21 CFR Part 11 and digital evidence in trials: a checklist for sponsors
A sponsor running a multicentre trial registered with the FDA faces two sets of data rules that do not coincide. In Europe the reference is ICH Good Clinical Practice; in the United States, every electronic record and every signature applied to that record falls under 21 CFR Part 11, the rule by which the FDA decides when a digital document carries the same weight as a paper original.
The complication appears when the same data point (an informed consent, an eCRF entry, a scan uploaded from a remote site) must withstand both inspections. An audit trail that satisfies a European monitor may not satisfy an FDA investigator, and a signature valid under eIDAS is not automatically recognised as an electronic signature under Part 11. So the operational question for a GxP quality manager is a single one: which controls make a record collected outside the United States defensible before the FDA without multiplying systems?
The answer is that 21 CFR Part 11 does not demand a specific technology; it demands three verifiable guarantees: a tamper-evident audit trail, the unique identification of the signer, and validation of the system that produces the record. Aligning trial processes means mapping each guarantee onto a concrete control. This article provides the checklist to do exactly that, and shows where certification at the source closes the gap between Good Clinical Practice and Part 11. For the full picture of the sector, see our guide on certified digital evidence in clinical trials.
The three pillars of 21 CFR Part 11 for trial data
21 CFR Part 11 rests on three requirements the FDA verifies during inspection: audit trail, signer identity, and system validation. They are cumulative: a single gap makes the entire electronic record contestable. Turning them into an operational checklist is the first step for any sponsor.
A tamper-evident audit trail
The rule (§11.10(e)) requires a system-generated, time-stamped audit trail that independently records the date and time of every creation, modification, or deletion of a record. It must answer four questions: who acted, what they did, when, and why. Per the FDA guidance on computerised systems in clinical investigations, the audit trail must not be alterable by the user who produced the data, and it must remain available for the full retention period of the record.
The typical weak point of many trial workflows is that the audit trail lives inside the same database that holds the data: whoever administers the system could, in theory, rewrite it. The FDA instead expects a guarantee of integrity that does not depend on trusting the administrator. This is where an electronic seal with a qualified timestamp, anchored to the data at the moment of capture, separates the proof of integrity from the system that stores it.
Unique identification of the signer
§11.100 and §11.200 require every electronic signature to be linked to a single individual, not reusable by others, and the link between signature and signer to be demonstrable. In a decentralized trial, where consent may be signed from home and the record uploaded by a research nurse, this requirement becomes critical: you must prove not only that the document is authentic, but that it was signed by that specific person, at that moment.
European electronic signatures based on an eIDAS qualified certificate satisfy the uniqueness and non-repudiation criteria. The cross-recognition between eIDAS qualified signatures and Part 11 requirements, already mapped by initiatives such as SAFE-BioPharma, allows a single signing infrastructure to serve both regulatory fronts, avoiding duplicate authentication systems.
System validation
§11.10(a) requires validating systems to ensure accuracy, reliability, and the ability to discern valid records from altered ones. The FDA guidance updated in 2024 confirms a risk-based approach: the extent of validation is proportionate to the criticality of the data, not uniform across every component. For a sponsor this means documenting the system life cycle, testing, and change-management procedures, with a level of rigour scaled to the data's impact on patient safety and study outcome.
Where ICH GCP E6 and 21 CFR Part 11 meet (and where they do not)
ICH GCP E6 and 21 CFR Part 11 share the goal of data integrity, but approach it from different angles: the first is a process good practice, the second a technical rule on records and signatures. Knowing the overlap and the residual gaps prevents assuming a compliance the FDA would not recognise.
Overlaps and residual gaps
E6(R2) requires computerised systems used to create, modify, and archive clinical data to be validated and traceable: this covers much of §11.10. The gap emerges on signatures. E6 does not prescribe a technical signing mechanism equivalent to a handwritten signature, whereas Part 11 requires it explicitly through §11.50 and §11.70 (signature manifestation and link to the record). A sponsor that has only validated the EDC but not formalised the electronic signing regime is compliant with E6 yet exposed to an FDA finding.
| Requirement | ICH GCP E6 | 21 CFR Part 11 |
|---|---|---|
| System validation | Required (process) | Required (§11.10(a)) |
| Audit trail | Data traceability | System-generated, time-stamped, tamper-evident (§11.10(e)) |
| Electronic signature | No prescribed technical mechanism | Unique, non-repudiable, linked to the record (§11.50, §11.70, §11.200) |
| Approach | Process good practice | Technical rule on records and signatures |
The impact of decentralized trials (DCT)
E6(R2) did not explicitly address decentralized trials. The E6(R3) revision, effective in 2025, embeds decentralized elements into the study design and reaffirms that GCP principles apply to DCTs as well. This moves the data problem away from the trial site: consent, visits, and images collected at the patient's home must be defensible from the moment they are created. The timestamp and seal applied at the moment and place of capture become the only way to prove the origin of a record produced outside the controlled perimeter of the site.
How certification at the source meets Part 11 requirements
Certification at the source meets the three Part 11 pillars by shifting the guarantee from the storage system to the moment of data capture. Instead of proving after the fact that a database was not tampered with, you create a proof of integrity anchored to the data from its origin. TrueScreen is the platform that acquires data with a forensic methodology and certifies it with legal value: it computes the SHA-256 hash of the dataset, applies a qualified timestamp, and integrates the electronic seal of a third-party qualified QTSP, producing a signed access log.
For a sponsor running an FDA-registered trial, this means the who, what, when of the audit trail no longer depends on the good faith of the system administrator: it is sealed in a proof verifiable by anyone, independent of the database. The signer's identity rests on eIDAS qualified certificates, already aligned with the uniqueness criteria of Part 11. System validation benefits from a documented, repeatable process, consistent with the risk-based approach the FDA expects.
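The separation between the audit trail and the system that stores it, as an added example (not TrueScreen's code and not part of the original article): a hash-chained who/what/when/why trail whose final digest is held outside the database, checked against an edit made with full write access. The chaining scheme, function names and sample events are assumptions; the externally held digest stands in for the value that a third-party QTSP's qualified timestamp and seal would cover.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed start value for the chain

def entry_digest(prev_digest, entry):
    """SHA-256 over the previous digest and the entry's canonical JSON."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + body).encode("utf-8")).hexdigest()

def append_entry(trail, who, what, when, why, record):
    """Append a who/what/when/why entry bound to the record's SHA-256."""
    entry = {"who": who, "what": what, "when": when, "why": why,
             "record_sha256": hashlib.sha256(record).hexdigest()}
    prev = trail[-1]["digest"] if trail else GENESIS
    trail.append({"entry": entry, "digest": entry_digest(prev, entry)})
    return trail[-1]["digest"]

def rechain(trail):  # recompute stored digests, as database write access allows
    prev = GENESIS
    for row in trail:
        row["digest"] = prev = entry_digest(prev, row["entry"])

def verify(trail, anchored_head):
    """Check the chain, then compare its head with the externally held digest."""
    prev = GENESIS
    for i, row in enumerate(trail):
        if entry_digest(prev, row["entry"]) != row["digest"]:
            return f"chain broken at entry {i}"
        prev = row["digest"]
    return "intact" if prev == anchored_head else "head differs from anchored digest"

def demo():
    # Constructed sample events; names, times and payloads are illustrative.
    trail = []
    append_entry(trail, "nurse.a", "create", "2025-03-01T09:00:00Z",
                 "consent signed at home", b"consent-v1")
    append_entry(trail, "dr.b", "create", "2025-03-01T10:15:00Z",
                 "visit 1 eCRF entry", b"ecrf-visit1 sbp=150")
    anchored = append_entry(trail, "dr.b", "modify", "2025-03-02T08:30:00Z",
                            "transcription error corrected", b"ecrf-visit1 sbp=130")
    before = verify(trail, anchored)
    trail[1]["entry"]["when"] = "2025-02-27T10:15:00Z"  # one field edited in place
    edited = verify(trail, anchored)
    rechain(trail)  # same edit, now with every stored digest recomputed
    return before, edited, verify(trail, anchored)

if __name__ == "__main__":
    print(demo())
```

The third result is the one that matters for §11.10(e): once the digests are recomputed the chain is internally consistent, and only the digest held outside the database exposes the change.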
The capabilities that enter the trial workflow
The electronic seal certifies informed consents and eCRFs with a demonstrable link between signature and signer. Acquisition through the TrueScreen platform certifies images, telemedicine recordings, and reports uploaded by peripheral sites, applying hash and timestamp at the origin. A site running a DCT can thus prove that a remotely signed consent is authentic, intact, and traceable to the person, which is exactly what an FDA investigator verifies during inspection. One point stands firm: TrueScreen is neither a QTSP nor a certification authority. It integrates, via API, the seal issued by third-party qualified QTSPs, giving the sponsor the proof without replacing the authority that issues it. This is the foundation of the Digital Provenance model applied to clinical data.

