CONTENTS

List of Tables
List of Figures
Preface

1 Introduction

2 Infrastructure Lifecycle Approach
  Recommendation and Conceptualization
  Design
  Design Reviews
  Development and Integration
  Implementation
  Release for Use
  Operational Life
  Retirement
  Retaining Project and Qualification-Related Deliverables
  Chapter 2 Summary

3 Infrastructure Qualification Overview
  What is Infrastructure?
  What is Infrastructure Qualification?
  Why Qualify the Computer Infrastructure?
  Introduction to the Infrastructure Qualification Process
  All Together

4 FDA Enforcement
  Introduction
  FDA Computer Systems Enforcement
  Ganes Chemicals (483 — 1999)
  Eli Lilly & Company (483 — 2001)

Prelims 25/7/06 1:49 pm Page iii

www.pda.org/bookstore

  Pharmacia Corporation (483 — 2000 and Warning Letter — 2001)
  Novartis Pharma GmbH (483 — 2002)
  Skele Tech (483 — 2003)
  Company Unknown (483 — 20904)
  Company Unknown (Warning Letter — 2004)
  International Pharm & Biotech Labs (EIR — June 2003)

5 Regulatory Requirements
  Introduction
  Potential Regulatory Consequences
  US FDA Regulatory Requirements
  EU Regulatory Guidance

6 21 CFR Part 11
  Introduction
  LAN/WAN
  Server Hardware and Service Components
  System-level Software

7 Procedural Controls

8 Computer Infrastructure Security
  Physical Security
  Network Security
  Other Key Security Elements

  OSI Model Security Services
  Authentication

  Protection of Records and Audit Trails
  Protection of Records
  Audit Trails

9 Infrastructure Qualification Planning
  Introduction
  Qualification Project Plan
  Project Schedule

10 Qualification Testing
  Introduction
  Qualification Testing Lifecycle

  Test Plan
  Protocol
  Summary (Analysis) Report

  Commissioning
  Sample Qualification Testing/Commissioning Test Cases

  System-level Software
  Application Servers
  Service Components
  LAN/WAN

Infrastructure Qualification in the FDA Regulated Industry

  Miscellaneous Equipment
  Network Centers

11 Qualification Testing System-level Software
  Introduction
  Server and Controllers Operating Systems

  Qualification Testing Practices for Operating Systems
  Part 11 Areas of Interest

  Network Operating Systems
  Qualification Testing Practices for Operating Systems
  Qualification Testing Practices for Firmware
  Part 11 Areas of Interest

  Security, Diagnostic and Monitoring Tools
  Qualification Testing Practices for Standard Software Packages
  Part 11 Areas of Interest

  Desktop Images
  Scripts

  Qualification Testing Practices for Scripts
  Part 11 Areas of Interest

  File and Database Management
  Middleware

  Part 11 Areas of Interest

12 Qualification Testing Application Servers and Service Components
  Installation Qualification
  Operational Qualification

13 Qualification Testing LAN Devices
  Switch
  Router
  Qualification of Other LAN Devices

  Hub
  Gateways
  Repeaters
  Bridges
  Brouter

14 Qualification Testing WAN Devices
  External Router
  WAN Links
  Firewall
  VPN Switches
  Load Balancing Devices
  Intrusion Detection Devices

15 Qualification Testing WAN/LAN System

16 Qualification Testing the Storage Area Networks
  Introduction
  Qualification Strategy
  Part 11

17 Qualification Wireless Services
  WLAN Devices

  Access Point
  VPN Server
  LAN Switch

  WLAN System Qualification

18 Qualification Testing Network Centers
  Introduction
  Qualification Testing
  Installation Qualification
  Operational Qualification

19 Qualification Testing Database Manager
  Introduction
  Database Server — Single or Cluster
  Database Server Software
  Critical Database Server Issues
  Part 11 Considerations
  Qualification Testing

20 Change Management
  Introduction
  Type of Change
  Change Management Process
  Emergency Changes
  Part 11 and Infrastructure Related Change

21 Training

22 Remediation Project
  Introduction
  Infrastructure Evaluation
  Corrective Action Planning

  Interpretation
  Impact Assessment
  Training
  Suppliers Qualification Program

  Remediation
  Remediation Project Report

23 Maintaining the State of Qualification
  Introduction

  Security
  Operational Management
  Operational Network Management
  Business Continuity
  Problem Reporting
  Control of Changes
  Periodic Review
  Retirement
  On-going Verification Program

Appendix A Glossary of Terms
Appendix B Abbreviations and/or Acronyms
Appendix C Infrastructure Basics
Appendix D Compliance Policy Guides
Appendix E Documentation: Brief Description
Appendix F OSI and TCP/IP Network Models
Appendix G References
Appendix H Qualification of Computer Networks
Appendix I Words Signifying the Requirements in Specification
Appendix J Case Study: A Network Upgrade

