Section 1 - Family Summary

This Family inherits the governance requirements defined in the Unified Governance Manual (SOP-QMS-GOV), including the Quality Manual, Risk Management Program (RMP), Internal Audit Program (IAP), and Material Review Board (MRB) governance (SOP-QA-MRB). All IT responsibilities and WINs must align with these L2 authorities.

The Information Technology (IT) Process Family governs all WHAT-level controls ensuring that computerized systems used within the Quality Management System (QMS) remain secure, accurate, reliable, validated, and compliant. IT establishes the controls needed to maintain system access security, electronic record integrity, electronic signature authenticity, backup and recovery reliability, and proper performance of all regulated applications.

IT provides WHAT-level governance for:

User access provisioning, role control, and traceability
Electronic signature authenticity and attribution
Data integrity controls for capture, storage, and retrieval
System validation and qualification for intended use
Audit trail controls and monitoring expectations
Backup and restoration testing and documentation
Protection against unauthorized access or data manipulation
Secure change management for computerized systems

As a critical GMP support Family, IT ensures that:

Personnel access is authorized, restricted, and traceable
Electronic signatures meet regulatory requirements
Backups are complete, preserved, and recoverable
Computerized systems are validated for intended use
Electronic records remain accurate, complete, and tamper-evident

IT controls support:

21 CFR Part 11 — Electronic records and electronic signatures
21 CFR 111 — Data integrity, record accuracy, and traceability
NSF/ANSI 455-2 — Requirements for secure, validated, and controlled systems

Effective IT controls prevent:

Data loss or corruption
Unauthorized access or privilege escalation
Invalid or unverifiable electronic signatures
Incomplete or missing backups
Unvalidated systems or uncontrolled system changes
Audit trail failures or data-integrity gaps

IT interacts with all other Process Families—including QA, QCL, QCP, PROD, PKG, WH, MNT, SAN, PROC, and Document Control—by providing:

System access management
Data protection and integrity controls
Computerized system validation (CSV) support
System backup and recovery oversight
Security and infrastructure controls

Risk Tier Classification: HIGH. Failures in IT controls can compromise electronic data integrity, record authenticity, system availability, and GMP compliance. Because IT systems support every Family, failures create enterprise-wide regulatory exposure.

Section 2 - Purpose, Scope & Regulatory Anchors

SOP ID	SOP Title	Purpose (Control Intent)	Scope (Operational Boundary)	Regulatory Anchors
SOP-IT-ACCESS	System Access Control	Establishes WHAT-level controls for creating, modifying, disabling, and managing system access to ensure only authorized and trained personnel can access computerized systems used for GMP activities and decision-making.	Applies to all computerized systems, applications, servers, cloud services, and equipment that store, process, or produce GMP-relevant data. Includes user provisioning, access removal, role- based access control, and periodic access reviews.	21 CFR: 11.10(d), 11.300(a); 111.105, 111.140. NSF/ANSI 455-2: 4.9.1, 4.9.2 (system access & security).
SOP-IT-ESIG	Electronic Signatures	Defines WHAT-level controls for creation, use, authentication, and protection of electronic signatures used within GMP systems to ensure signatures are attributable, secure, and compliant.	Applies to all electronic systems where signatures represent approval, review, verification, or decision-making related to GMP records, including QA approval, QC review, training completions, and batch record executions.	21 CFR: 11.50, 11.100, 11.200. NSF/ANSI 455-2: 4.9.3 (electronic records & signatures).
SOP-IT-BACKUP	Backup Management	Establishes WHAT-level controls for backing up, protecting, storing, and restoring GMP data to ensure data integrity, availability, and business continuity.	Applies to all servers, systems, applications, databases, and GMP-relevant data repositories that require retention, restoration, or preservation to support quality and compliance needs.	21 CFR: 11.10(c), 111.605, 111.610. NSF/ANSI 455-2: 4.9.2 (data protection & retention).
SOP-IT-VALIDATE	Computer System Validation	Defines WHAT-level controls to ensure computerized systems used for GMP activities are validated for intended use, function as designed, and remain in a validated state throughout their lifecycle.	Applies to all GMP-relevant computerized systems requiring validation, including LIMS, QMS, LMS, ERP, laboratory instruments with software, and data management systems.	21 CFR: 11.10(a), 11.10(k); 111.503. NSF/ANSI 455-2: 4.9.4 (computer validation requirements).

