Qualification of FTP Tool?

If we are moving validated data to and from qualified servers using an ftp tool, does that tool have to be validated?

Prem Iyangar

I am assuming this is transferring GMP data between the servers. The business and regulatory risk associated with this data transfer is something I would look at.
If the business risk is high then I would qualify the tool chosen and verify data integrity in terms of file size, number of files and access to the ftp tool.
In case the data is not GMP data and the risk is low, then a simple verification should be enough.

David Stokes

FTP is used quite significantly in the GCP area for transferring clinical data sets, and best practice there is to use secure FTP (sFTP - i.e. where data transfer is encrypted). Given the criticality of such data, a risk assessment would indicate that validation is appropriate, and depending upon the software being used this can be categorised as GAMP category 3 or category 4 software.

Testing the basic functionality would require just a small number of functional test cases to be developed, but additional test cases should be developed to assure data security and data integrity, i.e. to verify that only approved and authenticated users can upload and download the data files and access them while they are on the FTP server, and that the contents of the file before upload are the same as that downloaded (using checksums etc).

My experience is that the flexibility inherent within GAMP (to combine the content of documents) can be leveraged, and it is possible to develop all of the validation documentation and complete the validation in just a couple of weeks.

Yves Samson

Whatever you are using as an FTP tool, you can consider it as Category 1 software. But …
you should do (and document) the following:
1/ to define the information security requirements
2/ to specify the technical requirements of the data to be transferred (format, size, …)
3/ to define the appropriate parameter setting for the tool
4/ to verify that the parameters are set correctly (based on your specification)
5/ to perform “worst case” transfer tests: big files, interrupted transmission, etc.
6/ to verify the integrity of the transferred data; e.g. using MD5

Even if FTP is a reliable communication protocol, it is important to qualify/validate such data transfer (see Annex 11, 4.8 and 5) … according to a risk-based approach.
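
The integrity checks raised in the replies above (file count, file size, and a checksum before upload and after download), as an added example that is not part of any poster's reply. It assumes the sent and received files are available as local directories, uses SHA-256 in place of the MD5 mentioned above, and all function names, file names and contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root, algorithm="sha256"):
    """Map each relative file path under root to (size in bytes, hex digest), hashing in chunks."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.new(algorithm)
        with path.open("rb") as handle:
            for chunk in iter(lambda: handle.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, digest.hexdigest())
    return manifest


def compare_manifests(sent, received):
    """Return sorted (file, problem) findings; an empty list means the transfer verified."""
    findings = []
    for name in sorted(set(sent) | set(received)):
        if name not in received:
            findings.append((name, "missing at destination"))
        elif name not in sent:
            findings.append((name, "unexpected file at destination"))
        elif sent[name][0] != received[name][0]:
            findings.append((name, "size mismatch"))
        elif sent[name][1] != received[name][1]:
            findings.append((name, "checksum mismatch"))
    return findings


def demo():
    """Constructed sample data: one intact, one truncated, one altered and one lost file."""
    payloads = {"batch_001.csv": b"lot,result\nA1,pass\n", "batch_002.csv": b"lot,result\nB7,pass\n",
                "audit.log": b"transfer start\n", "summary.txt": b"3 batches released\n"}
    with tempfile.TemporaryDirectory() as s, tempfile.TemporaryDirectory() as d:
        src, dst = Path(s), Path(d)
        for name, data in payloads.items():
            (src / name).write_bytes(data)
        (dst / "batch_001.csv").write_bytes(payloads["batch_001.csv"])       # intact
        (dst / "batch_002.csv").write_bytes(payloads["batch_002.csv"][:10])  # interrupted transfer
        (dst / "audit.log").write_bytes(b"transfer START\n")                 # same size, altered
        return compare_manifests(build_manifest(src), build_manifest(dst))


if __name__ == "__main__":
    print(demo())
```

The altered `audit.log` has the same size as the original, so only the checksum comparison catches it; the size and count checks alone would pass that file.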


Is this a one-time move or an on-going process? I think the answer differs based on intended use.