How to meet AS9100 Electronic Signature Requirements

dsanabria

Quite Involved in Discussions
I am looking at our current “Electronic Signature” procedure for revision and wanted to know what are 3rd party auditors looking for or if there are any requirements that we should comply to.

Big Jim

Admin
I am looking at our current “Electronic Signature” procedure for revision and wanted to know what are 3rd party auditors looking for or if there are any requirements that we should comply to.

The requirement is tucked away in the traceability section of the standard, 7.5.3, and all it talks about is establishing controls.

"When acceptance authority media are used (e.g., stamps, electronic signatures, passwords), the organization shall establish appropriate controls for the media."

It's really pretty much up to you to determine how you are going to do it. For the most part, auditors are simply looking to confirm that they are controlled. One of the things I look for is evidence that access to the controlled signatures is shared.

Others may have additional insight.

dkusleika

I consider two main points re electronic signatures:

1. You can't sign somebody else's name.
2. If you see an electronic signature, you can trace it back to the actual human being.

I'm not a 3rd party auditor, but I think if you meet those two nobody will have a problem.

v9991

Trusted Information Resource
Although not from AS9100, here's a regulatory body's view of electronic signatures...
https://www.accessdata.fda.gov/scri...FRPart=11&showFR=1&subpartNode=21:1.0.1.1.7.3

Subpart C--Electronic Signatures
Sec. 11.100 General requirements.
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations, 12420 Parklawn Drive, RM 3007 Rockville, MD 20857.
Sec. 11.200 Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
Sec. 11.300 Controls for identification codes/passwords.
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

Refer...pg.7 of
https://downloads.seapine.com/pub/papers/21CFRPart11.pdf
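Added example (not from this thread or any poster): a small Python model of the Part 11 controls quoted above, so the procedure text can be checked against something that runs. It enforces two identification components (user ID + password, 11.200(a)(1)), re-entry of all components for the first signing of an access period or after the period lapses (11.200(a)(1)(i)/(ii)), one-time issuance of IDs (11.100(a)), revocation of compromised credentials (11.300(c)), and recording of unauthorized-use attempts (11.300(d)); every record is bound to a named individual with a server-side HMAC so a signature can be traced back to the person, which is dkusleika's second point. The 15-minute idle limit, the PBKDF2/HMAC choices, and the sample user and document are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

SESSION_TIMEOUT = 15 * 60  # assumption: a "continuous period of access" ends after 15 min idle


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    user_id: str
    full_name: str        # the human the signature traces back to (11.100(a))
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:
    user_id: str
    last_signing: Optional[float] = None  # time of the last signing in this access period


@dataclass
class SignatureRecord:
    user_id: str
    full_name: str
    document_sha256: str
    meaning: str          # e.g. "approved", "reviewed"
    timestamp: float
    mac: str              # server HMAC binding all fields together


class SigningService:
    def __init__(self, server_key: bytes):
        self._key = server_key                 # constructed; a real system keeps this in an HSM/KMS
        self._users: dict[str, User] = {}
        self._retired_ids: set[str] = set()    # IDs are never reassigned (11.100(a))
        self._sessions: dict[str, Session] = {}
        self.records: list[SignatureRecord] = []
        self.alerts: list[dict] = []           # 11.300(d): reported unauthorized-use attempts

    def enroll(self, user_id: str, full_name: str, password: str) -> None:
        # 11.100(b): identity of the person is verified out of band before this call.
        # Unique IDs also make every ID+password combination unique (11.300(a)).
        if user_id in self._users or user_id in self._retired_ids:
            raise ValueError(f"user ID {user_id!r} already issued")
        salt = os.urandom(16)
        self._users[user_id] = User(user_id, full_name, salt, _hash_password(password, salt))

    def deauthorize(self, user_id: str) -> None:
        # 11.300(c): revoke a lost or compromised credential and retire the ID
        self._users.pop(user_id)
        self._retired_ids.add(user_id)
        self._sessions = {t: s for t, s in self._sessions.items() if s.user_id != user_id}

    def _verify_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def _alert(self, user_id: str, reason: str, now: float) -> None:
        self.alerts.append({"user_id": user_id, "reason": reason, "time": now})

    def login(self, user_id: str, password: str, now: float) -> str:
        """Open a controlled access period; both components are required."""
        user = self._users.get(user_id)
        if user is None or not self._verify_password(user, password):
            self._alert(user_id, "login failed", now)
            raise PermissionError("authentication failed")
        token = secrets.token_hex(16)
        self._sessions[token] = Session(user_id)
        return token

    def sign(self, token: str, password: str, document: bytes, meaning: str,
             now: float, user_id: Optional[str] = None) -> SignatureRecord:
        sess = self._sessions.get(token)
        if sess is None:
            raise PermissionError("no controlled access period")
        user = self._users[sess.user_id]
        continuous = sess.last_signing is not None and now - sess.last_signing <= SESSION_TIMEOUT
        if not continuous and user_id != user.user_id:
            # 11.200(a)(1)(i)/(ii): first signing of a period, or any signing outside a
            # continuous period, must present every component, so the ID is re-entered too
            self._alert(user.user_id, "signing without all components", now)
            raise PermissionError("this signing requires user ID and password")
        # Every signing re-enters the password: the component only its owner can execute
        if not self._verify_password(user, password):
            self._alert(user.user_id, "wrong password at signing", now)
            raise PermissionError("password rejected")
        sess.last_signing = now
        rec = SignatureRecord(user.user_id, user.full_name,
                              hashlib.sha256(document).hexdigest(), meaning, now, "")
        rec.mac = self._mac(rec)
        self.records.append(rec)
        return rec

    def _mac(self, rec: SignatureRecord) -> str:
        msg = "|".join([rec.user_id, rec.full_name, rec.document_sha256,
                        rec.meaning, repr(rec.timestamp)]).encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()

    def verify(self, rec: SignatureRecord, document: bytes) -> bool:
        """True if the record is untampered and matches this document."""
        return (hmac.compare_digest(rec.mac, self._mac(rec))
                and hashlib.sha256(document).hexdigest() == rec.document_sha256)


def demo():
    svc = SigningService(server_key=b"constructed-demo-key")       # constructed
    svc.enroll("jdoe", "Jane Doe", "correct horse battery")          # constructed user
    doc = b"Inspection record #42: all dimensions in tolerance"      # constructed document
    tok = svc.login("jdoe", "correct horse battery", now=1000.0)
    first = svc.sign(tok, "correct horse battery", doc, "approved", now=1001.0, user_id="jdoe")
    second = svc.sign(tok, "correct horse battery", doc, "reviewed", now=1100.0)  # continuous
    try:  # period lapsed: password alone is refused and an alert is raised
        svc.sign(tok, "correct horse battery", doc, "approved", now=1100.0 + SESSION_TIMEOUT + 1)
    except PermissionError:
        pass
    return svc, first, second, doc
```

`demo()` walks the cases an auditor would ask about: a first signing with both components, a second within the same access period, and a signing after the period lapsed, which is refused and logged in `alerts`; `verify()` is the traceability check, failing if either the record fields or the signed document were altered.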

BETSY06115

Does anyone have an electronic signature procedure to share? We need to develop one for a govt. contractor and we are not sure of what they are looking for.
Thank you.

Mark Meer

Trusted Information Resource
I'd suggest checking to see if there are any additional regional regulatory requirements...

As stated by Big Jim, the Standard's requirements leave it wide open giving you a lot of room to implement a procedure as you see fit.
...but then you might find later that regional regulations have a bunch more specific requirements (as, for example, the FDA requirements as posted by v9991).

Personally, I've not come across any requirements for electronic signatures as specific as the FDA's 21 CFR Part 11. ...If your procedure satisfies these requirements, chances are it'll be adequate regardless of your region of operations.