AA Type–Specific Execution Requirements

Check (CHK) Requirements

Checks (CHK) are verification activities used to confirm that required, GMP-critical actions, reviews, or prerequisites have been completed in accordance with the governing SOP or WIN. Checks do not instruct how to perform tasks; they verify that required conditions or outcomes have been met.

Verify completion of discrete, GMP-critical requirements or conditions.
Use objective, binary responses (Yes/No, Pass/Fail, Accept/Reject).
Require completion of all verification points unless “N/A” is explicitly defined by procedure.
Be completed contemporaneously at the point of verification.
Trigger immediate escalation and QA notification if any verification point is not met.
Include clear operator verification and independent review or approval where required.

Log (LG) Requirements

Logs provide chronological documentation of repeated or ongoing monitoring activities. Logs in this Process Family must:

Capture each entry with date, time, and operator initials.
Be completed in real time at the point the activity occurs.
Maintain continuous entries without overwriting or removal.
Support auditability, trending, and long-term traceability.

Template (TMP) Requirements

Templates provide standardized data fields for recording measurements, quantities, equipment settings, sampling results, or other structured GMP data. Templates in this Process Family must:

Include all required fields with no blanks unless marked “N/A.”
Capture data exactly as performed or measured.
Be embedded in Batch Records, sampling sheets, or standalone as required.

Record / Form (FRM) Requirements

Records (FRMs) capture the finalized GMP evidence for this Process Family. All Records must comply with ALCOA+, GDP, Part 11 requirements for electronic records, and the metadata and retention standards defined in L0 Section 16 — AA Governance. Records may incorporate Checks, Logs, and Templates as embedded evidence.

Citations above support WHAT requirements; compliance traceability is maintained at the L0 level.

Section 3 - General Training Requirements

Personnel must understand the importance of system access controls and why unauthorized access to GMP systems is prohibited.
Personnel must understand how electronic signatures are used within the QMS and the expectation that they are equivalent to handwritten signatures under 21 CFR Part 11.
Personnel must understand the requirement to protect individual login credentials, including passwords, multi-factor authentication tokens, and access badges.
Personnel must understand that system accounts are assigned based on job role and must not be shared or transferred between individuals.
Personnel must understand how to identify and report access discrepancies, such as incorrect permissions, accounts not removed after termination, or unauthorized users.
Personnel must understand backup requirements, including the need to preserve GMP data, protect data from loss or corruption, and support restoration during system failures.
Personnel must understand basic expectations for business continuity during IT-related issues and the importance of prompt communication with the IT team.
Personnel must understand what computer system validation (CSV) means, why validation is required for GMP systems, and the risks associated with unvalidated systems.
Personnel must understand that any changes to validated systems must follow approved change control and may require revalidation.
Personnel must understand how to recognize potential data integrity risks in electronic systems, including audit trail concerns, missing data, or inconsistencies.
Personnel must understand ALCOA+ principles as they apply to electronic data (attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available).
Personnel must understand how to properly use electronic systems assigned to them and must receive training prior to gaining access.
Personnel must understand escalation expectations for suspected security incidents, unauthorized access attempts, or system integrity concerns.
Personnel must understand how IT-controlled systems interact with other GMP Families (QCP, QCL, QA, TAL, DOC, WH, PRO, PKG) and how their use affects quality records.
Personnel must understand record retention and retrieval requirements for electronic data and system-specific storage rules.

