Document Control (Metadata)

Table of Contents

• Section 1 - Family Summary
• Section 2 - Purpose, Scope & Regulatory Anchors
• Section 3 - General Training Requirements
• Section 4 - Unified Responsibility & High-Level Control Mapping
• Section 5 - Required AAs & Traceability Matrix
• Section 6 - AA Deliverable Requirements
• Section 7 - WIN Layer (High-Level Operational HOW)
• Section 8 - Governance Inheritance

Quality Unit Authority, Electronic Systems Control Framework, & Governance Inheritance

This Information Technology (IT) Family Pack operates under the authority of the Sawgrass Nutra Labs Quality Management System (QMS) and the Quality Unit (QU).

In accordance with 21 CFR Part 11 and 21 CFR Part 111, the Quality Unit (QU) retains final, non-delegable authority over all GMP-impacting computerized systems, electronic records, and electronic signature controls, including:

• Approval of computerized system validation strategy and lifecycle documentation
• Approval of validated state and authorization of system release for GMP use
• Approval of changes impacting validated systems, electronic records, or data integrity
• Disposition of data integrity events, security breaches, and system control failures
• Stop-use authority for any system presenting compliance or data integrity risk

IT operates as a GMP-Enabling Control Domain. IT executes defined controls for system access management, electronic signature configuration, audit trail preservation, backup integrity, cybersecurity protections, and system validation lifecycle management. IT does not independently authorize release of product, deviation closure, CAPA approval, or final quality disposition decisions.

The Electronic Systems Control Framework represents the governance structure established under QU authority, including: validation requirements, access control rules, audit trail expectations, segregation of duties, backup verification, and data integrity safeguards. IT implements and maintains this framework but does not supersede Quality Unit authority.

System validation gaps, unauthorized access events, audit trail anomalies, data integrity concerns, cybersecurity incidents, or backup failures shall be escalated through the QA-owned QMS workflow (e.g., WIN-QA-EXCEPTION-ESCALATION) prior to continued GMP reliance where required.

In the event of any conflict between operational system management and Quality Unit authority, Quality Unit authority prevails.

Section 1 - Family Summary

This Family inherits enterprise governance requirements defined in the L0 Unified Governance Document (L0-QMS-UGD), including the Quality Manual, Risk Management Program (RMP), Internal Audit Program (IAP), and QA-administered escalation controls. All IT responsibilities and WINs operate fully within these L0 authorities.

The Information Technology (IT) Process Family defines WHAT-level controls ensuring that computerized systems used within the Quality Management System (QMS) remain secure, validated, reliable, and compliant. IT establishes governance controls necessary to maintain system integrity, electronic record authenticity, access security, data protection, and validated system performance.

IT governance includes controls for:

• User access management and role-based authorization
• Electronic signature configuration and authentication integrity
• Audit trail protection and monitoring expectations
• Computer system validation (CSV) and lifecycle control
• Data integrity safeguards aligned with ALCOA+ principles
• Backup management and restoration verification
• Cybersecurity and infrastructure protections
• Controlled system change management

As a GMP-Enabling Control Domain, IT ensures that:

• Electronic records remain accurate, complete, and tamper-evident
• Electronic signatures are attributable and Part 11 compliant
• System access is authorized, restricted, and traceable
• Validated systems remain in a validated state throughout their lifecycle
• Backup and restoration capabilities are tested and reliable

IT controls support compliance with:

• 21 CFR Part 11 — Electronic records and electronic signatures
• 21 CFR Part 111 — Data integrity, record accuracy, and traceability
• NSF/ANSI 455-2 — Secure, validated, and controlled system requirements

Risk Tier Classification: HIGH. Failures in IT controls can compromise electronic data integrity, record authenticity, system availability, and enterprise-wide regulatory compliance. Because computerized systems support all Process Families, IT control failures create cross-functional compliance exposure.

Section 2 — Purpose, Scope & Regulatory Anchors

Section 5 — Required AAs & Traceability Matrix

Section 6 — AA Deliverables

AA-IT-ACCESS-CHK

Access approval verification record...

AA-IT-ACCESS-LOG

Access lifecycle log...

AA-IT-ESIG-AUTH

Signature authorization record...

AA-IT-ESIG-AUDIT

Signature audit evidence...

AA-IT-BACKUP-LOG

Backup execution log...

AA-IT-RESTORE-REC

Restore verification record...

AA-IT-VAL-APPROVAL

Validation approval record...

AA-IT-VAL-SUMMARY

Validation summary record...

Section 7 — Execution (WIN)

WIN-IT-ACCESS

Trigger Event: Access request or personnel change...

WIN-IT-ESIG

Trigger Event: Signature authorization...

WIN-IT-BACKUP

Trigger Event: Scheduled backup...

WIN-IT-VALIDATE

Trigger Event: Validation lifecycle...

Section 8 - Governance Inheritance

This Family Pack inherits all enterprise-level governance defined in the L0 Unified Governance Document (L0-QMS-UGD), which serves as the authoritative source for quality management, documentation control, data integrity, electronic systems governance, and enterprise-wide control architecture.

All SOPs, WINs, and Auditable Artifacts (AAs) within this Family shall be created, maintained, executed, and periodically reviewed in full alignment with L0 governance requirements, including:

• Enterprise documentation control, change control, and record-lifecycle governance
• ALCOA+ data integrity principles governing all GMP data
• 21 CFR Part 11 electronic records and electronic signature requirements, including periodic review and re-validation of electronic systems to ensure continued compliance, access control integrity, and data reliability
• Defined role-based authorization, qualification, and oversight requirements
• System-of-Record expectations for creation, retention, protection, and retrieval of evidence
• Enterprise escalation pathways administered under QA governance
• Risk-tier classification and governance inheritance rules

Quality Unit Authority

The Quality Unit (QU) retains final, non-delegable authority over quality-related decisions affecting compliance, authorization, system controls, and escalation pathways.

• Approval of quality system standards and control frameworks
• Authorization of independent GMP-impacting activities
• Suspension or restriction of activities when compliance risk exists
• Approval and oversight of electronic systems impacting GMP records
• Escalation and disposition of systemic control failures

Governance Supremacy Clause

L0 governance requirements apply uniformly and supersede all Family-level content. This Family Pack does not replace, dilute, or modify enterprise governance and operates fully within the enterprise-wide QMS architecture.