Blog

The 5 Stages of Qualifying & Validating a Virtual Environment | IVT

Courtesy of Getty Images
The 5 Stages of Qualifying & Validating a Virtual Environment

A virtual environment is a combination of hardware and software that works in tandem to simulate a real world computer infrastructure. Virtual environments function by a combination of virtual machines (i.e., complex files) that provide applications and services, real world infrastructure that provides the platform for operation, and operators who manage the environment. Because of the intricate nature of virtual environments and the multiple stakeholders involved, many pharmaceutical and medical device companies are at loss when they need to validate and qualify the system. Adapted from Alexander Meissner’s presentation at Validation Week Canada, a summary of the five stages for virtual environment qualification and validation is presented.

1. Elicitation Information from Virtual Environment Stakeholders

Before undergoing qualification and validation, you will need to gather information on the virtual environment from information technology (IT), developers/vendors, quality assurance, and regulatory affairs. The questions and information you must look for from each department are outlined in Table I.

Table I: Eliciting Virtual Environment Stakeholders

Group

Questions to Ask

What to Look For

Information Technology

  • Have you selected a vendor? 
  • What features of the software or limitations made your choice?
  • Local VE - How much infrastructure do you plan to commit to the VE? Is an SLA in place?
  • Explanatory Diagrams
  • Supporting Infrastructure
  • Qualified Personnel
  • Resource Availability
  • Configuration 

Developers/Vendors

  • Cloud:  How will our employees interact with your environment?  How much control do we have?
  • Local VE: Does your software support an audit trail?
  • Explanatory Diagrams
  • Quality Driven Attitude
  • Similar Industry Experience
  • Configurations
  • Resource Availability

Quality Assurance Requirements

  • Do you anticipate any SOP policy conflicts with the VE?  How many would be impacted?
  • What is the process behind training staff on the VE? 
  • Relevant Process Workflows?
  • Training
  • Standard Operating Procedures
  • Needs 

Regulatory Affairs

  • Can the proposed VE functions satisfy predicate rules?
  • Will the system be responsible for storing electronic documentation?
  • System Assessments
  • Risk Assessments
  • Predicate Rules
  • Part 11 Rules

2. Planning

There are three interlocking plans that compose the “planning” stage of virtual environment qualification and validation. These are the quality plan, project plan, and validation plan. The quality plan will compose of responsibility matrices (i.e., RACI), a high-level list of quality deliverables (i.e., validation plan, project plan, protocols etc.), and a discussion of any business quality objectives. Then, the project plan will consist of a description of specific time, resource, and budget risks/constraints, and the resources required to ensure your VE implementation will be successful (i.e., developer, consultants, in-house expertise, other SME’s, sponsors). Finally, the validation plan will consist of an infrastructure system description, virtual system description, regulatory impact explanation, and outline of roles and responsibilities (see Table II). The validation plan is especially important as it will lead to establishing user requirements, function, and design specifications as well as the remaining validation deliverables.

Table II: Validation Plan Components

Validation Plan

Infrastructure System Description

  • Hardware Redundancy
  • Supporting Infrastructure
  • Hardware Communications
  • Data Archiving
  • Security
  • Discrepancy Monitoring.

Virtual System Description

  • VE Software Interfaces
  • VM Management
  • Internal & External Interfacing
  • Software Deployment
  • ER/ES: even if they’re not being used.

Regulatory Impact

  • Housed GAMP5 Classes of Systems
  • Validated State Outlook
  • Disaster Recovery.

Roles and Responsibilities

  • Phase/ Sponsor RACI
  • Deliverables RACI

3. Validation Deliverables

There are critical elements of a virtual environment that need to be addressed when creating your validation deliverable package; they are summarized in Table III.

Table III: Validation Deliverables Package Requirements

Validation Deliverable Package

Identify

  • User Requirements Specification (Draft)
  • Vendor Selection
  • Vendor Assessment
  • Suitability Assessment.

Plan

  • Quality Plan
  • Project Plan
  • Validation Plan
  • User Requirements Specification (Final)
  • Qualification Protocols
  • Test Plan
  • Test Scripts.

Execute

  • Test Execution
  • Test Summary Reports
  • Conditional Release
  • System Release.

Close/Control

  • Validation Summary Report
  • Certificate of Validation
  • Change Controls
  • Change/ Configuration Records.