Section 4 - Unified Responsibility & High-Level Control Mapping

Role	Primary Responsibilities (WHAT)	High-Level Controls (WHAT Requirements)
IT	• Maintain system access controls and ensure access is granted only to authorized and trained personnel. • Manage user provisioning, role assignments, password policies, and access removal. • Maintain electronic signature configurations, authentication methods, and audit trail protections. • Oversee backup creation, storage, restoration testing, and integrity validation. • Own computer system validation lifecycle activities across GMP-relevant systems. • Escalate system security issues, data integrity concerns, or validation gaps.	• Enforce secure, role-based access aligned with training and job responsibilities. • Maintain data integrity and ALCOA+ controls for electronic systems. • Ensure validated status of computerized systems used for GMP work. • Maintain secure and retrievable backups for regulated data. • Preserve audit trails, electronic signature mappings, and authentication configurations.
QA	• Approve IT-controlled procedures affecting electronic records and signature integrity. • Review and approve validation documentation and change control for regulated systems. • Verify that electronic signatures and audit trails meet GMP expectations. • Review backup, restoration evidence, and IT compliance documentation during audits and investigations.	• Ensure compliance with 21 CFR Part 11 and electronic record requirements. • Approve validation approaches, protocols, and reports. • Apply independent review of system access lists and periodic access reviews. • Enforce alignment between IT controls and corporate QMS requirements.
QA-SOD	• Independently verify IT-controlled actions that require second-level approval, including electronic signature assignments, validation steps, or access removals. • Review discrepancies or exceptions flagged during IT security, validation, or access monitoring.	• Apply independent verification controls to ensure system integrity and security. • Ensure impartial review of access rights, audit trails, and validation evidence. • Confirm documentation completeness and data integrity for IT-controlled activities.
QC	• Use validated systems for data entry, review, testing documentation, and record approval. • Report system access issues, data integrity concerns, or electronic signature anomalies. • Comply with password, access, and security expectations for electronic systems.	• Ensure data entered in systems meets ALCOA+ principles. • Maintain security of login credentials. • Support audit readiness through complete and accurate electronic records. • Escalate system or data discrepancies to IT and QA.
Functional Supervisors (WH, PRO, PKG, SAN, ENG)	• Identify access needs for personnel in their departments. • Ensure personnel complete system training prior to requesting access. • Notify IT and QA when personnel roles change or access must be removed. • Support validation activities requiring functional SMEs.	• Maintain accurate mapping of system access to job responsibilities. • Ensure system users maintain required qualifications. • Support periodic access reviews and remediation. • Provide functional input during validation or change control.
Document Control	• Maintain controlled versions of IT-relevant SOPs, WINs, and validation documents. • Ensure electronic forms and templates are controlled and published through approved systems. • Support retrieval of electronic and validation records during audits.	• Ensure document lifecycle is synchronized with validated system changes. • Maintain traceability for controlled electronic document revisions. • Prevent use of outdated or uncontrolled electronic documentation.
Training & Competency	• Maintain training assignments for system-specific use, validation awareness, and Part 11 compliance. • Ensure users complete required training before IT grants access. • Maintain traceable system-training records for audits and inspections.	• Ensure training aligns with system functionality and security requirements. • Maintain ALCOA+ integrity of training records. • Support periodic retraining if system functionality or procedures change.
HR	• Provide IT and QA with updates on personnel status changes (new hires, role changes, terminations). • Support identity verification processes for account provisioning. • Maintain personnel records that affect access eligibility.	• Ensure access removal triggers are accurately communicated to IT. • Support validation or audit inquiries regarding employment history. • Maintain alignment between HR data and system access requirements.
BRM	• Maintain governance alignment across all systems and ensure IT controls integrate with enterprise workflows. • Identify cross-family risks related to electronic systems, validation, or data integrity. • Support harmonization of IT controls with L0 and enterprise processes.	• Validate consistency in IT-related requirements across all Families. • Support evaluation of changes affecting IT systems or electronic record processes. • Maintain visibility into IT impacts on cross-functional operations.
BPO	• Own governance of IT-related quality processes and ensure SOP alignment with L0 requirements. • Maintain oversight of validation strategy, system risk classification, and electronic data integrity controls. • Escalate systemic risks involving electronic systems or data security.	• Ensure IT Family Pack compliance with L0 governance and regulatory expectations. • Validate enterprise-wide consistency of IT controls. • Support audits, assessments, and regulatory inspections involving computerized systems.

