In-House Developed (where service core functions of the UNIX operating system due to the consists of configured framework components) confidence we have in Hewlett-Packard to produce the prod- These are the infrastructure applications which provide uct correctly (Supplier Quality), it has a tried and tested company wide services, e-mail, SMS, print services, etc. install process (Implementer Expertise) and it is used with- out problem throughout industry (Component Reliability). Layer Qualification Activities Therefore, there are three primary factors to consider The baseline qualification activities that should be per- when deciding on a pragmatic level of qualification - Figure formed for a component assigned to a particular infrastruc- 2. ture layer are described in Table C. In general, qualification The higher the confidence and trust we have in each of activities increase as we go up through the layers. This these factors, the lower the qualification burden on the reflects the fact that higher layers of the model will be more company. functional and will have more interaction with regulated Assessing these factors allows us to reduce the qualifica- applications than lower layers. It must be appreciated that tion activities required where appropriate, and also apply a this is one approach to defining qualification activities and detailed risk assessment when necessary, bearing in mind organizations must define their own, specific to their indi- that there is always a risk that a component may directly vidual needs. impact data that can affect the quality of the product or the safety of the consumer. Qualification Level Determination Therefore, this must be assessed where appropriate by In drug manufacture, companies will often use raw materials performing a detailed risk assessment on a particular compo- from a supplier with minimal or no testing, accepting the nent, thus identifying its functions and/or operations that are manufacturers test evidence as quality of the material. This at risk of failure and allowing us to quantify that risk and is based on the trust the company has in the supplier to provide for risk mitigation. consistently provide quality raw materials. This trust is supported and evidenced by a combination of historic experi- Assessing Qualification Level ence (what has the supplier provided in the past), supplier As shown above, assessing the key factors of Component audit, and periodic monitoring of the material quality. Reliability, Supplier Quality, and Implementer Expertise Infrastructure components can be seen as analogous to allows a pragmatic level of qualification to be determined pharmaceutical raw materials in this respect as they are: based on the baseline activities described in Table C. Following the decision tree illustrated in Figure 3 allows • basic building blocks of the final product or system this qualification level to be achieved. The qualification level • simple compared with the final product or system can be used to modify the baseline set of qualification activi- • often produced in a highly repeatable and consistent ties, providing a pragmatic set of activities for the component. process Figure 4 describes the risk-based modification of the baseline qualification activities. In addition, infrastructure components are often used exten- The infrastructure layer where the component resides sively throughout the business world. This can provide us provides a baseline set of qualification activities as defined in with a degree of confidence in the component that mitigates Table B. The qualification level determined for the compo- the need for high levels of qualification. nent in Table C modifies this set of activities to allow for the For example, we do not perform functional testing on the possible risk derived from Component Reliability, Supplier ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 5
  • 6. IT Infrastructure Qualification Figure 3. Qualification level decision tree. Quality, and Implementer Expertise, as described in Figure 2. Production of a Traceability Matrix 2. This may indicate the requirement for a formal risk 3. Production of Installation Qualification/Operational Quali- assessment. However, it must be stated that we are not fication (IQ/OQ) Protocols, including (but not limited to) looking to put in place a big complex risk assessment meth- the following: odology, but a risk-based framework that leverages (docu- • Switches and Routers mented) good suppliers, quality products, etc. • Network Link (Cabling) If we consider the NIST SP 800-30 approach, we can allow • Network Management Applications (If Utilized) for many generic risks as part of the design process, and • Servers H/W and Operating Systems therefore, it is not necessary to perform a separate risk • Desktop Applications and Configuration assessment so long as design documents identify which 4. Review/Update of Standard Operating Procedures design elements address various risk scenarios. 5. Production of IQ/OQ Reports for the Executed Protocols Figure 4 shows the process for determining the final set of 6. Production of a Qualification Summary Report activities required for qualifying an infrastructure compo- nent. These deliverables are expanded below: The final set of activities will be documented in a Qualification Plan (including required remediation of legacy As-Built Specification infrastructure). This will detail the specific activities to be This document will be written in order to detail the ‘as-built’ performed, including a rationale that justifies those activi- functional and design specification for network infrastruc- ties and will identify the deliverables that will be produced as ture (in line with client standards). It will define how the part of the qualification. network infrastructure is configured and functions for both This plan could include the following activities dependant hardware and software and its interaction with other sys- on the result of the process carried out: tems. The document will typically contain the configuration items for each of the devices on the network, how they are 1. Production of an As-Built Specification for the whole IT interconnected, and which IT industry standards they com- infrastructure ply with. Thus, it provides a reference document that could be 6 PHARMACEUTICAL ENGINEERING SEPTEMBER/OCTOBER 2005 ©Copyright ISPE 2005
