Don’t Use Electronic Signatures Unless Systems Are Validated
Remember: Electronic signatures must be used on GMP records only if the system has been validated for compliance with applicable regulations such as 21 CFR Part 11.
Why This Matters in GMP
Electronic signatures have become standard in modern GMP environments, offering efficiency, auditability, and real-time record-keeping. However, their use introduces serious compliance risks if implemented in unvalidated systems. An unvalidated platform may lack robust access control, data integrity protection, audit trails, or even proper linkage between signature and signer — rendering GMP records non-compliant and legally inadmissible.
For instance, if a batch release is approved using an unvalidated electronic system that lacks proper user authentication, regulators may question the entire batch disposition process. Worse, if the system allows shared credentials or overwriting of signed data, it violates core GMP and data integrity principles. Validation ensures that the electronic signature is secure, attributable, and tamper-evident — foundational requirements for electronic records to be GMP-compliant.
Regulatory and Compliance Implications
21 CFR Part 11 explicitly defines requirements for electronic records and electronic signatures, including system validation, audit trails, access control, and signature authenticity. EU GMP Annex 11 also mandates computerized systems to
Auditors and regulators closely scrutinize electronic signature systems. If an electronic signature is used in a system that lacks validation documentation, SOPs, or change control logs, it may lead to critical findings. Inadequate validation also calls into question the reliability of the entire GMP document repository, which can result in product recalls, certification revocations, or data integrity warning letters.
Implementation Best Practices
Validate all systems used for GMP-relevant electronic signatures based on a documented User Requirements Specification (URS). Include features like unique login credentials, password protection, time-stamped audit trails, and linkage of each signature to specific actions or data fields. Follow software development lifecycle (SDLC) practices and GAMP 5 guidelines for risk-based validation.
Establish SOPs covering electronic signature usage, user training, periodic revalidation, and backup protocols. Conduct regular audits to verify system integrity, access logs, and compliance with company policies. Train QA and IT staff to maintain validation documentation and ensure that every software update is subject to change control and impact assessment.
Regulatory References
– 21 CFR Part 11 – Electronic Records and Signatures
– EU GMP Annex 11 – Computerized Systems
– WHO TRS 1019, Annex 3 – GMP for computerized systems
– ISPE GAMP 5 – Risk-based Approach to Computerized Systems