1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Granting user acces to GMP production systems

Discussion in 'Qualification & Validation (Also 21 CFR Part 11)' started by Eóin McMahon, Jan 16, 2020.

  1. Eóin McMahon

    Eóin McMahon New Member

    Jan 16, 2020
    Likes Received:
    Trophy Points:
    As an Automation Engineer I use quite a nice old method of granting access for people to automated production systems as follows:
    1. System owner requests a user gain access to a system, indicating their role and their completed training.
    2. I complete a paper form, attaching a training report, indicating the system, the users details, and the level of access and get the system owner to sign their approval.
    3. Once approved I grant the access to the system, sign it as administrator, and file the form in a folder with other forms.
    4. Then annually the system owner reviews a list of all users to the system (that I produce) to ensure the right people have access at the right level and are trained.

    So my issue is: I would like to get rid of all of this paper and signing approvals.
    So I propose that we do the same things but instead of a form I use a 'Work Order' on our Engineering Computerised Maintenance Management System. I would add the same detail in the Work Order as on the printed form.
    But in this instance the system owner would not approve granting of access.
    My argument is that if the owner or their delegate asked me in the first place why do I need to get them to approve of it? I don't believe documented approval is in any regulations, but I am open to correction on this.
    I would still have a traceable mechanism of granting access to systems that could be reviewed, but just less paper, printing, storage and compliance issues with form filling.
    Apologies if this is too long, but I am interested if anyone else is interested in this.
  2. yodon

    yodon Well-Known Member

    Aug 3, 2015
    Likes Received:
    Trophy Points:
    Hi Eóin, welcome to the QFO! Your post is not too long; sometimes (like here) the detail is necessary to get better responses.

    I agree with you that you have what sounds to be a bit of unnecessary bureaucracy. I also don't know of any regulations that require the approvals you indicate.

    It sounds like your proposed method would work but be sure:
    • it can't result in an unexpected escalation of privilege (nobody can skirt around controls)
    • the system owner has complete visibility (not a regulatory aspect necessarily but sounds like part of the culture there); i.e., knowing when someone is added and for what role
    You *might* consider doing a process FMEA type activity, considering if / how the change can go rogue (or not fulfill regulatory requirements since you did post in the Part 11 forum) and then ensure the controls are in place to prevent it. (And since this is in Part 11, you'll likely need to validate the system.)