Why Intranet SOPs Without Access Restrictions Violate GMP Standards
Introduction to the Audit Finding
1. The Issue Explained
Standard Operating Procedures (SOPs) hosted on the company intranet are accessible to all personnel without user authentication or role-based restrictions.
2. GMP Compliance Gap
- Unauthorized personnel may download, modify, or circulate SOPs
- Superseded or draft versions may be retrieved and followed by mistake
- No traceability of document access or usage
3. Systemic Risk
Open access to critical procedures can result in operational deviations, misapplication of SOPs, and lack of audit traceability.
4. Example Scenario
Operators accessed a superseded SOP from the intranet folder, leading to incorrect cleaning procedure execution — later flagged during a GMP audit.
Regulatory Expectations and Inspection Observations
1. USFDA 21 CFR 211.180(c)
Requires that records required under Part 211, which includes SOPs, be retained and readily available for authorized inspection; for records kept electronically, 21 CFR 11.10(d) additionally requires that system access be limited to authorized individuals. A repository that anyone on the network can read or alter meets neither expectation.
2. EU GMP Chapter 4
Stipulates that documents be prepared, reviewed and distributed with care, that access be limited to individuals who need them for the performance of their duties, and that systems be operated to prevent the inadvertent use of superseded documents once a revision is issued.
3. WHO TRS 996
Highlights the importance of document security and controlled distribution, especially for electronic formats.
4. Regulatory Observations
- USFDA: “Intranet hosted SOPs lacked user restrictions. Anyone in the network could access and print them.”
- MHRA: “Access to QA-controlled procedures via unsecured
Root Causes of SOP Access Control Lapses
1. IT-QA Disconnect
QA defines SOP distribution policy but IT implements document repositories without GMP-compliant access controls.
2. Shared Network Folders
SOPs are placed in general intranet folders with default read permissions across departments.
3. Absence of an Electronic Document Management System (EDMS)
Companies lacking an EDMS resort to uncontrolled methods of SOP sharing, such as e-mail attachments and network folders, so the effective version cannot be guaranteed at the point of use.
4. Lack of Training
Personnel are unaware of SOP access protocol and may unintentionally circulate unapproved versions.
Prevention of SOP Distribution Risks via Intranet
1. Role-Based Access Controls (RBAC)
Grant read access to SOP folders and documents only through Active Directory security groups mapped to job roles, or through the permission model of a document security product; remove any inherited entry that gives Everyone, Authenticated Users or Domain Users read access, and review group membership periodically.
2. Controlled Intranet Portals
Use a QA-approved SOP portal with login authentication that serves only the current effective version of each document, so drafts and superseded versions are not visible to end users.
3. SOP Listing, Not Hosting
Host SOP lists on intranet but link to controlled copies stored on a secure EDMS platform.
4. Watermark and Download Restrictions
Use view-only formats with user-specific watermarks for SOP PDFs. Watermarks deter uncontrolled sharing and attribute any leaked copy to its source, but they do not technically prevent copying, so they complement rather than replace access restrictions.
5. Real-Time Access Logs
Record who accessed, viewed, or downloaded which SOP version, and when, in an audit trail that users cannot edit or delete, for audit traceability and to detect anomalies such as repeated denied requests or access outside a person's role.
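The controls in this section (role-based access, serving only the effective version, and an audit trail that flags anomalies) are easier to reason about as code. The following is an added example written for this page, not code from the original article or from any EDMS vendor. It assumes a portal model in which each SOP record carries a version status and a distribution list of job roles, and in which every access decision, allowed or denied, is appended to a hash-chained log; the role name `qa_document_control`, the document ID and the user IDs are made up.

```python
"""Authorisation and tamper-evident audit trail for a controlled SOP portal.

Added example, not code from the original article or any vendor product.
Assumes: SOP records carry a status (draft/effective/superseded) and a role
distribution list; every decision is appended to a hash-chained log.
Role names, document IDs and user IDs are made up.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256

QA_ROLE = "qa_document_control"  # assumed name of the QA document-control role
GENESIS = sha256(b"sop-audit-trail-genesis").hexdigest()

@dataclass(frozen=True)
class Sop:
    doc_id: str
    version: str
    status: str        # "draft", "effective" or "superseded"
    roles: frozenset   # job roles on the controlled distribution list

@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset

def authorize(user, sop, action):
    """Deny by default; return (allowed, reason) for a view/download request."""
    if QA_ROLE in user.roles:
        return True, "QA document control may open any version"
    if sop.status != "effective":
        # Version locking: drafts and superseded copies are not served to users
        return False, f"{sop.doc_id} {sop.version} is {sop.status}, not effective"
    if not (user.roles & sop.roles):
        return False, f"user not on the distribution list for {sop.doc_id}"
    if action == "download":
        # Controlled copies stay in the portal; users get a view-only rendering
        return False, "download of controlled copies is restricted to QA"
    return True, "effective version, user on distribution list"

class AuditTrail:
    """Append-only access log. Each entry's hash covers the previous entry's
    hash, so altering or deleting any earlier entry makes verify() fail."""

    def __init__(self):
        self.entries = []
        self._last_hash = GENESIS

    def record(self, when, user, sop, action, allowed, reason):
        payload = "|".join((when.isoformat(), user.user_id, sop.doc_id,
                            sop.version, sop.status, action,
                            "ALLOW" if allowed else "DENY", reason))
        entry = {"user": user.user_id, "allowed": allowed, "payload": payload,
                 "hash": sha256((self._last_hash + payload).encode()).hexdigest()}
        self.entries.append(entry)
        self._last_hash = entry["hash"]

    def verify(self):
        """True if every entry's hash matches the chain from genesis."""
        prev = GENESIS
        for e in self.entries:
            if e["hash"] != sha256((prev + e["payload"]).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True

    def repeated_denials(self, threshold=3):
        """Users denied at least `threshold` times: a simple anomaly signal."""
        counts = Counter(e["user"] for e in self.entries if not e["allowed"])
        return {u for u, n in counts.items() if n >= threshold}

def request_access(trail, user, sop, action, when=None):
    """Every request is logged, allowed or not, before the answer is returned."""
    allowed, reason = authorize(user, sop, action)
    trail.record(when or datetime.now(timezone.utc), user, sop, action, allowed, reason)
    return allowed

def demo():
    """Constructed scenario mirroring the finding: a superseded cleaning SOP."""
    prod = frozenset({"production_operator"})
    v2 = Sop("SOP-CLN-012", "v2", "superseded", prod)
    v3 = Sop("SOP-CLN-012", "v3", "effective", prod)
    v4 = Sop("SOP-CLN-012", "v4", "draft", prod)
    operator = User("op.ramesh", prod)
    finance = User("fin.anita", frozenset({"finance"}))
    qa = User("qa.meera", frozenset({QA_ROLE}))
    trail, t = AuditTrail(), datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    results = {
        "operator_v3_view": request_access(trail, operator, v3, "view", t),
        "operator_v2_view": request_access(trail, operator, v2, "view", t),
        "operator_v4_view": request_access(trail, operator, v4, "view", t),
        "operator_v3_download": request_access(trail, operator, v3, "download", t),
        "finance_v3_view": request_access(trail, finance, v3, "view", t),
        "qa_v4_download": request_access(trail, qa, v4, "download", t),
        "chain_ok": trail.verify(),
        "flagged": trail.repeated_denials(),
    }
    # Simulate an edit to the log: flip the second entry's verdict in place
    trail.entries[1]["payload"] = trail.entries[1]["payload"].replace("DENY", "ALLOW")
    results["chain_ok_after_tamper"] = trail.verify()
    return results
```

Running `demo()` shows the operator reading the effective v3, being refused the superseded v2, the draft v4 and a download of v3, a finance user refused entirely, QA allowed everything, the operator flagged for three denials, and the log failing verification once an entry is edited. In a real deployment the chain would be anchored (for example by signing or periodically exporting the last hash) so that a user with write access to the log store still cannot rewrite history unnoticed.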
Corrective and Preventive Actions (CAPA)
1. Corrective Measures
- Remove SOPs from shared folders lacking proper access restrictions
- Transition SOP access to a secure EDMS or restricted SharePoint location
- Conduct a full access audit of all electronic SOPs: inventory every location where SOP files reside, record who can read or change each one, and identify draft or superseded copies sitting outside document control
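The access audit in the last corrective measure can be scripted. The following is an added example for this page, not a tool from the original article. It assumes the shared folder is exported from a POSIX host (for example a Samba share), so a file whose mode grants read to "other" stands in for an Everyone or Domain Users read entry; on an NTFS share hosted by a Windows server the same audit would read the ACL with `Get-Acl` in PowerShell instead. The folder layout and file names are constructed in a temporary directory so the script runs offline.

```python
"""Access audit of SOP files left on a shared network folder.

Added example, not from the original article. Assumes a POSIX-exported
share: mode bit "other readable" stands in for an Everyone / Domain Users
read ACE. The folder tree below is constructed for the demonstration.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

SOP_EXTENSIONS = {".pdf", ".doc", ".docx"}
# Name fragments that mark copies which should never sit on an open share
SUSPECT_NAME = re.compile(r"draft|old|superseded|obsolete|copy", re.IGNORECASE)


def audit_share(root):
    """Return sorted (relative path, finding) pairs for every SOP file under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SOP_EXTENSIONS:
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mode & stat.S_IROTH:
            findings.append((rel, "readable by every account on the host"))
        if SUSPECT_NAME.search(path.stem):
            findings.append((rel, "draft/superseded copy outside document control"))
    return sorted(findings)


def files_to_remediate(findings):
    """Distinct files that must be moved into the EDMS or have access revoked."""
    return sorted({rel for rel, _ in findings})


def build_sample_share():
    """Constructed share layout: one controlled copy, two uncontrolled ones."""
    root = Path(tempfile.mkdtemp(prefix="sop-share-"))
    layout = {
        "Production/SOP-CLN-012_v3.pdf": 0o640,        # group-only, current
        "Production/SOP-CLN-012_v2_old.pdf": 0o644,    # superseded, open to all
        "QA/Drafts/SOP-CLN-012_v4_draft.docx": 0o664,  # draft, open to all
        "Shared/readme.txt": 0o644,                    # not an SOP, ignored
    }
    for rel, mode in layout.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"placeholder\n")
        os.chmod(f, mode)  # explicit mode, independent of the process umask
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, finding in audit_share(share):
        print(f"{rel}: {finding}")
    print("files to remediate:", files_to_remediate(audit_share(share)))
```

Point `audit_share` at the real share root to get the list of files that need either an access change or relocation into the EDMS; the name heuristic is deliberately simple and should be extended with the site's own naming convention.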
2. Preventive Controls
Define SOP access policy in the Documentation Control SOP, specifying authorization levels and IT protocols.
3. IT-QA Governance
Establish a Document Access Governance Committee including QA and IT to monitor and audit document security systems.
4. Regulatory Alignment
Benchmark controls against the expectations of agencies such as TGA and USFDA to ensure security best practices in SOP hosting.
5. Training and Awareness
Include SOP access and security protocols in training modules for all document users.