Most clinical research sites treat electronic signatures as a checkbox. Click to sign, move on, done. But the FDA has a different definition of "done," and the gap between those two definitions is where 483 observations are born.
21 CFR Part 11 electronic signatures aren't just digital approximations of a wet-ink signature. They carry specific technical requirements, procedural obligations, and evidentiary expectations. Getting them right isn't complicated, but it does require understanding what the regulation actually says, not just what a vendor's marketing page says about it.
This guide walks through what Part 11 electronic signatures must do, what Subpart B and Subpart C require, and the most common places clinical sites and sponsors fall short.
Why Signature Validity Is the Real Issue
Before diving into the regulation, it's worth being clear about what's at stake.
The whole premise of Part 11 is that an electronic signature can be legally equivalent to a handwritten signature. That equivalence isn't automatic. It has to be earned through specific controls. If those controls aren't in place, the signature isn't equivalent to anything. It's just a click.
That matters enormously for clinical research. Protocol amendments, adverse event reports, case report forms, investigator agreements -- these are all documents that may be reviewed by FDA investigators. If the signatures on those documents can't be validated as attributable to a specific individual at a specific moment in time, the records lose their evidentiary value. And that's when inspections get uncomfortable.
The FDA's October 2024 final guidance on electronic systems in clinical investigations reinforced this point. The agency clarified expectations for cloud-based systems, remote signing workflows, and digital health technologies, but the core requirement hasn't changed since 1997: electronic signatures must be trustworthy, reliable, and genuinely equivalent to paper.
What Subpart B Requires (The Records Side)
Subpart B of Part 11 covers controls for electronic records. It's the infrastructure your signatures live in.
Section 11.10 lists requirements for closed systems -- which covers most clinical research platforms. The key controls:
Validation. The system must be validated to ensure accuracy, reliability, and consistent performance. This isn't a one-time exercise. It's maintained through the system lifecycle, with change control applied whenever the system is updated.
Audit trails. Section 11.10(e) is the most-cited provision in FDA 483 observations. Your system must produce a secure, computer-generated, time-stamped audit trail that captures operator entries and actions. That trail has to be independent of the operator (meaning the person who took the action can't modify the record of it), and it must be retained for at least as long as the underlying record.
Access controls. Only authorized individuals can access the system. Section 11.10(d) requires unique credentials tied to specific individuals. Shared accounts are a direct violation, and they're also the single fastest way to destroy audit trail integrity.
Record retrieval. The system must be able to generate accurate, complete copies of records in both human-readable and electronic form for FDA inspection. If an investigator shows up and your system can't produce legible records on demand, that's an immediate problem.
Signature-to-record linking. Section 11.70 requires that electronic signatures be cryptographically or otherwise technically linked to their records so they can't be excised, copied, or transferred to falsify a different record. This is what separates a compliant electronic signature from a typed name at the bottom of an email.
Section 11.30 covers open systems -- those where access isn't controlled by the record owner, such as email or public-facing portals. Open systems require additional controls including encryption and the use of digital signatures from recognized certificate authorities. Most clinical research sites operate closed systems, but the distinction matters if you're transmitting records externally.
What Subpart C Requires (The Signature Side)
Subpart C is where the specific requirements for Part 11 electronic signatures themselves live. This is the part most organizations underinvest in understanding.
Section 11.100: Each Signature Must Be Unique
An electronic signature must be unique to one individual. It can't be reused or reassigned to anyone else. Before your organization assigns electronic signatures to individuals, it must verify their identities. And critically, your organization must certify to the FDA -- in writing, with a handwritten signature, submitted to the FDA Office of Regional Operations -- that your electronic signatures are the legally binding equivalent of handwritten signatures.
That certification requirement surprises a lot of teams. It's not a form most platforms walk you through. But it's a real obligation, and it's the formal moment at which your organization commits to the evidentiary weight of every signature executed in your system.
Section 11.200: Two Identification Components
For non-biometric electronic signatures -- which covers the vast majority of clinical research sites -- the system must employ at least two distinct identification components. The classic example is a user ID combined with a password.
There's an important nuance here. When someone signs multiple documents during a single, continuous period of controlled system access, the first signing must use all identification components. Subsequent signings in that session may use just one. But if signings happen in separate sessions, each one requires all components.
This matters for workflow design. A system that lets a user sign once and then applies that signature to a queue of documents without re-authentication doesn't meet the session-based requirements of 11.200. Each signing event in a separate access period requires the full authentication sequence.
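The session rule above can be enforced in the signing path itself. The sketch below is an added example, not code from the regulation or from any vendor's platform; the idle timeout, the choice of the password as the single component for later signings, and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

IDLE_LIMIT_S = 900  # assumption: idle gap that ends a continuous access period
SALT = b"constructed-salt"  # constructed; use a per-user random salt in practice


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


USERS = {"jsmith": _digest("correct horse")}  # constructed sample account


@dataclass
class Session:
    user_id: str                # identity established at login
    last_activity: float        # seconds, from a monotonic server clock
    signed_once: bool = False   # True after a full two-component signing


def sign(session: Session, now: float, password: str,
         user_id: Optional[str] = None) -> str:
    """Authorize one signing; return the rule applied or raise PermissionError."""
    if now - session.last_activity > IDLE_LIMIT_S:
        session.signed_once = False  # continuity broken: full sequence again
    if not session.signed_once:
        # First signing of the access period: both components are required.
        if user_id is None:
            raise PermissionError("user ID and password required")
        if user_id != session.user_id:
            raise PermissionError("signer does not match session owner")
    stored = USERS.get(session.user_id)
    if stored is None or not hmac.compare_digest(stored, _digest(password)):
        raise PermissionError("authentication failed")
    rule = "one-component" if session.signed_once else "two-component"
    session.signed_once = True
    session.last_activity = now
    return rule
```

A batch-signing feature built on this check would call `sign` once per document, so a queue that outlives the access period falls back to the full sequence instead of inheriting the earlier authentication.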
Biometric-based signatures follow different rules: they must be designed so only the genuine owner can use them, and that design must be tested and validated.
Section 11.300: Password Controls
Organizations using ID and password combinations must maintain specific controls. These include keeping each credential combination unique across all users, requiring periodic password revisions, having procedures to deauthorize compromised credentials, using transaction safeguards to prevent unauthorized use, and testing devices that generate or bear identification codes.
Section 11.300 is often where compliance quietly breaks down. Password management policies are documented in an SOP, but enforcement is lax. Passwords are shared because it's convenient during a site visit. Terminated users aren't deactivated promptly. These aren't exotic edge cases -- they're patterns that appear repeatedly in FDA warning letters.
Section 11.50: Signature Manifestations
Every signed electronic record must display the signer's printed name, the date and time the signature was executed, and the meaning of the signature. That last one is critical and frequently missed.
Meaning refers to the purpose of the signing: review, approval, responsibility, authorship. A signature without a stated meaning doesn't tell the FDA why the person signed. That's not just a formality. In a clinical investigation, there's a significant difference between a monitor who reviewed a document and a principal investigator who approved it. Both need to be captured in the record, and they need to be distinct.
The meaning must appear in any human-readable form of the record, whether it's displayed on screen or printed.
The FDA's 2024 Clinical Investigations Guidance
In October 2024, the FDA finalized its Q&A guidance on electronic systems, records, and signatures in clinical investigations. It was the most substantive update to clinical trial electronic records guidance since the 2003 Scope and Application document.
The 2024 guidance addressed 29 questions across electronic records, IT service providers, digital health technologies, and electronic signatures. Key clarifications relevant to sites and sponsors:
Cloud-based systems are held to the same Part 11 standards as on-premise systems. The vendor is responsible for system-level controls; the sponsor or site retains responsibility for appropriate use and validation documentation.
IT service providers (including SaaS vendors) must be qualified as part of the regulated entity's vendor management process. A Part 11 compliance statement from a vendor doesn't substitute for the site's own qualification activities.
Remote and hybrid signing workflows are acceptable, but the authentication requirements of Subpart C still apply. A system that emails a link and counts the click as a signature doesn't meet the two-component requirement.
The guidance also reinforced that audit trail review is a required activity, not just an audit preparation step. Sites should be reviewing audit trails regularly as part of ongoing quality oversight.
The Most Common Part 11 Electronic Signature Failures at Clinical Sites
After reviewing FDA 483 observations and warning letters across clinical research settings, the failures cluster around a predictable set of issues.
Shared credentials. One login for the whole monitoring team. One PI password shared with the coordinator "just for urgent situations." Each of these destroys attribution. When the audit trail shows a signature from "Dr. J. Smith" but three people had access to that password, the signature is meaningless.
Missing signature meaning. The platform captures name and timestamp, but the meaning field is blank or defaulted to a generic value that doesn't distinguish between review and approval. This is a Section 11.50 violation and it shows up in inspections.
Session re-authentication not enforced. The system lets users sign a batch of documents in one click without re-entering credentials. This fails the session-based requirement of Section 11.200 when those signings constitute distinct access periods.
No FDA certification letter. Section 11.100(c) requires a certification to the FDA that your organization's electronic signatures are binding. A surprising number of organizations that have been using electronic signatures for years have never filed this certification. It doesn't void past signatures retroactively, but it's a compliance gap that investigators notice.
Signature-record links that can be broken. PDFs with a typed name and no cryptographic binding to the document. Systems where a signed record can be re-exported without its signature metadata. Documents where the signature block is in a separate file from the content it's supposed to cover. All of these fail Section 11.70.
Audit trails that can be modified. Database administrators with direct table access. Log files stored in writable locations. Audit entries that can be amended by users. Section 11.10(e) requires an immutable trail. If your database admins can edit the log, your audit trail isn't compliant.
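One way to make edits to an audit trail detectable is to chain each entry to the hash of the one before it and keep the latest head hash somewhere the trail's writers cannot reach. The following is an added example, not code from any platform discussed here; the field names, sample entries, and the separate write-once store for the head hash are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("user", "action", "record_id", "ts")


def _link(prev_hash: str, body: dict) -> str:
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(trail: list, user: str, action: str, record_id: str, ts: str) -> str:
    """Append an entry chained to its predecessor; return the new head hash."""
    prev = trail[-1]["hash"] if trail else GENESIS
    body = {"user": user, "action": action, "record_id": record_id, "ts": ts}
    trail.append({**body, "prev": prev, "hash": _link(prev, body)})
    return trail[-1]["hash"]


def first_broken_index(trail: list, anchored_head: str):
    """Return None if intact, else the index where verification first fails.

    anchored_head is the last head hash, stored where trail writers cannot
    reach it (assumption: a separate write-once store).
    """
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: entry[k] for k in FIELDS}
        if entry["prev"] != prev or entry["hash"] != _link(prev, body):
            return i
        prev = entry["hash"]
    # Chain is self-consistent; a head mismatch means truncation or a full rewrite.
    return None if prev == anchored_head else len(trail)
```

A hash chain gives tamper evidence rather than immutability: it shows that an administrator with table access changed something and where, which is what a periodic audit trail review needs, but it does not replace restricting that access.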
What a Valid Part 11 Electronic Signature Actually Looks Like
A compliant Part 11 electronic signature does several things at the same time:
- It's tied to a specific individual through unique credentials that only they control.
- It was executed using at least two identification components (or biometrics).
- It captures the signer's printed name, the exact date and time, and the specific meaning of the signing.
- It's cryptographically or technically linked to the record so it can't be moved or replicated.
- It's captured in an immutable, time-stamped audit trail that no operator can modify.
- It was executed on a validated system with documented controls for access, record retention, and retrieval.
That's what "Part 11 compliant" means for an electronic signature. Not just a digital signature widget. Not just a checkbox in a vendor's compliance matrix. A specific set of technical and procedural controls that together give the signature evidentiary weight.
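The binding and manifestation items in that list can be shown together. This is an added example, not any vendor's implementation: it uses an HMAC under a system-held key as the technical link (an assumption; per-signer asymmetric keys are a stronger design), and the key, field names, and sample values are constructed.

```python
import hashlib
import hmac
import json

MEANINGS = {"review", "approval", "responsibility", "authorship"}
SYSTEM_KEY = b"constructed-demo-key"  # assumption: held by the system, never by users


def _mac(fields: dict) -> str:
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SYSTEM_KEY, msg, hashlib.sha256).hexdigest()


def sign_record(record: bytes, user_id: str, printed_name: str,
                meaning: str, signed_at: str) -> dict:
    """Bind signer, time and meaning to this exact record content."""
    if meaning not in MEANINGS:
        raise ValueError("a specific signature meaning is required")
    fields = {
        "record_sha256": hashlib.sha256(record).hexdigest(),
        "user_id": user_id,
        "printed_name": printed_name,
        "meaning": meaning,
        "signed_at": signed_at,
    }
    return {**fields, "mac": _mac(fields)}


def verify(record: bytes, sig: dict) -> bool:
    """False if the signature was moved to another record or any field changed."""
    fields = {k: v for k, v in sig.items() if k != "mac"}
    same_record = fields.get("record_sha256") == hashlib.sha256(record).hexdigest()
    return same_record and hmac.compare_digest(sig.get("mac", ""), _mac(fields))


def manifestation(sig: dict) -> str:
    """Human-readable line: printed name, date and time, meaning."""
    return f'{sig["printed_name"]} | {sig["signed_at"]} | Meaning: {sig["meaning"]}'
```

Because the MAC covers the record hash, a signature block copied onto a different document or re-exported with an edited meaning fails `verify`.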
Signature Validity, Not Just Document Storage
There's a distinction worth making explicit, because it shapes how you think about the problem.
Part 11 compliance for electronic records is often framed as a storage and retention question: are the documents saved in the right format, for long enough, in a secure system? That's part of it. But for signatures specifically, the question is validity. Can you prove, with confidence, that a specific identified individual executed this specific signature at this specific moment, with this specific stated intent?
If the answer to any part of that is "not really," the signature's legal equivalence to a handwritten one is in doubt. And in a regulated clinical investigation, that's not an abstract concern. It affects the integrity of your trial records and, ultimately, your ability to submit credible data.
Platforms purpose-built for Part 11 handle these requirements as design constraints, not optional features. They enforce two-factor authentication at each signing event, generate immutable audit entries automatically, capture signature meaning as a required field, and bind signatures to records in a way that survives export and review. That's what to look for when evaluating any system you'll use for regulated signatures.
Conclusion
Part 11 electronic signatures carry specific, enforceable requirements that go well beyond clicking to approve. Subpart B defines the records infrastructure those signatures must live in. Subpart C defines exactly what the signature itself must consist of, how it must be authenticated, and what it must display. The FDA's 2024 clinical investigations guidance updated the context for cloud and remote workflows, but the core standards are unchanged.
The sites and sponsors that stay out of trouble aren't the ones with the most sophisticated technology. They're the ones who understand what the regulation actually requires, implement systems that enforce those requirements by design, and train their teams to treat signature integrity as a quality obligation, not an IT question.
For more on how audit trails support signature validity, see our guide to audit trail requirements for regulated industries. For a broader look at the regulation itself, see our complete guide to FDA 21 CFR Part 11.