GxP is shorthand for "Good Practice" — and depending on which discipline you work in, the specific requirements for electronic signatures differ in ways that trip up even experienced compliance teams. A GMP batch record has different signature obligations than a GLP study report or a GCP informed consent form. And the regulations that govern each aren't interchangeable.
This guide breaks down exactly what GMP, GLP, and GCP each require from electronic signatures, where the requirements overlap, and where they diverge. If you work across multiple GxP disciplines, or if you're evaluating a single e-signature platform to cover all three, this comparison will save you significant pain during your next inspection.
Key Takeaways
- All three GxP disciplines require FDA 21 CFR Part 11 compliance for electronic signatures in FDA-regulated studies and manufacturing.
- GCP adds an additional non-repudiation letter requirement — each organization must certify to FDA that their electronic signatures are legally binding equivalents of handwritten signatures.
- GLP has strict study director signature rules that require a single accountable individual, not just any authorized user.
- GMP requires signatures on every batch record critical step, with specific "reason for change" requirements if any prior entry is modified.
- EU requirements differ from US requirements in each discipline — Annex 11 and Annex 15 apply to GMP, OECD GLP Principles apply to GLP, and ICH E6(R3) applies to GCP.
- A platform built for Part 11 compliance satisfies the technical foundation for all three, but your SOPs must address discipline-specific procedural obligations.
The Shared Foundation: FDA 21 CFR Part 11
Regardless of discipline, if you're creating FDA-required records electronically, Part 11 applies. This covers GMP batch records, GLP study data, and GCP clinical trial documentation — all of them. The Part 11 requirements that apply equally across GxP disciplines are:
- System validation: The system must be validated to produce accurate and reliable records. GMP validation typically uses IQ/OQ/PQ under FDA's Computer Software Assurance (CSA) guidance. GLP and GCP organizations increasingly apply the same framework.
- Audit trails: Under 21 CFR 11.10(e), every system must maintain a secure, computer-generated, time-stamped audit trail of who created, modified, or deleted a record, when, and (for modifications) what was changed. The audit trail must capture original values, not just new values.
- Unique user credentials: Each user must have credentials that can't be shared. Under 21 CFR 11.100, electronic signatures must be unique to one individual and not reused or reassigned.
- Two-component identification: For non-biometric signatures, Part 11 requires at least two distinct identification components — typically a username and password, or a password combined with a one-time authenticator code.
- Signature manifestation: Every signed electronic record must display the signer's printed name, the date and time of signing with time zone, and the meaning of the signature (e.g., "Approved," "Reviewed," or "Authored").
- Record protection: Signed records must be protected from modification after signing. If a change is required, the change must go through a controlled process with a new audit entry and reason for change.
All three disciplines must meet these controls. Where they diverge is in the additional, discipline-specific requirements layered on top of Part 11.
GMP Electronic Signature Requirements
Good Manufacturing Practice governs pharmaceutical manufacturing, API production, and — since February 2026 when the QMSR replaced the old QSR — most medical device manufacturing in the US. GMP creates the highest volume of required signatures of any GxP discipline.
What GMP requires for electronic signatures
In GMP, electronic signatures are required on batch production records, batch release records, equipment cleaning logs, environmental monitoring reports, deviation investigations, change control records, stability study protocols and reports, and standard operating procedures (both initial approval and revision approvals). This is not an exhaustive list — any record required by a predicate rule (21 CFR Parts 210, 211, or 820/QMSR) that you maintain electronically must comply with Part 11.
The GMP-specific requirement most commonly creating compliance gaps is the reason for change requirement. Under GMP, if any data in a batch record is modified after initial entry, the system must capture the original value, the new value, the person who made the change, the timestamp, and the reason for the change. Software that lets users overwrite data without capturing the original value is not Part 11 compliant, regardless of what the vendor's marketing materials say.
In the EU, GMP electronic signatures must also comply with EU GMP Annex 11. The 2025 draft revision of Annex 11 explicitly requires multi-factor authentication for electronic signatures on GMP-critical records and aligns with eIDAS for cross-border situations. UK MHRA maintains its own GMP guidance that largely mirrors Annex 11 post-Brexit.
GMP audit trail review
GMP regulations expect periodic audit trail review as part of the batch release process and the periodic review of computerized systems. This means your SOP must define a review frequency, and you must have documented evidence that reviews occurred. FDA 483 observations frequently cite either the absence of an audit trail review SOP or the lack of records showing the reviews were actually completed.
Many GMP organizations review audit trails per batch (for manufacturing) and quarterly (for quality management systems). Either approach satisfies FDA expectations if documented and consistently followed.
GLP Electronic Signature Requirements
Good Laboratory Practice applies to non-clinical safety studies submitted to FDA in support of regulatory applications. GLP regulations sit in 21 CFR Part 58 and have requirements that differ meaningfully from GMP — particularly around individual accountability.
The study director requirement
The most distinctive GLP electronic signature requirement is the study director signature. Under 21 CFR 58.33, there must be a single study director with overall responsibility for each study. The study director must sign the study plan (protocol), any amendments, and the final report. This isn't a generic "approved by" role — it's a specific designated individual.
For e-signature platforms, this means you need the ability to assign a specific user as study director and require their signature on specific document types. A system that allows any authorized user to sign any document type without role-based controls won't satisfy this requirement.
GLP raw data and audit trails
GLP requires that raw data be defined, collected, and retained in a way that allows full reconstruction of the study. Under 21 CFR 58.3(k), raw data includes all original laboratory worksheets, records, memoranda, notes, or exact copies. For electronic systems, FDA expects the audit trail to serve as the primary mechanism for demonstrating data integrity over the life of the study — which for GLP studies can be decades.
OECD GLP Principles (which apply to organizations submitting data to EU, Japanese, and other OECD member regulators) require the same controls as FDA's 21 CFR Part 58, with some additional expectations around data migration. If you migrate data to a new system during a long-running study, the audit trail for both the old and new system must be preserved and traceable.
GLP vs GMP audit trail differences
GLP studies often have much longer data retention requirements than GMP batch records. A chronic toxicology study supporting an NDA might require 15 or more years of retention. The electronic records from that study, including every audit trail entry, must remain readable for that entire period. This makes the enduring and available ALCOA+ principles especially critical in GLP systems — proprietary formats that require the original software to read are a liability risk over multi-decade retention periods.
GCP Electronic Signature Requirements
Good Clinical Practice governs the conduct of clinical trials in human subjects. GCP regulations sit in 21 CFR Parts 50, 56, and 312, with ICH E6(R3) providing the international harmonized standard that FDA endorses.
The non-repudiation letter
GCP has a procedural requirement with no equivalent in GMP or GLP: the electronic signature non-repudiation letter. Under 21 CFR 11.100(c), persons or organizations using electronic signatures must certify to FDA that the electronic signatures used in their system are the legally binding equivalents of traditional handwritten signatures. FDA requires this certification to be submitted in writing — on paper — to FDA headquarters before or at the time electronic signatures are first used on FDA-regulated clinical records.
The FDA's 2024 final guidance on electronic systems in clinical investigations (the Q&A guidance finalized October 2024) clarified that an organization may submit a single non-repudiation letter to cover all studies conducted by that organization. This letter must be retained and available for inspection. Many clinical sites and sponsors are unaware this requirement exists — it's one of the most frequently missed GCP e-signature compliance obligations.
Delegation of authority and GCP site signatures
GCP requires documented delegation of authority from the principal investigator (PI) to site staff. The delegation of authority log must capture who is delegated, what tasks they're authorized to perform, and when the delegation was granted or revoked. If staff change mid-study, the log must reflect those changes.
For e-signature platforms at clinical sites, this means you need role-based controls that restrict who can sign specific document types based on their current delegation status. A site coordinator can't sign a document that requires PI-level authority just because they have system access.
ICH E6(R3) and the audit trail
ICH E6(R3), the GCP guideline revised in 2023, reinforces that audit trails must capture all GCP-relevant data changes in clinical trial management systems. For systems used to manage GCP records, this means capturing who made every change, when, and what the change was — with original and new values preserved. E6(R3) also adds stronger language around risk-based quality management and emphasizes that data integrity must be built into system design, not added as a post-hoc control.
The FDA's 2024 clinical investigations guidance applies these principles to modern technologies including cloud-based systems and decentralized trial tools. It explicitly states that FDA considers Part 11 to apply to all electronic systems used in FDA-regulated clinical investigations, including third-party SaaS platforms used by sponsors and sites.
Where GMP, GLP, and GCP Requirements Diverge
The table below summarizes the key differences across the three disciplines for electronic signature compliance:
| Requirement | GMP | GLP | GCP |
|---|---|---|---|
| Part 11 applies | Yes | Yes | Yes |
| Non-repudiation letter to FDA | Not required | Not required | Required (11.100(c)) |
| Role-specific signature authority | Batch release roles | Study director designation required | PI delegation of authority log |
| Reason for change required | Yes, per entry | Yes, per entry | Yes, per entry |
| Audit trail review cadence | Per batch or periodic | Per study milestones | Periodic per site SOP |
| EU counterpart regulation | Annex 11 (+ UK GMP) | OECD GLP Principles | ICH E6(R3) |
| Typical retention period | 1 year post-expiry / per product lifecycle | 15+ years for safety study data | 25 years (EU CTR 536/2014 Art. 58) |
| MFA for signing | Part 11 + Annex 11 draft require it | Part 11 requires two-component | Part 11 requires two-component |
Common Compliance Failures Across GxP Disciplines
FDA 483 observations in GxP environments consistently cluster around the same set of failures, regardless of discipline:
Shared login credentials
This is the single most common Part 11 finding in all three GxP disciplines. When two people share a username and password, the attributable principle of ALCOA+ fails. Every signature and every audit trail entry is ambiguous — you can't prove who actually performed the action. FDA has issued warning letters to GMP manufacturers, GLP facilities, and clinical research sites for this violation.
System-generated vs. user-provided timestamps
Part 11 requires that timestamps be computer-generated, meaning the system determines the time — not the user. Systems that let users enter or modify the date and time of a signature violate this requirement. This is particularly common in legacy spreadsheet-based systems that have been adapted for GxP use without being properly validated for Part 11.
Missing or incomplete audit trails
A surprising number of FDA 483 observations cite systems where the audit trail doesn't capture all GxP-relevant actions. Administrator actions are frequently missing — if your system administrator can modify records without those actions being logged, you have an audit trail gap. This is especially problematic in GMP systems where database-level access by IT staff could theoretically allow changes that bypass the application-level audit trail.
No documented audit trail review
Having an audit trail isn't enough if you can't demonstrate it's being reviewed. All three GxP disciplines expect a written SOP defining the review frequency and documented evidence that reviews were completed on schedule. FDA investigators routinely ask for audit trail review records during inspections. Organizations that have a "review procedure" on paper but no execution records are particularly vulnerable.
Can One E-Signature Platform Satisfy All Three GxP Disciplines?
Yes — but the platform needs to be designed for it, not adapted from a general-purpose tool. The key technical requirements for a cross-GxP e-signature platform are:
- Role-based signature controls: The ability to define which users can sign which document types, and to enforce those controls at the system level rather than just through process controls.
- Full ALCOA+ audit trail: Captures all GxP-relevant actions, including administrator actions, failed attempts, and access events. Every entry includes who, what, when (system-generated timestamp), and original value.
- Tamper-evident audit storage: Hash-chained audit entries that make any after-the-fact modification detectable. This satisfies both FDA Part 11 and the OECD GLP "original record" requirement.
- Two-factor authentication at signing: Required by Part 11 for non-biometric signatures, and now increasingly expected by Annex 11 for GMP environments. Should be enforced at the moment of signing, not just at login.
- Configurable retention periods: GMP, GLP, and GCP have different retention requirements. A system that supports configurable per-document-type retention, including the 25-year requirement under EU CTR 536/2014, avoids the risk of early deletion.
- Validation documentation: IQ/OQ/PQ protocols, traceability matrices, and system configuration documentation. This is your evidence during an inspection that the system was qualified before use.
The organizational controls vary by discipline. You'll need different SOPs for GMP batch record signing, GLP study director designation, and GCP delegation of authority management. But the underlying platform requirements are the same — and a purpose-built, Part 11 compliant e-signature platform can serve as the technical foundation for all three.
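The hash-chained audit storage and reason-for-change capture described above can be sketched as follows. This is an added example, not code from any vendor or from the original page; the `AuditTrail` class, its field names, and the batch record values are hypothetical and constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

def digest(entry):
    # SHA-256 over the canonical JSON of every field except the hash itself.
    body = {k: v for k, v in entry.items() if k != "hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

class AuditTrail:
    """Append-only trail (hypothetical class, not any vendor's API)."""
    def __init__(self, clock=None):
        # Clock is injectable for tests only; record_change() takes no timestamp.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._entries = []

    def record_change(self, user, record_id, field, original, new, reason):
        if not reason or not reason.strip():
            raise ValueError("reason for change is required")
        entry = {
            "seq": len(self._entries),
            "timestamp": self._clock().isoformat(),  # system-generated, UTC
            "user": user, "record_id": record_id, "field": field,
            "original": original,  # old value is kept, never overwritten
            "new": new, "reason": reason.strip(),
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = digest(entry)
        self._entries.append(entry)
        return dict(entry)

    def export(self):
        return [dict(e) for e in self._entries]

def verify_chain(entries, anchored_head=None):
    # Returns None if intact, otherwise a string naming the first problem.
    # anchored_head is the last hash as stored outside the audit database
    # (for example in a signed review record). Without it, someone with
    # database access could rewrite and re-hash the whole chain undetected.
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev or digest(e) != e.get("hash"):
            return f"entry {i} failed verification"
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return "head mismatch"
    return None

def demo():
    # Constructed sample: one batch-record correction, then an in-place tamper.
    trail = AuditTrail()
    trail.record_change("jdoe", "BR-0001", "fill_weight_g", "10.2", "10.4", "Transcription error")
    entries = trail.export()
    head = entries[-1]["hash"]
    entries[0]["original"] = "10.4"  # simulated after-the-fact edit
    return verify_chain(trail.export(), head), verify_chain(entries, head)
```

Recording the head hash during each documented audit trail review gives the reviewer an anchor that a later database-level rewrite or truncation cannot reproduce.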
For a broader look at what to require from a vendor, see our E-Signature Vendor Evaluation Checklist, which contains 40+ RFP questions covering Part 11, Annex 11, and ALCOA+ requirements across all GxP disciplines.
GxP Electronic Signatures Under EU and UK Regulations
US-based organizations often focus exclusively on FDA requirements, but if you're conducting studies or manufacturing products for EU or UK markets, additional frameworks apply.
EU GMP Annex 11
The 2025 draft revision of EU GMP Annex 11 significantly strengthens electronic signature requirements compared to the current text. Key additions in the draft include:
- Explicit multi-factor authentication requirements for GMP-critical signatures
- Alignment with eIDAS for cross-border and intra-company signature scenarios
- Cloud and SaaS systems addressed directly (previously unclear)
- Enhanced audit trail accessibility requirements during inspections
Once finalized, the revised Annex 11 will create higher technical expectations for GMP e-signature systems than the current text. Organizations using general-purpose e-signature tools without native MFA enforcement at the signing event should assess their compliance position now.
ICH E6(R3) for GCP
ICH E6(R3), the revised GCP guideline that EMA, FDA, and other ICH members endorse, shifts to risk-based approaches for data quality management. For electronic signatures in clinical trials, this means the system's data integrity controls must be proportionate to the risk associated with the record. High-risk records (informed consent, primary efficacy endpoints) require the strongest controls; administrative records may warrant less intensive oversight.
Preparing Your SOPs for GxP Electronic Signatures
Even a perfectly validated, Part 11-compliant platform won't satisfy FDA if your SOPs don't address discipline-specific obligations. At minimum, your e-signature SOP suite should cover:
- User account management and unique credential assignment
- Password policy and MFA enrollment
- Role assignment and periodic access review
- Audit trail review schedule and documentation
- Handling of GLP study director designations
- GCP non-repudiation letter submission and retention
- GCP delegation of authority log maintenance
- Record retention periods by document category and GxP discipline
- Incident response for potential audit trail integrity events
- Training requirements and acknowledgment process
The SOP gap is where most organizations get caught. The platform can be technically compliant, but if there's no SOP defining audit trail review cadence or no records showing GCP staff completed training before signing, the inspection finding will cite the organizational control failure, not the platform.
Summary
GMP, GLP, and GCP all sit on the same Part 11 foundation — audit trails, unique credentials, two-component authentication, and system validation. Where they differ is in the role-specific, document-specific, and procedural obligations each discipline layers on top. GCP adds the non-repudiation letter and delegation of authority tracking. GLP adds study director designation requirements and extended data retention. GMP adds per-entry reason-for-change and periodic audit trail review tied to batch release.
For organizations operating across multiple GxP disciplines, the right approach is a platform that handles the shared technical requirements natively, combined with discipline-specific SOPs that address the unique procedural obligations of each area. That combination covers you from GMP batch records through GLP study reports to GCP clinical trial documentation — without needing a different tool for each.
If you're evaluating whether your current platform meets Part 11 across all three disciplines, our 21 CFR Part 11 Compliance Checklist covers every Subpart B and Subpart C requirement with a checkable format you can run against any system. And for a deeper look at how Certivo specifically addresses GxP compliance, the compliance overview page walks through each regulatory framework with implementation details.