Authorisations on documents are essential. It is even one of the requirement of the ISO 9001 International Standard: documents must be approved prior to being issued.
Approval can come in various forms (wet signatures, electronic signatures, workflow)
This approval can come in various forms, including wet signatures, electronic signatures, approval through an electronic workflow, etc.
The best practice in this area always lies with methods that allow the end-user to be certain, when opening and reading a document, that the document has been approved for release.
Therefore, any method allowing to show signatures or official stamps of approval on the first page of the document itself, should be favoured, as opposed to systems where the approval trail is only kept in a software package managing workflows for example.
The reason for that being: if the document is printed, sent to a third-party, or used on site, the user must still be able to determine if the document was approved or not. Without having to consult the audit trail in a separate software.
Challenges of an authorisation system
This requirement for a formal authorisation system comes with its own challenges, including:
- Ensuring that only authorised personnel actually signs / authorises documents
- Ensuring that, if using initials, those refer to a unique person
- Ensuring that we use the authorised signature of each person, if using wet signature
- Ensuring that we use a secured e-signature system, if opting for electronic signatures
- If using an electronic workflow to approve documents, ensure that the approval is reflected on the actual document
These challenges are encountered on a daily basis by Document Control professionals.
Authorised personnel and initials register
A few good practices can be listed here to show how Document Controllers from around the world and across industries come up with solutions to these challenges.
At the very least, if the company uses initials on documents (or in registers, such as the MDR), they should have a unique initials register. This can be maintained by the HR department for example: each employee is allocated a unique set of initials.
This requires maintenance and constant update, and it is also recommended to keep a record of each revision of this register, so that we can refer back to an older revision, in case for example of audit or investigation on a document.
More advanced, one of the good practice we have seen is to maintain an authorisation register: that is a list of personnel authorised to sign, with an indication of which documents they are authorised to approve, their named deputy in case of absence, as well as the record of both their initials and signatures.
Also, in terms of the good practices, if a Company decides to go for electronic signatures on documents, it must implement it through a dedicated e-signature software package. This will address a certain number of concerns and limitations that occur when using a non-speciliased software package, for example: problems when several persons need to sign documents, concerns about the security of signatures used, issues with the set-up of e-signatures.
Software such E-sign or Docusign for example, definitely help tackling all these e-signatures challenges.
For those who are using an EDMS that integrates approval workflows for example, we have seen good and bad practices here too.
In this case, usually the document does not circulate from one desk to another to gather signatures for example: the program does it for you: you can set up the workflow either in parallel or in sequence, so that each person who needs to approve gets to formally approve the document electronically, by simply clicling on a button. The concern is that, if that process replaces the actual signature on documents, the end-user loses the ability of knowing that a document was approved, if it is viewed outside of the EDMS.
So, in this case, the best practice is to configure the EDMS so that it reflects on the document itself that the document was approved through an electronic workflow: for example, by automatically including a watermark on approved documents, or by automatically showing the electronic signatures on documents.
In any case, we need to think first about the end user: the Document Controller will always know whether a document is approved or not, but do we make it easy enough for the end-user not to be mistaken?