Are emails acceptable as records? Email for a customer approval of some part?

mshell

We do the same thing. It is a lot easier in most cases to get a customer to grant approval in an email than to update a drawing. So we save copies of such approvals in the part specific file.
 
schmib5

Hi folks,
I have a point to discuss with you on this topic.
Sure, it is important to have good management of electronic data as records captured in electronic systems such as email.
But...
The problem we face more and more is how to assure that the mail is authentic and is not a fake record. For instance, I can write a mail that looks like a true email coming from one of my suppliers.
Does anyone have a good solution to overcome this issue?

Bernard
 

Jim Wynne

Leader
Admin
Hi folks,
I have a point to discuss with you on this topic.
Sure, it is important to have good management of electronic data as records captured in electronic systems such as email.
But...
The problem we face more and more is how to assure that the mail is authentic and is not a fake record. For instance, I can write a mail that looks like a true email coming from one of my suppliers.
Does anyone have a good solution to overcome this issue?

Bernard

What is the likelihood that someone is going to impersonate your suppliers, and if they did, why would they do it? When you're going to use an approval instrument, no matter what the medium might be, you need to know who is authorized to approve things. You don't want to get into a situation where someone from a supplier or customer authorizes something, and then find out later that the person had no authority to do so.

As far as checking the authenticity of e-mail messages is concerned, there are a few possibilities:
  • Pick up the phone and call the person who (allegedly) sent the message.
  • Check the e-mail header. There is more information there than sender and subject, but most e-mail clients don't display all of the information by default. For example, in Thunderbird, you would click on View-->Headers-->All. All of the e-mail clients I've seen have a similar method for viewing header information. That information will include the source server, as well as intermediate servers. If you have a message that you know is genuine, you should be able to compare it to suspect messages and determine whether the message emanated from the same source.
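
The header comparison described in the post above, as an added example that is not part of the original thread: it reads the `Received` chain of a known-genuine message and a suspect one and reports where the source server and sender domains differ. The messages, host names, addresses and the `OUR_MX` server name are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# One Received hop: "from HOST (... [IP]) by HOST"
HOP = re.compile(r"from\s+(\S+)\s+\([^\[\]]*\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")
OUR_MX = "mx.ourco.example"  # assumed name of the receiving company's own mail server

# Constructed sample messages; every host, address and IP is a placeholder.
GENUINE = (
    "Received: from mail.supplier.example (mail.supplier.example [192.0.2.10])\n"
    "\tby mx.ourco.example with ESMTPS; Mon, 3 Mar 2008 10:00:00 +0000\n"
    "Received: from desk7.supplier.example (desk7 [10.1.1.7])\n"
    "\tby mail.supplier.example with ESMTP; Mon, 3 Mar 2008 09:59:58 +0000\n"
    "Return-Path: <buyer@supplier.example>\n"
    "From: Buyer <buyer@supplier.example>\n\nApproved.\n")
SUSPECT = (
    "Received: from host-77.isp.example (host-77.isp.example [198.51.100.77])\n"
    "\tby mx.ourco.example with ESMTP; Tue, 4 Mar 2008 02:13:00 +0000\n"
    "Received: from mail.supplier.example (mail.supplier.example [192.0.2.10])\n"
    "\tby host-77.isp.example with ESMTP; Tue, 4 Mar 2008 02:12:58 +0000\n"
    "Return-Path: <bounce@isp.example>\n"
    "From: Buyer <buyer@supplier.example>\n\nApproved.\n")

def relay_chain(raw):
    """Return [(from_host, from_ip, by_host), ...], newest hop first."""
    values = message_from_string(raw).get_all("Received", [])
    return [m.groups() for m in map(HOP.search, values) if m]

def handoff(raw, our_mx=OUR_MX):
    """The hop stamped by our own server. Hops below it were written by
    the sending side, so only this one is recorded by a system we control."""
    return next((h for h in relay_chain(raw) if h[2] == our_mx), None)

def addr_domain(raw, header):
    addr = parseaddr(message_from_string(raw).get(header, ""))[1]
    return addr.rpartition("@")[2].lower()

def differences(genuine, suspect, our_mx=OUR_MX):
    """List where the suspect message departs from the known-genuine one."""
    found, g, s = [], handoff(genuine, our_mx), handoff(suspect, our_mx)
    if s is None:
        found.append("no Received line from our own server")
    elif g and g[:2] != s[:2]:
        found.append(f"source server {s[0]} [{s[1]}], expected {g[0]} [{g[1]}]")
    for header in ("From", "Return-Path"):
        gd, sd = addr_domain(genuine, header), addr_domain(suspect, header)
        if gd != sd:
            found.append(f"{header} domain {sd}, expected {gd}")
    return found
```

A different source server is a reason to make the phone call, not proof of forgery, since a sender may legitimately use several outbound servers.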
 
chergh - 2008

Hi folks,
I have a point to discuss with you on this topic.
Sure, it is important to have good management of electronic data as records captured in electronic systems such as email.
But...
The problem we face more and more is how to assure that the mail is authentic and is not a fake record. For instance, I can write a mail that looks like a true email coming from one of my suppliers.
Does anyone have a good solution to overcome this issue?

Bernard

I'm quite sure I could make a letter or a fax appear as if it came from a supplier or customer, or even attempt to forge their signature if I have a previous example.

Just as you trust someone hasn't forged more traditional methods of approval, you would trust an email in the same way.

You're also likely to have discussed this issue with your customer/supplier anyway, so are likely to expect an email and therefore have no reason to doubt its authenticity.
 

Manix

Get Involved!!!
Trusted Information Resource
Hi folks,
I have a point to discuss with you on this topic.
Sure, it is important to have good management of electronic data as records captured in electronic systems such as email.
But...
The problem we face more and more is how to assure that the mail is authentic and is not a fake record. For instance, I can write a mail that looks like a true email coming from one of my suppliers.
Does anyone have a good solution to overcome this issue?

Bernard

If you have issues in trusting your sources, I think this is far beyond meeting a TS requirement!!!!!!

There has to be an element of mutual trust between suppliers/customers or your relationship becomes so paranoid, what's the point in doing business?!!!!!
 
schmib5

You are right and I fully agree with you.
However, a typical FDA inspector raises this point, waving the threat of Part11 compliance. Then, your compliance management overpasses the good and normal business practice.
I tell you that because I faced this kind of situation in the past where source authentication is stronger than only "trusting" an information source.
 
fireonce

Re: Disaster recovery and Back-up

In our company, email is only a temporary approval.
All records are approved by hand signature.
 

Helmut Jilling

Auditor / Consultant
Hi folks,
I have a point to discuss with you on this topic.
Sure, it is important to have good management of electronic data as records captured in electronic systems such as email.
But...
The problem we face more and more is how to assure that the mail is authentic and is not a fake record. For instance, I can write a mail that looks like a true email coming from one of my suppliers.
Does anyone have a good solution to overcome this issue?

Bernard


Many clients use email as records for lower level things. It would not meet the legal requirement for signatures, if that is what you mean. For that, you would need legal signatures or digital signatures.

If you use email, I prefer they be saved to the appropriate client file, and not left in the email server. The same way you would do it if you printed it and filed the paper.
 
schmib5

Hi,
Yes, I think you're heading in a good direction. I am aware of some add-ins that help with being compliant with CFR21 Part11 for Excel or Access. However, does anyone know about the same kind of add-ins for email, such as Outlook?

:thanx:
 
JaneB

Many clients use email as records for lower level things. It would not meet the legal requirement for signatures, if that is what you mean. For that, you would need legal signatures or digital signatures.

Legislation depends on the country you're in. Here, email is accepted as a legal record.

I think it's horses for courses (as so often), working out: what's practical, what's important, what's expedient, what the pros & cons are of each medium, where the risk/s are... and then the particular organisation/business making a well-informed decision deciding what it wants to do.

The main issues I've found using emails are:
  • Auditors/other personnel who aren't technically savvy, are more familiar with the hardcopy, and thus prefer that, but sometimes hide behind the 'it has to be this way'. It doesn't always.
  • People considering email as 'personal' records rather than data belonging to the organisation
  • Technical constraints, eg, problems restoring individual emails - yes 'email' can be restored, but often that may mean restoring a whole bucket of email, not sorted into individual people's email (think needle & haystack)
  • Temporary nature - IT in some organisations forcibly archive emails older than a particular time period (30/60 days etc), which means they aren't then available later

Either printing them out & filing, or even better, scanning & storing electronically as *pdf for example (environmentally sounder) can avoid these issues.

It's important to understand the situation and constraints before you make a firm decision. Internal audit can be of great help in testing the system & risks.
 