Regulatory Issues
Qualification of Network
Ludwig Huber and
Rory Budihandojo
To comply with 21 CFR Part 11,
your networked systems require
the same validation and
qualification steps as those for a
single computer. Shared servers
and multiple access also add
requirements that are unique to
networks.
Italicized words in this article are
defined in “The Glossary” of the
article’s online version at
www.biopharm-mag.com.
Ludwig Huber is worldwide product manager for
pharmaceutical solutions at Agilent Technologies
GmbH, PO Box 1280 D-76337, Waldbronn,
Germany, +49.7243.602.209,
fax +49.7243.602.501, [email protected], group at the Good Automated
www.agilent.com. Rory Budihandojo is head of
R&D for IT quality and testing at the Centre of
Excellence, GlaxoSmithKline, Collegeville, PA
19426.
18 BioPharm OCTOBER 2001
Components and Validation of
Networked Systems
etworked systems with integrated or
N distributed databases are increasingly
used in the pharmaceutical industry,
and like all computerized systems,
they must be qualified and validated to
demonstrate their suitability for their intended
use. Although the validation of stand-alone
computer systems is well described (1), many
companies are still uncertain about how to
qualify networks and networked systems. But
FDA is increasingly looking into such
systems, as evidenced by recent warning
letters and inspection reports. Networked
systems and their applications need to be
validated for compliance reasons, but that
validation is also important for business
reasons. Missing data in an electronic batch
record or laboratory information system or
lost data from a research project can be
disastrous for a company and its employees.
Production delays caused by network failures
are also costly.
We will highlight the qualification of
network components (switches, hubs,
routers, software) and the validation of
networked systems, assuming that readers
are already familiar with the principles of
computer system validation and with
network technology. (Reference 1 is a good
source for beginners on the subject of
computer validation; network technology
and terminology can be found in reference 2
and similar books.)
Network quality assurance has been
addressed by Crosson, Campbell, and
Noonan who recommend that a network be
qualified (because it is a piece of equipment)
and then managed through documented
control (3). Olthof discussed information
technology (IT) quality in a paper at the
ECA conference (4). A special interest
significant changes and modification[s] that
Manufacturing Practice (GAMP) forum (5)
emphasized that quality assurance principles
are critical to the management of the IT
infrastructure. That group recommended
bringing IT infrastructure into initial
compliance with established standards
through planned qualification processes.
Once in compliance, the infrastructure
should be maintained using documented
standard processes and quality assurance
activities. The effectiveness of the program
should be periodically audited.
Ongoing updates on recent developments
in network validation and compliance can be
found on the web sites of FDA (www.fda.
gov), the GAMP forum (www.gamp.org), and
PDA (www.pda.org), as well as some private
sites such as www.labcompliance. com and
www.computervalidation.com. Our objective
is to provide practical recommendations for
qualifying individual network components
and validating networked systems (as part of
the validation of the applications that are
supported by the network).
FDA Expectations
FDA is inspecting networked systems and
has issued related warning letters and 483s
or inspectional observation reports. Studying
such letters and reports is instructive
because they highlight what inspectors are
looking for and what mistakes others are
making. The following excerpts are from
warning letters available publicly on the
FDA web site.
Two network-oriented warning letters
issued this year contain information for
laboratory information management systems
and stability test programs. The second letter
also contains information on databases.
The network program lacked adequate validation
and/or documentation controls. For example:
v The system design documentation has not been
maintained or updated throughout the life of the
. . . software dating back to 1985 despite
have taken place. These include program code,
functional/structural design, diagrams,
specifications, and text descriptions of other
programs that interfere with [this program].
 v The software validation documentation failed
to adequately define, update, and control
significant elements customized to configure the
system for the specific needs of the operations.
v Validation documentation failed to include
complete and updated design documentation,
and complete wiring/network diagrams to
identify all computers and devices connected to
the . . . system.
v The QCU [Quality Control Unit] failed to
ensure that adequate procedures were put in
place to define and control computerized
production operations, equipment qualifications,
documentation review, and laboratory
operations. (6)
The . . . computer system that is accessed by
personnel from various departments to include
manufacturing, testing laboratory, and Quality
Assurance lacked the following:
v Audit trail function of the database to ensure
against possible deletion and loss of records.
v Absence of documentation defining the
database, operating system, location of files, and
security access to database.
