IT infrastructure · EU GMP Annex 11 In development

Qualified once, verified per instance.

IT infrastructure is GAMP Category 1 — qualified, not validated. The building block is qualified once as a type; every instance is deterministically checked against the configuration baseline.

Relevant to EU GMP Annex 11, GAMP 5 (Category 1, Appendix M11) and the ISPE GAMP GPG on IT infrastructure.

Qualified, not validated — for Category 1 software the evidence is the recorded and verified version and configuration state, not a test campaign per machine.
One qualification, many implementations — the building block is qualified once; every instance is matched against the baseline, and drift becomes visible.
Related to equipment, deliberately separate — equipment is qualified per asset under Annex 15; the platform underneath as a type under Annex 11. Value and workflow are in preparation — in the pilot we build the discipline on your standard.

Check your use case → How the qualification workflow should run →

The full platform →

Annex 11GAMP 5 Cat. 1GAMP 5 M11ISPE GAMP GPG

Platform qualificationAnnex 11 · GAMP 5 Cat. 1

CMDB & configuration-item list as the registry · planned

Why IT infrastructure gets flagged in the audit

The platform carries every application. Its evidence rarely keeps up.

Annex 11 separates it in one sentence: the application is validated, the IT infrastructure is qualified. In practice, the evidence for the platform underneath your GxP applications lies scattered — build sheets, ticket histories, the knowledge of individual administrators. The more servers, sites and cloud shares, the harder it becomes to show that every instance still matches the qualified state.

Wrong verb, wrong effort

IT infrastructure gets treated like an application — or like equipment: every machine pushed through full test campaigns one by one. GAMP 5 takes a different route for Category 1; the extra effort adds no evidential value.

A baseline without a register

The configuration baseline lives in build sheets, in scripts or in the head of the most experienced person. Without a maintained configuration item list, the audit cannot show which state is actually the qualified one.

Drift goes unnoticed

Patches, ad-hoc changes and manual interventions alter instances gradually. Without a match against the baseline, the deviation surfaces in the audit — or not at all.

How traqx should map IT infrastructure

From inventory to a maintained state — one type, many instances.

The core principle stays the same as everywhere in traqx: Policy → SOP → Template. traqx should use your infrastructure policies, build SOPs, protocol templates and the configuration baseline to pre-structure qualification records, make source references visible and keep every decision traceable. The following steps describe the planned workflow — this use case is in preparation and will be built in the pilot on your real process.

Step 01 Capture platform inventory & baseline Building blocks, instances and their configuration items are kept as a register — name, model, OS and software versions, owner. The configuration baseline is captured under version control, instead of dissolving into build sheets. Planned · in preparation — workflow is built in the pilot

Step 02 Structure qualification plan & protocols traqx should pre-structure the platform qualification plan and protocols from your policies, build SOPs and templates — as a proposal that stands source-bound alongside, until you accept, change or reject it. The method stays yours; the structure and the evidence come from traqx. Planned · in preparation — proposal, no automatic write

Step 03 Qualify the building block once The platform type — say, an OS baseline or a standard VM image — is qualified once: qualified, not validated (GAMP Category 1). ITQ verification covers the technical check; the QA release stays strategic and risk-based. Both human — traqx does not qualify. Planned · in preparation — release stays with ITQ and QA

Step 04 Verify instances against the baseline Every new instance is deterministically matched against the qualified baseline — a version and configuration match instead of re-qualifying each machine. A deviation is surfaced as a review case, not silently accepted. Planned · in preparation — deterministic match, review on deviation

throughout Maintain the state · audit trail Qualification is not a one-off event: changes, backup/restore evidence and the periodic review stay linked to the record. The audit trail writes along: who, what, when, on what basis — as a continuously protected history. Planned · in preparation — audit trail on the same principle as live spokes

Check your use case → All five trust mechanisms →

Why this should hold up in the audit

The AI structures. Humans qualify.

