Segregation of Duties (SoD): What Is It and How Is It Implemented for Data Integrity?

What is Segregation of Duties?

Segregation of Duties (SoD) refers generally to how user access levels and user permissions are divided up on a system in a Pharma or Biopharma environment. SoD is a crucial principle of any environment that complies with industry standards for Data Integrity. It ensures that no user has end-to-end responsibility for critical process or system functions that fall outside the scope of their contribution to the process. As such, it minimises the risk of fraud, error, unauthorised repeat testing or other activities which could affect the integrity of processed data on a system. SoD also ensures that data is complete, consistent, and accurate by involving independent checks, balances, and approvals at different stages of the data lifecycle.

In pharmaceutical areas such as Manufacturing, Quality Control (QC) Laboratories, and Quality Systems, SoD guarantees that no single user can complete, review, and approve the same set of data or documents. This separation strengthens oversight, maintains audit trails, and supports regulatory compliance (e.g., FDA 21 CFR Part 11, EudraLex Annex 11).

FDA 21 CFR Part 11:

  • Requires that electronic records and signatures are trustworthy and equivalent to paper.
  • Enforces audit trail requirements, access controls, and authority checks.
  • SoD helps ensure that users cannot bypass controls (e.g., modifying a record and signing it off themselves).

EudraLex Annex 11 (EU GMP):

  • Emphasizes that data integrity must be ensured throughout the lifecycle.
  • Requires that duties are clearly assigned and segregated, especially in validated computerized systems.
  • States: “It should be ensured that persons developing, maintaining or using systems have defined responsibilities which do not conflict.”

Importance of SoD in Data Integrity

  • Prevents conflicts of interest.
  • Reduces errors and manipulation risks.
  • Strengthens compliance with regulatory requirements.
  • Supports the principles of ALCOA++ (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available).

 

Steps to Perform Segregation of Duties for Data Integrity

  1. Identify Critical Processes
    Determine which processes involve GxP data creation, modification, review, or approval, and assess them for SoD requirements.
  2. Verify Role-Based Access Controls (RBAC) Are Implemented
    Ensure the system enforces appropriate access rights based on defined user roles, preventing unauthorized or conflicting actions.
  3. Confirm Roles and Responsibilities Are Clearly Defined
    Review documentation and training to ensure all personnel understand their assigned duties and limitations within the system.
  4. Ensure All Segregation of Duties (SoD) Controls Are Fully Documented
    Validate that SoD configurations, responsibilities, access rights, and reviews are recorded in SOPs.

General SoD Verification Questions for Quality Systems, QC Research Laboratories, and Manufacturing, aligned with GxP and Data Integrity principles:

A. QUALITY SYSTEMS

  1. Is segregation of duties documented in an SOP?
  2. Are there role-based access controls (RBAC) for the system?
  3. What role types are available for the system?
  4. Are there at least 3 role types:
    • Administrator
    • Supervisor
    • User
  5. Is data automatically saved within the software, or does it require user intervention?

B. QUALITY CONTROL & RESEARCH LABORATORIES

  1. Can users modify or delete data directly from analytical instruments?
  2. Can the same person collect, test, and approve the sample?
  3. Are sampling and testing responsibilities clearly separated?
  4. Is there independent second-person verification for calculations and raw data?
  5. Are audit trails independently reviewed?

 

C. MANUFACTURING / PRODUCTION

  1. Is the operator who performs manufacturing tasks different from the person who verifies or releases the batch?
  2. Are in-process quality checks performed by someone other than the person executing the manufacturing steps?
  3. Are line clearance and reconciliation reviewed independently by QA or someone other than the operator?
  4. Are audit trail reviews conducted?
  5. Are backups of system data taken frequently?

Generic Segregation of Duties Model for Pharmaceutical & Biomedical Operations

User Access Levels and Privileges

In a typical quality system, users are categorized into types based on their department and job role. Each type is assigned specific privileges aligned with their responsibilities.

Example User Types:

| User Type | Description |
|---|---|
| System Administrator | Full system control, configuration, and maintenance. |
| Team Lead | Oversees day-to-day activities, sample assignments. |
| Analyst | Conducts sample analysis, reads and enters results. (Generally, a system SME). |
| Data Reviewer | Reviews data entries and reports for accuracy. |
| Read-Only User | Can view information without making modifications. |

Generic User Access and Privileges Matrix

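| Functionality | System Admin | Team Lead | Analyst | Reviewer | Read-Only |
|---|---|---|---|---|---|
| View Data | Y | Y | Y | Y | Y |
| Create Data | N | N | Y | N | N |
| Modify Data | N | Y | Y | N | N |
| Delete Data | N | N | N | N | N |
| Review Data | N | N | N | Y | N |
| Approve Data | N | Y | N | N | N |
| Manage User Access | Y | N | N | N | N |
| Print Reports | N | Y | Y | Y | N |
| Audit Trail Review | Y | Y | Y | Y | Y |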

Note: “Y” = Access Granted, “N” = No Access.
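
A matrix like the one above can be checked mechanically for SoD conflicts. The following is an added example, not part of the original article: it encodes the matrix as printed, flags any role that holds both a data-changing and a sign-off privilege, and applies the same rule per record to an audit trail. The conflict pairs, the function names, and the sample audit-trail entries are assumptions made for illustration.

```python
ROLES = ["System Admin", "Team Lead", "Analyst", "Reviewer", "Read-Only"]

# The page's matrix: one Y/N flag per role, in ROLES order.
MATRIX = {
    "View Data":          "YYYYY",
    "Create Data":        "NNYNN",
    "Modify Data":        "NYYNN",
    "Delete Data":        "NNNNN",
    "Review Data":        "NNNYN",
    "Approve Data":       "NYNNN",
    "Manage User Access": "YNNNN",
    "Print Reports":      "NYYYN",
    "Audit Trail Review": "YYYYY",
}

# Assumption: the pairs treated as conflicting. They follow the page's rule that no one
# completes, reviews and approves the same data, plus separation of user administration.
CHANGE = {"Create Data", "Modify Data", "Delete Data"}
SIGN_OFF = {"Review Data", "Approve Data"}
CONFLICTS = [(c, s) for c in sorted(CHANGE) for s in sorted(SIGN_OFF)]
CONFLICTS += [("Manage User Access", f) for f in sorted(CHANGE | SIGN_OFF)]

def privileges(role):
    i = ROLES.index(role)
    return {fn for fn, row in MATRIX.items() if row[i] == "Y"}

def role_conflicts():
    """Return (role, function_a, function_b) for each conflicting pair one role holds."""
    return [(r, a, b) for r in ROLES for a, b in CONFLICTS
            if {a, b} <= privileges(r)]

def record_violations(audit_trail):
    """Flag (record, user) where one user both changed a record and signed it off."""
    changed, signed = {}, {}
    for record, user, action in audit_trail:
        bucket = changed if action in CHANGE else signed if action in SIGN_OFF else None
        if bucket is not None:
            bucket.setdefault(record, set()).add(user)
    return sorted((rec, u) for rec in changed for u in changed[rec] & signed.get(rec, set()))

# Constructed audit-trail entries: (record id, user, action).
SAMPLE_TRAIL = [
    ("R-001", "analyst1", "Create Data"), ("R-001", "lead1", "Approve Data"),
    ("R-002", "analyst2", "Create Data"), ("R-002", "lead1", "Modify Data"),
    ("R-002", "lead1", "Approve Data"),
]

if __name__ == "__main__":
    print(role_conflicts(), record_violations(SAMPLE_TRAIL))
```

Run against the matrix as printed, the role-level check reports Team Lead, which holds both Modify Data and Approve Data; the per-record check is the control that stops one person modifying and approving the same record.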

 

Conclusion

Implementing Segregation of Duties and properly defining user access levels are critical steps toward achieving robust Data Integrity. Together they help organizations safeguard their data, maintain regulatory compliance, and promote transparent and trustworthy quality management processes.

When designing any system, clearly mapping roles to responsibilities and conducting periodic access reviews help to detect and correct SoD conflicts early in system or process implementation.