[. . . .]
Your response fails to discuss extending the
retrospective evaluation to other elements of the
system needing to be defined and controlled as
part of the overall configuration management. (7)
An FDA 483 from July 2000 cited a
company for insufficiently documented
training records:
There are no records to document that the
Information Technology (IT) service provider
staff personnel have received training that
includes current good manufacturing practice
regulations and written procedures referred to by
the regulations. (8)
FDA’s warnings and inspection reports
repeatedly emphasize controlled updates, a
focus of this article. Additional examples
and updates of extracts from warning letters
related to computer and network compliance
can be found at the Labcompliance web
site (9).
What to Validate
Networks are systems connecting several
computers and peripheral devices. The main
purpose of a network is to transport and
control data traffic. Whether data are stored
on the network servers or elsewhere, a
network must provide assurance that data
integrity and security have been maintained
during the transport and traffic control
functions. Data integrity and security are
ensured by controlled and properly managed
network access and by appropriate security
for data stored within the network.
Computer systems used in regulated
environments must be qualified and
validated to demonstrate suitability for their
intended use. That means all systems
(including networks) used for work
regulated by Good Laboratory Practices,
Good Clinical Practices, and Good
Manufacturing Practices (together referred
to as GXPs) must be validated. The
electronic record regulations in 21 CFR
Part 11 give more detail on which computer
systems are regulated: all systems that
create, modify, maintain, archive, retrieve,
or distribute electronic records (10). To
ensure compliance, we recommend that you
analyze all information that FDA may
request during an inspection. If documents
or data ever went through a computer or
other device with the possibility of being
modified, then that computer or device
should be validated.
Validation is therefore necessary for
computers that acquire and evaluate critical
data from measurement systems in plant
control and also for office computers that
generate reports submitted to FDA. Word
processing systems that generate standard
operating procedures (SOPs) also must be
validated; and frequently, the computers
running them are connected through
networks. In addition to meeting regulatory
requirements, it is simply good business
Office
Mail File
Server Server
Computer
Room
WAN
Figure 1. Example of client/server networked system (4)
practice to validate all computer systems used
for generating and evaluating critical data.
Networked Systems
The diagram in Figure 1 shows a typical
client/server networked system connecting
client computers in a laboratory and offices
to a server located in a computer room. The
computer room also hosts mail servers.
Laboratory computers with data system
applications software acquire data using
TCP/IP protocols and control equipment
with built-in local area network (LAN) cards.
Application software on the client computers
is also used for data evaluation. Computers
are connected to servers through a hub. Each
server uses a relational database (such as
that from Oracle, www.oracle.com) with
customized applications for data
management; for control charting and other
statistical evaluation; for review, backup,
archiving, and retrieval of data; and for
generating electronic signatures compliant
with 21 CFR Part 11.
Other examples of networked systems
frequently used in the biopharmaceutical
industry include enterprise asset
management (EAM) systems, manufacturing
resource planning (MRP) systems,
manufacturing execution systems (MES)
with electronic batch record functionality,
and electronic document management
systems (EDMS). The arrangement can be
the same for these systems as shown in
Figure 1; validation requirements can be the
same as well.
Laboratory
HPLC HPLC
GC
LAN
Application
Server
Hub
Database
BioPharm OCTOBER 2001 19
Regulatory Issues
Design Qualification
Validation Plan
Installation Qualification
Operational Qualification
Performance Qualification
Figure 2. The 4Q model qualification phases of networked systems
Validating a networked system requires
qualifying its individual components (such
as the applications running on each
computer) and authorized access to the
system, as well as qualifying data transfer
between the related computers (that is, the
interfaces of the components at both sites).
The whole system, including the network
itself, is validated by running typical daily
applications under normal and worst-case
conditions and then verifying that the system
and its functions are meeting previously
specified criteria.
Both for qualifying the components and
for validating the complete system, it is
important to define a validation box. The
goal of a validation box is achieved by
subdividing the network into subnetworks
(or sub-LANs) containing network
components that are used by each
application. A validation box helps define
which parts of the complete network must
be qualified and which are unaffected. The
validation box for the laboratory data system
in Figure 1 would include the lab computers,
the file server, the applications server, and
the database. Limiting the network
qualification tasks to those components used
by the network applications saves time.
