Clinical trials run on signatures. Protocol approval. Site agreement execution. Delegation of authority logs. FDA Form 1572. Protocol amendment acknowledgments. Monitoring visit reports. The list goes on, and every one of those signatures needs to hold up under regulatory scrutiny, sometimes 15 to 25 years after it was captured.
So when a site coordinator or sponsor QA manager asks "what's the best e-signature for clinical trials," they're not asking which tool has the prettiest interface. They're asking which platform won't get them a Form 483 observation, a warning letter, or a clinical hold. That's a different question, and it has a more specific answer.
This post covers the eight requirements that actually matter for clinical trial e-signatures, drawn from FDA 21 CFR Part 11, the FDA's October 2024 final guidance on electronic systems in clinical investigations, ICH E6(R3) GCP, and EU CTR 536/2014. If a platform doesn't meet all eight, it has no business being in a regulated trial.
Key Takeaways
- The FDA's October 2024 final guidance (Q&A format, 29 questions) is now the clearest statement of what FDA expects from electronic systems in clinical investigations. It's required reading before selecting any platform.
- Guest signing (allowing external parties to sign without creating a platform account) is a practical necessity for sites, sponsors, and CROs working together. Not every platform handles this in a Part 11-compliant way.
- ICH E6(R3), finalized in January 2025, now explicitly defines "signature" as either physical or electronic and aligns GCP documentation requirements with digital workflows.
- 25-year record retention is the effective floor for most clinical trial documents under EU CTR 536/2014. Your e-signature platform needs to support that, or you need a documented archival strategy.
- IQ/OQ documentation (installation and operational qualification) is a standard expectation during FDA inspections. Vendors who don't provide it are transferring significant validation burden to you.
Why General-Purpose E-Signature Tools Fall Short
Most general-purpose e-signature platforms were built for contracts and HR documents. They're fast, cheap, and widely used. They're also fundamentally not designed for FDA-regulated work.
The problem isn't intent. It's architecture. A platform built to close sales contracts fast optimizes for signing speed and broad accessibility. A platform built for clinical trials optimizes for attribution, tamper evidence, signature meaning, and audit trail completeness. Those are genuinely different engineering priorities, and you can't add one on top of the other without a meaningful change to the underlying system.
The FDA's 2024 guidance makes clear that Part 11 compliance isn't just a checkbox. It requires that electronic systems be "trustworthy, reliable, and generally equivalent to paper records and handwritten signatures." That standard applies to the entire workflow, not just the moment of signing.
And FDA investigators know the difference. They've been inspecting electronic systems since Part 11 took effect in 1997. They know what a genuine audit trail looks like versus a log file bolted onto a general-purpose platform.
Requirement 1: Unique User Identification and Two-Factor Authentication
21 CFR 11.100(a) is unambiguous: electronic signatures must be unique to one individual and must not be reused or reassigned. That means shared logins are never acceptable in a regulated trial environment.
For signatures that aren't biometric-based (which covers virtually every e-signature platform), 21 CFR 11.200(a)(1) requires at least two distinct identification components. In practice, this means a username plus a password, or a password plus a one-time code. MFA at the signature event, not just at login, is the standard that holds up under inspection.
The FDA's 2024 guidance clarifies that drawing a signature with a finger or stylus on a touchscreen does not qualify as a handwritten signature for Part 11 purposes. That matters for sites using tablet-based workflows. A drawn signature without proper authentication behind it isn't compliant, no matter how much it looks like a pen signature.
What to look for in a platform: each signing event should require re-authentication, not just a click. The system should enforce unique user IDs and prevent account sharing at the technical level. MFA should be non-optional for regulated environments.
Requirement 2: Signature Meaning (Subpart C)
This is the requirement that surprises people who are new to Part 11. 21 CFR 11.50 requires that signed electronic records include the printed name of the signer, the date and time of execution, and the meaning associated with the signature.
That last part is the critical one. "Meaning" means the signer must attest to something specific. Not just "I signed this" but "I approve this protocol amendment" or "I have reviewed and approve the data on this case report form" or "I certify the accuracy of the information on this delegation log."
General-purpose e-signature tools typically don't support configurable signature meanings. They capture a signature, a name, and a timestamp. That's not Part 11-compliant for regulated clinical documents.
For a site coordinator signing a delegation of authority log, the meaning might be "I confirm the accuracy of my qualifications and tasks listed above." For a principal investigator signing a protocol, it's a different statement. A compliant platform lets you configure that meaning per document type and captures it as part of the permanent record.
Requirement 3: Tamper-Evident Audit Trail
21 CFR 11.10(e) requires audit trails that are "secure, computer-generated, time-stamped" and that independently record every action that creates, modifies, or deletes an electronic record. "Independently" means the audit trail can't be stored where a system administrator can edit it.
The FDA's 2024 guidance reconfirms that during an inspection, FDA expects to see complete metadata including timestamps for original data acquisition and all changes made, including who made them and why. "Why" matters. A reason-for-change field isn't just an EU GMP Annex 11 requirement anymore. FDA inspectors expect it for any modification to a regulated record.
Technically, tamper evidence means cryptographic hashing. When an audit trail entry is written, the system generates a hash of that entry. If anyone modifies the entry later, the hash no longer matches and the tampering is detectable regardless of who made the change. SHA-256 hash chains are the current standard.
Ask any vendor this question: can a database administrator with direct table access modify an audit trail entry without the system detecting it? If the answer involves access controls rather than a technical detection mechanism, that's not tamper evidence under Part 11.
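The vendor question above, worked through as an added example (not code from any vendor or from this post's author): a minimal SHA-256 hash chain over audit entries, showing that a direct row edit breaks the chain, while an editor who also recomputes every later hash is caught only when the chain head is anchored outside the database. User names, field names, and the `GENESIS` value are constructed for illustration.

```python
import hashlib, json

GENESIS = "0" * 64  # constructed starting value for the chain

def entry_hash(prev_hash, body):
    # Canonical JSON so the same body always produces the same digest.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(log, body):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"body": body, "prev": prev, "hash": entry_hash(prev, body)})
    return log[-1]["hash"]  # new chain head, to be anchored outside the database

def verify(log, anchored_head=None):
    """Return (ok, reason); reason names the first entry that fails."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["body"]):
            return False, f"entry {i} does not match the chain"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "chain head differs from externally anchored head"
    return True, "ok"

def rewrite_from(log, index, new_body):
    """Model an editor with table access who recomputes every later hash."""
    forged = [dict(e) for e in log[:index]]
    for e in [{"body": new_body}] + log[index + 1:]:
        append(forged, e["body"])
    return forged

def demo():
    log = []
    # Constructed sample events: signer, meaning, timestamp, reason-for-change.
    events = [
        {"user": "pi.alvarez", "action": "sign", "doc": "DOA-log-v3",
         "meaning": "I approve the delegations listed above",
         "ts": "2025-03-04T14:02:11Z"},
        {"user": "crc.nguyen", "action": "sign", "doc": "DOA-log-v3",
         "meaning": "I confirm the accuracy of my qualifications and tasks listed above",
         "ts": "2025-03-04T14:20:45Z"},
        {"user": "crc.nguyen", "action": "modify", "doc": "DOA-log-v3",
         "reason": "corrected start date", "ts": "2025-03-05T09:10:00Z"},
    ]
    for ev in events:
        head = append(log, ev)
    intact = verify(log, head)
    # Case 1: one row edited in place, stored hashes left alone.
    edited = [dict(e) for e in log]
    edited[1] = dict(edited[1], body=dict(edited[1]["body"], ts="2025-03-01T08:00:00Z"))
    # Case 2: same edit, but every later hash recomputed.
    forged = rewrite_from(log, 1, edited[1]["body"])
    return intact, verify(edited, head), verify(forged), verify(forged, head)
```

The third result is the one to raise with a vendor: a fully recomputed chain verifies as intact unless the head hash is also held somewhere the editor cannot reach.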
For a deeper look at what a compliant audit trail must contain, see our electronic signature audit trail requirements guide.
Requirement 4: Guest Signing Without Compromising Compliance
This is a practical requirement that doesn't come from the CFR directly, but shapes compliance in real trial operations every day.
Clinical trials involve multiple parties: sponsors, CROs, clinical sites, IRBs, monitors. Not all of them will have accounts on your e-signature platform. A sponsor using one system needs site investigators to sign protocol documents. A CRO needs external monitors to sign visit reports. Subject signatures on regulated documents (where applicable) come from people who will never have a platform account.
Some platforms handle this with "guest signing," where the system sends an authenticated link to an external signer's email. The critical compliance question is whether that guest signing workflow still satisfies Part 11's two-component authentication requirement and properly captures the signer's identity, the signature meaning, and the timestamp in the audit trail.
A guest signing flow that just sends a link and accepts a click is not Part 11-compliant, regardless of what the vendor says. The signer's identity needs to be verified, not just their email address. For regulated trial documents, that means the system must capture how the identity was confirmed and link that confirmation to the signature record in the audit trail.
Requirement 5: Delegation of Authority Log Support
The delegation of authority (DOA) log is one of the most heavily reviewed documents during an FDA inspection of a clinical site. It records which tasks the principal investigator has delegated to which team members, when those delegations were made, and which team members have acknowledged their responsibilities.
Every person listed on the DOA log needs to sign it with their unique electronic signature. The PI needs to sign. The coordinator who processes the delegation needs to sign. And when staff turn over, the new team members need to sign with their own credentials.
FDA investigators look at DOA logs carefully. They verify that the signatures correspond to the people actually performing the tasks. They check whether the audit trail shows when each person signed versus when they actually started performing delegated tasks. A delegation log signed after the fact is a red flag.
The platform you choose needs to support multi-party signing workflows where each signer has their own account, their own credentials, and signs with their own authenticated session. It also needs to capture the sequence and timing of signatures in the audit trail.
Requirement 6: IQ/OQ Validation Documentation
Before any electronic system is used in a regulated clinical investigation, it needs to be validated. That means Installation Qualification (IQ) documentation confirming the system was installed correctly, and Operational Qualification (OQ) documentation confirming it performs as intended.
FDA's Computer Software Assurance (CSA) guidance, which replaced the older CSV approach, takes a more risk-based view of validation. But the expectation that you can demonstrate the system performs its intended functions with documented evidence hasn't gone away. It's just more proportionate to the risk.
For an e-signature platform, this means the vendor should provide or support:
- A validation master plan or vendor qualification documentation
- Pre-written IQ/OQ test scripts you can execute and document
- A traceability matrix linking Part 11 requirements to system functions
- Change control documentation for system updates so you know when re-qualification is needed
Vendors that provide none of this are putting the entire validation burden on your team. That's a significant time and cost investment, and it's one of the most important practical differences between purpose-built compliance platforms and general-purpose tools.
See our IQ/OQ/PQ validation guide for e-signature systems for a step-by-step walkthrough of what the qualification process looks like under CSA.
Requirement 7: Long-Term Record Retention
The retention requirements for clinical trial records are not short. Under EU CTR 536/2014 Article 58, the minimum retention period is 25 years from trial completion for most investigational medicinal products. Under FDA's 21 CFR 312.62, sponsors must retain essential documents for two years after marketing approval or two years after IND closure, which for long-running programs can span decades.
The practical problem: most e-signature platforms don't explicitly commit to 25-year data availability. They commit to your current subscription period. That creates a structural gap you need to address before using any platform in a regulated trial.
The questions to ask a vendor are: What happens to my records if I cancel the subscription? Can I export the full audit trail in a non-proprietary format (CSV, JSON, or XML)? Is that export right guaranteed contractually for the full retention period? Does the export include all metadata, not just the signed documents?
Vendors who can't give you clear, contractual answers to those questions are not suitable for records that need to survive a potential inspection in 2045.
Requirement 8: Closed System Controls (Subpart B)
21 CFR Part 11 distinguishes between closed systems (where access is controlled by the system owner, such as an internal company platform) and open systems (where electronic records are accessible via open networks). Most cloud-based e-signature platforms operate as closed systems, but they still need appropriate controls under 11.10.
These controls include: limiting system access to authorized users, using authority checks to ensure users can only perform authorized functions, using device checks where appropriate, and maintaining a complete list of authorized users with their access levels documented.
The FDA's 2024 guidance specifically requires that sponsors and clinical investigators maintain records of all trial personnel authorized to access electronic systems, along with any changes to access rights. When a team member leaves a site, their access should be revoked and that revocation should be documented in the system's access log.
This is often the access management piece that general-purpose tools handle loosely. In a regulated trial, "deactivate the account" needs to create an audit trail entry with a timestamp and a reason.
Applying ICH E6(R3) to Your Platform Choice
ICH E6(R3), finalized in January 2025, updates GCP guidance for the first time since the 2016 addendum. For electronic systems, the changes are meaningful.
E6(R3) now explicitly defines "signature" to include electronic signatures, removing any ambiguity about whether GCP documentation requirements apply to electronic records. Its Data Governance section (Principle 5) requires that trial data be attributable, legible, contemporaneous, original, and accurate, with the same traceability requirements that ALCOA+ describes in the data integrity context.
For sites conducting trials under FDA, EMA, and other ICH member agency oversight simultaneously, E6(R3) alignment is the right baseline. A platform that satisfies Part 11 technically but doesn't support the data governance principles E6(R3) describes will face questions during EMA inspections.
The Eight Requirements: Quick Reference
When evaluating the best e-signature for clinical trials, check each of these:
- Unique user IDs, no sharing, MFA at the signature event (not just at login) per 21 CFR 11.100 and 11.200
- Configurable signature meaning captured in the signed record per 21 CFR 11.50
- Tamper-evident audit trail using cryptographic hashing, with original values, reason-for-change, and immutable entries per 21 CFR 11.10(e)
- Guest signing with verified identity, not just email link access, for external parties
- Multi-party signing support for delegation of authority logs and other multi-signatory documents with full audit trail sequencing
- Vendor-supplied IQ/OQ documentation and a Part 11 requirements traceability matrix
- 25-year-capable record retention with contractual export rights in non-proprietary formats
- Access management controls including user authorization records, access level documentation, and auditable deactivation workflows
A platform that misses even one of these in a regulated trial is a liability. Not theoretically. Concretely, in the form of 483 observations, corrective action requirements, and in serious cases, questions about the integrity of trial data itself.
What FDA Inspectors Actually Look For
When an FDA investigator reviews your electronic systems during a clinical site inspection, they're working through a mental checklist built from Part 11, the 2024 guidance, and years of enforcement experience. Here's what comes up consistently.
They'll ask to see the delegation of authority log and check whether the audit trail shows each signature was applied at the right time relative to task performance. Signatures applied retroactively to validate work already done are a finding.
They'll look at whether any team members share credentials. It takes about two minutes to check if multiple people use the same login by looking at the audit trail for login events from different IP addresses at overlapping times.
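The shared-credential check described above can be run by a site against its own audit trail before an inspection. The following is an added example, not code from this post or any platform: it flags accounts with sessions from different IP addresses that overlap in time. The session records, user names, and the four-field layout are constructed; a real export will need its own parsing.

```python
from datetime import datetime
from itertools import combinations

# Constructed sample session records: (user, source IP, login, logout).
SESSIONS = [
    ("crc.nguyen", "10.20.1.15", "2025-03-04T08:00:00", "2025-03-04T12:00:00"),
    ("crc.nguyen", "10.20.1.15", "2025-03-04T13:00:00", "2025-03-04T17:00:00"),
    ("site.coord", "10.20.1.22", "2025-03-04T09:00:00", "2025-03-04T11:30:00"),
    ("site.coord", "10.20.3.40", "2025-03-04T10:15:00", "2025-03-04T10:45:00"),
    ("pi.alvarez", "10.20.1.30", "2025-03-04T09:00:00", "2025-03-04T10:00:00"),
    ("pi.alvarez", "10.20.2.8", "2025-03-04T10:00:00", "2025-03-04T11:00:00"),
]

def parse(rows):
    """Group sessions by user as (start, end, ip) tuples."""
    by_user = {}
    for user, ip, start, end in rows:
        by_user.setdefault(user, []).append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), ip))
    return by_user

def overlapping_logins(rows):
    """Return [(user, ip_a, ip_b, overlap_start, overlap_end)] for review."""
    findings = []
    for user, sessions in sorted(parse(rows).items()):
        for (s1, e1, ip1), (s2, e2, ip2) in combinations(sorted(sessions), 2):
            start, end = max(s1, s2), min(e1, e2)
            # Strict '<' so a session that begins exactly when another ends
            # (one person moving between workstations) is not flagged.
            if ip1 != ip2 and start < end:
                findings.append((user, ip1, ip2, start.isoformat(), end.isoformat()))
    return findings
```

An overlap is a lead for review rather than proof of sharing: VPNs, NAT, and a second device held by the same person produce the same pattern, so each finding needs a documented explanation.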
They'll request a specific document's full audit trail and check whether it captures original values on modifications, timestamps from a controlled clock, and the identity of every person who accessed or modified it.
And they'll ask what your process is for revoking access when staff leave. An informal answer ("we email IT") is a gap. A documented procedure with evidence in the system is what passes.
For more detail on what investigators specifically request during site inspections, the FDA audit trail readiness guide walks through common day-one document requests and where sites typically fall short.
Free resource: Download our 21 CFR Part 11 Compliance Checklist to evaluate any e-signature platform against the specific requirements of Subpart B (electronic records) and Subpart C (electronic signatures). 34 items, each mapped to its CFR section.
Certivo was built specifically for FDA-regulated environments. Every signature captures a configurable meaning. Every audit trail entry is SHA-256 hashed and immutable. Guest signing for external parties satisfies Part 11 authentication requirements. IQ/OQ documentation and a Part 11 traceability matrix are included in every account. And records export to CSV or JSON without requiring support involvement.
If you're evaluating platforms for a clinical trial program and want to see how these requirements translate into actual features, start a free trial or review the compliance documentation. The compliance page includes the full list of Part 11 controls and how each one is implemented technically.