Informed Consent E-Signatures: FDA Part 11 Requirements

Informed consent documentation is the most inspection-sensitive document category at a clinical research site. FDA investigators look at consent forms during virtually every site inspection, and the electronic signature on that form carries a specific set of regulatory requirements that most generic e-signature tools were never designed to meet.

This guide covers what 21 CFR Part 11 and 21 CFR Part 50 together require for electronic signatures on informed consent forms, what the audit trail must capture for each consent event, how IRBs and sponsors evaluate your e-consent setup during qualification, and the three compliance gaps that show up most often when FDA investigators review consent records at investigator sites.

Two Regulations, One Document

Informed consent in FDA-regulated clinical trials sits at the intersection of two separate regulatory frameworks. Most site staff know 21 CFR Part 50, which defines the elements of informed consent and the process for obtaining it. Fewer have mapped out exactly what Part 11 adds when the consent form is signed electronically.

Part 50 requires that consent be obtained before a subject participates in a study, that the form contain specific elements (risks, benefits, alternatives, voluntary nature, contact information), that the subject and an authorized investigator both sign, and that the subject receive a copy. None of these requirements go away when you move to electronic signatures. Part 11 adds the technical controls that make an electronic signature legally equivalent to a handwritten one: unique user identification, two-component authentication at the moment of signing, captured signature meaning, and a tamper-evident audit trail bound to the document.

The critical point is that a consent document must satisfy both frameworks simultaneously. A form that meets Part 50 substantive requirements but is signed with a non-compliant e-signature tool fails Part 11. A system that meets every Part 11 technical requirement but allows a subject to sign before reviewing all required elements fails Part 50. Both gaps result in 483 observations.

What Part 11 Requires for Consent Signatures Specifically

Part 11 Section 11.50 requires that each signed record display the signer's printed name, the date and time of the signature, and the meaning of the signature. For informed consent, the meaning element is specific: the subject's signature means voluntary agreement to participate under the terms described. The investigator's signature (or that of the authorized designee) means the consent process was completed according to the protocol and IRB-approved procedures.

Part 11 Section 11.200(a) requires that non-biometric electronic signatures use at least two distinct identification components applied together at the time of signing. For investigator signatures, this typically means a username plus a time-based one-time password (TOTP) or hardware key. For subject signatures, the identity verification challenge is different: subjects aren't employees with organizational credentials, so the system needs a documented method for verifying who is signing.

Part 11 Section 11.70 requires that the signature be linked to the record in a way that makes the signature inseparable from the document. If the consent form is modified after the subject signs, the original signature must be preserved on the original version, and any subsequent signing must be on the amended document. A system that allows the document to be swapped out under an existing signature fails this requirement.

Subject Identity Verification: The Unsolved Problem for Many Sites

Investigator sites often have a clear answer for how they verify the identity of staff who sign electronically. Staff get credentials through an onboarding process, they're trained, and they use those credentials at each signing event.

Subject identity verification is harder. A consent platform that sends a link to a subject's email address and lets them click to sign has established identity only to the extent that the person has access to that email account. For many sponsors and IRBs, that level of verification is not sufficient for a first-consent signature.

The approaches that hold up under sponsor and IRB scrutiny tend to involve at least one of the following:

• In-person witness or staff verification at first consent. The subject signs electronically in front of site staff who verify identity in person, then the staff member co-signs as witness. This mirrors the traditional paper consent process and satisfies FDA's preference for in-person consent for initial enrollment.
• Video call with identity check. For remote or decentralized trials, the consent process occurs over a verified video call where the subject presents photo ID to the investigator or designee before signing. The video call record and staff notes document the identity verification.
• Knowledge-based authentication (KBA). Some platforms integrate KBA as a secondary identity check for subjects signing remotely. KBA is not a universal substitute for in-person verification, and sponsors and IRBs vary in whether they accept it. Document your rationale if you use it.

Whatever method you use, the process must be described in your protocol and approved by your IRB. The e-consent platform's technical controls are one piece; the documented process for verifying who is actually signing is the other.

Audit Trail Requirements for Consent Documents

The audit trail for an informed consent event must capture more than the fact that someone signed. FDA investigators, sponsors, and IRBs routinely ask to see the full consent audit trail, and a record that shows only a name and timestamp will not answer their questions.