  • 7. IT Infrastructure Qualification used to assist in the rebuilding of the infrastructure following Level Details a disaster if required (each device is represented as an attachment to the main document, which sets out the stan- 0 The company will apply the Definition and Control activities described in Table B. The implementer will perform testing dards required for new equipment). Following qualification, activities. (Note: the implementer may also provide some Control this document will be maintained throughout the life of the requirements.) system with any updates being fed into it via a formalized IT 1 Refer to Table B. configuration management and change control process. 2 Refer to Table B with the addition of documented data to show the general acceptance of the component within industry. If this is Traceability Matrix unavailable (e.g., innovative component) go to Level 4. As in all qualification exercises, there is a fundamental need 3 Activities defined in Table B with the addition of Supplier Audit. to provide traceability from the requirements through to the The result of Supplier Audit may require additional qualification testing. In the case of the infrastructure that already exists, activities as determined by risk assessment. traceability is provided from the system functionality through 4 Activities defined in Table B with additional qualification activities to the design (as detailed in the as-built specification). We as determined by risk assessment, e.g., redundancy testing of RAID configuration supporting GxP critical data. also can include at this point, the business requirements that are expected of the infrastructure. All areas are verified by * Appropriate documented evidence (e.g., implementer audit) is required to prove the expertise and previous experience of the testing that will be carried out during execution of the implementer with component type. relevant IQ/OQ protocols. In addition to the obvious trace- Table C. Qualification level activities - refer to Figure 3. ability provided between the IT infrastructure and GxP Critical Applications, this collection of information may be • Desktop Configuration Protocols advantageous in providing an overview of the impact of failure in the case of dedicated components (i.e., which appli- In general, these can be written as generic protocols (per cations will fail if a server fails). device type), which can be used across all of the devices being tested. They will typically contain attachments, which will IQ/OQ Protocols cover the various types of devices and operating systems These will be written to include all of the infrastructure utilized. devices and could include: Each of the protocols will have associated attachments containing test cases, which are used to capture information, • Switch/Router Protocols and test functionality of the components. (In order to reduce • Server Protocols testing at OQ, “type testing” could be utilized.) These test • Network Management Application Protocols cases could typically include: GAMP® Section Title ITIL Section Title 7.11 Maintaining the Validated State 7.11.1 Operational Plans and Procedures Throughout All 7.11.2 Training 4.4.11 (SS) Identifying Training Needs 5.5.3 (SS) Possible Problem Areas 7.11.3 Problem Management and Resolution 6 (SS) Problem Management 7.11.4 Service Level Agreements 4 (SD) Service Level Management 7.11.5 System Management 7 (SD) IT Service Continuity Management 7.11.6 Backup and Recovery 7.3.2 (SD) Requirements Analysis and Strategy 8.5.4 (SD) Definition Designing for Recovery 7.11.7 Configuration Management 7 (SS) Configuration Management 7.11.8 Operational Change Control 8 (SS) Change Management 9 (SS) Release Management 7.11.9 Security Management ALL (SM) Best Practice for Security Management 7.11.10 Performance Monitoring 8 (SD) Availability Management 7.11.11 Record Retention, Archiving, and Retrieval 7.3.3 (SD) (Service Continuity Management) Implementation 7.11.12 Business Continuity Planning 7.3 (SD) The Business Continuity Lifecycle 7.11.13 Periodic Review 7.3.4 (SD) Stage 4 Operational Management 7.11.14 System Retirement Legend: (SS) Best Practice for Service Support (SD) Best Practice for Service Delivery Table D. Cross reference of ITIL to GAMP 4, section 7.11. ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 7
  • 8. IT Infrastructure Qualification GAMP® 4 section 7.11 “Maintaining the Validated State:”5 If we approach the subject of SOPs, with reference to both GAMP® and ITIL, combining their approaches, we can pro- duce an approach that is both compliant and efficient when utilized in support of the IT infrastructure. IQ/OQ Reports An IQ/OQ report will be written against all of the protocols that were executed. It will verify and record that cabling, routers, switches, servers, desktops, and applications (where applicable), installed as part of the site network infrastruc- ture, have been assembled, installed, and tested in accor- Figure 4. Overview of qualification activity determination. dance with design criteria and the manufacturers recommen- • Configuration Items dations. These reports once written can be brought together • Physical and Logical Security Checks in a cohesive package, containing: • Utilities, Services and Support Applications • Network Connectivity • the original signed protocol • Documentation • the executed protocol attachments • the recorded evidence (screen captures) Fiber and UTP/STP Cable Protocol • the protocol report Within these protocols, test cases are used to verify the