Training & SOPs
21 CFR Part 11 §11.10(i) requires that personnel who use electronic record/electronic signature systems have appropriate education, training, and experience. EU Annex 11 §2 requires that training be provided for GMP-related computerized systems. This page provides training topic guidance and SOP templates to support your compliance program.
Note: These are recommended topics and templates. Your organization is responsible for developing, documenting, and maintaining its own training program and SOPs based on your specific regulatory requirements.
Training Requirements
Who Needs Training
| Role | Training Scope | When |
|---|
| All signers | Signing ceremony, PIN management, signature meanings, audit trail awareness | Before first use, and after significant updates |
| Reviewers / Approvers | All signer topics plus: approval workflow, separation of duties, rejection process | Before first approval, and after significant updates |
| Administrators | All topics plus: signature policies, safety classification, permission management, audit trail review, chain validation, GDPR erasure, export | Before administering SealDoc, and after significant updates |
Recommended Training Topics
- Signing ceremony walkthrough — demonstrate the full ceremony: select meaning, affirm identity (type name), enter PIN. Explain why each step is required (21 CFR Part 11 §11.200).
- PIN security — never share your PIN. Report suspected compromise immediately. Understand lockout (3 attempts, 15 minutes) and expiry (180 days default).
- Signature meanings — explain each meaning (Approved, Reviewed, Verified, Witnessed, Authored, Acknowledged) and when to use them.
- Approval workflow — Draft → In Review → Approved lifecycle. What happens when you submit, approve, or reject.
- Revert on edit — explain that editing a signed document revokes all signatures and requires re-approval.
- Separation of duties — the person who submits cannot be the sole approver. Explain person-level vs. department-level independence.
- Audit trail awareness — every action is logged and cannot be deleted. Users should understand that their actions are permanently recorded.
- Safety classification (if applicable) — explain the active scheme, what each level means, and how it affects approval requirements.
Training Records
Maintain records of who was trained, on what topics, when, and by whom. Training records should include:
- Employee name and role
- Training date
- Topics covered
- Trainer name
- Assessment result (if applicable)
- Next retraining date
Recommended SOPs
The following SOPs are recommended for organizations using SealDoc in regulated environments. Each section below provides the SOP scope, key steps, and references.
SOP 1: Electronic Signature Ceremony
| Section | Content |
|---|
| Purpose | Define the procedure for electronically signing Jira issues and Confluence pages using SealDoc. |
| Scope | All users who sign documents within regulated projects. |
| Key steps | 1. Open the document in Jira/Confluence. 2. Click "Sign" in the SealDoc panel. 3. Select the appropriate signature meaning. 4. Add a comment describing your review (optional but recommended). 5. Type your full name to affirm intent. 6. Enter your signing PIN. 7. Confirm the signature was recorded in the audit trail. |
| References | 21 CFR Part 11 §11.50, §11.100, §11.200(a)(1) |
SOP 2: PIN Management
| Section | Content |
|---|
| Purpose | Define the procedure for creating, maintaining, and protecting signing PINs. |
| Scope | All users with signing permissions. |
| Key steps | 1. Create a 4-6 digit PIN that is not a trivially weak sequence. 2. Never share your PIN with anyone. 3. If you suspect your PIN has been compromised, report it to your administrator immediately and request a force-expire. 4. When your PIN expires (180 days default), create a new PIN that differs from the previous one. 5. If locked out after 3 failed attempts, wait 15 minutes before trying again. |
| References | 21 CFR Part 11 §11.200(a)(1), §11.300 |
SOP 3: Audit Trail Review
| Section | Content |
|---|
| Purpose | Define the procedure for periodic review of the SealDoc audit trail. |
| Scope | Administrators and quality managers. |
| Key steps | 1. Open SealDoc admin page or project page. 2. Navigate to the Audit Log tab. 3. Review entries for the period since last review. 4. Look for: unusual patterns (multiple failed PIN attempts, unexpected revocations, configuration changes by unauthorized users). 5. Run chain validation to verify integrity. 6. Document findings and any corrective actions. 7. Export the reviewed period as CSV/PDF for offline archival. |
| Frequency | At minimum quarterly, or as required by your quality system. |
| References | 21 CFR Part 11 §11.10(e), EU Annex 11 §9 |
SOP 4: Chain Validation
| Section | Content |
|---|
| Purpose | Define the procedure for verifying audit trail integrity using the chain validation tool. |
| Scope | Administrators. |
| Key steps | 1. Open the SealDoc project page. 2. Click "Validate Chain". 3. Review results: all checks should pass (hash continuity, gap detection, HMAC verification, entry integrity). 4. If any check fails: do not attempt to fix the data. Document the failure, including the specific entry where the chain broke. Escalate to the quality manager and the SealDoc vendor. 5. Record the validation result and date. |
| Frequency | Monthly, or after any suspected data integrity incident. |
| References | EU Annex 11 §7, §9 |
SOP 5: Safety Classification Changes
| Section | Content |
|---|
| Purpose | Define the procedure for assigning or changing safety classification on documents. |
| Scope | Users with signing permissions in projects that use safety classification. |
| Key steps | 1. Assess the risk level of the document according to your organization's risk assessment process. 2. Open the SealDoc panel and select the appropriate safety classification level. 3. The change is logged in the audit trail. 4. If the document is In Review or Approved, all active signatures are automatically revoked and the document reverts to Draft. The document must be re-approved under the new classification level. 5. Coordinate with approvers to ensure re-approval uses the correct per-class rules. |
| References | ISO 26262 Part 3, DO-178C §2.3, IEC 62304 §4.3 (as applicable) |
SOP 6: GDPR Erasure Request
| Section | Content |
|---|
| Purpose | Define the procedure for processing GDPR right-to-erasure requests for SealDoc data. |
| Scope | Administrators and data protection officers. |
| Key steps | 1. Receive and validate the erasure request per your organization's GDPR process. 2. Navigate to SealDoc admin. 3. Execute the GDPR erasure function for the specified user. 4. Verify that display names have been anonymized in audit trail entries. 5. Verify that the hash chain remains intact (run chain validation). 6. Document the erasure action and its completion date. |
| References | GDPR Art. 17 |
SOP 7: Incident Response (Integrity Failure)
| Section | Content |
|---|
| Purpose | Define the procedure for responding to detected data integrity failures. |
| Scope | Administrators and quality managers. |
| Key steps | 1. If chain validation fails or a hash mismatch is detected, immediately document the failure (entry ID, nature of failure, timestamp of detection). 2. Do not attempt to modify, delete, or "fix" audit trail entries. 3. Export the current audit trail as CSV for forensic preservation. 4. Notify the quality manager and begin a deviation investigation. 5. Contact SealDoc support at contact@be4.software with the failure details. 6. Assess impact: determine which signatures, approvals, or documents may be affected. 7. Document the root cause analysis, corrective actions, and preventive actions (CAPA). |
| References | 21 CFR Part 11 §11.10(e), EU Annex 11 §9, ICH Q10 |
