Standard Operating Procedure
Risk Based Qualification of Network Infrastructure
This is an example of a Standard Operating Procedure. It is a proposal and starting
point only. The type and extent of documentation depends on the process environment.
The proposed documentation should be adapted accordingly and should be based on
individual risk assessments. There is no guarantee that this document will pass a
regulatory inspection.
Publication from
www.labcompliance.com
Global on-line resource for validation and compliance
Copyright by Labcompliance. This document may only be saved and viewed or printed
for personal use. Users may not transmit or duplicate this document in whole or in part,
in any medium. Additional copies and licenses for department, site or corporate use can
be ordered from www.labcompliance.com/solutions.
While every effort has been made to ensure the accuracy of information contained in
this document, Labcompliance accepts no responsibility for errors or omissions. No
liability can be accepted in any way.
STANDARD OPERATING PROCEDURE Page 2 of 10
Document Number: S-285 Version Beta
Title: Risk Based Qualification of Network Infrastructure
Company Name:
Controls
Superseded document: N/A, new
Reason for Revision: N/A
Effective Date: Jan 1, 2004
Signatures
Author I indicate that I have authored or updated this SOP according to
applicable business requirements and our company procedure:
Preparing and Updating Standard Operating Procedures.
Name: ________________________________
Signature: ________________________________
Date: ________________________________
Approver I indicate that I have reviewed this SOP, and find it meets all
applicable business requirements and that it reflects the
procedure described. I approve it for use.
Name: ________________________________
Signature: ________________________________
Date: ________________________________
Reviewer I indicate that I have reviewed this SOP and find that it meets all
applicable quality requirements and company standards. I
approve it for use.
Name: ________________________________
Signature: ________________________________
Date: ________________________________
www.labcompliance.com (replace with Your Company’s Name) FOR INTERNAL USE
1. PURPOSE
Network infrastructure should be validated for compliance and business reasons.
The extent of qualification depends on the risk the infrastructure poses to
product quality and safety and on its complexity. This SOP gives guidelines on
the extent of qualification for the risk categories defined by the SOP in
reference 4.2.
2. SCOPE
Risk based qualification of network infrastructure. Security controls, system
audits and change control are also in scope.
3. GLOSSARY/DEFINITIONS
| Item | Explanation |
| GAMP | Good Automated Manufacturing Practice (Forum). The GAMP Forum exists to promote the understanding of the regulation and use of computer and control systems within the pharmaceutical manufacturing industry. |
| GAMP Category 3 | Standard software package. All application problems are solved with standard functions. However, typically not all available functions are exercised by the user’s application. |
| GAMP Category 4 | Configurable software package. Provides standard interfaces and functions that enable configuration of user-specific applications. |
| GAMP Category 5 | Custom software package. Developed to meet specific needs of an application. Custom software may be a complete system or an add-on to a standard package. Custom software may be developed and supported in-house or by an external supplier. |
| Standard function | Function that comes with software GAMP Category 3 |
| Critical Requirement | Requirement that the user determines to be critical for the effective use of the infrastructure |
Note: For other definitions, see www.labcompliance.com/glossary
4. REFERENCE DOCUMENTS
4.1. GAMP 4 Guide: Validation of Automated Systems, ISPE, Brussels, 2001 (order
from www.ispe.org)
4.2. SOP #### “Risk Assessment for Systems Used in GxP Environments”
5. RESPONSIBILITIES
5.1. System owner
5.1.1. Owns the process to define and document extent of validation for a
specific system.
5.1.2. Drafts documentation.
5.2. IT
5.2.1. Reviews and approves documentation.
5.3. Quality assurance
5.3.1. Advises on regulations and guidelines related to GxP and 21 CFR Part 11.
5.3.2. Reviews documentation for compliance with internal policies and
guidelines.
5.3.3. Approves documentation.
6. FREQUENCY OF USE
6.1. Initially whenever infrastructure is qualified.
6.2. After infrastructure updates or other changes, when the change indicates that
the extent of qualification or validation may need to be changed.
6.3. Whenever system reviews indicate that the extent of qualification or validation
may need to be changed.
