ACCEPTANCE OF ELECTRONIC MAINTENANCE RECORDS

Similar documents
MySign Electronic Signature

Electronic Signature Policy

Implementing Electronic Signature Solutions 11/10/2015

Compliance Matrix for 21 CFR Part 11: Electronic Records

Part 11 Compliance SOP

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

Publications. ACH Audit Requirements. A new approach to payments advising SM. Sound Practices Checklists

Adobe Sign and 21 CFR Part 11

Sparta Systems Stratas Solution

Sparta Systems TrackWise Digital Solution

21 CFR PART 11 COMPLIANCE

Electronic Data Processing 21 CFR Part 11

Integration of Agilent UV-Visible ChemStation with OpenLAB ECM

INFORMATION. Guidance on the use of the SM1000 and SM2000 Videographic Recorders for Electronic Record Keeping in FDA Approved Processes

WHITE PAPER AGILOFT COMPLIANCE WITH CFR 21 PART 11

COMPLIANCE. associates VALIDATOR WHITE PAPER. Addressing 21 cfr Part 11

Sparta Systems TrackWise Solution

4.2 Electronic Mail Policy

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

BT Managed Secure Messaging. Non-Repudiation Policy

21 CFR Part 11 LIMS Requirements Electronic signatures and records

ACH Audit Guide for Third-Party Senders Step-by-Step Guidance and Interactive Form For Internal ACH Audits Audit Year 2017

ChromQuest 5.0. Tools to Aid in 21 CFR Part 11 Compliance. Introduction. General Overview. General Considerations

Information Security Policy

Assessment of Vaisala Veriteq viewlinc Continuous Monitoring System Compliance to 21 CFR Part 11 Requirements

Compliance of Shimadzu Total Organic Carbon (TOC) Analyzer with FDA 21 CFR Part 11 Regulations on Electronic Records and Electronic Signatures

OpenLAB ELN Supporting 21 CFR Part 11 Compliance

NucleoCounter NC-200, NucleoView NC-200 Software and Code of Federal Regulation 21 Part 11; Electronic Records, Electronic Signatures (21 CFR Part 11)

DIRECTIVE ON RECORDS AND INFORMATION MANAGEMENT (RIM) January 12, 2018

Information Security Data Classification Procedure

CARROLL COUNTY PUBLIC SCHOOLS ADMINISTRATIVE REGULATIONS BOARD POLICY EHB: DATA/RECORDS RETENTION. I. Purpose

Add or remove a digital signature in Office files

FDA 21 CFR Part 11 Compliance by Metrohm Raman

21 CFR Part 11 Module Design

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Exhibitor Software and 21 CFR Part 11

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

EDRMS Document Migration Guideline

Integration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11

Development Authority of the North Country Governance Policies

Agilent Response to 21CFR Part11 requirements for the Agilent ChemStation Plus

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

White Paper Assessment of Veriteq viewlinc Environmental Monitoring System Compliance to 21 CFR Part 11Requirements

Chapter 9 Section 3. Digital Imaging (Scanned) And Electronic (Born-Digital) Records Process And Formats

ELECTRONIC RECORDS (EVIDENCE) ACT (No. 13 of 2014) ELECTRONIC RECORDS (EVIDENCE) REGULATIONS. (Published on, 2015) ARRANGEMENT OF REGULATIONS

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

CIVIL AVIATION REQUIREMENT SECTION 2 - AIRWORTHINESS SERIES E PART XII EFFECTIVE : FORTHWITH

Pharma IT ELECTRONIC RECORDS

Apple Inc. Certification Authority Certification Practice Statement

Policy Summary: This guidance outlines ACAOM s policy and procedures for managing documents. Table of Contents

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES

UDRP Pilot Project. 1. Simplified way of sending signed hardcopies of Complaints and/or Responses to the Provider (Par. 3(b), Par. 5(b) of the Rules)

Virginia Commonwealth University School of Medicine Information Security Standard

TECHNICAL BULLETIN [ 1 / 13 ]

REGULATION ASPECTS 21 CFR PART11. 57, av. Général de Croutte TOULOUSE (FRANCE) (0) Fax +33 (0)

Apple Inc. Certification Authority Certification Practice Statement

Checklist and guidance for a Data Management Plan, v1.0

AlphaTrust PRONTO - Transaction Processing Overview

The Common Controls Framework BY ADOBE

SECURITY & PRIVACY DOCUMENTATION

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

System Assessment Report Relating to Electronic Records and Electronic Signatures; 21 CFR Part 11. System: tiamo (Software Version 2.