The 4Q Model
Validation of networked systems should, in
principle, follow the validation practices of
all other computer systems. Everything that
is important in validating a single computer
is also important in validating a network.
Network validation activities should follow a
validation plan. If such a plan already exists
20 BioPharm OCTOBER 2001
• List user requirement specifications
• Determine functional (design) specifications
• Perform vendor qualification
• Check complete arrival as purchased
• Check correct installation of computer
and network hardware and software
• Test key operational functions of hardware
and software
• Test security functions
• Test system for specified application
• Establish preventive maintenance routine
• Determine backup and contingency
planning procedures
• Establish change control and security
maintenance protocols
for other components, then the validation of
network-specific tasks should be added to the
validation plan. A networked component
should be treated like any other piece of
equipment that is installed and qualified.
A network component should be treated
like a piece of equipment, which is installed
and qualified (for example, chromatography
software functions such as peak integration
and quantitation). Typical network functions
such as limited access and network
transactions should be qualified. Because of
the complex nature of a network, a cross-
functional team should control validation
activities. For the validation of the network,
any structured approach (such as a life cycle
model) should be followed; see, for
example, the 4Q model in Figure 2. It
involves design, installation, operational,
and performance qualification.
Design qualification (DQ) is the first step,
ensuring that the design of a network meets
the user’s requirements. In this phase, the
user requirements for each function are
specified. For example, a user requirement
could state, “There should be limited access
to the networked system.” The required
function to ensure that requirement could be
stated, “There should be user ID and
password entry fields when entering the
system.” The computer system vendor
should be qualified during the DQ phase.
Installation qualification (IQ) is the second
phase. An individual checks whether an
instrument arrives as purchased, installs
network components, and completes the
necessary documentation.
Operational qualification (OQ) is the third
step, when critical key functions are tested.
Testing always should follow a test plan and
be compared against previously specified
acceptance criteria.
Performance qualification (PQ) is the last
phase, which includes testing the entire
system for specific application performance.
PQ could involve a complete analysis using
sample equipment for specific hardware,
accessories, and software. It also includes
preventive maintenance. For example, PQ
would include both regular disk
maintenance and change control.
Specific Requirements
Network computer systems have some
specific characteristics that differ from
standalone equipment and need to be
addressed during validation. Unlike stand-
alone computer systems, which consist of
homogeneous hardware and software,
networks are heterogeneous. They usually
include a variety of hardware components,
several software applications, and
communication protocols. A change to one
component can influence many other
components and applications.
Cabling designs and specifications are as
important as the hardware and software in a
networked system — mainly because network
components can be far away from each other.
Many people and departments often access
the network as a common resource, so
security issues are quite important. Networks
can include both components that must
comply with regulations and those that aren’t
regulated. IT personnel have not always been
trained in the GXPs.
Validation Plans and Teams
Validation master plans are not required by
regulation, but FDA inspectors may ask for
an explanation of your company’s approach
toward validation. The master plan is a good
tool for demonstrating that approach, and
plans should be available for both multisite
and single-site companies. Validation master
plans help ensure consistent and efficient
implementation of validation throughout a
site and throughout a company. If already
available, such plans can be extended easily
to include networks and networked systems.
We recommend starting with a generic plan
and adding network specifics. For example,
include network terms in the glossary.
Generic network specifications (such as
cabling, security, and vendor qualification)
should be part of the master plan. It should
Regulatory Issues
include recommendations for backup,
contingency planning, disaster recovery,
change control, validation reports, and
archiving. The plan also should include
naming conventions, which make it easier to
identify components and track data flow
within a network. Templates for daily
operations should be included as appendices
for consistent implementation, and reference
should be made to existing SOPs. The
master plan will be a good foundation for
individual project validation plans.
Validation teams can coordinate validation
activities for networked systems. The
complexity of networks requires more than
one expert for definitions, qualifications,
and (most important) change control. The
validation team should include expert IT
professionals. They can best describe what
might go wrong with a system and how
individual network components can affect
each other.
