Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Why do we have to qualify IT infrastructure

Discussion in 'Qualification & Validation (Also 21 CFR Part 11)' started by Speedfan, Jan 15, 2020.

  1. Speedfan

    Speedfan New Member

    Jan 15, 2020
    Likes Received:
    Trophy Points:
    Hello everyone,

    I just have one question about infrastructure qualification.
    By "infrastructure qualification" I mean :
    - Servers,
    - Switch,
    - Firewall,
    - ect..

    Indeed, if I'm right, this infrastructure need to be qualified according the 21 CFR part 11.

    But there is one thing I don't understand.

    For me, the system who need to be qualified are system who have an impact with :
    • Product quality,
    • Patient consequences,
    • Data integrity,
    I could see that because the IT infrastructure is used by computerized system who are validated, it has to be qualified too.

    Here is the thing I don't understand.

    Why do we need to qualified a switch ? A firewall, or a server who do not have a direct quality impact.

    If my switch power off or crash, what is the risk behind this ?
    My validated application is offline (for example), data can't transite but it's a business impact, not quality or data integrity.

    Same for a RDS server for example.
    I have a farm of 3 RDS server, who are just use by users for Office 2016 and chrome application.
    Why do I need to qualified this ?

    Same for a firewall.
    If the firewall is down, what is the quality impact ?

    I don't know if I'm clear.
    And sorry for my english ;)

  2. yodon

    yodon Well-Known Member

    Aug 3, 2015
    Likes Received:
    Trophy Points:
    No worries about your English, you were perfectly clear!

    Let me turn the question around on you just a bit: what do you believe is required for qualification of the infrastructure?

    If you don't have your servers properly configured (e.g., for access control), you could lose regulatory data / records. Same if the firewall is down and your security is breached. The problem is magnified if you have any protected health information.
  3. Speedfan

    Speedfan New Member

    Jan 15, 2020
    Likes Received:
    Trophy Points:

    Thank for your reply.

    For information, I'm network/system administrator by studies and helper on computerized system validation.

    "If you don't have your servers properly configured (e.g., for access control), you could lose regulatory data / records.

    I'm totally agree with this but here is the way I see this :

    - The server is the platform where the application for access control is installed,
    - The access control application need to be validated because it's her who have settings like user administration, audit trail, data backup, etc..

    For me, all the regulatory tests who are required are executed on the access control application.

    If the server crash, what is the quality impact ? In my opinion, it's none.
    I have tests for all my servers, but it's IT tests I ran to be sure that my system is OK in case of crash to limit the off time.

    But in the idea, if I didn't have this, it's just a business impact because all the raw data are backup with the tests who are executed when the access control application was installed.

    (for my servers, I test, for example, backup, power redondancy, monitoring, access control, ect. But it's not quality test, it's IT test).
    Second time I don't know if it's clear :eek:

    Same if the firewall is down and your security is breached. The problem is magnified if you have any protected health information."

    Yes, but the logic is the same that the servers.
    If the firewall is down, the internet network cannot be reach, it's a business impact.