Section 5 - Required AAs & Traceability Matrix (IT)

This section defines the authoritative Auditable Artifacts (AAs) required to demonstrate execution of Information Technology (IT) controls governing system access, electronic signatures, backup management, and computer system validation. All AAs listed below provide objective L4 evidence supporting Part 11, 21 CFR 111, and NSF/ANSI 455-2 requirements.

SOP	WIN	AA Doc ID	AA Name	Type	Purpose
SOP-IT-ACCESS	WIN-IT-ACCESS	AA-CHK-IT-ACCESS-APR	System Access Approval Checklist	CHK	Verifies QA-approved provisioning, modification, or removal of system access.
SOP-IT-ACCESS	WIN-IT-ACCESS	AA-LOG-IT-ACCESS-REL	User Access Change Log	LOG	Chronological record of all user access lifecycle events.
SOP-IT-ESIG	WIN-IT-ESIG	AA-FRM-IT-ESIG-REL	Electronic Signature Authorization Form	FRM	Authorizes users for compliant electronic signature use.
SOP-IT-ESIG	WIN-IT-ESIG	AA-REC-IT-ESIG-EVT	Electronic Signature Audit Record	REC	Provides objective evidence of Part 11–compliant e-signature execution.
SOP-IT-BACKUP	WIN-IT-BACKUP	AA-LOG-IT-BACKUP-DLY	System Backup Execution Log	LOG	Documents successful execution of scheduled system backups.
SOP-IT-BACKUP	WIN-IT-BACKUP	AA-REC-IT-RESTORE-EVT	Backup Restore Test Record	REC	Demonstrates verified system data restoration capability.
SOP-IT-VALIDATE	WIN-IT-VALIDATE	AA-FRM-IT-VAL-APR	Validation Approval Form	FRM	Documents QA approval of system validation lifecycle activities.
SOP-IT-VALIDATE	WIN-IT-VALIDATE	AA-REC-IT-VAL-REL	Validation Summary Report	REC	Confirms validated state and fitness for intended system use.

Authoritative, version-controlled instances of these AAs are maintained in the Enterprise Artifact System of Record (SOR) governed at the L0 level.

Section 6 - AA Deliverable Requirements

6.1 AA Deliverable Definitions

AA-CHK-IT-ACCESS-APR: Checklist confirming required approvals prior to access changes.
AA-LOG-IT-ACCESS-REL: Continuous log of access provisioning, modification, and revocation.
AA-FRM-IT-ESIG-REL: Controlled form authorizing electronic signature credentials.
AA-REC-IT-ESIG-EVT: Immutable audit record of electronic signature execution.
AA-LOG-IT-BACKUP-DLY: Log demonstrating completion of scheduled system backups.
AA-REC-IT-RESTORE-EVT: Evidence of successful data restoration testing.
AA-FRM-IT-VAL-APR: QA approval of validation strategy and results.
AA-REC-IT-VAL-REL: Validation Summary Report confirming intended use.

6.2 Emergency Use Only Checklist Mockup

Emergency Use Only — Not a Controlled Record

SYSTEM ACCESS APPROVAL CHECKLIST

[ ] Access request documented
[ ] Role-based access defined
[ ] Segregation of duties verified
[ ] QA approval obtained
[ ] Access provisioned
[ ] Access change logged

Operator Signature: __________  Date: ______
QA Signature: _________________ Date: ______

6.3 AA Type–Specific Execution Requirements

Checklists (CHK): Binary verification; failures require immediate QA escalation.
Logs (LOG): Real-time, chronological entries; no overwriting or deletion.
Forms (FRM): Approved prior to execution; complete metadata required.
Records (REC): ALCOA+ compliant and Part 11–controlled where electronic.

INFORMATION QMS FAMILY PACK

Table of Contents