Here too the traqx core principle applies: no AI output is silently written into a controlled record — and traqx does not qualify or certify any platform. traqx should generate, verify and monitor the evidence; the qualification decision stays with ITQ and QA. The infrastructure workflow is planned to build on the existing traqx architecture and is in preparation.

Generate A proposal stays a proposal Plan and protocol drafts should live as pending proposals on the record. The stored content stays unchanged until a human acts — no platform qualifies itself.

Verify Two-stage human release ITQ verification (SME, technical check) is the default path; the QA release stays strategic and risk-based — not every document, but every significant decision. Both stages are attributed, audited decisions; there is no autonomous release.

Monitor Source-bound instead of invented Proposals should draw from your infrastructure policies, build SOPs and approved templates. Every citation is checked deterministically against this pool; an invented source is surfaced as a warning, not output as truth.

By construction

What a building-block qualification should structurally secure.

1× → n

qualified as a type, verified per instance

The building block should be qualified once and every instance matched against the baseline. The audit question “why does the match suffice instead of re-qualifying?” becomes answerable on the record — Category 1: qualified, not validated.

Drift

becomes visible

Deviation from the qualified baseline should appear as a review case, not quietly disappear. Review-by-exception directs attention to the exception — conformance already carries its evidence.

silent AI writes

No proposal should enter the record without human approval. By construction — not by discipline. This principle applies platform-wide; the infrastructure workflow on top of it is in preparation.

Status: in preparation. This use case is not yet available — value and workflow are planned, not a live feature. The structural properties shown here describe the planned discipline on the existing traqx architecture; traqx does not qualify any platform and gives no guarantee of an audit outcome — but better preparation. We publish reliable time or cost effects only with real pilot or case-study data.

Questions from practice

Common questions on IT infrastructure qualification

Does IT infrastructure need to be validated or qualified?

Qualified: EU GMP Annex 11 requires IT infrastructure to be qualified — the applications running on it are validated. The difference determines testing depth and documentation: the infrastructure must demonstrably be operated under control, not evidence every use case.

What counts as GxP-relevant IT infrastructure?

Servers, network components, virtualisation, operating systems, databases and cloud platform services — the platform GxP applications run on. GxP-relevant is whatever can affect the integrity, availability or traceability of regulated data.

How do you qualify cloud infrastructure?

Through a robust supplier assessment (certifications and audit rights, for example), defined configuration baselines, documented verification of your own instances against those baselines, and consistent change control. Responsibility stays with the regulated company — in the cloud too.

How often must IT infrastructure be requalified?

Change-driven and risk-based: every relevant change goes through change control and is verified against the baseline; periodic reviews confirm the qualified state. Once qualified cleanly as a building block, every instance can be evidenced against the same baseline.

More disciplines

One platform, many use cases.

Same trust architecture — sources first, AI as a suggestion, human decides, audit trail stays — across every GxP discipline.

CSV SOP management Audit readiness Equipment Process CAPA Change control Cleanroom Suppliers

Security & standards · built for traceable evidence

Made in Germany GDPR-compliant · EU-hosted No model training on your data

Built forGAMP 5EU-GMP Annex 1121 CFR Part 11ALCOA+

MembershipsISPEPDAGQMA

Founded by CSV experts with 15+ years of domain expertise

Pilot program · IT infrastructure in preparation · built together

Help shape platform qualification with us.

IT infrastructure qualification is in preparation — and that is exactly why now is the right moment. Bring a real building block into the pilot — say, an OS baseline or a standard VM image — and build the discipline with us on your standard, instead of having a finished template imposed on you.

Book a 30-minute demo slot → Check your use case → Read FAQ →

No sales pitch — a short conversation around your concrete infrastructure scope. IT infrastructure qualification stays clearly marked as a roadmap use case; we assess together whether a build-out pilot makes sense. The assessment is yours even if you say no afterwards; source room deleted on request with evidence.

Roadmap pilots only when we can accompany the scope with full attention · discovery in order of arrival