following: Qualification Summary Report The final step is to combine the documents together and wrap • the cable possessed a valid Test Certificate (to TSB 67, ISO up the qualification exercise in a final summary report, which 11801 or another valid standard) should detail the following: • all Network Infrastructure documentation affected by the • verification of the qualification deliverables project had been updated (including topology and site • verification of the protocols executed and the test data cabling schematics) produced • explanation of any exceptions/deviations recorded and • the cables have been installed and labelled in accordance how they were resolved with the site standards • verification of SOP creation and testing • verification that all documents and electronic files have Standard Operating Procedures been stored in a secure location As we are looking directly at the operational management of • verification that processes have been put into place to the whole IT infrastructure, there is need to create/review the ensure that ongoing compliance will be maintained existing SOPs against the framework for operational man- agement set up in ITIL, and the framework for compliance Conclusion specified in GAMP® 4. In conclusion, my experience is that IT infrastructure can be Figure 5 represents the framework for operational man- qualified and controlled in a pragmatic and cost effective agement (Service Support and Service Delivery), taken from manner. The approach to infrastructure qualification de- ITIL. These areas can map across to the sections specified in tailed above is one where: • The infrastructure hierarchy is defined with respect to layers and components within these layers. • A clear, enterprise-wide decision is taken on whether or not to segregate the infrastructure into GxP and non-GxP segments. Minimum qualification requirements are defined for each layer, based upon a series of documented risk assessments • Appropriate documentation is developed (processes, poli- cies, procedures, work instructions, and checklists) to support the above decisions and the qualification activi- ties. Figure 5. ITIL framework for operational management. 8 PHARMACEUTICAL ENGINEERING SEPTEMBER/OCTOBER 2005 ©Copyright ISPE 2005
  • 9. IT Infrastructure Qualification • Risk assessment is used to identify where additional References qualification/validation is required. 1. ITIL Best Practice for Service Delivery, third impression 2002. This approach has been demonstrated to be scalable in terms 2. ITIL Best Practice for Service Support, seventh impres- of organization size and infrastructure technology and to sion 2004. provide a method by which the cost of IT infrastructure 3. ITIL Best Practice for Security Management, seventh qualification and on-going control can be reduced to an impression 2004. acceptable minimum. 4. ISPE GAMP Forum, “Risk Assessment for Use of Auto- mated Systems Supporting Manufacturing Processes, Part Acronyms and Abbreviations 1 - Functional Risk,” Pharmaceutical Engineering, May/ DDS - Detailed Design Specification June 2003, pp. 16-26. 5. GAMP® 4, Good Automated Manufacturing Practice FRS - Functional Requirements Specification (GAMP®) Guide for Validation of Automated Systems, ISPE, Fourth Edition, December 2001, www.ispe.org. ITIL - IT Infrastructure Library 6. GAMP Good Practice Guide: IT Infrastructure Control and Compliance, ISPE, First Edition, August 2005, LAN - Local Area Network www.ispe.org. Multi-Mode Fiber - Optical fiber supporting propagation of About the Author multiple frequencies of light Multi-mode fibers have rela- David Stephenson joined the Life Sciences tively thick core that reflects light at many angles. Multi- Division of Mi Services in 2004 where he is mode transmitters usually use LEDs as a light source and a Head of IS Compliance. During his 15 years photodiode detector to translate light signals into electrical in the pharmaceutical industry, he has signals. worked for Mi Services, ABB, and GSK in computer systems validation, network man- Router - A device that connects two networks and allows agement and administration, and computer packets to be transmitted and received between them. access and security. Now focused on infra- structure qualification, he is a member of the GAMP® Infra- Single Mode Fiber - Optical fiber with a narrow core that structure Special Interest Group (SIG), whose Good Practice allows light to enter at a single angle only. This type of fiber Guide: IT Infrastructure Control and Compliance was has higher bandwidth than multi-mode fiber. Also known as launched in August 2005. During 2003/2004, he has been monomode fiber. leading the qualification effort for the IT network infrastruc- ture at various pharmaceutical manufacturing sites in Eu- STP - Shielded Twisted Pair. A four pair medium used in a rope, including the qualification of Cisco equipment (routers/ variety of networks. switches, etc.), site servers, network management applica- tions, physical layer connectivity (fiber and copper cabling), Specifications - Describes the requirements and design of a and the provision of procedural controls. He has presented at system. CSV conferences on the subjects of network qualification and the impact of SOPs on IT departments. Within ABB and Mi Switch - A logical device which connects multiple segments Services, he has been developing a common methodology for of a network together and passes data on to the required both retrospective and prospective IT network qualification, recipient. including the production of guidance and associated training packages. He is a member of ISPE and the Institute of UTP - Unshielded Twisted Pair. A four pair medium used in Leadership and Management (MinstLM). a variety of networks. Mi Services Group Ltd., 7 Camberwell Way, Doxford International Business Park, Sunderland, Tyne and Wear SR3 3XN, United Kingdom. ©Copyright ISPE 2005 SEPTEMBER/OCTOBER 2005 PHARMACEUTICAL ENGINEERING 9