Source: SOP Guide for Pharma (https://www.pharmasop.in), category "GMP document security gap". Published Wed, 27 Aug 2025 22:10:38 +0000 at https://www.pharmasop.in/risks-of-unrestricted-intranet-access-to-sops-a-gmp-weakness/

Risks of Unrestricted Intranet Access to SOPs: A GMP Weakness

Why Intranet SOPs Without Access Restrictions Violate GMP Standards

Introduction to the Audit Finding

1. The Issue Explained

Standard Operating Procedures (SOPs) hosted on the company intranet are accessible to all personnel without user authentication or role-based restrictions.

2. GMP Compliance Gap

  • Unauthorized personnel may download, modify, or circulate SOPs
  • Old or draft versions may be accessed and followed by mistake
  • No traceability of document access or usage

3. Systemic Risk

Open access to critical procedures can result in operational deviations, misapplication of SOPs, and lack of audit traceability.

4. Example Scenario

Operators accessed a superseded SOP from the intranet folder, leading to incorrect cleaning procedure execution — later flagged during a GMP audit.

Regulatory Expectations and Inspection Observations

1. USFDA 21 CFR 211.180(c)

Requires that all records, including SOPs, be controlled, retained, and readily available only to authorized personnel.

2. EU GMP Chapter 4

Stipulates that access to documents should be restricted to individuals who need them for the performance of their duties.

3. WHO TRS 996

Highlights the importance of document security and controlled distribution, especially for electronic formats.

4. Regulatory Observations

  • USFDA: “Intranet hosted SOPs lacked user restrictions. Anyone in the network could access and print them.”
  • MHRA: “Access to QA-controlled procedures via unsecured intranet folder was observed.”

Root Causes of SOP Access Control Lapses

1. IT-QA Disconnect

QA defines SOP distribution policy but IT implements document repositories without GMP-compliant access controls.

2. Shared Network Folders

SOPs are placed in general intranet folders with default read permissions across departments.

3. Absence of Electronic Document Control System

Companies lacking an EDMS resort to uncontrolled methods of SOP sharing, compromising version integrity.

4. Lack of Training

Personnel are unaware of the SOP access protocol and may unintentionally circulate unapproved versions.

Prevention of SOP Distribution Risks via Intranet

1. Role-Based Access Controls (RBAC)

Set document-level permissions on intranet folders using Active Directory roles or document security software.

2. Controlled Intranet Portals

Use a QA-approved SOP portal with login authentication and version locking mechanisms.

3. SOP Listing, Not Hosting

Host SOP lists on the intranet, but link to controlled copies stored on a secure EDMS platform.

4. Watermark and Download Restrictions

Use view-only formats with user-specific watermarks to prevent uncontrolled sharing of SOP PDFs.

5. Real-Time Access Logs

Track who accessed, viewed, or downloaded SOPs for audit traceability and to detect anomalies.
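
As an added illustration (not part of the original article), the sketch below reviews an SOP access log for the conditions described above: unauthenticated access, access by a role that is not authorized for the document, and use of a superseded version as in the example scenario. The log layout, SOP IDs, user names and role names are constructed assumptions; a real EDMS or portal will have its own export format.

```python
import csv
import io

# Constructed register of controlled SOPs: effective version and the roles
# allowed to read each one (hypothetical IDs and role names).
SOP_REGISTER = {
    "SOP-CLN-014": {"effective": "05", "roles": {"production", "qa"}},
    "SOP-QA-002": {"effective": "03", "roles": {"qa"}},
}

# Constructed access-log sample: timestamp,user,role,action,sop_id,version
SAMPLE_LOG = """\
2025-08-01T08:02:11Z,asharma,production,view,SOP-CLN-014,05
2025-08-01T08:15:40Z,rpatel,production,download,SOP-CLN-014,04
2025-08-01T09:01:03Z,-,-,view,SOP-QA-002,03
2025-08-01T09:30:27Z,mjones,warehouse,print,SOP-QA-002,03
2025-08-01T10:12:00Z,kiyer,qa,view,SOP-XX-999,01
"""


def review_access_log(log_text, register=SOP_REGISTER):
    """Return (timestamp, user, sop_id, reason) for each entry needing QA review."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            # Never drop an unreadable audit record silently.
            findings.append(("?", "?", "?", f"malformed entry: {row!r}"))
            continue
        ts, user, role, action, sop_id, version = row
        entry = register.get(sop_id)
        if entry is None:
            findings.append((ts, user, sop_id, "document not in controlled register"))
            continue
        if user in ("", "-"):
            findings.append((ts, user, sop_id, "unauthenticated access"))
        elif role not in entry["roles"]:
            findings.append((ts, user, sop_id, f"role '{role}' not authorized"))
        if version != entry["effective"]:
            findings.append((ts, user, sop_id,
                             f"{action} of version {version}, effective is {entry['effective']}"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(" | ".join(finding))
```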

Corrective and Preventive Actions (CAPA)

1. Corrective Measures

  • Remove SOPs from shared folders lacking proper access restrictions
  • Transition SOP access to a secure EDMS or restricted SharePoint location
  • Conduct a full access audit of all electronic SOPs

2. Preventive Controls

Define SOP access policy in the Documentation Control SOP, specifying authorization levels and IT protocols.

3. IT-QA Governance

Establish a Document Access Governance Committee including QA and IT to monitor and audit document security systems.

4. Regulatory Alignment

Benchmark controls with agencies such as TGA and USFDA to ensure security best practices in SOP hosting.

5. Training and Awareness

Include SOP access and security protocols in training modules for all document users.
