IT – Information Technology Business Process

The Information Technology (IT) business process governs the provision, operation, security, and support of computerized systems and infrastructure used to enable GMP and quality operations while preserving data integrity, availability, and compliance.

IT Operating Model

The IT Operating Model below illustrates how computerized systems are specified, implemented, operated, maintained, and controlled to support GMP processes as validated systems of record.

IT Inputs
Business and GMP system requirements
Regulatory and data integrity expectations
Approved system specifications and change requests

IT Control Flow

System Planning & Specification
Requirements definition, risk assessment, and system design

System Implementation & Validation
Configuration, testing, and validation of GMP-relevant systems

System Operation & Security
User access control, monitoring, backup, and cybersecurity

System Support & Maintenance
Incident management, change control, and lifecycle support

IT Lifecycle Control

IT Outputs
Validated systems of record
Secure and available GMP data
Traceable system and change records

IT systems supporting GMP activities operate as validated systems of record and must meet applicable data integrity, security, and availability requirements throughout their lifecycle.

Process Interfaces & Boundaries

Upstream: Business needs, process families, and regulatory requirements
Downstream: All GMP and quality process families – execution using validated systems
Governance: QMS defines CSV, data integrity, and Part 11 expectations; IT operates systems accordingly

Quality Control Requirements Supported by Information Technology

Information Technology is classified as a QC-Enabling Domain. IT activities support defined Quality Control Requirements in accordance with the Quality Control Requirements Index (QC-REQ-IDX) under the authority of Quality Control Operations (QCO).

QC-DI-004 – Electronic Record & System Governance: IT maintains governance of electronic systems supporting GMP activities, including system validation, data integrity, access control, audit trail management, backup, and disaster recovery controls.
QC-CHG-003 – Validation & Requalification Governance: IT executes system changes, upgrades, and configuration updates in accordance with defined validation and requalification requirements for GMP-impacting systems.

Information Technology does not establish product acceptance criteria or make disposition decisions. IT ensures validated system state and electronic record integrity to support Quality Control determinations within defined authority.

System incidents, data integrity concerns, or validation gaps identified during IT activities are documented and escalated through deviation, change control, or quality event processes in accordance with the enterprise Quality System.