When an FDA investigator arrives at your facility and asks to review your electronic signature procedures, the first thing they want to see is your SOPs. Not the software. Not the screenshots. The written procedures that govern how your team uses, manages, and oversees the system. If those SOPs are missing, incomplete, or don't match what the system actually does, you're looking at a 483 observation before the investigator even logs in.
Written policies for electronic signatures aren't optional under 21 CFR Part 11. Section 11.10(j) explicitly requires that organizations establish and adhere to written policies that hold individuals accountable for the actions they initiate under their electronic signatures. Section 11.10(i) requires that personnel using Part 11 systems are trained on those systems. These two requirements alone create a significant SOP obligation that many organizations underestimate.
Key Takeaways
- Part 11 Section 11.10(j) mandates written policies holding individuals accountable for their electronic signatures.
- FDA expects at least six distinct SOPs covering access management, training, audit trail review, incident response, change control, and accountability.
- Missing or unimplemented SOPs are among the most common 483 findings for Part 11 systems.
- SOPs must match actual system behavior: a procedure that describes manual steps for a task the system handles automatically is still a gap.
- Audit trail review SOPs are specifically scrutinized because Section 11.10(e) requires audit trails to be reviewed regularly.
Why SOPs Are a Formal Part 11 Requirement, Not Just Best Practice
There's a widespread misconception that SOPs for electronic signature systems are just good documentation hygiene. They're not. Part 11 is explicit about several categories of written procedures it requires.
Section 11.10(j) states: "Use of appropriate controls over systems documentation including adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance." But more directly, it requires that written policies be in place to hold individuals accountable for the actions they initiate under their electronic signatures. That language appears in the regulation text itself.
Section 11.300 adds requirements for written procedures covering issuance and revocation of electronic signature components (IDs and passwords), ensuring their uniqueness, and preventing unauthorized use. That's another SOP requirement that flows directly from the regulation.
The FDA's 2003 Scope and Application guidance reinforced the procedural emphasis: organizations should maintain procedures documenting their decisions about what constitutes an electronic record under their predicate rules and what controls apply. If you can't show those procedures during an inspection, you have a compliance gap whether or not your software is technically sound.
The Six SOPs FDA Part 11 Systems Need
Based on the regulatory text and what appears most consistently in FDA 483 observations, there are six SOPs that every organization using a Part 11 electronic signature system should maintain.
SOP 1: User Access Management and Credential Issuance
This SOP covers how user accounts are created, modified, and deactivated in the electronic signature system. Part 11 Section 11.300 requires specific controls over identification codes and passwords: they must be unique, periodically revised, and the system must have procedures to electronically deauthorize lost, stolen, or compromised tokens, with capability to issue temporary replacements.
Your access management SOP should define:
- The process for requesting a new user account (who approves, what information is required)
- How identity is verified before a credential is issued
- Role assignment and what access each role permits
- What triggers immediate deactivation (termination, leave of absence, role change)
- The process for temporary account suspension vs. permanent deactivation
- Password complexity requirements and rotation frequency
- What happens when a user suspects their credentials have been compromised
This SOP links directly to the system's user administration module. The written procedure and the system configuration must match. If your SOP says passwords must be changed every 90 days but the system enforces 60 days, that's a deviation that needs reconciliation.
SOP 2: Training and Competency Verification for Part 11 Systems
Section 11.10(i) requires that persons who develop, maintain, or use electronic record and signature systems have the education, training, and experience to perform their assigned tasks. The training SOP must document what training is required, when it must be completed, and how completion is recorded.
For electronic signature systems, training should cover:
- What an electronic signature is and what it legally means under Part 11
- The meaning of each signature type available in the system (approval, review, authorship, acknowledgment)
- How to verify that a signature was properly applied (what to check before signing)
- What constitutes misuse of an electronic signature and the accountability consequences
- How to report a suspected signature compromise or unauthorized system access
- System-specific procedures: how to log in, how to navigate to documents requiring signature, how to apply and confirm a signature
Training records should capture who was trained, when, on what specific subject matter, by what method (classroom, e-learning, on-the-job), and who verified competency. Retraining requirements should be stated explicitly: when a procedure changes, when an employee returns from extended leave, or when a periodic review identifies a gap.
SOP 3: Audit Trail Review Procedure
This is the SOP that FDA inspectors scrutinize most closely. Section 11.10(e) requires that audit trails be computer-generated, time-stamped, and retained for the duration of the record. But retention alone isn't sufficient. The FDA expects audit trails to be reviewed, and the review must be documented.
Your audit trail review SOP should specify:
- Which systems have audit trails subject to periodic review
- Review frequency for each system (monthly is standard for high-risk systems; quarterly may be acceptable for lower-risk systems)
- What the reviewer is looking for: failed login attempts, shared credential use, deletions, modifications to critical records, unusual after-hours activity
- How the review is documented (date, reviewer name and role, period covered, findings, exceptions noted)
- What happens when an anomaly is found (escalation path, CAPA initiation criteria)
- Retention period for audit trail review records
The review procedure should produce a documented record that shows what was reviewed, when, and by whom. A reviewer who clicks through the audit trail without producing a record has performed no reviewable work from an FDA compliance standpoint. For more on what investigators check when reviewing audit trails, see our guide on FDA inspection readiness and audit trail requirements.
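The review criteria listed above can be turned into a repeatable check that also produces the documented review record the SOP requires. The following is an added example written for this article, not code from any particular e-signature platform: it assumes a tab-separated audit trail export with the columns timestamp, user, workstation, action, record, outcome, and it uses constructed sample entries, an assumed failed-login threshold, assumed business hours and an assumed critical-record prefix; substitute the real export layout and the thresholds your SOP defines for the system's risk level.

```python
"""Audit trail review helper for the SOP 3 criteria.

Added example (not from the article or any vendor). The export layout,
thresholds, business hours and critical-record naming are assumptions.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample export: one entry per line, tab-separated.
SAMPLE_AUDIT_TRAIL = """\
2024-03-04T08:15:00\tjsmith\tWS-101\tLOGIN\t-\tSUCCESS
2024-03-04T08:20:00\tjsmith\tWS-101\tSIGN\tBATCH-REC-0042\tSUCCESS
2024-03-04T08:21:00\tjsmith\tWS-217\tLOGIN\t-\tSUCCESS
2024-03-05T09:00:00\tadoe\tWS-102\tLOGIN\t-\tFAILURE
2024-03-05T09:01:00\tadoe\tWS-102\tLOGIN\t-\tFAILURE
2024-03-05T09:02:00\tadoe\tWS-102\tLOGIN\t-\tFAILURE
2024-03-05T09:03:00\tadoe\tWS-102\tLOGIN\t-\tFAILURE
2024-03-05T09:04:00\tadoe\tWS-102\tLOGIN\t-\tFAILURE
2024-03-05T09:05:00\tadoe\tWS-102\tLOGIN\t-\tSUCCESS
2024-03-06T23:40:00\tbrown\tWS-103\tMODIFY\tBATCH-REC-0042\tSUCCESS
2024-03-07T10:00:00\tadmin1\tWS-001\tDELETE\tSOP-DRAFT-007\tSUCCESS
2024-03-08T11:00:00\tbrown\tWS-103\tVIEW\tBATCH-REC-0042\tSUCCESS
"""

CRITICAL_RECORD_PREFIXES = ("BATCH-REC-",)        # assumption: GxP records to watch
FAILED_LOGIN_THRESHOLD = 5                       # assumption: SOP-defined threshold
BUSINESS_HOURS = (7, 19)                         # assumption: 07:00 to 19:00 local
SHARED_CREDENTIAL_WINDOW = timedelta(minutes=15) # assumption: two workstations this close


def parse_entries(text):
    """Parse the export into dicts with a real datetime for the timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action, record, outcome = line.split("\t")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "workstation": ws, "action": action,
                        "record": record, "outcome": outcome})
    return entries


def find_exceptions(entries):
    """Apply the SOP 3 review criteria; each finding is (kind, user, detail)."""
    findings = []
    # Repeated failed logins per user.
    failures = defaultdict(int)
    for e in entries:
        if e["action"] == "LOGIN" and e["outcome"] == "FAILURE":
            failures[e["user"]] += 1
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("FAILED_LOGINS", user, f"{n} failed login attempts"))
    # Possible shared credentials: one user logging in from two workstations
    # within a short window.
    logins = defaultdict(list)
    for e in entries:
        if e["action"] == "LOGIN" and e["outcome"] == "SUCCESS":
            logins[e["user"]].append(e)
    for user, evs in logins.items():
        evs.sort(key=lambda x: x["ts"])
        for a, b in zip(evs, evs[1:]):
            if (a["workstation"] != b["workstation"]
                    and b["ts"] - a["ts"] <= SHARED_CREDENTIAL_WINDOW):
                findings.append(("SHARED_CREDENTIAL", user,
                                 f"logins from {a['workstation']} and {b['workstation']}"))
    # Deletions, modifications to critical records, after-hours activity.
    for e in entries:
        if e["action"] == "DELETE":
            findings.append(("DELETION", e["user"], f"deleted {e['record']}"))
        if e["action"] == "MODIFY" and e["record"].startswith(CRITICAL_RECORD_PREFIXES):
            findings.append(("CRITICAL_MODIFY", e["user"], f"modified {e['record']}"))
        if e["action"] != "VIEW" and not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(("AFTER_HOURS", e["user"], f"{e['action']} at {e['ts'].isoformat()}"))
    return findings


def build_review_record(entries, reviewer, reviewer_role, period_start, period_end, review_date):
    """Produce the documented review record: who reviewed what period, and what was found.

    A period with no exceptions still yields a record, which is the point:
    the review must be evidenced even when nothing was wrong.
    """
    start, end = date.fromisoformat(period_start), date.fromisoformat(period_end)
    in_period = [e for e in entries if start <= e["ts"].date() <= end]
    findings = find_exceptions(in_period)
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "reviewer_role": reviewer_role,
        "period": (period_start, period_end),
        "entries_reviewed": len(in_period),
        "exceptions_noted": len(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    rec = build_review_record(parse_entries(SAMPLE_AUDIT_TRAIL), "Q. Reviewer",
                              "QA Specialist", "2024-03-01", "2024-03-31", "2024-04-02")
    for kind, user, detail in rec["findings"]:
        print(f"{kind:18} {user:8} {detail}")
    print(f"{rec['entries_reviewed']} entries reviewed, {rec['exceptions_noted']} exceptions noted")
```

The record returned by build_review_record carries the date, reviewer name and role, period covered, entries reviewed and exceptions noted, which maps directly onto the documentation elements listed in the SOP; escalation of each finding to the CAPA process remains a manual step the SOP must define.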
SOP 4: Electronic Signature Accountability and Non-Repudiation
Part 11 Section 11.10(j) explicitly requires written policies that hold individuals accountable for actions initiated under their electronic signatures. This SOP addresses what accountability means in practice for your organization.
The accountability SOP should state clearly:
- That electronic signatures applied in the system are legally equivalent to handwritten signatures
- That users are responsible for all actions performed under their credentials
- That sharing credentials is prohibited and constitutes a serious violation
- What happens if credentials are shared or misused: the specific disciplinary process and potential regulatory reporting obligations
- That users must protect their authentication credentials and must not disclose passwords to anyone, including IT support staff
- The procedure for challenging a signature that a user believes was applied without their authorization
Some organizations include this content in a general computer use policy or code of conduct. That's acceptable if the Part 11-specific requirements are explicitly covered and users have been trained on and acknowledged those requirements in writing.
SOP 5: Incident Response for Electronic Signature Compromise
Part 11 Section 11.300(d) requires procedures to electronically deauthorize lost, stolen, or potentially compromised tokens or devices that bear or generate identification codes or passwords. This creates a formal incident response requirement.
The incident response SOP should cover:
- How users report a suspected compromise (to whom, within what timeframe)
- Immediate actions: suspend the account, review the audit trail for unauthorized activity since last legitimate use
- Assessment: determine whether any unauthorized signatures were applied; if so, what records are affected
- Remediation: if unauthorized signatures are identified, how are those records flagged and investigated
- Documentation: the incident record, investigation findings, corrective actions, and whether any regulatory notification is required
- Recovery: how the user's account is reactivated and under what conditions (re-verification of identity, retraining)
Most organizations have general IT security incident response procedures. But those procedures often don't address the Part 11-specific dimension: the regulatory implications of potentially unauthorized electronic signatures on GxP records. The Part 11 incident response SOP should be cross-referenced to the IT procedure but must explicitly cover the signature integrity assessment.
SOP 6: System Change Control and Revalidation Triggers
Part 11 Section 11.10(a) requires that procedures and controls ensure the system's ongoing accuracy, reliability, and consistent intended performance. That means validation is not a one-time event. When the system changes, you need a procedure for assessing whether revalidation is required and what scope of revalidation is appropriate.
The change control SOP should define:
- What constitutes a significant change to the system (major version update, configuration change, new integration, infrastructure migration)
- How changes are evaluated for impact on the validated state (impact assessment process)
- The revalidation activities triggered by different categories of change
- Who approves changes and the associated revalidation before going live
- How changes are documented in the system's validation lifecycle documentation
- The communication process to users when a system change affects procedures
What FDA Investigators Check During SOP Audits
Understanding what investigators look for helps you structure your SOP program effectively. Based on patterns in FDA 483 observations and warning letters related to Part 11, here's what tends to come up in electronic signature SOP audits:
| Investigator Question | Related SOP | Common Finding |
|---|---|---|
| Can I see your SOP for granting access to this system? | Access Management | SOP exists but onboarding records show it wasn't followed for recent hires |
| How do you verify that users are trained before they sign documents? | Training | Training records exist but don't specifically cover electronic signature meaning |
| Show me your audit trail review records for the last 12 months | Audit Trail Review | No formal review records; users say they "look at it periodically" |
| What happens if an employee leaves? How quickly is access revoked? | Access Management | SOP says 24 hours; actual deactivation records show some accounts stayed active for weeks |
| Do users acknowledge they are responsible for their electronic signatures? | Accountability | No signed acknowledgment on file for a portion of current users |
| How do you handle a situation where a password might have been shared? | Incident Response | No specific procedure; answer is "we'd reset the password", with no investigation protocol |
How to Structure Each SOP
A well-structured SOP is easier for investigators to review and easier for staff to follow. While format varies by organization and QMS system, effective Part 11 SOPs typically include:
- Title and document identifier: The SOP name and a unique reference number for version control
- Purpose: One or two sentences stating why this procedure exists and what regulatory requirement it addresses (cite the specific Part 11 section)
- Scope: Which systems, roles, and facilities the SOP covers, and what it explicitly doesn't cover
- Responsibilities: Who does what across the quality team, system administrators, users, and management
- Definitions: Key terms used in the procedure, especially where Part 11 uses specific regulatory definitions
- Procedure: Step-by-step instructions. Each step should be action-oriented, with clear ownership and observable output
- Records: What documentation this procedure creates, where it's stored, and how long it's retained
- References: The regulatory citations (21 CFR Part 11 sections), related SOPs, and system user documentation
- Version history: Changes made between versions with effective dates
The procedure section is where most SOP gaps appear. Vague language like "users should verify access rights periodically" tells an investigator nothing. Effective procedures specify who does the verification, on what schedule, using what method, and producing what record.
SOP Gaps That Generate 483 Observations
The most commonly cited SOP-related Part 11 findings fall into four patterns:
- SOP doesn't exist: The procedure is implied by the system's configuration but was never written down. "The system enforces it automatically" is not a substitute for a written procedure in regulated environments.
- SOP exists but isn't followed: The procedure describes a process that staff don't actually use. This often happens after a system upgrade or process change that wasn't captured in change control.
- SOP isn't current: The version on the QMS is 3 years old and describes a system configuration that no longer exists. Out-of-date SOPs can be worse than no SOP if they describe incorrect behavior.
- SOP doesn't cite Part 11: The procedure covers the activity but doesn't connect it to the regulatory requirement. FDA investigators want to see that your procedures are grounded in the actual regulation, not just internal preference.
Selecting a platform purpose-built for regulated industries can reduce your SOP burden. Systems that enforce audit trail immutability, role-based access, and credential controls at the software level don't need separate procedures to maintain those behaviors. Your SOPs document what the system does and who is responsible for oversight, not how to manually implement controls the system handles automatically. For more on what to look for in a purpose-built platform, see our guide on what makes an e-signature platform genuinely Part 11 compliant, or explore ALCOA+ audit trail software requirements to understand the technical controls that underpin your audit trail SOPs.
Connecting Your SOPs to Inspection Readiness
Electronic signature SOPs don't exist in isolation. They're part of your overall inspection readiness posture. Before any FDA inspection, run through this SOP-specific pre-inspection checklist:
- Are all six SOP categories documented and current (effective version matches actual system behavior)?
- Have all current users signed a training acknowledgment for each relevant SOP?
- Do audit trail review records exist for the past 12 months, with no unexplained gaps?
- Are access deactivation records available for all employees who left during the past 12 months?
- Does every current user have a complete access request and onboarding record?
- Can you produce a list of all users with access, their roles, and when access was granted?
- Is there a change control record for every system update since the last inspection?
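Two of the checklist items above, deactivation records for departed employees and a documented access request for every current user, can be verified by reconciling the HR separation list and the access request log against the system's user export. The code below is an added example for this article, not a feature of any platform: it assumes a 24-hour deactivation window (the SOP value from the table earlier on the page), and the HR list, account export and access request set are constructed sample data in an assumed layout.

```python
"""Pre-inspection reconciliation of access records against the system user export.

Added example (not from the article or any vendor). Data layouts, the SLA and
the sample records are assumptions.
"""
from datetime import datetime, timedelta

SLA_HOURS = 24  # assumption: the SOP's deactivation window after the last working day

# Constructed HR separation list: (user_id, end of last working day)
HR_SEPARATIONS = [
    ("jsmith", "2024-01-12T17:00:00"),
    ("adoe", "2024-02-02T17:00:00"),
    ("kpatel", "2024-02-20T17:00:00"),
    ("mlee", "2024-03-01T17:00:00"),
]

# Constructed system user export: user_id -> (status, deactivation timestamp or None)
SYSTEM_ACCOUNTS = {
    "jsmith": ("INACTIVE", "2024-01-13T09:30:00"),  # deactivated within 24 h
    "adoe": ("INACTIVE", "2024-02-19T08:00:00"),    # deactivated 16.6 days later
    "kpatel": ("ACTIVE", None),                      # never deactivated
    "brown": ("ACTIVE", None),
    "svc_integration": ("ACTIVE", None),             # no access request on file
}

# Constructed access request log: user ids with a documented request and approval
ACCESS_REQUESTS = {"jsmith", "adoe", "kpatel", "brown"}


def check_deactivation_timeliness(separations, accounts, sla_hours=SLA_HOURS):
    """Return (user, finding, lag_hours) for departed users not revoked within the SLA."""
    findings = []
    for user, last_day in separations:
        if user not in accounts:
            # No account row at all: there is nothing evidencing the deactivation.
            findings.append((user, "NO_DEACTIVATION_RECORD", None))
            continue
        status, deactivated_at = accounts[user]
        if status == "ACTIVE" or deactivated_at is None:
            findings.append((user, "STILL_ACTIVE", None))
            continue
        lag = datetime.fromisoformat(deactivated_at) - datetime.fromisoformat(last_day)
        if lag > timedelta(hours=sla_hours):
            findings.append((user, "LATE", round(lag.total_seconds() / 3600, 1)))
    return findings


def check_onboarding_records(accounts, requests):
    """Return active users who have no documented access request."""
    return sorted(user for user, (status, _) in accounts.items()
                  if status == "ACTIVE" and user not in requests)


def pre_inspection_summary(separations, accounts, requests):
    """Answer the two checklist questions with the evidence behind each answer."""
    late = check_deactivation_timeliness(separations, accounts)
    missing = check_onboarding_records(accounts, requests)
    return {
        "deactivation_within_sla": not late,
        "deactivation_findings": late,
        "all_active_users_have_request": not missing,
        "users_without_request": missing,
    }


if __name__ == "__main__":
    summary = pre_inspection_summary(HR_SEPARATIONS, SYSTEM_ACCOUNTS, ACCESS_REQUESTS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Each finding names the user and the reason, so the output can be attached to the pre-inspection checklist as evidence rather than a bare yes/no; a service account with no request on file is flagged the same way as a human user, since the access management SOP applies to both.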
The goal isn't perfect documentation for its own sake. It's that your SOPs reflect a genuine quality system in which electronic signatures mean something: a specific person, at a specific time, made a deliberate decision and is accountable for it. That's what Part 11 is actually trying to ensure. SOPs are the human layer that makes the system controls meaningful.