Most FDA 21 CFR Part 11 guidance is written for pharmaceutical companies with dedicated QA teams, validation specialists, and legal counsel who parse regulatory language for a living. If you run a small clinical research site with a handful of staff and a coordinator who wears multiple hats, that guidance rarely translates into a clear list of what you need to do before your next study startup or FDA site inspection.
This guide is for site coordinators, principal investigators, and site managers at investigator sites running one to twenty studies. It covers what Part 11 actually requires at your level, which documents must be signed in a compliant system, what sponsors check during site qualification, and how to build a defensible compliance posture without a dedicated QA department.
Key Takeaways
- Part 11 applies to every electronic record your site creates or signs in connection with an FDA-regulated study. The size of your site doesn't change the requirement.
- Six document categories commonly require Part 11 compliant electronic signatures at investigator sites: the FDA Form 1572, delegation of authority log, protocol amendments, adverse event reports, regulatory correspondence, and drug or device accountability records.
- Sponsors routinely ask sites to provide their e-signature vendor's IQ/OQ/PQ validation documentation and written SOPs before trial startup. If your vendor can't supply these, you may not pass the site qualification review.
- The non-repudiation letter, a one-time certification that your site's electronic signatures are legally binding, is required under 21 CFR 11.100(c). Many small sites don't know this requirement exists.
- Three SOPs cover the ground FDA investigators most commonly check at small research sites: user access management, audit trail review, and electronic signature accountability.
Who Part 11 Applies to at Your Site
Part 11 applies to electronic records that are created, modified, maintained, archived, retrieved, or transmitted under FDA regulations. For an investigator site, that covers every electronic document you generate as part of an FDA-regulated clinical investigation.
The common misconception is that Part 11 compliance is mainly the sponsor's responsibility. The sponsor qualifies its own electronic data management systems. But when FDA investigators visit your site, they're looking at your systems: the tools your coordinators use to maintain site copies of regulatory documents, sign forms, and track study records.
If your site uses paper records and wet ink signatures, Part 11 doesn't apply to those records. But once you move to electronic records, even for just one document type, Part 11 applies. You can't mix paper and electronic within the same document category without a documented rationale for where the system boundaries are.
Six Document Types That Require Part 11 Compliant Signatures at Your Site
Not every piece of paper at a research site is an FDA-regulated document. But these six categories consistently require Part 11 compliant electronic signatures when maintained electronically:
- FDA Form 1572 or 2572: The Statement of Investigator commits the PI to comply with FDA regulations and GCP. If your site maintains an electronic 1572, the PI's signature must meet Part 11 requirements: two-component authentication, captured signature meaning, and a tamper-evident audit trail.
- Delegation of authority log: Every staff member authorized to perform protocol tasks must sign this log. It's one of the most inspected documents at clinical sites. When maintained electronically, the system must meet Part 11 requirements for all delegatee signatures.
- Protocol amendments: When an amendment requires site acknowledgment or PI signature, that electronic signature must comply with Part 11 if the document is maintained electronically.
- Adverse event reports: Site documentation of AE and SAE reporting, including PI signatures on SAE narratives and expedited reports, is subject to Part 11 when maintained electronically.
- Regulatory correspondence: Signed letters to the IRB, FDA, or sponsor fall under Part 11 when executed electronically.
- Drug and device accountability records: The PI's or pharmacist's signature on drug receipt, dispensing, and return logs is subject to Part 11 when the log is electronic.
What “Part 11 Compliant” Means for the Tool You Choose
Part 11 doesn't certify tools. There's no FDA-approved list of compliant e-signature platforms. “Part 11 compliant” is a claim vendors make, not a certification they earn. But the technical controls Part 11 requires are specific enough that you can verify whether a platform actually supports them:
- Two-component authentication at each signing event: Part 11 Section 11.200(a) requires at least two identification components, typically a username plus a TOTP code or password, applied together at the time of signing. A platform that only requires login once and then allows free signing with a click doesn't meet this.
- Signature meaning captured at signing: Section 11.50 requires that signed records include the signer's printed name, date and time, and the meaning of the signature (review, approval, responsibility, authorship). A signature block that just shows “signed” without a stated purpose doesn't satisfy Part 11.
- Tamper-evident audit trail: The system must log who acted on a record, when, and what the original value was before any change. SHA-256 hash-chained audit trails are the current technical standard for demonstrating tamper evidence. See the ALCOA+ audit trail software requirements for the full technical checklist.
- System validation documentation: The vendor must supply IQ/OQ/PQ validation protocols showing the system was tested against Part 11 requirements. Sponsors will ask for this during site qualification. If the vendor can't produce it, that's your answer.