When assessing a vendor, whether they provide a cloud or software platform will determine the characteristics you must evaluate. In regards to legitimacy, quality, timeliness, Table IV outlines the vendor qualities to investigate.

Table IV: Vendor Assessment

Focus

Cloud

Software Vendor

Legitimacy

  • Industry Testimonials
  • Site Visit
  • Whitepapers
  • Industry Testimonials
  • On-site Demo
  • Help files

Quality System

  • Quality System Certification
  • Coding Practice

Timeliness

  • Service Level Agreements
  • Average Ticket Turnaround

 The user requirement specifications will assist with the system suitability assessment and risk analysis, which must also be completed in this stage. Potential risky scenarios and mitigation strategies are presented in Table V below.

Table V: Virtual Environment Risk Analysis

Example Risks

Mitigation Strategies

  • System security is vulnerable after a critical patch is issued but not implemented.
  • The administrator account becomes accidentally locked out.
  • Storage resources become critically low.
  • An urgent, high-priority change control to implement the patch and resolve deliverables as soon as possible.
  • Open a change control and contact vendor for 4h service (per SLA)
  • Design the system to have redundancy (i.e., +20% storage)

A Virtual Environment Management SOP will be expounded in this stage. This SOP must consist of a definition of the virtual environment functions you will use as actions, work instruction references, a description of the feature frequency, change control activities, and periodic review activities.

The priorities for qualification and validation, also developed in this stage, can be scaled on a one to five range, with one being the highest priority. Example priorities can be shown in Table VI below.

Table VI: Validation and Qualification Priorities

Level

Activities

Priority 1

  • Build VM
  • Commission VM
  • VE Maintenance
  • Incident Response
  • Vendor Assist

Priority 2

  • Add LUN
  • Patch Template
  • Create Snapshot
  • Revert Snapshot
  • VM Troubleshooting

Priority 3

  • Disk Add
  • Disk Expand
  • Hot Migrate
  • Build ESX
  • Commission ESX

Priority 4

  • Cold Migrate
  • Test SAN
  • Test NIC
  • Test Network

Priority 5

  • Decommission VM
  • Disk Remove
  • Disk Contract

The action items for Installation Qualification, Operation Qualification, and Performance Qualification will be determined in this stage. For qualifying and validating a virtual environment, the activities are explained in Table VII.

Table VII: Installation Qualification, Operation Qualification, and Performance Qualification

Installation Qualification

Operation Qualification

Performance Qualification

  • HW & SW Setup
  • Commissioning
  • Vendor Execution/Support
  • Supporting Services
  • Environmental Considerations
  • Redundancy Configuration
  • VM Import & Export
  • VM Configuration
  • Reports & Logs
  • Automated or Manual Resource
  • Management
  • Snapshots
  • Control Interface
  • VM SW Tools
  • Resource Monitoring
  • Log Production
  • SOP Verification
  • Training Verification

4. Test Boundaries

You should test for functions that have incoming or outgoing impact on other systems or are directly related to them. You can exclude tests for functions related to other systems and services or functions related to support infrastructure.

5. Maintaining Control

When in control of virtualized environment, routine maintenance and change control activities are best practices for maintaining the validated state. The specific areas for routine maintenance and change control can be seen in Table VIII; procedures or work instructions will aid in future qualification and validation activities.

Table VIII: Obstacles to Maintaining Control

Routine Maintenance

Change Controls for Virtual Machines

  • VE Maintenance
  • Test SAN
  • Test NIC
  • Test Network
  • Incident Response
  • Vendor Assist
  • Build VM
  • Commission VM
  • Add LUN
  • Patch Template
  • Create Snapshot
  • Revert Snapshot
  • VM Troubleshooting
  • Disk Add
  • Disk Expand
  • Hot Migrate
  • Build ESX
  • Commission ESX
  • Cold Migrate
  • Decommission VM
  • Disk Remove
  • Disk Contract



Product Added Successfully

This product has been added to your account and you can access it from your dashboard. As a member, you are entitled to a total of 0 products.

Do you want access to more of our products? Upgrade your membership now!

Your Product count is over the limit

Do you want access to more of our products? Upgrade your membership now!

Product added to cart successfully.

You can continue shopping or proceed to checkout.

Comments (0)

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Use to create page breaks.
Image CAPTCHA
Enter the characters shown in the image.