Installation Qualification (IQ)
Installation Qualification (IQ) is the documented verification that facilities, equipment, and computerized systems are installed correctly and conform to approved specifications, drawings, and vendor recommendations. EU GMP Annex 15 and Annex 11, 21 CFR Parts 211 and 820, GAMP 5, and ISA-95 frame the expectations for establishing a controlled baseline before OQ/PQ. V5 Ultimate captures the installation state, versions, and technical controls across MES, QMS, LIMS, WMS, and Maintenance in a single record, closing the loop to validation, data integrity, and change control.
01 What it is
Installation Qualification (IQ) is the documented verification that equipment, utilities, facilities, computerized systems (e.g., MES, eBMR/eDHR, LIMS), interfaces, and critical peripherals are installed in accordance with approved specifications, drawings, bills of materials, environmental prerequisites, and supplier recommendations. IQ creates the authoritative baseline of versions, configurations, and as-built status, under change control, from which Operational Qualification (OQ) and Performance Qualification (PQ) proceed. For computerized systems, IQ typically includes verification of infrastructure (servers, databases, clients), network topology, logical security, time synchronization, backup/restore readiness, and activation of audit trails, aligned to data integrity principles.
IQ draws on a risk-based lifecycle per EU GMP Annex 15 and GAMP 5, allowing use of supplier tests (FAT/SAT) where justified, while ensuring site-specific installation conditions are verified. It is distinct from engineering commissioning (which can supply evidence) and from OQ (which challenges functions) and PQ/PPQ (which demonstrates process performance). In regulated manufacturing, incomplete or poorly controlled IQ undermines the credibility of subsequent OQ/PQ and creates data integrity and quality system risks.
02 Regulatory basis and expectations
Regulators do not prescribe IQ step-by-step, but they require qualified equipment and validated systems. EU GMP Annex 15 describes qualification and validation as a lifecycle, expecting documented evidence that installation meets design and manufacturer requirements. Annex 11 adds expectations for computerized systems, including security, audit trails, backups, and change control. In the U.S., 21 CFR 211.63 and 211.68 require appropriate equipment design, installation, calibration, and controls for automated systems, while 21 CFR 820.70 requires manufacturers to establish and maintain procedures to ensure equipment is suitable for intended use, maintained, and appropriately installed.
GAMP 5 defines a scalable, risk-based approach tailored to system category and impact, encouraging the use of supplier documentation while ensuring that site installation evidence is captured. ISA-95 offers a reference model for scoping MES and integration layers so installation controls can be verified across Levels 3–4 (applications, interfaces) and, where applicable, Level 2 controls. Data integrity guidance (e.g., MHRA) reinforces that installation-level controls (time sync, secure user provisioning, audit trails, and backups) are foundational to trustworthy electronic records and signatures (Part 11/Annex 11).
03 Scope and acceptance criteria
An effective IQ scope captures: the physical asset or system boundary; prerequisite utilities (power, HVAC, compressed air, clean steam, water), environmental classification; networking and cybersecurity controls; installed software components and versions (OS, DBMS, application, middleware); configurations and parameters that affect validated state; license keys; and device/peripheral hookups (barcode scanners, label printers, scales). Acceptance criteria should be unambiguous, objective, and traceable to the URS/DS and supplier recommendations—e.g., server OS version equals approved list; audit trail function enabled and tamper-evident; NTP-sourced time sync within defined tolerance; backup jobs scheduled and successful with test restore; minimum cleanroom classification achieved; utilities within specified ranges.
- Documented as-built drawings, network diagrams, and rack elevations; redlines resolved or dispositioned
- Asset tags/serials match equipment lists; calibration status verified for critical instruments
- Software bill of materials (SBOM), version baselines, and checksum/signature verification retained
- Security hardening applied per standard build; local admin rights restricted; anti-malware configured
- Service accounts and roles defined; AD/LDAP integration tested; password policies enforced
- Backup/restore tested to a quarantined sandbox; evidence retained; retention configured
- All GMP-relevant audit trails enabled and time-synchronized; clock drift monitored
- Label printers and scanners installed with validated label templates and symbologies as applicable
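As an added illustration (not V5 Ultimate code or any vendor's tooling), the sketch below turns acceptance criteria of the kind listed above into objective pass/fail records with expected and actual values. The baseline layout, check IDs, file names, OS version strings and the 0.5-second drift tolerance are all assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def run_iq_checks(baseline: dict, observed: dict, root: Path) -> list:
    """Return one record per acceptance criterion: id, expected, actual, result."""
    results = []

    def record(check_id, expected, actual, passed):
        results.append({"id": check_id, "expected": expected, "actual": actual,
                        "result": "PASS" if passed else "FAIL"})

    record("IQ-OS-VERSION", baseline["os_versions_approved"], observed["os_version"],
           observed["os_version"] in baseline["os_versions_approved"])
    for rel, want in baseline["files"].items():
        path = root / rel
        # A missing file is recorded as a failure with evidence, not raised.
        got = sha256_file(path) if path.is_file() else "MISSING"
        record(f"IQ-CHECKSUM:{rel}", want, got, got == want)
    offset = abs(observed["ntp_offset_s"])
    record("IQ-TIME-SYNC", f"<= {baseline['max_ntp_offset_s']} s", offset,
           offset <= baseline["max_ntp_offset_s"])
    record("IQ-AUDIT-TRAIL", True, observed["audit_trail_enabled"],
           observed["audit_trail_enabled"] is True)
    return results

def demo() -> list:
    """Constructed install tree: one binary modified after approval, clock drifted."""
    approved = b"approved build 1.2.3"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "mes-service").write_bytes(approved)
        (root / "bin" / "label-agent").write_bytes(b"modified after approval")
        baseline = {  # hypothetical layout; real values come from the approved spec
            "os_versions_approved": ["ExampleOS 10.4", "ExampleOS 10.5"],
            "files": {"bin/mes-service": hashlib.sha256(approved).hexdigest(),
                      "bin/label-agent": hashlib.sha256(b"approved agent").hexdigest(),
                      "bin/print-driver": hashlib.sha256(b"driver").hexdigest()},
            "max_ntp_offset_s": 0.5,
        }
        observed = {"os_version": "ExampleOS 10.5", "ntp_offset_s": -0.8,
                    "audit_trail_enabled": True}
        return run_iq_checks(baseline, observed, root)

if __name__ == "__main__":
    for r in demo():
        print(r["result"], r["id"], "| expected:", r["expected"], "| actual:", r["actual"])
```

Each FAIL record carries the expected and actual values, so it can be attached directly to a deviation for impact assessment.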
04 Computerized systems IQ under GAMP 5
GAMP 5 frames IQ tasks by system category and software type. For configurable MES (generally GAMP Category 4 or 5 depending on extensibility), IQ focuses on platform installation, infrastructure qualification, and control of configuration items under change control. Supplier deliverables—installation guides, release notes, hardening baselines—are referenced and verified. Where supplier testing (FAT/SAT) demonstrates build integrity, site IQ still confirms environment alignment (OS/DBMS patch levels, virtualization settings, container orchestration parameters), unique site configurations (regional time zone/locale implications), and activation of compliance controls (Part 11/Annex 11 features).
Key GAMP-aligned IQ artifacts include: installation protocol with risk-rationale, executed test records and objective evidence (screenshots, command outputs, config exports), deviation management with impact assessment, traceability matrix mapping URS/DS to IQ acceptance criteria, and the final IQ report authorizing progression to OQ. Configuration baselines and environment snapshots (e.g., Infrastructure as Code manifests, VM templates, container images) should be versioned, signed, and linked in the validation repository to facilitate disaster recovery and reproducibility.
05 MES-specific IQ scope mapped to ISA-95
ISA-95 clarifies where MES sits between enterprise (Level 4) and control (Level 2). IQ must verify the installation and interfaces across these layers. Typical MES IQ checks confirm application servers, databases, client deployments, message brokers, interface adapters (ERP, QMS, LIMS, WMS), and shop-floor integrations (labelers, scales, PLC/SCADA gateways). Installation also documents role-based access aligned to manufacturing roles, audit trail activation for master data and e-records, time synchronization across nodes, and printing/scanning infrastructure with validated symbologies.
| Component | IQ Focus |
|---|---|
| Application Server(s) | OS build level; hardening; antivirus exclusions; services installed and configured per vendor; application binaries checksum-verified |
| Database Server | DBMS version; collation/locale; backups; transaction log sizing; encryption at rest; accounts and roles; maintenance plans |
| Client Workstations/Thin Clients | Runtime prerequisites; kiosk lockdown; local cache controls; printer drivers; time sync; restricted privileges |
| Integration Layer (ISA-95 B2MML/API) | Endpoints defined; certificates installed; queues/topics created; retry/dead-letter policies; trace logging enabled |
| Peripherals (Scales/Printers/Scanners) | Drivers/firmware versions; COM/IP mappings; template deployment; checksum of label formats; test prints/scans archived |
| Security & Identity | AD/LDAP binding; group-to-role mapping; password/session policies; privileged access management |
| Time Synchronization | NTP sources; offset thresholds; monitoring/alerting; evidence of synchronization |
| Backup/Restore | Job schedules; offsite replication; quarterly test-restore SOP; successful restore evidence with checksums |
| Monitoring/Logging | Syslog/agent deployment; event retention; log integrity; audit trail review capability |
06 Data integrity and cybersecurity at installation
Data integrity requirements (ALCOA+) begin at installation. IQ should verify that audit trails are configured, immutable, and time-aligned; that user access is role-based with unique IDs; and that backups are validated by test restore and protected from tampering. Annex 11 and Part 11 expect these controls to be demonstrably effective. Cybersecurity posture at installation affects validated state: hardening standards applied, patch levels recorded, default credentials eliminated, system services minimized, and network segregation enforced. NIST SP 800-82 controls for ICS complement GMP expectations by emphasizing asset inventories, boundary protection, and monitoring—controls that must be established and evidenced at IQ to reduce attack surface and maintain data integrity.
- Immutable audit trail storage with integrity checks; log forwarding to secured SIEM
- Secure time source hierarchy; documented max drift with corrective actions
- MFA for remote administration; PAM for service accounts; credential vaulting
- TLS certificates lifecycle documented; private keys controlled; strong cipher policies
- Malware protection tuned with vendor-recommended exclusions; change detection enabled
- Network ACLs and firewall rules captured; interfaces whitelisted; no open debug ports in production
07 Leveraging FAT/SAT and vendor evidence
Annex 15 and GAMP 5 encourage leveraging supplier testing (FAT) and site acceptance (SAT) when scientifically justified. The IQ protocol should include an evidence-leveraging plan: identify supplier tests that are installation-relevant, assess equivalence to site conditions, and perform targeted gap testing where environment or configuration differs. Maintain supplier certificates, installation guides, release notes, and cybersecurity advisories in the validation file. Where virtual appliances or containers are provided, verify cryptographic signatures and image provenance. Any deltas from the supplier’s qualified reference architecture must be addressed with additional IQ steps or risk controls before proceeding to OQ.
- Map supplier evidence to IQ acceptance criteria; document equivalence rationale.
- Identify environmental and infrastructure differences; plan gap testing.
- Execute site-specific verifications; archive objective evidence.
- Approve leveraged set via QA; escalate deviations with impact assessments.
- Baseline the final installed configuration; lock under change control.
08 Execution best practices and common pitfalls
IQ execution should be proceduralized with clear responsibilities and contemporaneous documentation. Use pre-approved checklists tied to specifications; capture evidence at the point of work (photos, command outputs, config exports); and manage deviations with impact assessments on product quality and data integrity. Maintain controlled as-built drawings and network diagrams, reconcile serial numbers and firmware levels, and verify calibration statuses for instruments that affect GxP data. Common pitfalls include treating IQ as a paperwork exercise, failing to record precise version/build identifiers, enabling only partial audit trails, omitting restore tests, neglecting time synchronization, and not baselining infrastructure-as-code or VM templates—each undermines reproducibility and traceability.
- Tie each IQ step to a URS/DS requirement and supplier recommendation; ensure objective pass/fail criteria.
- Export and sign configuration snapshots; store checksums alongside evidence artifacts.
- Perform negative tests where relevant (e.g., failed logon lockout) to prove security parameters are effective.
- Establish a clean rollback plan; verify golden image integrity and provenance.
- Schedule periodic re-verification (e.g., DR restore test) as part of ongoing control and CPV/metrics.
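One way to seal exported configuration snapshots together with their checksums, as an added example rather than code from the page or from any product it describes. HMAC-SHA256 from the Python standard library stands in here for an organisational digital signature; the key, IQ step ID and artifact names are constructed for illustration.

```python
import hashlib
import hmac
import json

def build_manifest(artifacts: dict, step_id: str, key: bytes) -> dict:
    """Checksum each evidence artifact and seal the list with an HMAC tag."""
    entries = [{"name": n, "sha256": hashlib.sha256(data).hexdigest()}
               for n, data in sorted(artifacts.items())]
    body = {"iq_step": step_id, "artifacts": entries}
    # Canonical JSON so the tag is reproducible byte for byte.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}

def verify_manifest(manifest: dict, artifacts: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means the evidence set is intact."""
    findings = []
    canonical = json.dumps(manifest["body"], sort_keys=True,
                           separators=(",", ":")).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        return ["manifest tag invalid: checksum list cannot be trusted"]
    listed = {e["name"]: e["sha256"] for e in manifest["body"]["artifacts"]}
    for name, digest in listed.items():
        if name not in artifacts:
            findings.append(f"missing artifact: {name}")
        elif hashlib.sha256(artifacts[name]).hexdigest() != digest:
            findings.append(f"checksum mismatch: {name}")
    for name in sorted(set(artifacts) - set(listed)):
        findings.append(f"unlisted artifact: {name}")
    return findings

# Constructed sample evidence for one IQ step (names and contents are made up).
KEY = b"demo-key-held-by-QA-not-by-the-executor"
EVIDENCE = {"db_config_export.ini": b"collation=UTF8\naudit=on\n",
            "ntp_status.txt": b"offset=+0.012s source=ntp1.example.internal\n"}
MANIFEST = build_manifest(EVIDENCE, "IQ-DB-007", KEY)

def tampered_copy() -> dict:
    """Same evidence set with the config export altered after sealing."""
    changed = dict(EVIDENCE)
    changed["db_config_export.ini"] = b"collation=UTF8\naudit=off\n"
    return changed

if __name__ == "__main__":
    print(verify_manifest(MANIFEST, EVIDENCE, KEY))
    print(verify_manifest(MANIFEST, tampered_copy(), KEY))
```

The tag is checked before any checksum is compared, because a checksum list that can be edited alongside the artifacts proves nothing.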
09 Integration with the validation lifecycle
IQ is anchored in the broader validation lifecycle: URS and DQ define what must be installed and why; IQ proves it is installed correctly; OQ challenges functional requirements and failure modes; PQ/PPQ demonstrates sustained performance under normal operations. Change control governs transitions between states and any post-IQ modifications (patches, hotfixes, configuration changes) require impact assessment and, where applicable, partial re-IQ or regression OQ. For MES and integrated platforms, alignment to ISA-95 clarifies system boundaries and interfaces—each interface or connector may have its own IQ evidence set tied to data integrity controls, error handling, and retry behaviors.
Quality metrics should include IQ health indicators: number of deviations, time-to-close, percentage of automated evidence capture, restore-test success rate, and audit trail configuration coverage. These feed management review and continued process verification of the validated state. For medical devices, link IQ outcomes to 21 CFR 820.70 procedures and, where software in production is safety-relevant, to risk management outputs so that installation controls address identified hazards (e.g., backup power, fail-safe modes, alarm routing).
10 When to re-IQ or re-verify
Requalification triggers are change-driven and risk-based. Material changes to infrastructure (OS/DBMS major upgrades, hypervisor changes), network topology affecting segregation or latency, security architecture (identity provider migration, certificate authority change), or application platform versions typically require partial or full re-IQ. Hotfixes and minor patches may be addressed by controlled verification steps if risk-justified. Relocation of equipment, introduction of new peripherals, or changes to utility feeds also drive re-IQ. Annex 15 expects periodic review and requalification aligned to the system’s criticality and change history; this should be codified in SOPs and linked with the site QMS change control.
- Major version upgrade of MES or database: full IQ subset plus targeted OQ regression
- Identity platform or domain change: security and access control re-verification
- Time source or NTP hierarchy change: re-verify time sync, audit trail timestamps, and drift alerts
- Data center migration or virtualization stack change: performance prerequisites and backup/restore re-test
- Peripheral replacement (e.g., scales/printers): driver/firmware IQ plus label/template checks
11 How V5 handles IQ across MES/QMS/LIMS/WMS/Maintenance
On a single platform, IQ benefits from consistent asset models, shared identity, and unified evidence capture. V5 Ultimate packages installation checklists aligned to Annex 11/15 and GAMP 5, auto-discovers installed components (servers, databases, services, connectors), and captures cryptographic hashes and version metadata. It verifies security baselines (roles, audit trail activation, password policies), records time synchronization state, and schedules a test-restore workflow with evidence artifact retention. Interfaces (ERP, QMS, LIMS, WMS) are treated as first-class configuration items with endpoint and certificate verification steps. The resulting IQ report links forward to OQ/PQ and backward to URS/DQ via a live traceability matrix, and is locked under change control for reproducibility.
Frequently asked questions
Q. How is IQ different from OQ and PQ?
IQ verifies and documents the correct installation against specs and supplier recommendations. OQ challenges functional requirements and failure modes under controlled tests. PQ (or PPQ) demonstrates the process performs as intended in routine conditions. Skipping or weakening IQ undermines OQ/PQ credibility and data integrity.
Q. What must be included in an IQ for a MES?
Include infrastructure verification (servers, DBMS, clients), network and security hardening, installed versions and checksums, identity integration, audit trail enablement, time sync, backup/restore testing, interface endpoints and certificates, and peripherals (scales/printers/scanners) with validated templates and drivers. Maintain objective evidence and a final IQ report.
Q. Can supplier FAT/SAT results replace site IQ?
They can be leveraged but not blindly replaced. Use a documented equivalence assessment to map supplier evidence to your acceptance criteria and execute gap testing for site-specific conditions. Annex 15 and GAMP 5 endorse this risk-based approach.
Q. How does IQ apply to cloud or SaaS MES?
Scope shifts to provider controls and tenancy configuration: verify service descriptions, data residency, identity integration, audit trail and backup controls, environment isolation, and change management. Capture evidence of the provider’s qualified infrastructure and your configured tenancy; execute restore and access control tests in your scope.
Q. When do we need to re-IQ?
Trigger re-IQ for major upgrades, infrastructure or identity changes, relocation, utility changes, or new peripherals. Minor patches may be covered by targeted verifications if risk-assessed. Periodic review should confirm the installed baseline still matches controlled specifications.
Primary sources
- EudraLex Volume 4 (EU GMP), including Annex 11 & Annex 15
- ISPE GAMP 5 Guide (2nd Edition)
- 21 CFR Part 211.63 (Equipment Design, Size, and Location)
- 21 CFR Part 211.68 (Automatic, Mechanical, and Electronic Equipment)
- 21 CFR Part 820.70 (Production and Process Controls)
- ISA-95 Enterprise-Control System Integration (Overview)
- NIST SP 800-82 Rev. 2 (ICS Security Guide)
- MHRA GxP Data Integrity Guidance and Definitions
Further reading
- IQ/OQ/PQ: How the three phases connect and where IQ stops and OQ/PQ start.
- IQ/OQ/PQ Workflow: Practical orchestration of protocol approval, execution, deviations, and closeout.
- Annex 15 Qualification & Validation: Regulatory backbone for risk-based qualification/validation including IQ.
- GAMP 5: Lifecycle and risk-based approach for computerized system validation.
- 21 CFR Part 11: Electronic records and signatures controls typically verified during IQ for systems.
- Factory Acceptance Test (FAT): Supplier evidence leveraged into IQ via equivalence and gap assessment.
- Commissioning & Decommissioning: How engineering commissioning relates to qualification and retirement.