Laboratory personnel (or others who will
use the network) should be part of the team
because they should be aware of possible
22 BioPharm OCTOBER 2001
problems at the application level. End users
also should be able to determine whether a
network continues to operate effectively
after the validation activities are complete.
QA personnel should be part of the
validation team to ensure that documentation,
control, and use are in compliance with
regulations and company policies. The
software engineering department should be
involved if all or part of the software has been
developed in house. Otherwise, vendor
representatives can be included. Consultants
can be brought onto the team if necessary;
they can be a great help with initial, big
network validation projects.
Types of Specifications
All validation activities should begin with the
single most important step: setting
specifications. Good specifications can be
used throughout validation activities. User
requirements set as specifications define what
users intend to do with the networked system.
Typical requirements for networks include
sharing and printing files and determining
Info #20
how many concurrent users can work on the
network. Another user requirement is limiting
and authorizing access to the system.
Functional specifications define what
functions the system or its components will
need to meet those goals.
Two other types of specifications to
include in a validation master plan are
design and environmental specifications.
Design specifications, which can be
included as part of the functional
specifications, specify the design of the
computer hardware, software, connectors,
and cables necessary to meet specific
functional specifications and to ground
electrical connections adequately.
Environmental specifications detail the
environmental conditions (such as
temperature or humidity) under which the
network will be expected to operate.
When establishing network
specifications, be sure to answer these
questions: How much traffic will the
network carry, especially under highest-load
or worst-case conditions? What is the
Info #4
Regulatory Issues
Project-Specific Documentation
Project-specific documentation must be
reviewed periodically and updated if
necessary. Include the following
documents in your project-specific
documentation:
Acceptance testing protocols or
operational qualification protocols
Backup requirements
Disaster-recovery planning procedures
Installation qualification documents
Logbook with changes
Maintenance procedures
Network components master list (for
example, components that are deemed
critical for network operation)
Project plans
Report summaries
Risk assessments for testing, backup,
and contingency planning
System and network diagrams (for
example, floor plans, topological
diagrams, and cabling diagrams)
Training records related to specific
computer systems
User requirements (functional, design,
and environmental specifications)
Vendor assessments
maximum actual distance between
individual network components? How many
users will be on the network concurrently?
What are the risks and impacts of a server
failure? How often will backup and
archiving be performed? Under what
environmental conditions will the network
operate? What protocols will be used
(GPIB-IEEE or TCP/IP, for instance)? Will
the workstations currently in place be
adequate for the networked activity, or
should they be replaced by or augmented
with new ones?
Each of those questions and their answers
are important when setting specifications.
The anticipated users should answer
questions appropriate to them, and each
question should be discussed by members of
the validation team.
24 BioPharm OCTOBER 2001
Installation
The steps for installing a network are similar
to those for installing other computer systems.
Check whether the equipment (the computer
hardware, the software, the network hardware,
cables, and operating manuals) arrived as
purchased. Determine whether all equipment
and accompanying materials are undamaged
and clean. Verify that the environmental
tolerances are as specified (including
temperature, humidity, radio frequency, and
electromagnetic interference). Determine
whether physical security specifications have
been met (for example, lockable hardware
should prevent unauthorized access to the
server’s RAID system).
Install components according to the
vendor’s recommendations. Configure and
document all network settings (such as the
router settings). Give a unique identifier to
all parts: hardware, software, cables,
firmware, and operating systems. Also
record the version numbers of network-
specific software and firmware and of the
hardware, software, and cables that are part
of the network infrastructure master list.
Version numbers can be more easily tracked
if entered into a database or an appropriate
network configuration management tool.
Diagrams. Create system drawings and
diagrams as part of the installation process.
Such drawings are essential for setting up a
network or networked systems, but they are
even more important for maintaining those
systems. The diagrams should be kept with
other IQ documents and include physical
diagrams (such as component locations and
cabling) and logical diagrams (such as
TCP/IP schemes and how components
interrelate with each other). In the case of
dynamic IP addressing systems, the
diagrams should indicate how dynamic IP
addressing will be used (including the
procedure for submasking IP addresses).
Diagrams will enable IT personnel and
inspectors to trace data and traffic flow,
ensuring data integrity and security. Networks
change frequently, so maintaining the
diagrams with documented version control is
important. We recommend procedures for
regular (perhaps quarterly) review.