7. PROCEDURE
7.1. System owner defines qualification steps for life cycle phases and tasks using
tables 7.1.1 to 7.1.9 as guidelines.
7.1.1. Planning
Qualification Steps – Planning
| System | GAMP 3 | GAMP 4 | GAMP 5 |
| High Risk | Detailed validation plan with all activities, deliverables, owners, and time tables. | Detailed validation plan with all activities, deliverables, owners, and time tables. | Detailed validation plan with all activities, deliverables, owners, and time tables. |
| Medium Risk | High level plan with key activities. | High level plan with key activities. | High level plan with key activities. |
| Low Risk | No specific plan | High level plan with key activities. | High level plan with key activities. |
7.1.2. Setting Specifications
Qualification Steps – Setting Specifications
| High Risk | Document all requirements; Uniquely number all requirements; Define critical vs. non-critical |
| Medium Risk | Document all requirements; Uniquely number all requirements; Define critical vs. non-critical |
| Low Risk | Define and document all requirements |
7.1.3. Vendor Assessment
Qualification Steps – Vendor Assessment
| High Risk | Review and vendor documentation | Vendor audit | Vendor audit |
| Medium Risk | Document experience with vendor and system | Review vendor documentation | Vendor audit |
| Low Risk | None | None | None |
7.1.4. Installation
Qualification Steps – Installation
| System | GAMP 3 | GAMP 4 | GAMP 5 |
| High Risk | Verify correct software installation; Document system and all components and configurations; Document software versions | Verify correct software installation; Document system and all components and configurations; Document software versions | Verify correct software installation; Document system and all components and configurations; Document software versions |
| Medium Risk | Document system and all components and configurations; Document software versions | Document system and all components and configurations; Document software versions | Document system and all components and configurations; Document software versions |
| Low Risk | Document system and all components and configurations; Document software versions | Document system and all components and configurations; Document software versions | Document system and all components and configurations; Document software versions |
7.1.5. Functional Testing
Qualification Steps – Functional Testing
| System | GAMP 3 | GAMP 4 | GAMP 5 |
| High Risk | Test critical functions; Link tests to requirements | Test critical standard functions; Test all non-standard functions; Link tests to requirements | Test critical standard functions; Test all non-standard functions; Link tests to requirements |
| Medium Risk | Test critical functions; Link tests to requirements | Test all critical standard and non-standard functions | Test critical standard functions; Test all non-standard functions; Link tests to requirements |
| Low Risk | No testing | Test critical non-standard functions | Test critical non-standard functions |
7.1.6. On-going maintenance and performance control
Qualification Steps – On-going Control
| High Risk | On-going monitoring of network traffic and connectivity; On-going monitoring of data transmission accuracy; Documentation and follow up on irregular events |
| Medium Risk | Regular monitoring of data transmission accuracy; Documentation and follow up on irregular events |
| Low Risk | Documentation and follow up on irregular events |
7.1.7. Security controls
Qualification – Security Controls
| High Risk | Regular review of user access lists; Regular check of access controls |
| Medium Risk | Regular review of user access lists |
| Low Risk | Regular review of user access lists |
7.1.8. Change Control
Qualification Steps – Change Control
| High Risk | All changes approved by system owner and QA |
| Medium Risk | All changes approved by system owner |
| Low Risk | All changes documented by user |
7.1.9. Audits
Qualification Steps – Audits
| High Risk | Regular audit of system and subsystems; Regular review of the audit plan |
| Medium Risk | ‘For cause’ audits in case of problems |
| Low Risk | None |
7.2. Review and Approval
7.2.1. The documents as developed in sections 7.1.1 to 7.1.9 are reviewed and
approved by IT for compliance with IT practices.
7.2.2. The documents as developed in sections 7.1.1 to 7.1.9 are reviewed and
approved by the QA Management for compliance with regulations and
internal standards and guidelines.
7.3. Regular review and updates
7.3.1. Definition of qualification steps is an on-going process. The system owner
reviews tables 7.1.1 to 7.1.9 every year and updates the tables, if
necessary.
7.3.2. Updates from 7.3.1 are reviewed and approved following sections 7.2.1
and 7.2.2.