A complete consent audit trail should capture:

• Document version at signing. The exact version of the IRB-approved consent form that was presented and signed, including version number, IRB approval date, and a hash or checksum that proves the document content at signing matches what the system has on file. Version mismatches (where the audit trail shows a signature but it's unclear which version of the form was signed) are one of the most common consent-related 483 findings.
• Timestamp with time zone. Part 11 requires a date and time stamp. For multisite trials, a time zone reference is essential. If a subject in California signs at 11:45 PM and the system records it without a time zone, you may not be able to demonstrate whether the consent preceded any study procedures performed the following morning.
• Signature meaning for each signer. The subject's signature meaning (voluntary agreement to participate) and the investigator's signature meaning (confirmation that the consent process was completed) must both appear in the signed record. These are distinct meanings and should be captured separately.
• Identity verification method. A notation in the record (or a linked entry in the site's records) of how the subject's identity was verified before the consent signature was accepted. Not all platforms support this natively; some sites maintain a separate witness log that cross-references the electronic consent record.
• Delivery confirmation for subject copy. Under 21 CFR 50.27(b)(2), the subject or authorized representative must receive a copy of the signed consent form. In an electronic workflow, the audit trail should show that the signed document was delivered to the subject (email with delivery confirmation, or a portal acknowledgment) at or before the time they began study procedures.

Re-Consent: Where Electronic Workflows Break Down

A consent document is a living record across the life of a study. Protocols get amended. Risk information gets updated. IRBs require revisions. Each amendment that materially changes the risk profile or the subject's rights triggers a re-consent requirement: the subject must be presented with the updated form and must sign again.

In paper workflows, re-consent is straightforward if inconvenient: print the new form, bring the subject in or send it by mail, have them sign, and file it. In electronic workflows, re-consent introduces specific risks:

• Superseded version confusion. If the platform doesn't clearly mark the prior consent version as superseded and require a new signature on the new version, coordinators sometimes update the form in the system without triggering a re-consent workflow. The audit trail then shows a subject signed version 1.0 of a consent form that has since been replaced by version 2.0 with different risk disclosures.
• Blanket acknowledgment vs. actual re-consent. Some coordinators, under time pressure, note in the file that the subject "reviewed and acknowledged" the new form without executing a new electronic signature. This does not satisfy the re-consent requirement. An acknowledgment notation is not the equivalent of a signed consent form, and FDA investigators know the difference.
• Subjects who can't be reached. A subject who has moved or changed contact information presents a real operational problem for electronic re-consent. Having a documented procedure for these situations (including when a subject may need to be withdrawn if re-consent can't be obtained within the protocol-specified window) is part of your site's obligation, not an edge case to handle informally.

The e-consent platform should enforce re-consent as a workflow, not leave it to coordinators to manage manually. When an IRB-approved amendment requiring re-consent is uploaded, the system should automatically flag subjects who need to sign again and prevent study procedure documentation until re-consent is complete, or generate a clear exception record if re-consent was waived by the IRB.

IRB and Sponsor Qualification: What They Actually Check

Sponsors conducting site qualification visits and IRBs reviewing site e-consent procedures ask similar questions. They're trying to determine whether your platform and your process together produce consent records that will hold up to FDA scrutiny.

Common questions from sponsor monitors during site qualification:

• What e-consent or e-signature platform does the site use, and is it the same system as the sponsor's, or the site's own system?
• Can you show the IQ/OQ/PQ validation documentation for the system?
• How does the system link the subject's signature to the specific IRB-approved version of the consent form?
• How is the subject's identity verified before their e-signature is accepted?
• Can you demonstrate that the subject received a copy of the signed consent form at the time of signing?
• How does the system handle re-consent when an amendment is received?

Sites that use a purpose-built Part 11 platform can produce answers to these questions from the platform's documentation. Sites using general-purpose tools (consumer e-signature products, shared PDF tools, email-based signing) typically can't produce IQ/OQ/PQ documentation and can't demonstrate version control or re-consent workflows. That gap fails sponsor qualification, and it surfaces as a finding when FDA investigators visit.

ICH E6(R3) and What Changed for Consent Records

ICH E6(R3), the updated Good Clinical Practice guideline finalized in 2023, introduced a more explicit framework for technology-enabled trial conduct. For consent records, two changes are relevant to sites running electronic workflows.

First, E6(R3) reinforces that the consent process is a process, not just a document. The guideline emphasizes that subjects must have sufficient time and opportunity to consider participation and ask questions. An e-consent system that presents a multi-screen form and captures a signature in two minutes without any mechanism for the subject to pause, ask questions, or request clarification doesn't satisfy E6(R3)'s process requirements, regardless of whether the electronic signature itself is technically Part 11 compliant.

Second, E6(R3) aligns with FDA's risk-based approach to validation. System validation for an e-consent platform should be proportionate to the risk. The signature capture mechanism and audit trail are high-risk functions and require rigorous validation. The formatting of the consent document template is lower-risk. A risk-based validation approach documents this distinction explicitly rather than applying the same test intensity to every system function.