Index

LIST OF TABLES

5.1 cGMPs Regulations Application to Computer Systems
5.2 Comparison GMPs, EU Annex 11 and Part 11
8.1 Part 11 Security Related Requirements/Controls
12.1 Category of Servers
23.1 Period/Events Computer Systems Operational Life
H1 NEED CAPTION

LIST OF FIGURES

2.1 Infrastructure Qualification Lifecycle
2.2 Conceptualization
2.3 Design Evaluation Cycle
2.4 Design
2.5 Design Reviews
2.6 Development and Integration
2.7 Implementation
2.8 Release for Use
2.9 Operational Life
3.1 A Computer System and the Operating Environment
3.2 Application/Infrastructure Development and Installation Correlation
8.1 Security Issues to Consider
8.2 Security Services Provided by OSI Layers
8.3 SSL 3.0 Protocol
9.1 Systems Development Distribution
11.1 OSI and the TCP/IP Reference Models
17.1 NEED CAPTION
22.1 Complete Part 11 Remediation Project
F1 The Seven Layers of OSI
F2 Comparison between OSI and TCP/IP Models
H1 System Block Diagram
J1 Previous “Hub and Spoke” Technology
J2 New “Ring” Technology
J3 Project Plan Table of Contents
J4 Sample Installation Checklist

PREFACE

The need to validate computerised systems supporting the development, manufacture, and supply of medicinal products is well understood. The validation of applications has been the primary focus and quite rightly too with the impact these systems can have on the quality, safety and efficacy of drug products. Now however with modern IT solutions there is a growing dependency on robust and secure infrastructure [1,2]. Deficiencies in the IT infrastructure (e.g. virus protection, personal identity authentication, password management, and electronic records management) will compromise the validated status of computerised systems. It is important therefore that IT infrastructure is developed and maintained to support the regulatory compliance of the applications it supports. Desktop configuration, network design and management, and the use of internet/intranet/extranets are just some of the topics that need to be addressed.

It is important to appreciate that IT infrastructure has its own special character. It is more organic than computer applications in the sense that it grows and evolves to meet the changing needs of the multitude of applications being supported. It cannot be thought of as a discrete element like an individual computer application. This is often reflected by the organisation of the IT department responsible for IT infrastructure. A different approach and procedures are required.

Regulatory authorities have made numerous citations for what they consider non-compliant IT infrastructure [2]. Regulatory expectations for IT infrastructure however are not explicitly defined although some regulatory guidance does exist [3]. ISPE/GAMP has been working on the topic of IT infrastructure for many years to clarify requirements and has developed some guidance material [4]. PDA has also developed some guidance material [5]. The definition of requirements to date however largely presents principles rather than a working manual for compliance.

The management and controls for IT infrastructure must always be cognisant of the relative risk posed to patients. IT infrastructure will normally be considered as having an indirect impact on patient safety. Consequently IT infrastructure does not normally require the same validation approach adopted for computerised systems with a direct impact on patient safety. This is not to undermine the key role infrastructure plays in assuring the reliable operation and record integrity required by applications. However care must be taken not to inadvertently over-engineer solutions on the basis of perceived regulatory compliance. Whatever is done needs to be done on the basis of tangible benefits.

This book presents some of the latest thinking on how to tackle what can often be quite daunting questions on how to assure IT infrastructure for regulatory compliance. Orlando Lopez gives clear direction on how to approach IT Infrastructure based on personal experience and industry discussions. The principles behind the guidance given in this book are consistent with the latest edition of the GAMP4 Guide [6]. Lopez takes these principles into practice with a working level of detail that will be welcomed by practitioners. Inexperienced and experienced practitioners alike will find valuable insights into how best to address IT Infrastructure.

References

[1] Wingate, G.A.S. (2000) Validating Corporate Computer Systems: Good IT Practice for Pharmaceutical Manufacturers, Interpharm Press.

[2] Wingate, G.A.S. (2004) Computer Systems Validation: Quality Assurance, Risk Management and Regulatory Compliance for Pharmaceutical and Healthcare Companies, Interpharm Press.

[3] Pharmaceutical Inspection Co-operation Scheme (2005) Good Practices for Computerised Systems in Regulated GxP Environments, Pharmaceutical Inspection Convention, PI 011-1, Geneva.

[4] GAMP Forum (2004) GAMP Good Practice Guide for IT Infrastructure Control and Compliance, published by International Society for Pharmaceutical Engineering (www.ispe.org).

[5] Crosson, J.E., Campbell, M.W., Noonan, T. (2000) Network Management in an FDA-Regulated Environment, PDA Journal of Pharmaceutical Science and Technology.

[6] GAMP Forum (2001) GAMP Guide for Validation of Automated Systems (known as GAMP4), published by International Society for Pharmaceutical Engineering (www.ispe.org).