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

The Impact of 21 CFR Part 11 on Product Development

msis Security Policy and Protocol

TERMS OF USE FOR THE NATIONAL LIVESTOCK IDENTIFICATION SYSTEM DATABASE

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

e-sign and TimeStamping

Southington Public Schools

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Agilent ICP-MS ChemStation Complying with 21 CFR Part 11. Application Note. Overview

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Version 1/2018. GDPR Processor Security Controls

APPENDIX THREE RETENTION AND DISPOSAL SCHEDULE IMPLEMENTATION GUIDELINES FOR NSU PROVIDERS

Cian Kinsella CEO, Digiprove

Customer Due Diligence, Using New Technology in the Customer for CDue Diligence Purposes Process

Advisory Circular. Subject: INTERNET COMMUNICATIONS OF Date: 11/1/02 AC No.: AVIATION WEATHER AND NOTAMS Initiated by: ARS-100

Introduction. So what is 21 CFR Part 11? Who Should Comply with 21CFR Part 11?

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Baseline Information Security and Privacy Requirements for Suppliers

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Oracle Data Cloud ( ODC ) Inbound Security Policies

Status: February IT Security Directive External Service Providers

Electronic Records Management the role of TNA. Richard Blake Head of the Records Management Advisory Service

Mobile Wallet Service Terms and Conditions

Security Digital Certificate Manager

SPRING-FORD AREA SCHOOL DISTRICT

IBM. Security Digital Certificate Manager. IBM i 7.1

Data Management and Sharing Plan

ISO INTERNATIONAL STANDARD. Information and documentation Records management Part 1: General

RPR CRITERIA AND FORMATS

MINIMUM SECURITY CONTROLS SUMMARY

( Utility Name ) Identity Theft Prevention Program

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

Richemont DNS Inc. DNS Practice Statement for the PANERAI Zone. Version 0.2

SSL Certificates Certificate Policy (CP)

Prevention of Identity Theft in Student Financial Transactions AP 5800

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Transcription:

BAC-AW-04 Issue: 1 Effective: 9-Jan-17 ACCEPTANCE OF ELECTRONIC MAINTENANCE RECORDS GENERAL Bermuda Advisory Circulars are issued to provide advice, guidance and information on standards, practices and procedures necessary to support Overseas Territory Aviation Requirements (OTARS). PURPOSE This Bermuda Advisory Circular provides guidance on the acceptance and use of electronic aircraft maintenance recordkeeping systems (EAMR) which may also include the use of electronic signatures, as defined in appendix A of this Advisory Circular. The guidance in this Advisory Circular pertains to an aircraft operator, an Aircraft Maintenance Organization, or a Continued Airworthiness Management Organisation here in after referred to as an Organisation. RELATED REQUIREMENTS This Circular relates to: OTAR Part 39 Continued Airworthiness Requirements OTAR Part 43 General Maintenance Requirements OTAR Part 145 Aircraft Maintenance Organisation Approval CHANGE INFORMATION This is the first issue of this Circular. ENQUIRIES Enquiries regarding the content of this Circular should be addressed to the Bermuda Civil Aviation Authority. Enquiries can be sent by email to info@bcaa.bm BAC-AW-04 Page 1 of 8

Table of Contents 1 GENERAL... 3 2 APPLICABILITY... 3 3 PART A... 3 4 PART B... 4 APPENDIX A: ELECTRONIC SIGNATURE DEFINITIONS... 5 APPENDEX B: EAMR REQUIREMENTS CHECKLIST...7 BAC-AW-04 Page 2 of 8

