and identity management in clinical trials. It ensures that signatures applied to trial documents are attributable, authentic, secure, and compliant with international regulatory requirements including FDA 21 CFR Part 11, ICH GCP (E6 R2), EMA computerized system guidelines, CDSCO, and WHO expectations. Proper identity management prevents unauthorized access, ensures accountability, and supports data integrity principles such as ALCOA+.

Scope

This SOP applies to all individuals involved in clinical trials, including investigators, study coordinators, monitors, data managers, sponsors, CROs, and IT administrators. It covers both system-level and user-level management of credentials, assignment of roles, application of electronic signatures, periodic review of access, revocation of credentials, and archiving of e-signature logs in Trial Master File (TMF) and Investigator Site File (ISF).

Responsibilities

• Principal Investigator (PI): Ensures proper application of electronic signatures to CRFs, safety reports, and essential documents. Authorizes identity creation for site staff.
• Study Coordinator: Uses assigned credentials for data entry and document review. Ensures passwords and tokens are not shared.
• System Owner: Responsible for setting up user accounts, maintaining access controls, and managing revocations.
• Data Manager: Reviews e-signature audit logs and ensures compliance with role-based access policies.
• Sponsor/CRO: Provides global oversight of identity management policies and approves critical changes.
• QA Officer: Conducts audits to verify compliance of identity and e-signature processes with regulatory expectations.

Accountability

The PI is accountable for ensuring site-level compliance with this SOP. The sponsor is accountable for maintaining system-level oversight, and IT administrators are accountable for technical implementation and record maintenance.

Procedure

1. Identity Request and Verification
Each new staff member requiring access must submit an Identity Request Form approved by the PI.
The system owner verifies employment records and ensures training completion before provisioning access.
Identity details are logged in the Identity Assignment Log (Annexure-1).

2. Account Creation and Role Assignment
Unique user IDs must be created for each staff member. Shared accounts are strictly prohibited.
Roles (PI, CRA, Data Entry, QA Reviewer, etc.) are assigned based on job responsibilities.
Access rights must follow the principle of “least privilege.”

3. Credential Management
Passwords must be at least 8 characters, contain letters, numbers, and symbols, and expire every 90 days.
Systems must enforce automatic lockouts after 5 failed login attempts.
Multi-factor authentication (MFA) must be enabled where available.

4. Application of Electronic Signatures
Electronic signatures must include user ID, printed name, date/time stamp, and meaning of the signature (approval, review, submission, etc.).
CRFs and safety reports must be signed electronically by authorized personnel only.
Signature meaning must be predefined and linked to system workflows.

5. Authentication and Re-Authentication
Re-authentication must occur if a session is idle for more than 15 minutes.
High-risk actions (e.g., database lock, SAE reporting) require re-authentication before execution.

6. Audit Trails
All signature applications must be logged automatically with time-stamps and user ID.
Monthly review of audit logs must be performed by Data Manager and documented in E-Signature Audit Log (Annexure-2).

7. Access Reviews
Conduct quarterly reviews of user accounts to confirm only active trial staff have access.
Identify inactive accounts and revoke them immediately.

8. Revocation of Access
Access must be revoked when staff leave the study, change roles, or no longer require access.
Revocation details must be recorded in the Identity Revocation Log (Annexure-3).

9. Training
All users must undergo training on secure use of electronic signatures, password management, and system access protocols.
Refresher training must be completed annually or following any regulatory/system updates.

10. Archiving
All identity logs, signature records, and audit reports must be archived in TMF and ISF.
Retention period: minimum 15 years or as per applicable regulatory requirements.

Abbreviations

• SOP: Standard Operating Procedure
• PI: Principal Investigator
• CRA: Clinical Research Associate
• CRO: Clinical Research Organization
• QA: Quality Assurance
• TMF: Trial Master File
• ISF: Investigator Site File
• EDC: Electronic Data Capture
• CDMS: Clinical Data Management System
• MFA: Multi-Factor Authentication
• 21 CFR Part 11: FDA regulations on electronic records and signatures

Documents

1. Identity Assignment Log (Annexure-1)
2. E-Signature Audit Log (Annexure-2)
3. Identity Revocation Log (Annexure-3)

References

• ICH E6(R2) – Good Clinical Practice
• US FDA – 21 CFR Part 11: Electronic Records and Signatures
• EMA – Computerised Systems in Clinical Trials
• CDSCO – Electronic Records and Signature Guidance
• WHO – Data Integrity and Security in Clinical Research

Version: 1.0

Approval Section

Prepared By	Rajesh Kumar, Data Manager
Checked By	Sunita Reddy, QA Officer
Approved By	Dr. Anil Sharma, Principal Investigator

Annexures

Annexure-1: Identity Assignment Log

Date	User ID	Name	Role	Assigned By
10/09/2025	CT-USER-301	Ravi Kumar	Study Coordinator	PI
11/09/2025	CT-USER-302	Meena Sharma	CRA	Sponsor

Annexure-2: E-Signature Audit Log

Date	User ID	Action	Document	Verified By
12/09/2025	CT-USER-301	Signed CRF	Subject Visit 3	QA Officer
14/09/2025	CT-USER-302	Approved SAE Report	SAE Log #21	Data Manager

Annexure-3: Identity Revocation Log

Date	User ID	Name	Reason for Revocation	Revoked By
15/09/2025	CT-USER-288	Arun Mehta	Staff resignation	System Owner
16/09/2025	CT-USER-290	Priya Desai	Role change	Data Manager

Revision History

Revision Date	Revision No.	Revision Details	Reason for Revision	Approved By
26/08/2025	00	Initial version	New SOP creation	Head, Clinical Research

For more SOPs visit: Pharma SOP