We are creating a Sharepoint/Infopath form for users to request access to a GMP/Part 11/validated system.
The form is electronically approved by the employee manager and system administrator.
The form will not automatically grant a user access. The access still has to be provided manually by the system administrator after reviewing the form.
- Is there any reason for this form to be considered 21 CFR Part 11 relevant?
- Do we need to validate the form?
You always have to look back to the predicate rule to determine Part 11 applicability. Is there a rule that requires this form? Is there a rule that requires the form be signed?
I would presume that this is only a means to internally manage access and so Part 11 wouldn’t apply.
Also, don’t look at validation from a regulatory aspect. Look from a business aspect. Can the form be filled in in a way that will impact quality (including security)? What are the risks if the form is filled out incorrectly? Can the form be used to gain unauthorized access? Those should be the questions you ask when deciding whether or not to validate.