Manual 070 Information Technology Infrastructure Qualification

1 Purpose
This Guideline provides guidance on the qualification requirements to be applied to
the Information Technology infrastructure. The establishment and maintenance of a
qualified infrastructure for any regulated company is fundamental to meeting current
business and regulatory requirements in respect of systems stability, reliability and
security.

2 Scope and Applicability

This guideline applies to all business functions and contracted third parties who
install, operate, manage or maintain the infrastructure. The requirement for
qualification applies to all components of the infrastructure. This is necessary
because of the interconnectivity of the network (a fundamental design requirement)
and possible (unwanted) interactions that might ensue without conformance to the
minimum standards contained in this Guideline.

The following infrastructure elements are covered by this guideline:

· Local and wide area networks (e.g. data transmission cabling, hubs,
routers, bridges and switches, etc.).
· Servers and mainframe computers (and their operating systems and
supporting software products).
· Clients (and their operating systems).
· Peripheral equipment (e.g. networked printers and storage devices)
· Electrical power supply and heating, ventilating and air conditioning
equipment for server rooms and data centers.
· Server rooms and data centers.
· Infrastructure monitoring, management and maintenance systems.
· Middleware or enabling software., e.g. Oracle, SQL etc.)

3 Definitions

3.1 Installation Qualification

Documented verification that all physical aspects of a facility or system, which

affect product quality, adhere to the approved specification and are correctly
installed.

3.2 Operational Qualification

Documented verification that all functional aspects of a facility or system, which

affect product quality, perform as intended throughout all anticipated operating
ranges.

3.3 Change Request

This is a collective name for a ‘Request for Change’ form.

Copyright©www.gmpsop.com. All rights reserved

Unauthorized copying, publishing, transmission and distribution of any part of the content by
electronic means are strictly prohibited. Page 2 of 10
 Manual 070 Information Technology Infrastructure Qualification

4.1 Infrastructure Owner

A person, or persons, who is/are ‘accountable’ for the provision, operation, and
management of the infrastructure. This position could have a business wide remit
or a local accountability for the infrastructure present on the site. Ultimate
accountability for the status of the application lies with the System Owner, and this
includes the relevant infrastructure.

4.2 Infrastructure Manager

A person, or persons, who is/are delegated by the Infrastructure Owner to be

responsible for the day-to-day management of the infrastructure. A third party
may perform this role.

4.3 Network Manager

A person, or persons, who is/are delegated by the Infrastructure Manager to be

responsible for the day-to-day operation of network components, e.g. data
transmission equipment, cabling, routers, switches and hubs, etc. A third party
may perform this role.

4.4 IS Quality Manager

The IS Quality Manager assures that the IS unit operates a documented quality
management system and processes to implement the company IS Quality
Policy and Principles.

4.5 Functional Quality Assurance

Functional Quality Assurance will assure that regulated processes and supporting
IS and IT systems remain compliant. For further guidance, please refer to ‘Roles

4.6 IS Security Manager

The IS Security Manager will advise on all aspects about the security of the
infrastructure.

5 Guideline

5.1 Company Quality, Compliance and Security Standards

The standards applied to the management of the infrastructure must meet IS Quality,
Compliance and Security policies and standards and the requirements of
regulatory agencies (health, financial, etc.).

5.2 Infrastructure Life cycle

For infrastructure development a life cycle model must be used. To maintain

the logical order, the deliverables from each stage of the life cycle must be
approved before the next stage is commenced. A stage in the life cycle is

Copyright©www.gmpsop.com. All rights reserved

Unauthorized copying, publishing, transmission and distribution of any part of the content by
electronic means are strictly prohibited. Page 4 of 10
 Manual 070 Information Technology Infrastructure Qualification

5.3.2 Development Environments

In the special case of ‘thrash and crash’ environments, e.g. ‘sandboxes’ and
other development regions of the infrastructure, the interactions, if any, between the
development region and the wider infrastructure (if a connection exists between the
two regions) must be formally assessed for any security and compliance risks and
qualification process must be followed.

5.3.3 Qualification Documentation

Adequate documentation is an essential part of the qualification and infrastructure

management processes and all deliverables must be documented. Lack of adequate
records will cause costly delays, errors and in some cases possible unwanted actions
from regulators.

The documented evidence that is necessary to demonstrate qualification of

infrastructure components can be seen in table 1 below. Each deliverable may
be a separate document or combined for routine and simple changes and may
cover one component which itself may be representative of a class of components.

Qualification of common and routine changes may be covered by a pre-determined

change procedure and the qualification deliverables documented on the change
request documentation.

5.3.3.1 Qualification Deliverables Flow

The illustration “Qualification Deliverable Flow” describes the order in which the
deliverables should be produced from planning to completed qualification.

· Work on the Qualification Plan may start after the feasibility and/or
initiating stage is finished.

· Work on Requirements specification also starts at this point, butthe RS

must be completed prior to, or at the latest in parallel with the QP.

· For the actual planning of the qualification work to take place (writing the
Test Plan), Functional Specifications, Technical Specifications and Design
Specifications are to be completed, so that the correct acceptance criteria can
be entered into the Test Plan.
· Input documents to the QP as well as documents created after completion of
the QP are to be appropriately signed, dated and approved. After completion
of a QP, tests are to be performed signed and dated. Version control must be
used for all documents. All changes must be traceable. All documents,
including test results, should be easily made available. These documents will
also be used during an audit or inspection

Copyright©www.gmpsop.com. All rights reserved

Unauthorized copying, publishing, transmission and distribution of any part of the content by
electronic means are strictly prohibited. Page 6 of 10
 Manual 070 Information Technology Infrastructure Qualification

5.3.3.2 Deliverables Description

Figure: Deliverables Description

Copyright©www.gmpsop.com. All rights reserved

Unauthorized copying, publishing, transmission and distribution of any part of the content by
electronic means are strictly prohibited. Page 8 of 10