Testing
Networks should be tested in the
development environment by the supplier,
but they should also be tested in the user’s
environment as part of the acceptance
testing and/or OQ process. Test modules and
systems after installation, after changes, and
at regular maintenance intervals. When a
change is made, the changed component
should be tested to see whether it still works
in the system, but other components also
should be tested because they may be
affected by the change. Testing requires
written test plans with set parameters and
acceptance criteria. A test plan must be
approved before a test starts.
Critical functions should be checked
regularly. For example, some devices have
checks required by 21 CFR Part 11, and the
accuracy of network transactions needs to be
checked as well. Besides the generic tests
applicable to all computers, some tests are
specific to networks. See the “Network-
Specific Testing” box for recommendations.
The accuracy of networking transactions
should be checked. Make sure that data are
safely transported between client and server
computers. That should be verified as part of
normal OQ, but technology is also available
to automate this verification by regularly
calculating checksums or hash values for
each file, attaching those numbers to the
files, recalculating the numbers after a data
transaction, and comparing the new values
with the previous ones still attached. Those
steps should be automatically executed by
software without requiring manual
interaction. Software should automatically
report and document errors. Hash
algorithms are commercially available, such
as MD5 software from RSA (www.rsa.com).
If the checksums or hash algorithms are
implemented correctly, calculations are done
so fast that they have no measurable impact
on the performance of the system.
If multiple clients use exactly the same
hardware and software configuration, you
may question whether it is necessary to test
each one separately. The answer to that
question should be based on the risk
assessment: the impact each client could
have on product quality and the probability
of client-specific errors. In most cases, the
risk incurred by testing only a percentage of
clients is acceptable.
Most of the above suggestions test the
networked system itself or applications
running on that network (for example,
transactions between two or more system
components). Some testing of critical
components could also be done. For
instance, one test could check a switch
buffer to ensure that no data are lost.
Data Backup and Contingency Planning
Procedures should be in place for backup and
recovery of data. Risk assessment determines
the timing of backups — frequency increases
for more critical data and with the increased
likelihood of data loss. Hardware and
software are commercially available, but
individual devices should be qualified and
validated for backup and restoration. In the
event of total destruction of a server, you
should be able to completely recover its
database to another server without data loss,
and that too should be validated.
Networked systems can fail for a variety
of reasons. Badly designed applications
running on a network can fail, and single
components can also fail. When designing
the network, the following questions should
be answered: Will processes continue when
one or more single components fail? How
will that affect the course of business? What
is the likelihood of failure? How will data be
recovered once the network is again
available? Your company’s answers to those
questions will determine the stringency of its
contingency plan (to continue network
operation if one or more components cease
to function). Such a plan is equally important
for regulatory and for business reasons.
Contingency planning should start with
risk assessment: How much will it cost
when data are lost? How does the risk of
data loss compare with the cost of a
contingency plan?
Validated redundancy systems can help
keep a system operable. Other types of
network contingency plans can include the
use of a hot site. Because time is critical in
recovering network operations,
consideration should be given to the type or
set of qualifications run at the hot site;
sometimes it may not be feasible to run a
full set of qualifications. Practice the plan
before disaster strikes, of course, and ensure
that it is safely stored and can be retrieved
easily in the event of trouble.
Maintaining Security
Networks change frequently, whether
changes are made to hardware, software, or
both. All changes should be managed,
controlled, and documented. In some cases
revalidation may be required, which can be a
huge effort. Before deciding to change
Network-Specific Testing
Start up and shut down networked
systems (document messages that
reflect that the network was successfully
started or shut down). Switch off and on
network components (for example,
hubs, routers, and switches), and note
the impact of the action on the network
operation.
Conduct security tests, such as by
logging on with both correct and
incorrect passwords. Grant
administrator-level access, and assure
that administration personnel are aware
of functions they can and cannot do in a
regulated network environment. Check
that password administration works
correctly. For example, check that
passwords of four characters have been
tried when the password policy specifies
minimum password lengths of six
characters.
Verify that sessions unlock and that
user-specific automated time outs, if
any, work. Verify access to task and file
permissions. For example, if an operator
has permission to review data, try
modifying such data to see whether the
system behaves as expected. Check
that network backup and restoration of
data work correctly.
