22 September 2022

Good documentation practices in GMP and GDP regulated environments

The importance of implementing the principles of good documentation practice in company procedures and day-to-day operations is evident from the outcome of Health Authority inspections. Documentation procedures and data integrity are routinely reviewed by inspectors, and poor documentation practices appear among the top 10 reasons for failing Health Authority inspections. Good documentation practices (GDocP) are key components of Good Manufacturing Practice (GMP) and Good Distribution Practice (GDP) compliance. In the pharmaceutical and medical devices industry they are codified as rules by the European Medicines Agency (EMA), the World Health Organization (WHO) and the US Food and Drug Administration (FDA). Document control via an organized system of best practice is the way in which traceability and accountability of quality goods and products can be monitored and guaranteed. Good documentation constitutes an essential part of the quality assurance system and is key to operating in compliance with GMP and GDP requirements. The most important principles of GDocP are commonly abbreviated as the ALCOA+ principles: Attributable, Legible, Original, Contemporaneous and Accurate.



Clear data and records that can identify the person who actually records the data





Information is recorded contemporaneously: at the time of the activity and in such a way that it is permanent and allows full reconstruction of the activity



Activities need to be recorded at the time they are performed or they occur. Time and date stamps need to be synchronized and controlled.



Genuine data and records retained as originals or certified copies that preserve completeness



Accurate and valid



Complete, with no information selectively left out

Available at any time to anyone who requires them in order to perform their role.

Consistent, compatible, and non-contradictory

Preserved and retrievable during its lifetime according to the data type retention period.



Listed below are some requirements that should be applied to all GMP and GDP documentation:


Document signatures

No signature pads, scanned signatures or duplicated original signatures shall be used to replace a handwritten signature by the person signing


Documents shall be signed in permanent ink


Documents with original signatures shall be kept throughout the life of the document



Handwritten entries


Handwriting should be legible and discernible: “A document is considered unusable if it cannot be read”


Adequate space is provided for expected handwritten entries


Handwritten entries are in indelible ink. Pencil must never be used


Critical entries must be independently checked (second person verified)


No spaces for handwritten entries are left blank – unused spaces are crossed out or marked “N/A”


Ditto marks or continuation lines are not acceptable


A stamp in lieu of a handwritten signature is not acceptable



Manual signing of documents


Strict control over the use of own signature and initials should be maintained


Everyone who signs controlled documentation must register their signature and initials. This allows identification of a person performing or supervising a specific GMP activity. This registration includes all temporary and contract employees


It must always be clear who is responsible for performing a specific operation or entering data


It is not a good practice to use only names, because names are not unique (several people may have the same name). In addition, it is difficult to use signatures all of the time because they are often illegible. As a result, initials must be used, and it is these signatures and initials that must be registered



Correction of Documentation Errors


Draw a single line through the error


Make the correction next to the error


Write an explanation for the error


Sign and date the correction.


Electronic and digital signatures

The legal framework that sets out the current regime and requirements for electronic and digital signatures within Europe and the United States is listed below:

  • eIDAS (electronic Identification and Trust Services) Regulation – EU No.910/2014
  • EU GMP – Annex 11: Computerized systems
  • ESIGN (Electronic Signatures in Global and National Commerce) Act
  • UETA (Uniform Electronic Transactions) Act
  • 21 CFR Part 11: Electronic records, electronic signatures

The European eIDAS Regulation provides a predictable regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities, and sets out the rules for the legal use and recognition of electronic signature procedures in the Member States of the European Union. eIDAS recognizes three types of electronic signatures – Standard, Advanced and Qualified. Electronic signatures are all legally valid and have the same status as handwritten signatures. The legitimacy of electronic signatures does not depend on the country where the parties are located, but on the applicable law under which the agreement is entered into; therefore, the legality of an electronic signature varies depending on the applicable member state’s domestic law. Throughout the United States, electronic signatures have the same legal status as handwritten signatures.

An electronic signature (or e-signature) is a broad term referring to any electronic process that indicates acceptance of an agreement or a record. Typical e-signature solutions use common electronic authentication methods to verify signer identity, such as an email address, a corporate ID, or a phone PIN. A digital signature is a specific implementation of an electronic signature type that uses certificate-based digital IDs to authenticate signer identity and demonstrate proof of signing by binding each signature to the document with encryption. Validation occurs through trusted certificate authorities (CAs) or trust service providers (TSPs). The term “electronic signature” on its own does not guarantee that any type of third-party validation of the signatory or integrity of the document’s content has taken place. The difference from digital signatures is that electronic signatures are not regulated like digital signatures are. The standards are defined by the vendors, which ensure that their signatures are secure.

An electronic signature can consist of anything from writing your name at the bottom of an email, a scanned signature, clicking an “I accept” button, associated biometric data such as fingerprints, or using an e-signing platform. Some examples of electronic signatures include:

  • a typed name at the end of an email;
  • a typed name on an electronic form or document;
  • an image of a handwritten signature on a transmitted fax;
  • a personal identification number (PIN) entered into a bank ATM;
  • clicking “agree” or “disagree” on an electronic “terms and agreements” contract;
  • a handwritten but digitally captured signature made on a touch device, such as a tablet or smartphone (sometimes referred to as a “dynamic signature”).

A digital signature is the most secure and sophisticated form of electronic signature. Unlike a basic electronic signature, a digital signature uses a PKI-based digital certificate issued by a certificate authority (CA) which binds the identity of a person or organization to a cryptographic key pair. When a document is digitally signed with the signer’s private key, the document’s content and the signatory’s identity are bound together cryptographically to form a unique digital fingerprint. This digital signature ensures authentication, integrity and non-repudiation:

  • trusted and compliant (certificate-based digital IDs come from accredited providers to meet compliance. Identity must be proven before obtaining);
  • protected (digital signature and the PDF document are cryptographically bound and secured with a tamper-evident seal);
  • unique to you (use a unique digital certificate and PIN to easily validate your credentials and identity);
  • easy to validate (the signed document and your digital signature can both be revalidated for more than 10 years).
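
The binding described above, shown as an added example that is not part of the original article: the signer's private key signs a hash of the document together with the signature data (name, time stamp, reason), and anyone holding the public key can detect a change to either. To stay within the Python standard library it uses textbook RSA without padding and a constructed, publicly known toy key; the record, signer name and function names are assumptions, and a real deployment uses a CA-issued certificate with a vetted signing library.

```python
import hashlib
import json

# Constructed toy key pair: both primes are publicly known Mersenne primes,
# so this key is for illustration only and provides no security.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the signer


def _digest(document: bytes, meta: dict) -> int:
    """Hash the document content together with the signature data."""
    canonical = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    h = hashlib.sha256()
    h.update(hashlib.sha256(document).digest())
    h.update(canonical)
    return int.from_bytes(h.digest(), "big")


def sign(document: bytes, signer: str, timestamp: str, reason: str) -> dict:
    """Private-key operation: bind signer, time stamp and reason to the content."""
    meta = {"signer": signer, "timestamp": timestamp, "reason": reason}
    signature = pow(_digest(document, meta), D, N)
    return {"meta": meta, "signature": hex(signature)}


def verify(document: bytes, envelope: dict) -> bool:
    """Public-key operation: True only if content and signature data are unchanged."""
    recovered = pow(int(envelope["signature"], 16), E, N)
    return recovered == _digest(document, envelope["meta"])


# Constructed sample record and signature data (not from the article).
RECORD = b"Batch record (constructed sample): pH 6.8, within limits"
ENVELOPE = sign(RECORD, "A. Example", "2022-09-22T10:15:00Z", "Approval")
```

Changing one byte of the record, or editing the signer name or reason inside the envelope, makes `verify` return `False`, which is the tamper-evident property the list above refers to.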

Requirements for implementation of electronic and digital signatures in the company

The table below provides an overview of the minimum requirements (as per GMP and GDP requirements) related to the implementation (deployment) of electronic and digital signatures.

Electronic records, signatures (ERES)

Digital signature

Verify that an International Data Processing Agreement is in place with the selected service provider before proceeding with the transfer of personal data.

Verify that an International Data Processing Agreement is in place with the selected service provider before proceeding with the transfer of personal data.

Validated computerized system (software, hardware)

Digital PKI certificate issued by trusted third-party certificate authority

Audit trail

Signature creation software (pdf – Adobe Standard)

Access control – unique usernames, password, roles and privileges

Single or multiple signature fields prepared by author in advance

Trained, qualified personnel (users)

Signature data: name/surname, time stamp, reason for signing

Secure control in place to ensure the data integrity. Electronic signatures should be permanently linked to corresponding records.

A certificated signature created by the author of the document (validation of the document, prevent editing or tampering).

Approval signatures of the concerned parties

Data retention (archiving, backup – Envelope purge system in place)

Routine checks for accessibility, readability and integrity

Storage of documents in a safe location with restricted access, ensuring the possibility to check the validity and authenticity of signatures.