What Sponsors Check During Site Qualification
Before a sponsor accepts your site for a study, they often conduct a site qualification visit or document review. For electronic records and signatures, expect these questions:
- What e-signature software does your site use, and what version?
- Can you provide the vendor's IQ/OQ/PQ validation documentation?
- Do you have a user access management SOP?
- Does your system produce a compliant audit trail?
- Have all staff who will sign in the study received system-specific training?
- Has your organization submitted a non-repudiation letter to FDA?
Sites using general-purpose tools (shared email accounts, consumer e-signature products without a Life Sciences tier, or email-based signing) routinely fail sponsor qualification reviews because the tool can't produce IQ/OQ/PQ documentation. The sponsor isn't being unreasonable. They're protecting themselves from an FDA finding that traces back to deficient site-level records.
The Non-Repudiation Letter: A Requirement Many Small Sites Miss
21 CFR Part 11.100(c) requires that organizations using electronic signatures certify to the FDA that those signatures are the legally binding equivalent of handwritten signatures. This is called a letter of non-repudiation, and it must be signed with a handwritten signature on company letterhead before your site begins using electronic signatures in FDA-regulated activities.
Many small research sites have never submitted this letter. Sponsors often handle their own organizational letters, but investigator sites using their own e-signature systems need their own. Your site is creating the records, not the sponsor.
The practical news: one letter covers all studies and all future submissions. You submit it once per organization, and it covers every electronic signature your site applies going forward. The 2024 FDA Q&A #29 confirmed this. See the complete guide to the Part 11 non-repudiation letter for required letter elements and the current submission process.
What FDA Investigators Actually Check at Small Research Sites
Site inspections at investigator sites follow predictable patterns. For electronic records and signatures, investigators typically ask:
- Can you show me the audit trail for this document?
- Who approved this entry, and when?
- Do you have training records showing this staff member was trained before their first signature?
- Can I see your delegation of authority log, and has every listed person signed it?
- How does your system prevent someone else from signing under another person's credentials?
The most common Part 11 findings at small investigator sites are shared logins, missing audit trail entries for corrections, training records dated after the first signature, and delegation logs listing tasks but not signed by the delegated individuals.
With the FDA's April 2026 one-day inspection pilot now active (compressed site visits for broader surveillance coverage), audit trail readiness is an immediate operational requirement, not a multi-day preparation project. See the FDA inspection readiness checklist to verify your system can produce a complete audit trail export in under five minutes.
A Three-SOP Framework for Small Sites
Large pharmaceutical companies maintain ten or more SOPs governing their electronic signature systems. A small research site with two to ten staff needs a practical minimum. Three SOPs cover what FDA investigators most commonly check:
- SOP 1: User Access Management: Who requests an account, who approves it, what happens when someone leaves or changes roles, and how often you review who has active access. One page is enough if it's specific.
- SOP 2: Audit Trail Review: Who reviews the audit trail, how often (quarterly is the typical minimum for ongoing studies), what they look for, and where the review record is kept. A trained coordinator can perform this review if the SOP defines what “review” means and what constitutes a finding.
- SOP 3: Electronic Signature Accountability: What users acknowledge when they receive system access: that their electronic signature is legally binding, that they won't share credentials, and that they'll report any suspected compromise. Every user should sign an acknowledgment form before their first electronic signature.
For the full framework Part 11 Section 11.10(j) contemplates, see what FDA Part 11 requires in electronic signature SOPs. For small sites, the three above are the minimum that most sponsor audits and FDA inspections will check.
Pre-Study Checklist for Small Research Sites
Before using an e-signature system on an FDA-regulated study for the first time:
- Confirm your tool requires two-component authentication at each signing event, not just at login
- Obtain the vendor's IQ/OQ/PQ validation documentation and store it with your site files
- Submit your organization's non-repudiation letter to FDA (one-time, covers all studies)
- Write three SOPs: user access management, audit trail review, electronic signature accountability
- Train every user before their first signature and keep a dated training record
- Have each user sign an accountability acknowledgment form
- Test the audit trail export and confirm you can produce it in under five minutes
- Schedule quarterly audit trail reviews and document each one
The free 21 CFR Part 11 compliance checklist covers system-level technical requirements in detail. The checklist above covers the site-level operational layer that sponsor monitors and FDA investigators check during clinical site visits.
Purpose-built Part 11 platforms provide the IQ/OQ/PQ documentation, two-component signing enforcement, and ALCOA+ audit trails that small sites need to pass sponsor qualification reviews and FDA inspections, without requiring your coordinator to understand the regulatory text from scratch. If you're evaluating options, the Certivo compliance documentation covers how the audit trail, 2FA enforcement, and signature meaning requirements are implemented.