Verify how the system behaves and
recovers from system failures, triggering
failures through disconnecting and
reconnecting network components. Test
error messages and the actions required
for specific ones as part of this task.
Check that the audit trail of network
transactions is correct. Verify that
correct data are transferred under
normal and high-traffic conditions.
Check that individual software modules
and systems are free from virus
infections. Form a system integrity
response team (SIRT), whose function
is to provide damage assessment in
case of an external or internal breach.
something, you need to ask yourself several
questions. Is the change really needed?
Compare benefits and costs. Cost
calculations should not only include those
for purchasing but also validation, which
can be higher. How will the change affect
Info #17 BioPharm OCTOBER 2001 25
Regulatory Issues
the system and its components? What will
need to be tested and documented after the
change? Who should be informed about it?
Those questions must be answered by a
validation team rather than an individual. A
chemist in the laboratory can hardly estimate
the impact of adding another client to an
already busy network. But IT specialists can
do that best when informed by that chemist
as to the potential data traffic coming from
the new computer.
Requalify network components after each
change, with qualification results
documented. Update the contents of
equipment databases and drawings after the
change. Limited access to computer rooms,
computer hardware, network hardware, and
selected tasks and data should be checked
regularly. Maintain access rights and update
those rights when employees change jobs.
Documentation
All validation activities, including
qualification and validation plans and results
for networked systems and databases, should
be documented. Two types of documents
26 BioPharm OCTOBER 2001
should be present: project specific plan, or add network-specific information to
documentation describing validation for an existing computer validation master plan.
each project and generic documentation Form a project-specific validation team.
describing policies, master plans, and Develop user requirements along with
processes. Templates can facilitate functional and design specifications.
consistent implementation and use. Good Treat each network component like a
documentation is very important for piece of equipment, which must be
troubleshooting. qualified, but qualify only those that are
Generic documentation should include the used when running applications. Install
validation master plan and additions to individual components and test components
existing computer validation master plans and (qualification). Integrate components and
procedures for adding and removing network test them. Validate the networked system by
components; connecting to the network; running complete applications. For complex
controlling network security, including networks, don’t test everything; be selective.
physical and logical security, password Use risk assessment. If you have 20 identical
policies, and administration procedures; clients with identical software, testing two
network management between multiple sites; or three of those clients can be enough.
configuration management; change control For changes, evaluate whether each
procedures (equipment, hardware, software, change is really needed and assess whether
firmware, cables, connectors), and training it makes good business sense to implement.
records for GXP regulations. After you have made a change, test its
All procedures should be reviewed yearly effects on other components. Don’t assume
with regular confirmation that they are being that everything else still works as before
followed. Practice version control for when a change has been made. Don’t forget
changes. Project-specific documentation to continue qualification through all change
must be reviewed periodically and updated control procedures.
if necessary. See the Develop backup, contingency, and
“Project-Specific disaster-recovery plans. Documentation
Documentation” must be in order: SOPs, templates,
box for a list of maintenance logs, and so on. And train
what to include. people — even your IT staff — on
techniques and operations, but also on the
Implementation regulations.
In summary, the
qualification of References
network (1) L. Huber, Validation of Computerized
Analytical Instruments (Interpharm Press, Inc.,
components and Buffalo Grove, IL, May 1995).
validation of (2) N. Jenkins and S. Schatt, Understanding Local
networked systems Area Networks: Easy Introduction to Network
are equally Concepts and Products (SAMS Publishing,
Indianapolis, 1998).
important for (3) J.E. Crosson, M.W. Campbell, and T. Noonan,
meeting regulations “Network Management in an FDA-Regulated
and business Environment,” PDA Journal 53(6), 280–286
requirements. We (1999).
(4) H. Olthof, “GXP Requirements for IT
recommend Infrastructure,” presented at the ECA
following a stepwise conference: FDA 21 CFR Part 11 Compliance
approach. for Pharmaceutical Laboratories (European
Follow good Compliance Academy, Copenhagen,
Denmark), October 2000.
computer validation (5) IT Infrastructure Special Interest Group,
practices. It is most Quality Assurance (GAMP, Tampa, FL, 2000),
important to follow draft document.
