IT Infrastructure in GMP Inspections
Recommendation
11-13 December 2024
By now, the inspection of IT infrastructure by the authorities has become an important subject area as part of the inspection of computer-based systems. A broad spectrum is available to the inspector here. The following are just a few points that can be addressed: Cabling, network cabinets and connectors, active network components, peripheral devices, buildings and premises, responsibilities and personnel, system and data security, backup and archiving, network and system management including change management, maintenance (remote maintenance), virus protection concept, performance monitoring, help desk, outsourcing (infrastructure as a service - IaaS). And this list is not exhaustive.
Regulatory Basis
The legal basis is clear. EU GMP Annex 11: "The application should be validated, IT infrastructure should be qualified."
Guidance on how to perform qualifications is given in EU GMP Annex 15, with particular reference to the following points:
Annex 15, 3.1 "Qualification activities should consider all stages from initial development of the user requirement specification through to the end of use of equipment, facility, utility or system."
Thus, qualification always includes DQ, IQ, OQ, and PQ. An attempt to apply the system to the infrastructure causes problems, especially with PQ. There is certainly no such thing as a classic PQ as otherwise.
The inspector is assisted in the inspection by some guidance from the authority and industry:
- AIM der EFG 11 Überwachung computergestützter Systeme (only available in German)
- PIC/S PI 011 und PI 041
- IT Grundschutzkompendium (BSI)
- GAMP® GPG IT Infrastructure Control and Compliance
The document PIC/S PI 041-1 contains several notes on the subject of IT infrastructure. Most of the notes can be found in section - 9.2 Qualification and validation of computerised systems and 9.5 System security for computerised systems.
Inspection Practice
The topic of passive network components is to be addressed here as an example. Passive network components are all network components that do not require their own main power supply. These include cables, distribution cabinets, patch panels and connectors.
The following questions, taken from the GAMP® GPG IT Infrastructure, were asked during five GMP inspections:
- Question 1: Are (internal or external) standards used to define cable requirements?
- Question 2: Are cabling diagrams or specifications in place?
- Question 3: Are cables tagged or labeled to aid identification?
Following the summarized results:
Question 1 | Question 2 | Question 3 | |
Company 1 | ? | ? | ? |
Company 2 | It was known which cables had been laid at least in part. | Answer Yes, but no documentation was found. | Sockets were labeled, Cable diagrams with designations were not available |
Company 3 | The network application class was defined. | Drawing representation of the wiring was available. | Identification partially possible. |
Company 4 | The network application class was defined. | Yes | Tabular overview available (designation, specification of end points, number of fibers, cable type - (UTP, S/UTP, STP, S/STP, optical fiber). |
Company 5 | Network application class E had been defined. However, measurement protocols had shown that this class is not achieved everywhere. | Yes | As company 4 |
Notes on the table
Company 1 could not answer the questions. There was no expert personnel on site.
Company 5: The problem was with the plugs. Actually, a category 5 plug is sufficient for class E. However, it has been shown in practice that a category 6 plug is safer.