Standards from FSIMS 8900.1 Chapter 31
B. Electronic Recordkeeping Systems.
Each certificate holder with an electronic recordkeeping system must have policies, procedures, and methods in place that support the use of the system and ensure the integrity of the records maintained on the system. Electronic recordkeeping system procedures must be incorporated into the certificate holder’s manual system, along with a description of the system itself. For those certificate holders who are not required to have manuals (e.g., part 135 single pilot and part 141), a standalone electronic recordkeeping system procedures document is an acceptable alternative, provided it is an official document maintained by the certificate holder. Policies, procedures, and system descriptions must address all of the elements outlined in paragraph 3-3010, including all of the subparagraphs contained therein.
1) System Description.
The certificate holder’s manual (or document for operations that do not require a manual) must contain a detailed description of each electronic recordkeeping system utilized by the certificate holder to maintain and store records required by 14 CFR. A certificate holder may utilize more than one system to maintain various kinds of records. In addition to addressing all of the elements contained in paragraph 3-3010, including all of the subparagraphs contained therein, the system description should include the following:
a) System facilities, hardware, and software.
b) Identification of the records maintained and stored on the system. If there is more than one system, a description of each recordkeeping system is required along with the records maintained and stored on each system.
c) Identification of the electronic records for which the certificate holder will use an authorized electronic signature process.
2) Security.
An electronic recordkeeping system must ensure that each record is preserved and cannot be altered. Access to the system must be controlled and password protected. The system must also have the ability to protect confidential information.
3) Authenticity and Prevention of Unauthorized Access or Data Corruption.
An electronic recordkeeping system must have a method of ensuring the integrity of each record through appropriate levels of security such as recognition of an electronic signature or other means, which uniquely identify the initiating person as the author of that record. The system must provide for secure access and contain safeguards against unauthorized access. Procedures should include unauthorized event recognition, which includes actions to be taken by the certificate holder upon discovery of an attempt by an unauthorized individual to access and/or make entries into the electronic recordkeeping system.
4) QC and Auditing.
An electronic recordkeeping system should have a means to ensure the quality, accuracy, and integrity of the records maintained on the system, as well as any backup to the system. There should be auditing procedures for computer systems and workstations that are part of, or have access to, the electronic recordkeeping system. QC policies and procedures must include at least the following:
a) Verification of Record Accuracy. Policies and procedures must include the verification of the accuracy and integrity of records maintained on the recordkeeping system through auditing at regular intervals (e.g., biannually, annually, or in accordance with a certificate holder’s training cycle).
b) Verification of Backup Integrity. Policies and procedures should include verification of the accuracy and integrity of records maintained on the backup system.
c) Verification of Changes Requiring Electronic Signature. Policies and procedures must include verification that any changes made to record data contain a new electronic signature, for those records that contain signatures.
d) Persons Responsible for Verification. Policies and procedures must name the person responsible for the QC process and for verification of records.
5) Maintenance Support and Backup Measures.
The system should include procedures for maintenance and support that include provisions for electronic system (computer hardware, software, application network, etc.) outages and protect against the loss of record data. The system should also include backup measures to maintain and provide access to records in the event of a system failure. The method of backup may be a separate electronic system, a backup server, or backup drive. Backup can also include media, such as print or CD-ROM, external drive, or other media acceptable to the FAA.
6) Procedures for Making Required Records Available to FAA and National Transportation Safety Board (NTSB) Personnel.
A certificate holder must provide its records in a format and manner that is acceptable to the requesting agency. FAA personnel assigned to a certificate holder with an electronic recordkeeping system may request a certificate holder to provide direct access to the electronic system for the purpose of inspecting regulatory records. Providing this direct access to the FAA is voluntary. The FAA will not request direct electronic access to records beyond those that are required by regulation and authorized in A025. It is important to distinguish a certificate holder’s voluntary provision of direct access to its electronic recordkeeping system to the FAA from the certificate holder’s responsibility to make regulatory records available to the FAA in accordance with 14 CFR part 119, § 119.59(c). In accordance with this regulation, each employee of, or person used by, the certificate holder who is responsible for maintaining the certificate holder’s regulatory records (those required under Title 49 of the United States Code (49 U.S.C.) applicable to the operation of the certificate holder) must make those records available to the Administrator.
7) Training and User Instructions.
A certificate holder with an electronic recordkeeping system must provide training and user instructions to persons responsible for entering, maintaining, and retrieving data from the system. Training should include security awareness and system integrity, as well as procedures that are necessary to authorize access to the electronic recordkeeping system. User instructions should include those for FAA personnel who are provided direct access to the system. Acceptable methods of providing training include, but are not limited to: classroom instruction, online or system tutorials, user guides, and simulated problem solving exercises.
8) Persons with Authorized Access.
System procedures should address specific access requirements for personnel authorized to make entries into the system. The certificate holder must provide each person with a unique individual access code and password to validate any entry made by the individual.
9) Instructor and Evaluator Access and Certifications.
Policies and procedures should address access by designated personnel, such as instructors, check pilots, check Flight Engineers (FE), aircraft dispatcher supervisors, and flight attendant (F/A) supervisors, to electronically enter record information and certify all record entries for which they are responsible. Electronic instructor certifications must meet all of the requirements of a valid electronic signature. The certificate holder may devise a system that requires the validating official to either enter a real-time record into the system or complete a written transmittal document in Portable Document Format (PDF) to be uploaded into the system by the appropriate personnel. If a PDF is used, the document must contain a valid electronic signature of the individual certifying the record. For authentication purposes, the electronic signature must be a permanent part of the electronic record.
10) Responsible Personnel.
Policies and procedures should identify the personnel who have the overall responsibility for the integrity and security of the electronic recordkeeping system(s) and who are responsible for controlling access to the system. Policies and procedures should also identify the persons with the authority and responsibility for modifying the electronic record system, as well as those who are responsible for entering data into the system.
11) Transferring Data to Another System.
Technological advances may make it desirable or necessary for a certificate holder to update its electronic recordkeeping system or transfer data to a new system. The certificate holder must have policies and procedures that ensure the continued integrity of record data when a certificate holder moves records from one system to another. This could entail running redundant systems for a brief period of time.
12) Continuity of Data between Legacy and Electronic Systems.
Any certificate holder should have a method to ensure continuity of data during transition from a legacy system (hardcopy) to an electronic system.
13) Continuity of Data for Outsource Maintenance Providers.
Procedures should ensure continuity of record data utilized and maintained by outsource maintenance providers.
14) Maintenance Record Transfer.
Procedures should ensure that electronic maintenance records transferred with an aircraft meet the regulatory requirements for record transfer (refer to part 43, § 43.10, and §§ 91.419, 121.380a, and 135.441).
15) Electronic Authentication, Signature, Validation, or Endorsement.
Most regulatory records require some kind of validation, such as a signature, certification, endorsement, or authentication. This validation must be a permanent part of any electronic record. To be considered valid, any electronic form of validation, authentication, endorsement, etc., must meet the FAA’s standards for electronic signatures, and the certificate holder must have the authority to use electronic signatures in its OpSpec A025. See paragraph 3-3006 for FAA standards for electronic signatures.
C. Changes to the System Require FAA Approval or Acceptance Prior to Implementation.
A certificate holder’s policies and procedures should include details of when revisions to the electronic recordkeeping system will be submitted for approval or acceptance (depending on the regulatory requirement) prior to implementation. This includes new versions of system software. Software version numbers will be included in the OpSpec A025 authorization for parts 91K, 121, 125, and 135. For all operations to which this section applies, changes to the electronic recordkeeping system must be included in the manual or official document containing the electronic recordkeeping system description.