The Three Most Common Consent-Related 483 Observations at Investigator Sites

FDA's inspection data and published 483 observations point to three recurring issues at investigator sites using electronic consent:

• Consent signed after study procedures began. The audit trail shows a subject's first study procedure (a blood draw, a baseline assessment, a randomization event) before the consent signature timestamp. This is a significant finding under 21 CFR 50.20. Electronic audit trails make this discrepancy unambiguous in ways that paper records sometimes obscured. A compliant platform will prevent study documentation from being tied to a subject who hasn't completed consent, but only if the site has configured it that way and trained coordinators to use it correctly.
• Consent signed on the wrong version of the form. The audit trail shows a valid signature, but the form version signed is not the currently IRB-approved version. Either the site loaded an updated form without requiring re-consent from subjects already enrolled, or a new subject signed an outdated form that wasn't removed from the active signing queue. Version control requires deliberate platform configuration and a documented process for retiring prior versions.
• No documented copy delivery to the subject. 21 CFR 50.27 requires that the subject receive a copy of the signed form. In electronic workflows, the record often shows a signature but no confirmation that the subject received their copy. Many platforms generate a signed PDF but don't log delivery. If FDA asks "did this subject receive a copy of their signed consent form?" the answer needs to come from a record, not from a coordinator's recollection.

What to Look for in a Platform Used for Electronic Consent

Not every Part 11 e-signature platform is designed with the specific requirements of informed consent workflows in mind. When evaluating a platform for consent use at your site, these capabilities are worth verifying before you commit:

• Version control with automatic retirement of superseded consent forms
• Re-consent workflow enforcement when an updated form is loaded for an active study
• Audit trail entries that capture the document hash or version identifier at the time of each signature, not just after the fact
• Delivery confirmation for subject copies, logged in the audit trail
• Two-component authentication at each signing event (not just at login) for all signers including investigators and staff
• IQ/OQ/PQ validation documentation ready for sponsor qualification reviews
• Configurable signature meaning capture so the subject's signature and the investigator's countersignature can carry distinct meanings

Klyverity's signing architecture enforces two-component authentication at each signing event, captures a SHA-256 hash of the document at signing, and logs signature meaning for each signer role. Every signed consent record in Klyverity is bound to the document version that was presented, so version mismatches can't happen silently. If you're evaluating your current setup against these requirements, request a demo to see how a consent workflow operates end to end, including the audit trail view a sponsor monitor or FDA investigator would see.

FAQ

Does 21 CFR Part 11 apply to electronic informed consent forms?

Yes. Informed consent forms are required by a predicate rule (21 CFR Part 50), and when they are maintained electronically, 21 CFR Part 11 applies to the electronic records and signatures. Both Part 50 (consent content and process requirements) and Part 11 (electronic record and signature technical requirements) must be satisfied. See our guide on Part 11 applicability and predicate rules for the full applicability framework.

Can a subject sign an informed consent form electronically without being in person?

FDA does not prohibit remote electronic consent, but the consent process must still satisfy 21 CFR Part 50 requirements, including the opportunity for the subject to have questions answered. The FDA's September 2024 final guidance on decentralized clinical trials endorses remote consent provided the protocol describes the process and the IRB approves it. Subject identity verification at the time of signing must be documented regardless of whether the signing is remote or in person.

What must the audit trail capture for an electronic consent signature?

At a minimum: the signer's full name and unique identifier, the date and time with time zone, the meaning of the signature, the version or hash of the consent document that was signed, and confirmation that the subject received a copy. Some sponsors also require a record of the identity verification method used for the subject's signature.

Does the site need its own validation documentation if the sponsor provides the e-consent platform?

If the site is using the sponsor's platform under the sponsor's validation umbrella, the sponsor's documentation typically covers the site's use. But if the site operates its own e-signature or e-consent system, the site is responsible for its own IQ/OQ/PQ documentation and must have submitted its own non-repudiation letter to FDA under 21 CFR 11.100(c). Sites often don't realize they fall into the second category until a sponsor asks for documentation they don't have.

Is re-consent required every time a protocol amendment is approved?

Not necessarily for every amendment, but re-consent is required when an amendment changes information that would reasonably affect a subject's decision to continue participation, such as new or increased risks, changes to procedures affecting the subject, or changes to the study's purpose. The IRB makes the determination of whether re-consent is required for a specific amendment. When re-consent is required, enrolled subjects must sign the updated form before continuing study participation.

What happens if a subject signs the wrong version of a consent form?

A signature on a superseded consent form is a protocol deviation. The site should document the deviation, obtain a corrected consent on the current IRB-approved form as soon as practicable, and assess whether any study procedures performed under the incorrect consent need to be reviewed. If the deviation is identified during an inspection, having a documented corrective action in place is far better than no record at all.