
Documenting a Network Infrastructure

Network Qualification – What You Need To Know

Qualified Infrastructure is a must for hosting any validated cGxP system; Network Qualification is a fundamental component of any Infrastructure.  Networks are complicated and not many people really know about them, but how complex are they?

To qualify a network, the first task is to perform an assessment of the network or networks at a given facility.  Usually, in the pharmaceutical industry, each site will have multiple networks:  Site Network (Enterprise LAN), Laboratory Network, Process Network, Building Management System and so on.  It’s both rare and bad practice to have all of these on the same segment, for many reasons including:

  • Separate Networks support the closed system requirements of FDA in the 21 CFR Part 11 ruling.
  • Segmented networks provide for an overall reduction in broadcast traffic which could potentially slow down a network.
  • If a virus or malware finds its way onto your network, it can be isolated much more easily if everything isn’t connected on a permit-any-traffic-to-anywhere basis.

The outcome of this assessment is a system boundary document that contains a system boundary diagram.  From this document, the disparate parts of the network can be broken down and the qualification strategy derived relatively painlessly; break it into smaller, manageable chunks to make it look and feel like a simpler, less daunting task.

Intelligence

Networks consist of switches and routers, the intelligent devices that facilitate communications, and cabling (both horizontal and vertical) that joins the network devices to various workstations, servers, printers, controllers, etc.  Networks can be qualified either locally (LANs) or on a wide area basis (WANs).  The system boundary document should describe what is within the scope of the qualification and what is outside of the scope.  Often corporations like to qualify the WAN for the entire business, leaving the local sites to qualify the LANs.  This may not always be the case, but the system boundary document should nevertheless make this clear.

Intelligent devices are VERY intelligent; the amount of processing that these pieces of kit are tasked with is phenomenal.  It would be unrealistic to try to document everything, so the approach is to document the main characteristics of the devices and to ensure that each piece of kit is configured and installed in a consistent fashion, e.g. in many cases everything would be configured the same except the hostname and IP address (and subnet mask and default gateway as applicable).  If, for example, a switch that had both Layer 2 and Layer 3 functionality was under qualification and routing functions weren’t required, then only the Layer 2 components would be in scope for qualification.
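One way to check the "same except hostname and IP details" rule is to compare each device's configuration with an approved baseline after masking the values that are allowed to differ. The following is an added example, not part of the original article; the IOS-style command syntax, the function names and the sample configurations are assumptions made for illustration.

```python
import re

# Values the text allows to differ per device. IOS-style syntax is an assumption.
PERMITTED = [
    re.compile(r"^(hostname)\s+\S+$"),
    re.compile(r"^(ip address)\s+\d+(?:\.\d+){3}\s+\d+(?:\.\d+){3}$"),
    re.compile(r"^(ip default-gateway)\s+\d+(?:\.\d+){3}$"),
]

def normalize(config):
    """Mask permitted per-device values; tag indented lines with their stanza."""
    out, parent = [], ""
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue  # blank line or comment separator
        for pat in PERMITTED:
            m = pat.match(text)
            if m:
                text = m.group(1) + " <per-device>"
                break
        if raw[0].isspace():
            out.append(f"{parent} > {text}")  # keep the stanza as context
        else:
            parent = text
            out.append(text)
    return out

def drift(baseline, device):
    """Lines the device lacks or adds relative to the approved baseline."""
    base, dev = normalize(baseline), normalize(device)
    return {"missing": [l for l in base if l not in dev],
            "extra": [l for l in dev if l not in base]}

# Constructed sample configurations (not from a real device).
BASELINE = """hostname SW-TEMPLATE
no ip http server
service password-encryption
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 no shutdown
ip default-gateway 10.0.10.1
line vty 0 4
 transport input ssh
"""
DEVICE_OK = BASELINE.replace("SW-TEMPLATE", "LAB-SW-01").replace("10.0.10.", "10.0.20.")
DEVICE_DRIFT = (DEVICE_OK.replace("no ip http server", "ip http server")
                .replace("input ssh", "input telnet ssh"))

if __name__ == "__main__":
    print(drift(BASELINE, DEVICE_OK))
    print(drift(BASELINE, DEVICE_DRIFT))
```

An empty result for a device is evidence of consistent configuration that can be attached to the qualification record; any entry under `missing` or `extra` is a deviation to resolve under change control.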

Behind the Walls Stuff

Cabling is the next most crucial item on the agenda; there aren’t any networks without cables – even wireless networks are wired somewhere, with a cable.  Horizontal cabling is the backbone stuff – the fibres that join buildings and the copper that runs from patch panels in communications rooms to wall outlets in offices and on the factory floor.  Vertical cabling is, for example, the patching of servers to switches and workstations to wall outlets.

It is quite acceptable to only qualify important or critical vertical cabling; for example, many companies qualify connections from servers to switches and monitor the health of these connections, whereas qualifying non-critical workstations doesn’t serve much purpose.  We care if a server fails, but do we want to know about 400 workstations closing down at 5pm?  Keep it to the point – if a workstation or something not so critical fails, it can usually be easily replaced or a substitute is nearby.

There is an array of standards that must be followed when installing / qualifying cabling, including maximum and minimum distances for optimum performance and termination types.

When installing fibre optic networks especially, but for all networks in general, it is important to consider how the diverse cable routes will flow – for example, if a network between two buildings is designed to not have a single point of failure, it wouldn’t make any sense to have these buildings connected up twice with the fibre cables in the same tray under the road.  Why?  Because if a digger comes along and cuts the cable, they both get cut and there is no network.  Diverse routes should be different, with one going the other way.

Using Control as a Tool

So how is this actually qualified?  Qualification in this sense is demonstrating control of the system (the network) and showing that it is thoroughly designed and documented.  Architecture drawings should be produced for each network and its associated interconnections; wall outlets should be labelled clearly and unambiguously, as should their associated patch panels.  A minimum level of testing should be carried out when installing equipment – basically, the application of due diligence will make the job easier.

Logical diagrams should be produced to show inter-site connections and boundaries as well as any interfaces that exist.

A lot of effort?  Not really, because a well-defined network qualification project’s end product will be a suite of documents and drawings that will also act as an engineering tool.  Any changes can be planned at the desk and the drawings marked up and revised as part of any subsequent change control; any faults or network problems can be investigated more easily, as the documents and diagrams contain all the information required to identify and isolate issues, as well as being the starting point for initiating changes or disaster recovery as necessary.  Similarly, when expanding or upgrading parts of a network, the framework exists and the planning can simply commence without worrying about what is correct and what is not.

The network qualification exercise will help to create a baseline of the minimum network requirements together with a system for documenting the network, both textually and pictorially.  An approved qualification plan will allow for devices, cables, LANs, WANs, interfaces and boundaries to be listed out and tackled on a scalable basis (allowing for flexibility depending on size and complexity).  Monitoring can be added to the network to gather useful statistical management information, in order to proactively determine where problems might occur and where assistance is required.  Similarly, when users complain that the network is slow, it is possible to prove quite easily that the network is fine and that the problem is with the servers (or elsewhere).

Summary

In summary, we have identified the components of the network and discussed breaking them down into manageable chunks for the purposes of qualification and management alike.  Even though this work seems daunting, a good engineering tool is the ultimate deliverable, which also serves well during regulatory inspections to prove that the platform hosting so many critical applications, systems and processes is actually qualified and verified to be fit for purpose.  Network qualification performed properly is a good job well done and ticks a lot of boxes.  In addition, post-qualification the network is in a healthy, manageable condition, ready to be given back to the helpdesk to maintain.

Suggested Additional Reading

http://kestrelsciences.co.uk/benefits-of-proceduralised-systems

 

Author:

Mark Richardson
Director of Operations
Kestrel Life Sciences
———————————————————–
t: +44 (0) 1670 543837
f: +44 (0) 1670 551050
———————————————————–
 

2 Responses to Documenting a Network Infrastructure

  1. Jerrold says:

    Enjoy the new design. I was pleased with the information. Bless you for a useful blog.

  2. Nancy says:

    It is usually difficult to get qualified persons about this matter, however you seem like you know what you are posting about! With thanks

