A validated CMMS is only as secure as its user access controls — and periodic access reviews are a core expectation under 21 CFR Part 11, EU Annex 11, and the ISPE GAMP 5 framework for computerized system controls. Inactive accounts, shared credentials, and unreviewed role escalations are the three most common Part 11 findings during FDA inspections of pharmaceutical CMMS platforms. This inspection checklist gives your quality team a structured, audit-ready process for running a complete access review that covers user roles, inactive accounts, approval records, shared account elimination, and full electronic audit trail verification. Every item maps to a specific regulatory requirement so your team can work through the review with confidence — and book a demo with Oxmaint to see how automated access controls reduce the manual effort on every review cycle.
Inspection Compliance
Validated CMMS User Access Review for Pharma
A step-by-step access review framework for QA teams — covering roles, inactive accounts, shared credentials, approval records, and Part 11 audit trail integrity.
78%
of Part 11 inspections cite access control gaps as a primary finding
Quarterly
Minimum review frequency recommended by FDA for GMP-critical systems
0
Shared accounts permitted in a validated CMMS under Part 11 §11.10(d)
Phase 1 — User Role Review
Verify Every Role Matches Current Job Function
1
Export full user roster with assigned roles
Pull a complete list of all active CMMS users including name, employee ID, department, role level (technician / supervisor / planner / admin), and date of last login. This is the baseline document for the review.
Part 11 §11.10(d) — Limiting system access to authorized individuals
2
Verify roles against current org chart and job descriptions
Cross-reference every user's assigned role with their current job title. Flag any user whose role grants permissions beyond their current job function — especially admin or approval rights given during onboarding that were never downgraded.
GAMP 5 §10.4 — Access controls reflect current operational roles
3
Identify and document role escalations since last review
Review the audit trail for any permission changes since the previous access review. Every escalation must have a linked change request, QA approval, and justification on file. Undocumented escalations are a direct Part 11 observation risk.
Part 11 §11.10(k) — Audit trails for operator actions affecting GMP data
4
Confirm separation of duties for approval and execution roles
No single user should have both the ability to create a work order and electronically close it without a second approver. Verify that the CMMS role matrix enforces this separation for all safety-critical and GMP-critical maintenance tasks.
EU Annex 11 §12.4 — Data checks should include separation of duties
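The four Phase 1 steps above reduce to three mechanical checks that can be run over the exported roster and the permission-change audit entries: role rank versus the role the job title justifies, a separation-of-duties test on each user's effective permissions, and a completeness check on every grant since the last review. The script below is an added example written for this checklist; it is not Oxmaint code or any CMMS vendor's export format. The role names, permission names (wo.create, wo.approve_close, etc.), job-title mapping, and the roster and change records are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data for illustration only; nothing here is exported from a real CMMS.
# Permissions each CMMS role grants (hypothetical permission names).
ROLE_PERMISSIONS = {
    "technician": {"wo.create", "wo.execute"},
    "planner":    {"wo.create", "wo.schedule"},
    "supervisor": {"wo.schedule", "wo.approve_close"},
    "admin":      {"user.manage", "role.assign", "audit.view"},
}
# Rank used to decide whether an assigned role exceeds what the job justifies.
ROLE_RANK = {"technician": 1, "planner": 2, "supervisor": 3, "admin": 4}
# Highest role the current org chart / job description justifies per job title.
JOB_TO_ROLE = {
    "Maintenance Technician": "technician",
    "Maintenance Planner": "planner",
    "Maintenance Supervisor": "supervisor",
    "CMMS System Owner": "admin",
}
# Permission pairs that must never coexist on one account (EU Annex 11 §12.4).
SOD_CONFLICTS = [("wo.create", "wo.approve_close")]


@dataclass(frozen=True)
class User:
    user_id: str
    name: str
    job_title: str
    role: str
    extra_permissions: frozenset = frozenset()  # ad-hoc grants outside the role


def effective_permissions(user):
    return set(ROLE_PERMISSIONS[user.role]) | set(user.extra_permissions)


def check_role_fits_job(user):
    """Step 2: a role ranked above what the job title justifies is drift."""
    justified = JOB_TO_ROLE.get(user.job_title)
    if justified is None or ROLE_RANK[user.role] > ROLE_RANK[justified]:
        return {"user_id": user.user_id, "check": "role_exceeds_job",
                "citation": "GAMP 5 §10.4",
                "detail": f"role {user.role!r} assigned to {user.job_title!r}"}
    return None


def check_separation_of_duties(user):
    """Step 4: one account must not both create a work order and approve its closure."""
    perms = effective_permissions(user)
    for a, b in SOD_CONFLICTS:
        if a in perms and b in perms:
            return {"user_id": user.user_id, "check": "separation_of_duties",
                    "citation": "EU Annex 11 §12.4", "detail": f"holds both {a} and {b}"}
    return None


def check_escalations(permission_changes):
    """Step 3: every grant since the last review needs a change request, QA approval and justification."""
    findings = []
    for ch in permission_changes:
        gaps = [k for k in ("change_request", "qa_approved", "justification") if not ch.get(k)]
        if gaps:
            findings.append({"user_id": ch["user_id"], "check": "undocumented_escalation",
                             "citation": "Part 11 §11.10(k)",
                             "detail": f"{ch['grant']} on {ch['date']} missing {', '.join(gaps)}"})
    return findings


def review_roles(roster, permission_changes):
    """Run the Phase 1 checks and return one finding dict per problem."""
    findings = []
    for user in roster:
        for check in (check_role_fits_job, check_separation_of_duties):
            f = check(user)
            if f:
                findings.append(f)
    findings.extend(check_escalations(permission_changes))
    return findings


# Constructed roster export and permission-change audit entries.
SAMPLE_ROSTER = [
    User("U001", "Ana Torres", "Maintenance Technician", "technician"),
    User("U002", "Ben Okafor", "Maintenance Supervisor", "admin"),      # temporary admin never reverted
    User("U003", "Chen Wei", "Maintenance Planner", "planner", frozenset({"wo.approve_close"})),
    User("U004", "Dana Ruiz", "CMMS System Owner", "admin"),
]
SAMPLE_CHANGES = [
    {"user_id": "U002", "date": "2024-03-12", "grant": "role admin",
     "change_request": "CR-2024-031", "qa_approved": True, "justification": "cover system owner leave"},
    {"user_id": "U003", "date": "2024-05-02", "grant": "permission wo.approve_close",
     "change_request": None, "qa_approved": False, "justification": ""},
]

if __name__ == "__main__":
    for f in review_roles(SAMPLE_ROSTER, SAMPLE_CHANGES):
        print(f"{f['user_id']}  {f['check']:<25} {f['citation']:<20} {f['detail']}")
```

Note that U002's admin grant has a complete approval record and still produces a finding: approval at the time of the grant does not make the role correct today, which is why step 2 compares against the current org chart rather than the change log.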
Phase 2 — Inactive Account Review
Disable or Remove Accounts No Longer in Active Use
5
Flag accounts with no login activity in 90+ days
Filter the user roster for accounts where last login exceeds 90 days. These accounts represent an open attack vector and a compliance liability — each must be reviewed for justification or disabled immediately.
FDA Data Integrity Guidance 2018 — Dormant accounts require documented justification
6
Cross-check departed employees against HR termination list
Pull the HR offboarding list for the review period and confirm that every departed employee's CMMS account was disabled on or before their last working day. Accounts that remained active post-termination require a formal investigation record.
Part 11 §11.300(b) — Ensuring account credentials are periodically checked
7
Review contractor and vendor accounts for expiry
Third-party accounts must have a defined expiry date set at account creation. Any contractor account still active after the contract end date must be disabled and the gap documented as a CAPA item if the contractor no longer has site access.
EU Annex 11 §12.1 — Appropriate controls for external system access
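Steps 5 to 7 are the Phase 2 checks, and they can be applied in one pass over the roster export joined with the HR offboarding list. The following is an added example for this checklist, not Oxmaint code; the account fields, the severity labels (taken from the Quick Reference table on this page), and all roster, termination and date values are constructed. It treats two edge cases the text calls out explicitly: an account that was disabled, but only after the employee's last working day, and an account that shows a login after that day, both of which need an investigation record rather than a simple disable.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_DAYS = 90  # step 5 threshold


@dataclass(frozen=True)
class Account:
    user_id: str
    account_type: str                 # "employee" or "contractor"
    status: str                       # "active" or "disabled"
    last_login: Optional[date]        # None = never logged in
    disabled_on: Optional[date] = None
    contract_end: Optional[date] = None   # must be set at creation for contractors (step 7)


def _finding(acct, check, severity, citation, detail):
    return {"user_id": acct.user_id, "check": check, "severity": severity,
            "citation": citation, "detail": detail}


def review_inactive_accounts(roster, hr_terminations, review_date):
    """Phase 2 checks. hr_terminations maps user_id -> last working day (HR offboarding list)."""
    findings = []
    for acct in roster:
        last_day = hr_terminations.get(acct.user_id)
        if last_day is not None:                                     # step 6
            if acct.status == "active":
                findings.append(_finding(acct, "departed_employee_active", "Critical", "Part 11 §11.300(b)",
                                         f"still active {(review_date - last_day).days} days after last working day"))
            elif acct.disabled_on is not None and acct.disabled_on > last_day:
                findings.append(_finding(acct, "disabled_after_termination", "Critical", "Part 11 §11.300(b)",
                                         f"disabled {(acct.disabled_on - last_day).days} days late; investigation record required"))
            if acct.last_login is not None and acct.last_login > last_day:
                findings.append(_finding(acct, "login_after_termination", "Critical", "Part 11 §11.300(b)",
                                         f"last login {acct.last_login} is after last working day {last_day}"))
            continue  # departed users are handled above; do not double-report them as dormant
        if acct.status != "active":
            continue
        if acct.account_type == "contractor":                        # step 7
            if acct.contract_end is None:
                findings.append(_finding(acct, "contractor_no_expiry", "Major", "EU Annex 11 §12.1",
                                         "no expiry date set at account creation"))
            elif acct.contract_end < review_date:
                findings.append(_finding(acct, "contractor_past_expiry", "Major", "EU Annex 11 §12.1",
                                         f"contract ended {acct.contract_end}, account still active"))
        idle = (review_date - acct.last_login).days if acct.last_login else None   # step 5
        if idle is None or idle > DORMANT_DAYS:
            findings.append(_finding(acct, "dormant_account", "Minor", "FDA Data Integrity Guidance 2018",
                                     "never logged in" if idle is None else f"no login for {idle} days"))
    return findings


# Constructed roster export and HR offboarding list, reviewed on 2024-06-30.
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_ROSTER = [
    Account("U001", "employee",   "active",   date(2024, 6, 28)),
    Account("U005", "employee",   "active",   date(2024, 2, 10)),     # 141 days idle
    Account("U006", "employee",   "active",   date(2024, 6, 1)),      # left on 2024-05-15, still logging in
    Account("U007", "employee",   "disabled", date(2024, 5, 16), disabled_on=date(2024, 5, 20)),
    Account("U008", "contractor", "active",   date(2024, 5, 30), contract_end=date(2024, 5, 31)),
    Account("U009", "contractor", "active",   date(2024, 6, 20), contract_end=date(2024, 12, 31)),
    Account("U010", "employee",   "active",   None),                  # created, never used
]
HR_TERMINATIONS = {"U006": date(2024, 5, 15), "U007": date(2024, 5, 17)}

if __name__ == "__main__":
    for f in review_inactive_accounts(SAMPLE_ROSTER, HR_TERMINATIONS, REVIEW_DATE):
        print(f"[{f['severity']:<8}] {f['user_id']} {f['check']:<27} {f['detail']}")
```

An account that has never logged in (U010) is reported as dormant rather than skipped: a never-used account is still an enabled credential, and the same "justify or disable" disposition applies.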
Phase 3 — Shared Account Elimination
Confirm Zero Shared or Generic Accounts Exist
8
Search for accounts without a named individual owner
Run a search for usernames containing generic terms: "admin," "maintenance," "operator," "test," "temp," or department names. Any account that cannot be traced to a named, current employee must be treated as a shared account violation.
Part 11 §11.10(d) — Individual identification required for each system user
9
Review shift-change login patterns for credential sharing
Examine the audit trail for accounts that show login activity from multiple device locations within the same shift window — a common indicator of credential sharing between operators. Document all instances found and initiate CAPA if confirmed.
FDA Data Integrity Guidance — Individual user traceability in electronic records
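Both Phase 3 steps can be automated against the account list and the login events in the audit trail: step 8 is a token match on usernames plus an ownership check, and step 9 groups each account's logins by shift window and flags any window in which the account was used from more than one device. The code below is an added example for this checklist, not Oxmaint's implementation. The department-name list, the three fixed eight-hour shift windows, the usernames, device ids and login timestamps are all constructed; a site would substitute its own department names and shift pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Generic terms from step 8 plus site department names (constructed list).
GENERIC_TERMS = ["admin", "maintenance", "maint", "operator", "test", "temp"]
DEPARTMENT_NAMES = ["qa", "qc", "engineering", "utilities"]
SHIFT_HOURS = 8   # three fixed shift windows per day: 00-08, 08-16, 16-24

# Match a term only as a whole token (delimited by non-letters or the string ends)
# so that e.g. "ttempleton" is not flagged for "temp".
_GENERIC_RE = re.compile(
    r"(?:^|[^a-z])(?:" + "|".join(map(re.escape, GENERIC_TERMS + DEPARTMENT_NAMES)) + r")(?:[^a-z]|$)",
    re.IGNORECASE,
)


def find_generic_accounts(accounts):
    """Step 8. accounts maps username -> owner employee id (None if no named owner).
    Returns usernames that look generic or cannot be traced to a named individual."""
    return sorted(u for u, owner in accounts.items() if owner is None or _GENERIC_RE.search(u))


def shift_key(ts):
    """Identify the shift window a timestamp falls in: (calendar day, shift index 0..2)."""
    return (ts.date(), ts.hour // SHIFT_HOURS)


def find_credential_sharing(login_events):
    """Step 9. login_events: iterable of (username, datetime, device_id) from the audit trail.
    Returns {username: [(shift_key, [devices]), ...]} for accounts used from more than
    one device within a single shift window."""
    devices_per_shift = defaultdict(set)
    for user, ts, device in login_events:
        devices_per_shift[(user, shift_key(ts))].add(device)
    flagged = defaultdict(list)
    for (user, shift), devices in sorted(devices_per_shift.items()):
        if len(devices) > 1:
            flagged[user].append((shift, sorted(devices)))
    return dict(flagged)


# Constructed CMMS account list (username -> owner) and one day of login events.
ACCOUNTS = {"jdoe": "E1001", "msmith": "E1002", "maint_shift2": "E1003",
            "admin": None, "svc_cmms_vendor": None}
_T = datetime.fromisoformat
LOGIN_EVENTS = [
    ("jdoe",         _T("2024-06-03 08:10:00"), "WS-LINE1"),
    ("jdoe",         _T("2024-06-03 10:35:00"), "WS-LINE1"),
    ("jdoe",         _T("2024-06-03 13:50:00"), "TABLET-07"),   # second device in the 08-16 shift
    ("msmith",       _T("2024-06-03 08:02:00"), "WS-LINE2"),
    ("msmith",       _T("2024-06-03 16:40:00"), "WS-OFFICE"),   # different shift: normal
    ("maint_shift2", _T("2024-06-03 16:05:00"), "WS-LINE1"),
]

if __name__ == "__main__":
    print("generic / unowned accounts:", find_generic_accounts(ACCOUNTS))
    for user, windows in find_credential_sharing(LOGIN_EVENTS).items():
        for (day, shift), devices in windows:
            print(f"possible sharing: {user} on {day} shift {shift} from {devices}")
```

The step 9 output is an indicator, not proof: a technician who legitimately moves from a workstation to a tablet will trigger it, which is why the checklist says to document instances and confirm before raising a CAPA.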
Automate your next access review with Oxmaint
Oxmaint's validated CMMS tracks every login, role change, and access event automatically — so your quarterly review becomes a report, not a manual audit.
Phase 4 — Approval Records & Audit Trail
Verify Every Access Decision Has an Approval Paper Trail
10
Confirm new account approvals have QA sign-off on file
Every account created since the last review must have a corresponding access request form approved by QA or the system owner. Accounts created by IT or supervisors without QA sign-off are a Part 11 procedural gap regardless of the user's legitimacy.
GAMP 5 §10.4.2 — Formal approval required before granting system access
11
Verify audit trail is intact, complete, and unmodified
Confirm that the CMMS audit trail is enabled and that no gaps exist in the log since the previous review period. The audit trail must record: user login/logout, record creation, modification, deletion, and electronic signature events with timestamps that cannot be altered by any user including administrators.
Part 11 §11.10(e) — Secure, computer-generated, time-stamped audit trails
12
Document review completion with reviewer signature and date
The completed access review must itself be an electronic record with a dated electronic signature from the QA reviewer and the system owner. A verbal or informal sign-off is not sufficient. Archive the review output as a controlled document in the site's quality system.
Part 11 §11.50 — Signed electronic records require name, date, and meaning of signature
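Steps 11 and 12 describe what the reviewer must be able to confirm: no gaps in the trail, no altered records, every required event type present, and the review sign-off itself recorded as an electronic signature with name, date and meaning. The example below is added for this checklist and is not Oxmaint's audit trail design; it uses a hash-chained log, which is one common way a system can make "cannot be altered by any user including administrators" verifiable, and the event names, users, timestamps and work order ids are all constructed. The two helpers at the end simulate the failure modes the review is meant to catch (an edited record and a deleted one) so the verifier's output can be seen on each.

```python
import hashlib
import json

# Event types the audit trail must record (step 11).
REQUIRED_EVENTS = {"login", "logout", "create", "modify", "delete", "e_signature"}
GENESIS = "0" * 64


def _digest(record, prev_hash):
    """Hash of the record's content chained to the previous record's hash."""
    body = {k: record[k] for k in ("seq", "timestamp", "user", "event", "details")}
    return hashlib.sha256((json.dumps(body, sort_keys=True) + prev_hash).encode()).hexdigest()


def append_record(trail, user, event, details, timestamp):
    """Append an event; the system, not the user, assigns seq and computes the hash."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    rec = {"seq": len(trail) + 1, "timestamp": timestamp, "user": user,
           "event": event, "details": details, "prev_hash": prev_hash}
    rec["hash"] = _digest(rec, prev_hash)
    trail.append(rec)
    return rec


def sign_review(trail, reviewer, meaning, timestamp):
    """Step 12: the completed review is itself an e-signed record with name, date and meaning (§11.50)."""
    return append_record(trail, reviewer, "e_signature",
                         {"signer": reviewer, "meaning": meaning, "record": "quarterly access review"},
                         timestamp)


def verify_trail(trail):
    """Return a list of integrity problems; an empty list means the trail is complete and unmodified."""
    problems, prev_hash, expected_seq, last_ts = [], GENESIS, 1, ""
    for rec in trail:
        if rec["seq"] != expected_seq:
            problems.append(f"sequence gap: expected {expected_seq}, found {rec['seq']}")
        if rec["prev_hash"] != prev_hash:
            problems.append(f"chain break at seq {rec['seq']}")
        if _digest(rec, rec["prev_hash"]) != rec["hash"]:
            problems.append(f"hash mismatch at seq {rec['seq']} (record altered)")
        if rec["timestamp"] < last_ts:
            problems.append(f"timestamp out of order at seq {rec['seq']}")
        prev_hash, expected_seq, last_ts = rec["hash"], rec["seq"] + 1, rec["timestamp"]
    missing = REQUIRED_EVENTS - {r["event"] for r in trail}
    if missing:
        problems.append("event types never recorded: " + ", ".join(sorted(missing)))
    return problems


def tamper_copy(trail, seq, new_details):
    """Simulate an after-the-fact edit of one record's content (the original list is left intact)."""
    altered = [dict(r) for r in trail]
    altered[seq - 1]["details"] = new_details
    return altered


def drop_record(trail, seq):
    """Simulate a deleted record, everything else left untouched."""
    return [r for r in trail if r["seq"] != seq]


def build_sample_trail():
    """Constructed one-day trail covering every required event type, then the review sign-off."""
    trail = []
    append_record(trail, "jdoe", "login", {"device": "WS-LINE1"}, "2024-06-30T07:58:00Z")
    append_record(trail, "jdoe", "create", {"work_order": "WO-1042"}, "2024-06-30T08:05:00Z")
    append_record(trail, "jdoe", "modify", {"work_order": "WO-1042", "field": "status", "to": "done"},
                  "2024-06-30T11:20:00Z")
    append_record(trail, "bokafor", "e_signature", {"work_order": "WO-1042", "meaning": "approved closure"},
                  "2024-06-30T11:45:00Z")
    append_record(trail, "bokafor", "delete", {"attachment": "photo-3.jpg"}, "2024-06-30T11:46:00Z")
    append_record(trail, "jdoe", "logout", {"device": "WS-LINE1"}, "2024-06-30T16:02:00Z")
    sign_review(trail, "QA Reviewer D. Ruiz", "Access review completed and approved", "2024-06-30T17:30:00Z")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact trail:", verify_trail(trail) or "OK")
    print("edited record:", verify_trail(tamper_copy(trail, 3, {"work_order": "WO-1042", "to": "cancelled"})))
    print("deleted record:", verify_trail(drop_record(trail, 3)))
```

The hash chain only proves that the stored trail has not changed since it was written; whether administrators can rewrite and re-chain it is a question for the validation package and the system's own access model, which is exactly what the Phase 1 and Phase 4 approval checks are there to cover.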
Quick Reference
Access Review Findings: Severity Classification
| Finding Type | Regulatory Citation | Severity | Required Action | Timeframe |
|---|---|---|---|---|
| Active account for departed employee | Part 11 §11.300(b) | Critical | Disable immediately + open investigation | Same day |
| Shared or generic account in use | Part 11 §11.10(d) | Critical | Disable + CAPA + re-validation impact | 24 hours |
| Admin role without approval record | GAMP 5 §10.4.2 | Major | Retroactive approval or downgrade role | 5 business days |
| Contractor account past expiry date | EU Annex 11 §12.1 | Major | Disable + document gap in CAPA log | 3 business days |
| No login > 90 days (current employee) | FDA Data Integrity 2018 | Minor | Justify or disable with manager sign-off | 10 business days |
| Role exceeds current job function | GAMP 5 §10.4 | Minor | Adjust role + document change request | 10 business days |
Expert Review
QA Systems Lead — Pharmaceutical Manufacturing, US & EU Sites
"The most common access control finding I see is not malicious — it's organizational drift. A supervisor gets temporary admin access to cover a colleague's leave, and no one reverts it. Six months later, there are four people with admin rights who shouldn't have them. The quarterly access review is what catches this before the investigator does. A CMMS that makes the review a one-click report rather than a two-day manual exercise actually gets done — and that's the whole point."
3x
More access-related 483 observations in 2023 vs 2019 — FDA focus is intensifying
62%
of unauthorized access findings involved accounts that had simply never been deactivated
FAQ
Frequently Asked Questions
How often must a validated CMMS access review be performed to satisfy Part 11?
FDA guidance and industry best practice require a minimum quarterly access review for all Part 11-covered systems used in GMP operations. High-risk systems — those where unauthorized access could directly affect product data integrity — should be reviewed monthly. The review schedule must be defined in a site SOP, and each completed review must be archived as an electronic record.
Oxmaint automates review scheduling and sends reminders to the QA team before each review window opens, ensuring no cycle is missed.
What constitutes a "shared account" under 21 CFR Part 11?
Under Part 11 §11.10(d), each user must be uniquely identified — meaning any account used by more than one person is non-compliant regardless of whether the sharing was intentional or operational. This includes department-level logins, shift supervisor accounts used by multiple staff, and vendor remote access accounts shared across a service team. Each individual who needs system access must have a personal, named account.
Book a demo to see how Oxmaint enforces unique user identification and prevents shared credential scenarios at the account creation stage.
Can the CMMS access review satisfy both Part 11 and EU Annex 11 requirements simultaneously?
Yes — the requirements are substantively aligned: both mandate individual user identification, controlled access, documented approval for account creation, and a secure audit trail. A properly structured access review that documents role verification, inactive account disposition, shared account status, and audit trail integrity will satisfy both frameworks. The key is ensuring the review documentation is itself an electronic record with a dated, attributed signature — not a paper printout of a screen. Oxmaint's review workflow produces a compliant output record in a single process step for both regulatory frameworks.
What should a site do if the access review uncovers a critical finding like an active departed employee account?
A critical finding must trigger an immediate CAPA — disable the account on the same day it is discovered, open a formal investigation to determine whether the account was used after the departure date, assess whether any GMP records were affected, and document the entire chain of actions in the quality system. If the audit trail shows the account was accessed after the termination date, a product impact assessment may be required.
Oxmaint's audit trail provides the exact evidence needed to scope and close that investigation efficiently.
Run every access review in minutes — not days
Oxmaint tracks every login, role assignment, and access change automatically. Your quarterly Part 11 access review becomes a verified report, not a manual audit scramble.