(6) J.C. Famulare, Warning Letter #320-01-08
life cycle procedures (Center for Drug Evaluation and Research,
in validation and 11 January 2001). Available at
qualification. www.fda.gov/foi/warning_letters/m5056n.pdf.
Develop a network (7) J.C. Famulare, Warning Letter #320-01-07
(Center for Drug Evaluation and Research,
qualification master
Continued on page 46
Info #16
Glossary
bus An electronic pathway along which
signals are sent from one part of a
computer to another. A PC contains
several buses, each used for a different
purpose. The address bus allocates
memory addresses. A data bus carries
data between the processor and the
memory. The control bus carries signals
from the control unit.
checksum A record of the number of bits
transmitted and included with a
transmission so that the receiving
program can determine whether the same
number of bits arrived. If the counts
match, it’s assumed that the complete
transmission was received.
client/server A network architecture in
which each computer or process on the
network is either a client or a server.
Servers are powerful computers or
processors dedicated to managing disk
drives (file servers), printers (print
servers), or network traffic (network
servers). Clients (PCs or workstations on
which users run applications) rely on
servers for resources such as files,
devices, and even processing power.
data flow Movement of information
between clients and servers that is
tracked to ensure accuracy and security.
data system applications software The software
that controls equipment, such as
chromatographs, and acquires, evaluates,
prints, and stores data.
distributed databases Computing is said to be
“distributed” when the programming and
the data that computers work on are
spread out over more than one computer,
usually over a network.
electronic document management system (EDMS) A
system for tracking and locating electronic
documents and for managing them
throughout their life cycle.
enterprise asset management (EAM) Knowledge
within a company exists in many forms: in
databases, knowledge bases, filing
cabinets, and peoples’ heads. All too
often one part of an enterprise repeats the
work of another part simply because that
knowledge is poorly tracked. EAMs allow
companies to manage legacy and object
components, inventorying assets (what
46 BioPharm OCTOBER 2001
they are, where they are located, and how
they are used).
fault tolerance The ability of a system to
respond gracefully to unexpected
hardware or software failures. The lowest
level of fault tolerance is an ability to
continue operation in the event of a power
failure. Many fault-tolerant computer
systems mirror all operations — that is,
perform each on two or more duplicate
systems — so that if one fails the other
can take over.
File transfer protocol (FTP) The TCP/IP Internet
protocol used when transferring single or
multiple files from one computer to
another.
GPIB-IEEE A general purpose interface bus
standard from the Institute of Electrical
and Electronic Engineers, which develops
standards for computers and the
electronics industry. This standard allows
up to 15 intelligent devices to share a
single bus, with the slowest device
participating in the control and data
transfer handshakes to drive the speed of
the transaction.
GXP All of the regulations that apply to
Good Laboratory Practices, Good Clinical
Practices, and Good Manufacturing
Practices, taken as a whole.
handshake Requires the recipient of a data
record to acknowledge to the sender that
the record has been received.
hash algorithms (hash values) A hash value is
an algorithmic method. Sometimes called
the “digest” of a document in digital form,
a number is generated from a string of
text. The hash is substantially smaller
than the text itself, generated by a formula
that makes it extremely unlikely for some
other text to produce the same value.
Hashes are used in security systems to
ensure that transmitted messages have
not been tampered with. The sender
generates a hash of the message,
encrypts it, and sends it with the message
itself. The recipient then decrypts both the
message and the hash, produces another
hash from the received message, and
compares the two. If they’re the same, it
is highly probable that the message was
transmitted intact.
Network Qualification continued from page 26
11 January 2001). Available at www.fda.gov/
foi/warning_letters/m5057n.pdf.
(8) “FDA 483 Observations Related to IT”
(Labcompliance, July 2000). Available at
www.labcompliance.com/publications/
lit-references.htm.
(9) “FDA 483 Inspectional Observations and
Warning Letters Related to Computers”
(Labcompliance web site). Available at
www.labcompliance.com/computer/
fda-observations.htm.
(10) Code of Federal Regulations, Food and
Drugs, “Electronic Records; Electronic
Signatures,” Title 21, Part 11 (U.S.