1 GENERAL 1.1 An electronic aircraft maintenance recordkeeping system (EAMR) is a system of record processing in which aircraft maintenance records are entered, stored, generated and retrieved electronically by a computer system rather than in the traditional hard copy paper form. 1.2 OTAR 39.73(d), 39.75, 43.57(c) and 145.117(c) concerning Maintenance records, requires an Organisation to make provision for the recording and retention of aircraft, engine and propeller maintenance records in hard copy or in electronic coded form. In the case where an Organisation chooses to develop and adopt an EAMR for the recording and retention of aircraft records in electronic coded form, the system shall have suitable backup and storage capabilities, security measures and safeguards, as outlined in this Advisory Circular. The guidance in this Advisory Circular provides an Organisation a method in which he can produce an EAMR system acceptable to the Governor. 1.3 EAMR systems can be separated into two distinct types. (a) An EAMR system that enters, stores, generates and retrieves aircraft maintenance records electronically and incorporates the use of an electronic signature in the process. The requirements for this kind of EAMR are detailed in Part A of this Advisory Circular. (b) An EAMR system that stores and retrieves aircraft records electronically but does not generate the original record. For example, in the case where aircraft maintenance records are originally in paper format and are scanned and filed electronically. The requirements for this kind of EAMR are detailed in Part B of this Advisory Circular. 1.4 Appendix B (EAMR REQUIREMENTS CHECKLIST) of this Advisory Circular should be used as a guide when developing an EAMR and procedures for the system. 1.5 The EAMR REQUIREMENTS CHECKLIST should be completed and form part of the EAMR procedures and be made available for review if requested by the BCAA. 2 APPLICABILITY 2.1 Any Organisation intending to utilize an EAMR system. 3 PART A 3.1 When constructing an EAMR to meet the maintenance records requirements in OTAR 39.73(d), 39.75, 43.57(c) and 145.117 (c) the following elements must be considered and addressed in the Organisation s procedures for the system: (a) General Description. A general description of an EAMR system should be included in the procedures detailing but not limited to the following elements: i. The computer software and hardware being used. ii. Identify the users of the EAMR and describe the system access levels that are incorporated. For example, level one might be read only, level 2 read and enter and so on. BAC-AW-04 Page 3 of 8

iii. iv. Identify who retains ownership and responsibility for the EAMR and associated procedures. A flow process which describes generally how a maintenance record is entered, stored, generated and retrieved from the system. (b) Security. i. The electronic system should protect confidential information. ii. iii. The system should ensure that the information is not altered in an unauthorized way and should include data alteration traceability features. A corresponding policy and management structure should support the computer hardware and computer software that delivers the information. (c) Procedures. Before introducing an electronic maintenance recordkeeping system, computer procedures must be developed to include the following: i. Procedures for making maintenance records available for review by the BCAA. This procedure and computer system must be capable of producing paper copies of the viewed information at the request of the BCAA. ii. iii. iv. Procedures describing how electronic signatures will be used as it relates to all the elements that are associated with the use of electronic signatures, as detailed in Appendix A. Procedures to generate passwords and personal identification codes that ensure that the system will not permit password duplication. Procedures for auditing the computer system to ensure the integrity of the system. A record of the audit should be completed and retained on file in accordance with an Organisation s record retention policy. This audit may be a computer program that automatically audits itself. v. Procedures describing how an Organisation will ensure that the computerized records are transferable and are transmitted in accordance with the appropriate regulatory requirements to customers or to another Organisation. The records may be either electronic or paper copies. vi. vii. viii. Procedures to ensure that records required to be transferred with an aircraft are transferable and in a format (either electronic or on paper) that is acceptable to the new owner/operator. Procedures for EAMR backup for data loss and recovery. A description of the training procedure and requirements necessary to authorize access to the EAMR computer hardware and software system. 4 PART B 4.1 Procedures should be developed that consider those same elements previously mentioned in Part A of this Advisory Circular where applicable and are relative to the system size and complexity. The procedures should also include the Organisation s policy with regards to the disposition of any original hard copy maintenance records once they are entered into the EAMR. BAC-AW-04 Page 4 of 8

APPENDIX A: ELECTRONIC SIGNATURE Before the use of electronic signatures, handwritten signatures were used on any required record, record entry, or document to authentify it. The electronic signature s purpose is identical to that of a handwritten signature. The handwritten signature is universally accepted because it has certain qualities and features that should be preserved in any electronic signature. Therefore, an electronic signature should possess those qualities and attributes that guarantee a handwritten signature s authenticity. DEFINITIONS Digital Signature. Cryptographically generated data that identifies a document s signatory (signer) and certifies that the document has not been altered. Digital signature technology is the foundation of a variety of security, electronic business, and electronic commerce products. This technology is based on public/private key cryptography, digital signature technology used in secure messaging, public key infrastructure (PKI), virtual private network (VPN), web standards for secure transactions, and electronic digital signatures. Electronic Signature. The online equivalent of a handwritten signature. It is an electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by an individual. It electronically identifies and authenticates an individual entering, verifying, or auditing computer-based records. An electronic signature combines cryptographic functions of digital signatures with the image of an individual s handwritten signature or some other visible mark considered acceptable in a traditional signing process. It authenticates data with a hash algorithm and provides permanent, secure user-authentication. In this Advisory Circular, the term electronic signature refers to either electronic signatures or digital signatures. The specific electronic signature used depends on the end user s preference and the system application. An electronic signature may be part of an EAMR system and if so should consider the following: (a) Uniqueness. An electronic signature should retain those qualities of a handwritten signature that guarantee its uniqueness. A signature should identify a specific individual and be difficult to duplicate. A unique signature provides evidence that an individual agrees with a statement. An electronic system cannot provide a unique identification with reasonable certainty unless the identification is difficult for an unauthorized individual to duplicate. An acceptable method of proving the uniqueness of a signature is by using an identification and authentication procedure that validates the identity of the signatory. For example, an individual using an electronic signature should be required to identify himself or herself, and the system that produces the electronic signature should then authenticate that identification. Acceptable means of identification and authentication include the use of separate and unrelated identification and authentication codes. These codes could be encoded onto badges, cards, cryptographic keys, or other objects. Systems using PINs or passwords also are an acceptable method of ensuring uniqueness. Additionally, a system could use BAC-AW-04 Page 5 of 8

