
IT Infrastructure Qualification: Better Risk Management Due to Regulatory Requirements

23/10/2025

A lab accident: a careless technician spills reagent, making the High Performance Liquid Chromatography (HPLC) archives unusable—with the most recent backup dating back six months. An intrusion into R&D computers: researchers scramble to assess the impact after highly sensitive data is stolen. A fire in the production workshop: a control cabinet is destroyed, shutting down production lines for two weeks. Whether caused by mistakes, deliberate actions, or unforeseen accidents, incidents like these can be anticipated and their risks better controlled through a robust IT infrastructure qualification process.

1. A quality system specific to the healthcare sector

Healthcare companies operate under strict regulations to safeguard patient safety, maintain product quality, and protect data integrity. In Europe, any computerized systems used in the pharmaceutical industry must comply with Annex 11 of Good Manufacturing Practices (GMP), as set out in EudraLex—the regulatory framework governing medicines within the European Union. Before computerized systems can be validated, the underlying IT (Information Technology) infrastructure must be qualified, since it underpins all essential IT processes, from incident management and system monitoring to data backup and recovery. The International Society for Pharmaceutical Engineering (ISPE) addressed these requirements in 2005 with the publication of the Good Automated Manufacturing Practice (GAMP) “Good Practice Guide IT Infrastructure Control and Compliance.”

IT infrastructure includes all the hardware and software resources necessary to ensure business applications function correctly. This might refer to an individual component—such as a network router—or an entire platform made up of several elements. Both single components and larger systems fall under regulatory scrutiny, so server rooms, networks (LAN, WAN, switches, etc.), SANs, virtual servers, monitoring tools, anti-spam systems, and more all need to be qualified.

It’s important to understand the terminology: “qualification” applies to infrastructure, while “validation” is reserved for computerized systems, although both follow the same structured approach. Key to this process are two guiding principles: the team responsible for validation should be independent from system operations, and the process should focus closely on critical points—identified through risk analysis. Comprehensive documentation is essential, and best practices must be followed. While regulatory compliance demands considerable time and resources, it is vital for ensuring data integrity and traceability. Ultimately, qualifying your IT infrastructure not only ensures compliance but also enables effective risk management, especially when it comes to security.

*LAN (Local Area Network), WAN (Wide Area Network) and SAN (Storage Area Networks, or dedicated storage networks).

2. Qualification: a step-by-step process

The qualification of IT infrastructure follows a structured process defined by applicable standards, ensuring regulatory compliance and helping to minimize the risk of system failures. Each step considers the unique specifics of the company or organization, such as interactions between its internal infrastructure and that of its partners. Every phase of the qualification process—from supplier selection to performance validation—plays a crucial role in guaranteeing the reliable and secure operation of systems.

Figure 1: The different stages of IT infrastructure qualification

2.1 Qualifying hosting providers and services

Regulatory bodies set out clear steps for qualification, but these must be tailored to the unique nature of each company’s infrastructure—especially regarding how systems are distributed across company locations and partner sites. The process begins with a thorough audit of suppliers to ensure they meet required standards and can be properly qualified.

Depending on the service agreement, the organization hosting the computerized systems may not actually own the underlying infrastructure, but is always responsible for safeguarding the integrity of both the data and the systems. Qualifying a hosting provider means gaining a deep understanding of their operational methods and confirming they comply with regulatory guidelines. Just as important, the provider needs to adequately address the company’s specific requirements. For providers working in multiple industries, it’s crucial to tailor processes to meet the particular needs of the healthcare sector.

For service providers offering business applications or internet access, their solutions are typically standardized for efficiency. While these services can be customized, conducting qualification is essential before signing any contract. Skipping this step risks receiving services that don’t align with actual needs or, worse, creates security gaps. That’s why a supplier qualification audit is so important—not just for regulatory compliance, but also as a critical measure to minimize risk.

2.2 Infrastructure design review

The design review is a documented process that verifies whether infrastructure components are properly designed for their intended use. Like a systems design review, it ensures that both regulatory and user requirements are integrated and correctly addressed.

Infrastructure components are classified according to GAMP categories. Although Category 1 items don’t need a full design review, focused testing is still critical. For instance, when reviewing a network design, attention should be paid to the underlying technology (such as Internet Protocol (IP) routing or the Transmission Control Protocol (TCP)) as well as the hardware being used. At a minimum, this review should be anchored by a detailed architectural record.

Importantly, the design review also serves to validate security-related features. This covers authentication processes (including directories and certificates), access controls, protective measures (like firewalls, antivirus, and antispam tools), and the assessment of encryption services and vendor-provided security patches.

2.3 Installation Qualification

Installation Qualification (IQ) isn’t about simply installing an infrastructure component or recording that it was installed—it’s about verifying that everything has been set up correctly. This means confirming that all necessary elements, and only those elements, are present, and that the supporting documentation is thorough and accurate. The documentation review includes supplier manuals, network topology and logic diagrams, procedures, system labeling standards, and more.

However, checking the documentation alone is not enough; targeted, precise tests must be carried out. These tests might include verifying environmental requirements for power supply, hardware elements like disk controllers, and software components such as server operating systems. Network hardware is also checked, both at the physical level and the logical configuration.
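As an added illustration of the IQ checks described above (example code written for this article, not part of the original, using a hypothetical HPLC data server and constructed inventory values), the function below compares the approved installation specification with what was actually found on the host and records every deviation, including elements that are present but were never approved.

```python
from dataclasses import dataclass, field


@dataclass
class IQResult:
    component: str
    deviations: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.deviations


def run_iq_check(spec: dict, observed: dict) -> IQResult:
    """Compare an observed host inventory with its approved IQ spec; return deviations."""
    r = IQResult(component=spec["component"])
    if observed.get("os") != spec["os"]:  # OS build must match the approved one exactly
        r.deviations.append(f"os: expected {spec['os']!r}, found {observed.get('os')!r}")
    want, have = spec["packages"], observed.get("packages", {})
    for name, ver in want.items():  # required packages, at their pinned versions
        if name not in have:
            r.deviations.append(f"package missing: {name}")
        elif have[name] != ver:
            r.deviations.append(f"package {name}: expected {ver}, found {have[name]}")
    for name in sorted(set(have) - set(want)):  # "only those elements" rule
        r.deviations.append(f"unexpected package present: {name}")
    want_p = set(spec["listening_ports"])  # logical network configuration
    have_p = set(observed.get("listening_ports", []))
    for port in sorted(want_p - have_p):
        r.deviations.append(f"required port not listening: {port}")
    for port in sorted(have_p - want_p):
        r.deviations.append(f"unexpected listening port: {port}")
    return r


# Constructed sample data for a hypothetical HPLC data server (not real values).
SPEC = {
    "component": "hplc-data-srv-01",
    "os": "Ubuntu 22.04 LTS",
    "packages": {"postgresql-14": "14.11", "openssh-server": "9.6p1"},
    "listening_ports": [22, 5432],
}
OBSERVED = {  # what the installer found: an unapproved telnet daemon listening on 23
    "os": "Ubuntu 22.04 LTS",
    "packages": {"postgresql-14": "14.11", "openssh-server": "9.6p1", "telnetd": "0.17"},
    "listening_ports": [22, 23, 5432],
}
```

Running `run_iq_check(SPEC, OBSERVED)` yields a failed IQ with two deviations to carry into the non-conformity record, which is exactly the evidence the handover to OQ depends on.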

After IQ is complete—and provided there are no major unresolved issues—the process moves on to Operational Qualification (OQ). This handover is outlined in the qualification plan, which details the approach for qualifying each component (or group of components) and clarifies the roles and responsibilities for everyone involved.

2.4 Operational Qualification

Operational Qualification (OQ) confirms that the installed infrastructure performs as expected. To ensure accuracy, tests should be conducted in conditions that closely resemble real-world production environments. For each component, the assessment covers its core functions, administrative capabilities (like managing access rights), and broader features related to business continuity.

Testing is guided by identified risks—based on the outcomes of the risk analysis. Rather than serving as a mere checkbox for compliance, these tests are specifically designed to expose potential issues. Beyond standard scenarios, testing should include boundary cases (e.g., what happens if data falls outside permitted values?), failure situations (e.g., what happens to the data if a computer disconnects from the network?), and stress tests (e.g., how does the system respond when all users are active at once?).

After operational testing, there should be clear proof that databases are correctly linked, response times under defined conditions meet expectations, and the infrastructure component operates according to all specified requirements.

2.5 Performance Qualification

Performance Qualification (PQ) is the last step in the qualification process. Its main goal is to verify that the infrastructure component or platform runs smoothly and reliably, in line with approved procedures and user requirements. PQ is often divided into two or three separate phases.

PQ confirms that the component or platform is fully prepared for deployment into production. Optionally, a Post-Implementation Qualification (PIQ) can be carried out once the system is live. PIQ tracks key performance indicators, which are monitored throughout the lifecycle of the infrastructure to ensure continued optimal operation.

3. Systematic Qualification

Once the qualification process is successfully completed, the infrastructure is both secure and fully operational. It’s worth noting that infrastructure tends to evolve quickly. While it supports all business systems, qualifying it individually through each application ends up being a repetitive effort. To improve efficiency, a parallel process called systematic qualification is used. With new approaches such as Infrastructure as Code, systematic qualification helps standardize infrastructure management and makes it easier to keep everything in a qualified state.

This process involves establishing IT procedures for change management, incident management, configuration control, network monitoring, and even data center maintenance. IT teams create detailed records for each infrastructure component and share them as needed. When validation teams prepare operational qualification tests for a business application, they can refer directly to these component records to complete their checks. This method streamlines the application qualification process by building on the already qualified infrastructure that hosts the application.


Conclusion

Annex 11 of the pharmaceutical GMPs is currently being revised, but IQ remains a core requirement. It’s highlighted throughout sections dealing with data security, as well as the availability of both systems and their data. Qualifying IT infrastructure is essential for ensuring regulatory compliance, system security, and optimal performance. The qualification process—covering IQ, OQ, and PQ—takes a structured and thorough approach to validating technical components while addressing the unique needs of users and business applications.

This approach isn’t limited to technical verification; it’s part of a forward-looking strategy to build an infrastructure that’s reliable and ready to meet both current and future demands. Achieving success depends on engaged teams, clearly defined responsibilities, and the seamless integration of established processes. By maintaining this high level of rigor, organizations not only achieve compliance but are also better equipped to anticipate and address upcoming challenges within a secure and dependable framework.


Need help?

Our experts help ensure the compliance of your IT infrastructures:

  • Audit / assessment of infrastructure compliance (Annex 11 / ISO 27001:2022)
  • Audit / assessment of proposed infrastructure services (Annex 11 / ISO 27001:2022)
  • Training on IT infrastructure qualification
  • Qualification execution:
    • Drafting and participation in risk analyses
    • Drafting and execution of IQ/OQ/PQ phases
    • Preparation of interim and final reports
    • Management of non-conformities (NC) and CAPA
  • Implementation and ongoing update of an IS/IT QMS with systematic, continuous qualification

Contact us at: solutionprojectdelivery@efor-group.com.