Government Printing Office, Washington DC),
issued March 2000. Also Federal Register
62(54), 13429–13466. Available at
www.fda.gov/ora/compliance_ref/ part11. BP
hot site A site designated to operate a
network if the normal operation center
fails (for example, in case of a natural
disaster or fire).
hub A common connection point for
devices in a network, such as a LAN. A
hub contains multiple ports. When a
packet of data arrives at one port, it is
copied to the other ports so that all
segments of the LAN can see all packets.
A passive hub serves simply as a conduit
for data, enabling it to go from one device
(or segment) to another. So-called
intelligent hubs (or manageable hubs)
include additional features that enable an
administrator to monitor traffic passing
through the hub and configure each port.
A third type of hub, called a switching
hub, actually reads the destination
address of each packet and forwards it to
the correct port.
information technology (IT) The broad area
concerned with all aspects of managing
and processing electronic and
computerized information. Some
companies refer to the department as
information services (IS) or management
information services (MIS).
integrated databases Databases that have
two or more components merged together
into a single system. Increasingly, the
term “integrated” is reserved for software
that combines word processing, database
management, spreadsheet functions, and
communications into a single package.
local-area networks (LANs) Networks with
computers geographically close together
Glossary
(in the same building). Wide-area networks
(WANs) have computers farther apart,
connected by telephone lines or radio
waves.
mail server A mail server handles incoming
and outgoing email for Internet users. Most
mainframes, minicomputers, and computer
networks have an e-mail system. Some
electronic-mail systems are confined to a
single computer system or network, but
most have gateways to others, enabling
users to send electronic mail anywhere in
the world.
manufacturing execution system (MES) A system
that delivers information on plant
production activities. MES programs guide,
initiate, respond to, and report on plant
activities as they occur, resulting in rapid
response to changing conditions.
manufacturing resource planning systems (MRP)
Production tracking systems used primarily
in the 1980s, which are now being primarily
replaced by EAMs.
MD5 A digital signature algorithm used to
verify data integrity that is claimed to be as
unique to that specific data as a fingerprint.
Developed by Ronald L. Rivest of MIT,
MD5 creates a digital signature, requiring
that large files be compressed by a secure
method before being encrypted with a
secret key. MD5 is a one-way hash
function, meaning that it takes a message
and converts it into a fixed string of digits,
also called a message digest. When using
a one-way hash function, one can compare
a calculated message digest against the
message digest that is decrypted with a
public key to verify that the message hasn’t
been tampered with. This comparison is
called a hash check.
networked systems (networks) A group of two or
more computer systems (hardware,
software, and peripherals) linked together.
Computers on a network are sometimes
called nodes. Computers and devices that
allocate resources for a network are called
servers.
node Any device attached to the network
that is capable of communicating with other
network devices.. A node can be a
computer or some other device, such as a
printer. Every node has a unique network
address.
RAID Short for redundant array of
independent (originally inexpensive) disks,
RAID is a way of storing the same data in
different places (thus, redundantly) on
multiple hard disks. By placing data on
multiple disks, input and output operations
can overlap in balance, improving
performance. Since multiple disks increase
the mean time between failure (MTBF),
storing data redundantly also increases
fault tolerance.
relational database A type of database that
stores data in related tables. A relational
database is powerful because it doesn’t
assume how data are related or how they
will be extracted. As a result, the same
database can be viewed in many different
ways.
routers Devices that connect any number of
LANs and use headers and forwarding
tables to determine where packets go.
Routers use ICMP, an extension of IP, to
communicate with each other and
configure the best route between any two
hosts. Very little data filtering is done
through routers.
submasking Masks are filters that selectively
include or exclude certain values. For
example, when defining a database field, it
is possible to assign a mask that indicates
what sort of value the field should hold.
Values that do not conform to that mask
cannot be entered. Masks are hierarchical,
and submasks are filters within filters.
subnetworks (sub-LANS) Within a network,
subnetworks are another name for nodes.
switch In networks, a device that filters and
forwards a packet to its next destination. A
switch may also include the function of a
router in a generally simpler and faster
mechanism.
TCP/IP Transmission control
protocol/Internet protocol, enables devices
to exchange information over a network.
validation box Defines a set of network
components that are required on the
network — for example, a networked
chromatography data system.
BioPharm OCTOBER 2001 47