IT Infrastructure Qualification for Small & Medium Medical Devices Companies (and SaMD): ISO 13485:2016 Compliance

What is IT Infrastructure Qualification

Information Technology Infrastructure Qualification (IT IQ) is well established in regulated industries, particularly in Life Sciences sectors such as pharmaceuticals, biotechnology, and medical devices. Its objective is to ensure that the IT systems and infrastructure used in product development, manufacturing, testing, and distribution are reliable, secure, and compliant with the applicable standards.

The process consists of planned activities and documented evidence showing that the IT infrastructure meets the defined regulatory requirements and quality standards. Its key aspects are cybersecurity, regulatory compliance, risk assessment, change control, user access control, data integrity, periodic review, audits and inspections, training, and documentation.

Importance for Small & Medium Medical Device Companies

Regulatory standards apply uniformly to companies of all sizes and offer no leniency to smaller enterprises. Small and medium-sized companies should therefore treat cybersecurity as a matter of survival.

A significant breach could jeopardize projects and expose sensitive data, especially in highly regulated markets. Neglecting cybersecurity, or operating without proper documentation and IT governance, is a critical oversight.

Qualifying the infrastructure offers three key benefits:

Organizations that undertake this qualification demonstrate their commitment to quality, not only to their customers but also to regulatory authorities.

Is Infrastructure Qualification a requirement of ISO 13485:2016?

Yes. Clause 7.5.1, Control of production and service provision, lists ‘qualification of infrastructure’ as item (b). The clause requires production and service provision to be planned, carried out, monitored, and controlled so that product conforms to its specification, through production controls that include, but are not limited to, the qualification of infrastructure.

Furthermore, Clause 6.3 (Infrastructure) requires the organization to document the requirements for the infrastructure needed to achieve conformity to product requirements, prevent product mix-up, and ensure orderly handling of product. Information systems are named explicitly among the supporting services that infrastructure includes.

The same clause requires the organization to document the requirements for maintenance activities, including the interval at which they are performed, for infrastructure including IT, whenever such maintenance, or the lack of it, can affect product quality.

These maintenance requirements also apply to equipment used in production, to the work environment, and to monitoring and measurement. This is consistent with what is typically done during infrastructure qualification using a risk-based approach.

International Medical Device Regulators Forum (IMDRF)

The IMDRF facilitates international multilateral cooperation to converge regulations concerning medical devices and Software as a Medical Device (SaMD). The goal is to promote adaptable strategies for addressing emerging challenges while ensuring the protection and enhancement of public health and safety. Its membership includes competent authorities from diverse countries committed to collaborating on regulatory harmonization efforts.

IMDRF has several technical working groups that issue guidance documents. One of them concerns the subject of this post: ‘Software as a Medical Device (SaMD): Application of Quality Management System’, issued on 2 October 2015. This guide maps the requirements of the edition of ISO 13485 in force at the time onto the SaMD lifecycle processes and activities.

Item 8.3 of that guide points out that appropriately qualified automated tools and supporting infrastructure are essential for managing configuration and for maintaining traceability to the other lifecycle activities. This is precisely the advantage that infrastructure qualification provides.

When considering patient safety and clinical environment factors, as emphasized in various SaMD lifecycle processes and activities, it's essential to account for people, technology, infrastructure, and potential new hazards arising from implementation and usage. The qualification process for IT infrastructure can effectively address these considerations.

Impact of Unqualified Infrastructure

Medical facilities are increasingly targeted by cyber-attacks, with ransomware against IT systems the most common form.

Unlike other network devices, medical equipment has traditionally lacked robust security controls, which makes it an easy foothold for attackers who want to reach the rest of the network. Compromising such equipment lets an attacker disrupt or tamper with other devices and opens avenues to patient data.

The validated status of GxP applications, which are critical for patient safety, product quality, or data integrity, relies heavily on the underlying IT infrastructure. Failure to maintain this infrastructure in a controlled and compliant state can compromise the integrity of these applications.

To ensure compliance and mitigate risks, a planned qualification process involving specification and verification, based on industry best practices for IT, is essential.

IT Infrastructure Control

In summary, several key aspects should be verified for compliance regarding IT Infrastructure Qualification:

  • Change control management
  • Configuration management
  • Security management
  • Server management
  • Network management
  • Incident and problem management
  • Help Desk (also known as Service Desk in ITIL®)
  • Backup, restore, and archive
  • Disaster recovery
  • Performance monitoring
  • Supplier management
  • Quality assurance
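The qualification process described above is "specification and verification": the controlled state is written down, the actual state is observed, and the differences are recorded with evidence. The following script is an added illustration, not code from the article or from FIVE Validation, of what such a verification looks like for a single server. The specification, the observed state, the file paths, and the account names are all constructed for the example; a real implementation would collect the observed state from the host and keep the specification under change control. The record it produces carries a digest so that later edits to the record are detectable, which is the data-integrity aspect of the controls listed above.

```python
"""Added example: verify a server against a documented qualification spec.
Every value below is constructed for illustration; none comes from a real system."""
import hashlib
import json
from datetime import datetime, timezone

# Approved sshd_config content, as it would be recorded in the (hypothetical) spec.
APPROVED_SSHD_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n"


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed specification: the controlled state the server was qualified against.
SPEC = {
    "os_release": "22.04",
    "ntp_enabled": True,
    "disk_encrypted": True,
    "approved_admins": {"lilian", "silvia"},          # hypothetical accounts
    "file_hashes": {"/etc/ssh/sshd_config": sha256_text(APPROVED_SSHD_CONFIG)},
}

# Constructed observed state, as a collector would gather it on the host.
# Three deviations are planted: encryption off, an extra admin, an edited sshd_config.
OBSERVED = {
    "os_release": "22.04",
    "ntp_enabled": True,
    "disk_encrypted": False,
    "admins": {"lilian", "silvia", "tempadmin"},
    "files": {"/etc/ssh/sshd_config":
              "PermitRootLogin yes\nPasswordAuthentication no\nX11Forwarding no\n"},
}


def verify(spec: dict, observed: dict) -> list:
    """Compare the observed state to the spec; one result with evidence per check."""
    results = []

    def check(name, expected, actual):
        results.append({"check": name, "expected": expected, "actual": actual,
                        "status": "PASS" if expected == actual else "FAIL"})

    for key in ("os_release", "ntp_enabled", "disk_encrypted"):
        check(key, spec[key], observed[key])
    # User access control: any admin account outside the approved list is a failure.
    check("admin_accounts", [], sorted(observed["admins"] - spec["approved_admins"]))
    # Configuration management: each controlled file must match the approved content.
    for path, expected_hash in spec["file_hashes"].items():
        check(f"hash:{path}", expected_hash, sha256_text(observed["files"].get(path, "")))
    return results


def failures(results: list) -> list:
    return [r["check"] for r in results if r["status"] == "FAIL"]


def qualification_record(results: list, performed_by: str) -> dict:
    """Build the verification record and seal it with a digest over its canonical form."""
    record = {
        "performed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "performed_by": performed_by,
        "results": results,
        "overall": "PASS" if not failures(results) else "FAIL",
    }
    record["digest"] = sha256_text(json.dumps(record, sort_keys=True))
    return record


def record_intact(record: dict) -> bool:
    """True if the record's digest still matches its contents (no post-hoc edits)."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return sha256_text(json.dumps(body, sort_keys=True)) == record.get("digest")


if __name__ == "__main__":
    rec = qualification_record(verify(SPEC, OBSERVED), "qa.reviewer")
    print(json.dumps(rec, indent=2))
```

Run as-is, the record reports an overall FAIL with three failed checks (disk encryption, the unapproved account, and the sshd_config hash), and each failed check carries the expected and observed values, which is the evidence an auditor will ask for. The digest does not prevent tampering by someone who can rewrite the whole record; it only makes casual edits detectable. In practice the record should be stored in a system with its own audit trail, or signed with a key the verifier does not control.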

When an external vendor hosts or manages some or all aspects of a regulated cloud or IT infrastructure, several components of the Quality Management System (QMS) should undergo assessment. These include:

  • Quality Manual
  • Qualification documents
  • Risk assessment
  • Data privacy document
  • Datacenter management and monitoring
  • Change and configuration management
  • Disaster recovery plan
  • Document control
  • Training procedure
  • Internal audit procedure
  • Emergency response
  • Backup, restore, and archive

About the authors:

Lilian Ribeiro is a chemical engineer with a decade of technical and commercial expertise in the food industry, with a specialization in corporate quality and quality control. She also has valuable experience in the health and pharmaceutical sectors. As an advocate for paperless validation, she is passionate about introducing efficiency and innovation to life science companies. Lílian's extensive experience is instrumental in validation and qualification projects, encompassing VLMS, ERP, EQMS, automation (PW), and IT infrastructure qualification.

Silvia Martins is an electrical engineer with two decades of experience in the biopharmaceutical and medical device sectors. She has received training in GAMP5 and FDA 21 CFR Part 11 in England, SAP® validation in Germany, and has expertise in data integrity and data governance gained in Denmark. As the CEO and co-founder of FIVE Validation, a company committed to simplifying compliance processes, Silvia is dedicated to expediting and streamlining procedures for clients while maintaining a high level of robustness and compliance.

References

ISPE® GAMP® Good Practice Guide: IT Infrastructure Control and Compliance (Second Edition)

ISO 13485:2016 Medical Devices – Quality management systems – Requirements for regulatory purposes

IMDRF SaMD: Application of Quality Management System


GAMP5® is a guide that has its intellectual rights reserved by ISPE®. Available for purchase at