Are audit trails required to capture user logins?

ejs101 · April 13, 2017, 10:31pm

In a gmp computerized system, does the audit trail required to capture user logins? I’ve just encountered a system which comes equipped with an audit trail. While the audit trail captures records including time/date/user when the system start/stop/abort or when changes are made to setpoints, user roles, etc., however, it does not capture the login if the user does not perform any such executions. Is this acceptable as far as compliance to 21 CFR Part 11?

I’m used to seeing systems where anytime a user access the system, a record is created.

Any insight is appreciated.

Thank you,

Boomer_Chemist · April 15, 2017, 8:38pm

I have my doubts. However, it is not expressly forbidden in the following PIC/S document. To me it seems against the ‘spirit’ of CSV (Computer Software Validation).

https://www.picscheme.org/layout/document.php?id=155

JaredCroft · April 17, 2017, 3:57pm

My sentiments are the same as boomer chemist. I guess for read only stuff (what you described above), you might not actually need to record who was looking at things. I am surprised that the log-in/log-out is not logged somewhere.

uhohraggy · April 18, 2017, 12:02am

If a tree falls in the forest and there is no one to hear it does it make a sound?

Sorry… couldn’t resist. I would think it would probably be ok, but it is odd… and I don’t think I’ve seen it before, but I have seen systems that anyone could view information without logging in (fairly common for various monitoring programs). For example, you might have a facilities temp monitoring program that displays the temp…the user may even be able to click around and look back at older data without requiring a login. Sort of like and old school chart recorder.

ejs101 · April 19, 2017, 12:10am

Hi All.

Thanks to all for your feedback. I actually reached out to the vendor who confirmed that the system indeed does not capture logins.

I’m glad to know that you all share a similar sentiment as I do.

Thanks.

David1 · April 30, 2017, 7:58pm

I would expect logins to be recorded. Especially if you may need to confirm that someone has read something for example an SOP on a particular date. You need to ask do I need to track usage of the system to fulfil a regulatory requirement.

Dr David Trew
BSc (Hons), PhD, CChem MRSC
Director

David Trew Consulting Ltd
Consultancy services for chemistry based businesses
and laboratory service sectors.

davidtrew@davidtrew.co.uk
Telephone: +44 (0)1494 700693
www.davidtrew.co.uk

Note: The information placed above is not intended to constitute Consultancy. No liability is accepted for losses incurred through reliance on same.