Implement 21 CFR Part 11-compliant electronic signatures in a custom clinical trial application using time-stamped signing and non-repudiation controls
Implement unique user identification and password authentication for each signer; 21 CFR 11.300 requires electronic signatures based on at least two distinct identification components (e.g., user ID and password, or biometric plus ID) for non-biometric signatures
Bind each electronic signature to its associated electronic record by storing a cryptographic link (hash of the record content) alongside the signature record; this ensures the signature is invalidated if the record is altered post-signing (21 CFR 11.70)
Capture and store with each signature: the printed name of the signer, the date and time the signature was applied (server-side timestamp, not client-side), and the meaning of the signature (e.g., 'reviewed and approved', 'entered by') per 21 CFR 11.50
Ensure the signature display on the screen and in any printout includes all three required elements (name, date/time, meaning) so that paper printouts of the signed record are legally equivalent to the electronic original under 21 CFR 11.20(b)
Implement session management controls: limit session duration, require re-authentication for signing after session timeout, and log all sign-in attempts including failures per 21 CFR 11.10(g)
Include the signed records and signatures in the audit trail, with separate audit entries for the act of signing distinct from the record creation or modification entries, to satisfy both 11.10(e) and 11.50 requirements simultaneously
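The signing steps above, shown together as an added example (not code from this page or from any named product). It assumes an in-memory user dict and an `AUDIT_LOG` list in place of real tables, and it uses an HMAC under a server-held key as a stand-in tamper seal on the signature entry; all function and field names are hypothetical.

```python
import hashlib, hmac, json, os
from datetime import datetime, timezone

SERVER_KEY = os.urandom(32)  # assumption: in production this key lives in an HSM/KMS
AUDIT_LOG = []               # assumption: stands in for an append-only audit table

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(user_id, printed_name, password):
    salt = os.urandom(16)
    return {"user_id": user_id, "printed_name": printed_name,
            "salt": salt, "pw_hash": _pw_hash(password, salt)}

def _canonical(obj):
    # Stable serialization so the same content always hashes to the same value
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_record(user, user_id, password, record, meaning):
    """Re-authenticate the signer, then bind name, time and meaning to the record hash."""
    ok = (user_id == user["user_id"] and
          hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw_hash"]))
    now = datetime.now(timezone.utc).isoformat()  # server clock, never client-supplied
    # Every attempt is logged, including failures
    AUDIT_LOG.append({"event": "sign_attempt", "user_id": user_id,
                      "success": ok, "at": now})
    if not ok:
        raise PermissionError("re-authentication failed; record not signed")
    manifest = {"record_sha256": hashlib.sha256(_canonical(record)).hexdigest(),
                "user_id": user["user_id"], "printed_name": user["printed_name"],
                "signed_at": now, "meaning": meaning}
    seal = hmac.new(SERVER_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    # Separate audit entry for the act of signing itself
    AUDIT_LOG.append({"event": "record_signed", "at": now, **manifest})
    return {**manifest, "seal": seal}

def verify_signature(record, sig):
    """True only if the signature entry is untampered and the record is unchanged."""
    manifest = {k: v for k, v in sig.items() if k != "seal"}
    expected = hmac.new(SERVER_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    record_hash = hashlib.sha256(_canonical(record)).hexdigest()
    return (hmac.compare_digest(expected, sig["seal"]) and
            hmac.compare_digest(manifest["record_sha256"], record_hash))
```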
Known gotchas
21 CFR 11.100(c) requires that signatories certify to the FDA that their electronic signatures are legally binding equivalents of handwritten signatures; this certification must be submitted to FDA before the electronic signatures are first used in a regulated application
Copying and pasting a displayed signature image from a PDF is not an electronic signature under Part 11; the system must capture the affirmative act of signing with the signer's authenticated identity at the moment of signing
Time stamps must be generated server-side using a synchronized, reliable clock; client-side timestamps can be manipulated and do not satisfy the 'computer-generated' requirement of 11.10(e)