
Access Control and Electronic Signatures in Computerized Systems

1. Purpose and Control Objective

Access control and electronic signature controls ensure that only authorized individuals can access computerized systems, perform regulated actions, and approve or verify records in a manner that is attributable, traceable, and secure. These controls protect electronic records by enforcing:

  • identity of the individual performing an action
  • authorization based on defined roles
  • accountability for actions affecting GMP data
  • binding of approvals and decisions to specific users

They directly support data integrity by ensuring attribution, controlled access, and protection against unauthorized modification.


2. Regulatory Context and Compliance Basis

These controls are required under 21 CFR Part 11 and support the expectations defined by the ALCOA+ principles. Regulatory expectations require that:

  • each user is uniquely identifiable
  • system access is restricted to authorized individuals
  • electronic signatures are attributable and legally binding
  • signed records cannot be altered without traceability
  • controls are enforced through both system configuration and procedural governance

This article focuses on how these expectations are implemented as system controls.


3. Identity and Authentication Control

Each system user must be uniquely identified. Core requirements:

  • unique user ID for every individual
  • no shared or generic accounts
  • controlled authentication mechanisms such as passwords or equivalent secure methods
  • enforcement of password complexity, expiration, and reuse restrictions
  • session control including automatic timeout and re-authentication

Authentication must ensure that the individual accessing the system is the same individual assigned to the account.

Failure to enforce identity control eliminates attribution and invalidates data integrity.


4. Authorization and Role-Based Access Control

Access to system functions must be restricted based on defined roles. Core principles:

  • role-based access aligned with job responsibilities
  • least privilege assignment
  • segregation of duties between execution, review, and approval
  • restriction of administrative privileges
  • prevention of conflicting roles

Role definitions must be documented and controlled. Privileges must not be assigned ad hoc.

System behavior must enforce:

  • access only to permitted functions
  • denial of unauthorized actions
  • visibility restrictions where applicable


5. User Account Lifecycle Management

User access must be controlled throughout the entire lifecycle. Required controls:

  • formal account creation with documented approval
  • assignment of roles based on a defined access matrix
  • controlled modification of roles and privileges
  • management of temporary or elevated access
  • prompt deactivation of inactive or terminated users
  • periodic review of active accounts and assigned roles

Failure in lifecycle management results in unauthorized access and uncontrolled system use.


6. Electronic Signature Control Model

An electronic signature represents a deliberate, attributable action performed by an individual. It is required for actions such as:

  • record approval
  • result verification
  • release decisions
  • critical data entry confirmation

Each electronic signature must:

  • be uniquely linked to an individual
  • include user identity
  • include date and time of execution
  • include meaning of the signature where applicable
  • be permanently associated with the record

Electronic signatures are not generic confirmations. They represent controlled, accountable decisions.


7. Signature Execution and Enforcement

Systems must enforce strict controls around signature execution. Required behaviors:

  • re-entry of user credentials at the time of signing
  • prevention of signature execution without authentication
  • prohibition of signature delegation or sharing
  • controlled signature prompts triggered by defined actions
  • capture of signature meaning where required
  • prevention of record approval without completion of required steps

The system must not allow bypass of signature requirements.


8. System Behavior Requirements

Access and signature controls must be implemented as enforceable system behaviors. The system must:

  • reject unauthorized login attempts
  • prevent access outside assigned roles
  • block execution of restricted functions
  • require electronic signatures for defined actions
  • bind signatures to specific records and record states
  • prevent modification of signed records without traceability or controlled versioning

These behaviors must be deterministic and consistently enforced.
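
The enforcement behaviors in sections 7 and 8 can be expressed as a signing routine. The sketch below is an added example, not code from any particular GMP system: it re-authenticates at signing, checks role and segregation of duties, binds the signature to a hash of the record state, and forces changes into a new version. The user IDs, passwords, record fields and state names are constructed for illustration, and the signature store is assumed to be write-protected.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

def kdf(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed accounts (hypothetical IDs, roles and passwords), one per person.
USERS = {
    "akim": {"roles": {"analyst"}, "salt": b"s1", "hash": kdf("analyst-pw", b"s1")},
    "qlee": {"roles": {"approver"}, "salt": b"s2", "hash": kdf("approver-pw", b"s2")},
}

class SignatureError(Exception):
    """Raised when a signing precondition is not met."""

def digest(record):
    """Hash id, version, state and data so a signature binds to one record state."""
    body = {k: record[k] for k in ("id", "version", "state", "data")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign(record, user_id, password, meaning):
    # Unknown IDs map to a dummy entry so the KDF still runs and the error is the same.
    user = USERS.get(user_id, {"roles": set(), "salt": b"-", "hash": b""})
    # Credentials are re-entered at signing time; comparison is constant-time.
    if not hmac.compare_digest(kdf(password, user["salt"]), user["hash"]):
        raise SignatureError("re-authentication failed")
    if "approver" not in user["roles"]:
        raise SignatureError("role not permitted to approve")
    if user_id == record["entered_by"]:
        raise SignatureError("segregation of duties: executor cannot approve")
    if record["state"] != "reviewed":
        raise SignatureError("required steps not completed")
    record["state"] = "approved"
    record["signature"] = {"user": user_id, "meaning": meaning,
                           "time": datetime.now(timezone.utc).isoformat(),
                           "digest": digest(record)}
    return record["signature"]

def verify(record):
    """True only if the record still matches the state that was signed."""
    sig = record.get("signature")
    return bool(sig) and hmac.compare_digest(sig["digest"], digest(record))

def amend(record, new_data):
    """Signed records are not edited in place; a change creates a new unsigned version."""
    return {**record, "version": record["version"] + 1, "state": "draft",
            "data": new_data, "signature": None, "supersedes": digest(record)}
```

The digest check detects in-place edits to a signed record; it does not replace an audit trail, which records who made the change and when.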


9. Qualification and Verification Strategy

Access control and electronic signature functionality must be verified during system qualification, primarily within Operational Qualification. Testing must include challenge conditions, not only nominal operation. Typical verification includes:

  • confirmation of role-based access restrictions
  • attempted execution of unauthorized functions
  • verification of login controls and failed login handling
  • verification of session timeout behavior
  • execution of electronic signatures under valid conditions
  • rejection of invalid credentials during signature execution
  • confirmation of signature attribution and timestamp
  • verification that signatures are correctly linked to records
  • confirmation that records cannot be altered after approval without control

Test evidence must demonstrate that controls are enforced under both expected and adverse conditions.


10. Procedural Controls and Governance

System controls must be supported by procedural controls. Required procedures include:

  • user account management
  • password and authentication control
  • role definition and access matrix management
  • periodic access review
  • electronic signature use and control
  • administrator privilege control

Procedures must define responsibilities, approval requirements, and documentation expectations.


11. Failure Modes and Compliance Risks

Common failures include:

  • shared or generic user accounts
  • excessive or uncontrolled administrator access
  • role definitions not aligned with actual responsibilities
  • inactive accounts remaining active
  • uncontrolled temporary access
  • lack of periodic access review
  • signature execution without re-authentication
  • signatures not permanently linked to records
  • ability to modify approved records without control

These failures directly compromise attribution, accountability, and record integrity.


12. Documentation and Evidence Requirements

The following documentation must be maintained:

  • access control matrix defining roles and privileges
  • user account lists with assigned roles
  • account creation and modification approvals
  • procedures governing access and signature control
  • electronic signature policy or procedure
  • qualification test evidence
  • periodic access review records
  • training records for system users

Documentation must demonstrate that controls are defined, implemented, and maintained.


13. Relationship to Other Data Integrity Controls

Access control and electronic signatures define:

  • who can access the system
  • who can perform actions
  • who approved or verified records

They operate together with:

  • audit trails, which record what actions occurred and how data changed
  • data lifecycle controls, which define how data is created, modified, retained, and protected

These controls must remain distinct but coordinated.


14. Conclusion

Access control and electronic signatures are enforceable system controls that establish identity, authorization, and accountability within GMP computerized systems. They must be:

  • intentionally designed
  • procedurally governed
  • technically enforced
  • rigorously verified

Without effective implementation of these controls, electronic records cannot be considered reliable, attributable, or compliant.