Server/computer qualification -- common practice?

We are having a lot of debate around whether or not to qualify servers.

My opinion is that the server is a critical part of the system (which includes the application, operating system, storage devices, etc.) and must be qualified and placed under control. Any changes made to the server, such as firmware upgrades, O/S patches, or replacement of a hard drive have the potential to affect the system’s ability to function and must be done under change management.

The other side of this debate is that servers don’t need to be qualified, because the server’s ability to function correctly is implicitly verified when you validate the software that resides on it.

I would like to hear from others on this topic, and would like to know if qualification of computers and storage devices is a common practice now in regulated companies.


It's a very topical question at the moment and I would also be very interested to hear other viewpoints.

I’ve worked in large multi-nationals where servers were qualified and others where they were not. When servers were qualified, however, risk assessments were never performed when patches were added, etc.; it was a one-time effort.

If using an external storage company I would push for them to qualify each server and keep them in control.

Looking forward to seeing how this topic unfolds.

Sorry for jumping in late.

I would not want to defend that claiming the server is validated based on application software using it is not a valid argument.

Servers are going to have more functionality than storage. I would expect that there’s mirroring or some kind of redundancy. Those aspects wouldn’t be assessed as part of application software validations - at least not on a server-wide scale.

Presumably there are multiple applications / uses for the server. How does the server handle the anticipated (and beyond) load?

I think you’re spot on with (re-)validation needs assessment when actions like disk replacement, OS upgrade, etc. occur.

Of course, if you’re not using the server for anything critical, then validation / qualification may not be necessary.


What if we have a server in a data centre? How do we organize the qualification? Should we include essential points in the vendor (data centre) questionnaire?

Some companies regard servers as part of infrastructure and qualify servers within the qualification of IT-IS.

Nevertheless, just qualifying applications running on servers is not good enough, because there are a lot of aspects which cannot be covered just by application validation, like bandwidth (globally used servers or locally used servers) and storage; e.g. if you are running applications having an audit trail implemented (e.g. MES), you have to calculate more storage than for other, smaller applications.

Also regarding business continuity and data recovery… you have to show that these functionalities are working properly. In my opinion there is no way out of qualifying servers.

@ sorriso: yes, you have to do that because you are responsible for your processes and your business, even if the respective applications behind are hosted on servers outside your company. A supplier audit cannot be avoided.