physical characteristics, such as a fingerprint, handprint, or voice pattern, as a method of identification and authorization. (b) Scope. The scope of information being affirmed with an electronic signature should be clear to the signatory and to subsequent readers of the record, record entry, or document. (c) Signature Security. The security of an individual s handwritten signature is maintained by ensuring that it is difficult for another individual to duplicate or alter it. An electronic signature should maintain an equivalent level of security. An electronic system that produces signatures should restrict other individuals from affixing another individual s signature to a record, record entry, or document. Such a system enhances safety by preventing an unauthorized individual from certifying required documents, such as an airworthiness release, and should include: i. A corresponding policy and management structure must support the computer hardware and software that delivers the information. ii. iii. iv. Signature authenticity/verification. Through control and archives, the computer software should determine if the signature is genuine and if the individual is authorized to participate. This can be accomplished by comparing the signature to a public key archive or some other means. This capability should be an integral part of the computer software. Archiving electronically signed documents: Since no paper document with an ink signature exists, a means of safely archiving electronically signed documents should be part of any electronic signature computer software. This will provide for future authentication. The system should contain restrictions and procedures to prohibit the use of an individual s electronic signature when the individual leaves or terminates employment. This should be done immediately upon notification of the change in employment status. v. Procedures should be established allowing the organization to correct documents. (d) Non-repudiation. An electronic signature should prevent a signatory from denying that he or she affixed a signature to a specific record, record entry, or document. The more difficult it is to duplicate a signature, the likelier the signature was created by the signatory. (e) Traceability. An electronic signature should provide positive traceability to the individual who signed a record, record entry, or any other document. BAC-AW-04 Page 6 of 8

Appendix B (EAMR REQUIREMENTS CHECKLIST) BAC Reference Requirement Yes No Manual Ref 3.1 (a) General Description (1) The computer software and hardware being used. (2) Identify the users of the EAMR and describe the system access levels that are incorporated. For example, level one might be read only, level 2 read and enter and so on. (3) Identify who retains ownership and responsibility for the EAMR and associated procedures. (4) A flow process which describes generally how a maintenance record is entered, stored, generated and retrieved from the system. 3.1 (b) Security (1) The electronic system should protect confidential information (2) The system should ensure that the information is not altered in an unauthorized way and should include data alteration traceability features. (3) A corresponding policy and management structure should support the computer hardware and computer software that delivers the information. BAC-AW-04 Page 7 of 8

BAC Reference Requirement Yes No Manual Ref 3.1 (c) Procedures (1) Procedures for making maintenance records available for review by the BCAA. This procedure and computer system must be capable of producing paper copies of the viewed information at the request of the BCAA. (2) Procedures describing how electronic signatures will be used as it relates to all the elements that are associated with the use of electronic signatures, as detailed in Appendix A. (3) Procedures to generate passwords and personal identification codes that ensure that the system will not permit password duplication. (4) Procedures for auditing the computer system to ensure the integrity of the system. A record of the audit should be completed and retained on file in accordance with the Organisation s record retention policy. This audit may be a computer program that automatically audits itself. (5) Procedures describing how the Organisation will ensure that the computerized records are transmitted in accordance with the appropriate regulatory requirements to customers or to another Organisation. The records may be either electronic or paper copies. (6) Procedures to ensure that records required to be transferred with an aircraft are in a format (either electronic or on paper) that is acceptable to the new owner/operator. (7) Procedures for EAMR backup for data loss and recovery. (8) A description of the training procedure and requirements necessary to authorize access to the EAMR computer hardware and software system. BAC-AW-04 Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback