Upload
r
View
218
Download
1
Embed Size (px)
Citation preview
ISBT Science Series (2013) 8, 70–72
STATE OF THE ART 1D-H07-03 © 2013 The Author(s).ISBT Science Series © 2013 International Society of Blood Transfusion
Application validation versus infrastructure qualificationR. HullemanIT Architect & IT Security Officer, Sanquin Blood Supply, Utrecht, the Netherlands
An often used method for application validation is the “black box” approach.The functionality or application is tested against predefined protocols and theresults are compared to also predefined expected results. The underlying infra-structure is automatically validated in combination with the application.
Audit Authorities and GMP regulations (Annex 11, GAMP) ask for a QualifiedInfrastructure nowadays.
An IT infrastructure is a complex system of IT components working togetherto enable the user to “use the applications” that run on it.
To qualify an infrastructure the infrastructure has to be split up in parts; the“infrastructure components”. The process of building and changing these compo-nents has to follow strict Quality requirements.
Key words: annex 11, architecture, GMP, infrastructure, qualified infrastructure.
An IT infrastructure is a complex system of IT compo-
nents working together to enable the user to ‘use the
applications’ that run on it. As a result, there can be
many stakeholders involved in this process. Each stake-
holder has their own ‘truth’ or ‘view’ of the infrastructure
(Fig. 1). Fig. 1 shows a general overview of these stake-
holders and their views, although this will be different for
each organization.
There are many tools to manage these different views,
such as BPM (Business Process Management) for the Busi-
ness, Document Management for QA or a CMDB (Config-
uration Management Database) for the Service desk. In
general, these tools will cover more than one view, but
not all views. An EAMT (Enterprise Architecture Manage-
ment Tool) covers all views and the relationships both
within and between views.
Stakeholders are often not aware of other stakeholders’
views.
How does this relate to application validation and
infrastructure qualification?
An often used method of validation is the ‘black box’
approach. The functionality or application is tested
against predefined protocols and the results are compared
with the predefined expected results. The underlying
infrastructure is automatically validated in combination
with the application. This has an impact on different
stakeholders and their responsibilities.
An R&I (Risk and Impact) process as part of the Infra-
structure Change procedure must determine whether a
change has an impact on validated infrastructure compo-
nents. If this is the case, the application owner has to be
informed and he has to decide (again, often based on an
R&I) whether a re-validation is necessary and if so, the
extent of it.
However, Audit Authorities and GMP regulations
(Annex 11, GAMP) ask for a Qualified Infrastructure
nowadays. To qualify an infrastructure, the infrastruc-
ture has to be split up in parts, called components.
There is no standard definition of such an infrastruc-
ture component available today. The process of building
these components has to follow the Quality require-
ments (Fig. 2):
Furthermore, for each validated application there has
to be a list of all qualified components that are used for
that application.
Changes within the qualified components have to fol-
low a re-qualifying procedure before these components
can be used in production environments. This approach
limits the risks of unwanted and/or unknown infrastruc-
tural changes within validated systems and decreases the
amount of effort required for validation as a result of in-
frastructural changes.
Correspondence: R. Hulleman, IT Architect & IT Security Officer,Sanquin Blood Supply, Lundlaan 8, 3584 EA, Utrecht, the NetherlandsE-mail: [email protected]
70
QACompliensproceduresaudits
UserMy devicesare always connected
AdministratorStatusconfigurationdetails
Architect
ElementsRelationsConstrainsAttributes
Service desk
WhoWhatWhereTicketsStatus
Manager
NumbersmoneycontractsSLA’s
EnterpriseVisionstrategypolicy’s
BusinessEmployeesprocessesproducts
Fig. 1 Stakeholders views on infrastructure.
© 2013 The Author(s).ISBT Science Series © 2013 International Society of Blood Transfusion, ISBT Science Series (2013) 8, 70–72
Application validation versus infrastructure qualification 71
On the other hand, the management of a qualified
infrastructure creates new stakeholders and views as
defined in Fig. 1.
The Application Owner wants to be aware of all the
components that are used while running his application
(Fig. 3):
QA wants proof of the qualifying status of all compo-
nents in use (Fig. 4):
Ideally both views are managed using appropriate tooling.
Disclosure
The author has no conflicts of interest to declare.
Requirementspecification
High level design
Low level design
Installation guide
Component installation
Installation qualification
Operation qualification
Fig. 2 Component Qualification V-Model.
Applicationowner Components
Fig. 3 Application Owner view on Qualified Infrastructure.
QA Componentsstatus
Fig. 4 Application Owner view on Qualified Infrastructure.
© 2013 The Author(s).ISBT Science Series © 2013 International Society of Blood Transfusion, ISBT Science Series (2013) 8, 70–72
72 R. Hulleman