蒲公英 - 制藥技術的傳播者 GMP理論的實踐者

 找回密碼
 立即注冊

QQ登錄

只需一步,快速開始

使用微信帳號登錄

使用微信帳號登錄

查看: 530|回復: 4
打印 上一主題 下一主題
收起左側

[GMP相關] WHO《計算機化系統驗證指南》-2018

[復制鏈接]
藥徒
跳轉到指定樓層
樓主
發表于 2019-6-29 15:32:24 | 只看該作者 回帖獎勵 |倒序瀏覽 |閱讀模式
WHO今年發布了《驗證指南-附錄5 計算機化系統驗證》(征求意見稿),相比于其他機構發布的《計算機化系統驗證指南》,WHO發布的這版要求更加嚴格,內容更加具體。該指南共16章,涵蓋計算機化系統驗證方案和報告、供應商管理、用戶需求規范、系統設計和配置規范、設計確認、構建和項目實施、安裝確認、運行確認、標準操作規程和培訓、性能確認、系統維護、系統退役等內容,全文翻譯如下:

因篇幅關系,忽略第1-3章介紹性內容。

4.  COMPUTERIZED SYSTEM VALIDATION PROTOCOLS AND REPORTS
計算機化系統驗證方案和報告

4.1. A computerized system needs to be validated according to an approved protocol and final report including results and conclusions prior to routine use.
計算機化系統需要根據一份批準的方案進行驗證并在日常使用前報告驗證結果和結論。

Validation protocol
驗證方案

4.2.  Validation should be executed in accordance with the validation protocol and applicable written procedures.
驗證應根據驗證方案和適當的書面規程執行。

4.3. A validation protocol should define the objectives, the validation strategy, including roles and responsibilities and documentation and activities to be performed. The protocol should at least cover the scope, risk management approach, the specification, testing, review and release of the computerized system for GMP use.
驗證方案應規定目的,驗證策略,包括角色和職責以及將要執行的文件和活動。方案應至少包括范圍、風險管理方法、計算機化系統的標準、測試,審核與放行。

4.4. The  validation  protocol  should  be  tailored  to  the  system  type,  impact,  risks  and requirements applicable to the system for which it governs validation activities.
驗證方案應與系統的類型、影響、風險和系統所適用的要求相適應,從而決定驗證活動。

Validation report
驗證報告

4.5.  A validation report should be prepared, summarizing system validation activities.
應起草驗證報告,總結系統驗證活動。

4.6. It should make reference to the protocol and outline the validation process, and include an evaluation and conclusion on results. Deviations from the validation protocol and applicable written  procedures  should  be  described,  investigated,  assessed  and  justification  for  their acceptance or rejection should be documented.
驗證報告應索與驗證方案相關聯,并概述驗證過程,并包括對所獲得結果的評價和結論。應描述、調查、和評估任何不符合驗證方案和相應書面規程的偏差,并記錄可接受或不可接受的論證過程。

4.7. Results should be recorded, reviewed, analyzed and compared against the predetermined acceptance  criteria.  All  critical  and  major  test  discrepancies  that  occurred  during  the verification/validation  testing,  should  be  investigated  and  if  accepted  they  should  be appropriately justified.
應記錄、審核、分析結果,并與預定可接受標準進行比較。所有在驗證/確認測試過程中發生的關鍵和主要的測試偏差都應被調查,如接受,應進行適當的論證。

4.8. The conclusion of the report should state whether or not the outcome of the validation was considered  successful  and  should  make  recommendations  for  future  monitoring  where applicable. The report should be approved after appropriately addressing any issue identified during validation and the system should then be released for GMP use.
報告應給出驗證結果是否視為成功的結論,并在適用時,應給出針對將來監測的建議。報告應在適當地解決驗證中發現的問題后被批準,然后放行至GMP用途。

5.  VENDOR MANAGEMENT
供應商管理

5.1. When third parties (e.g. vendors, service providers) are used, e.g. to provide, install, configure, validate, maintain, modify or retain a computerized system or related service or for data processing or system components, including cloud-based systems, an evaluation of the vendor-supplied system or service and the vendor’s quality systems should be conducted and recorded.  The  scope  and  depth  of  this  evaluation  should  be  based  upon  risk  management principles.
當使用第三方(如供應商,服務提供商),如供應、安裝、配置、驗證、維護、修改或保存計算機化系統或相關服務或用于數據處理或系統組件,包括云系統,應對供應商的供應體系或服務及其質量體系進行評估并記錄。該評估的范圍和程度應基于風險管理原則。

5.2. The competence and reliability of a vendor are key factors when selecting a product and/or service provider and vendor management is an on-going process that requires periodic assessment  and  review.  Vendor  evaluation  activities  may  include  but  are  not  limited  to: completion of a quality related questionnaire by the vendor; gathering of vendor documentation related to system development, testing and maintenance includingvendor procedures, specifications, system architecture diagrams, test evidence, release notes and other relevant vendor documentation; an on-site audit of the vendor’s facilities should be conducted to evaluate the vendor’s system life-cycle control procedures, practices and documentation.
在選擇一個產品和/或服務的供應商時,供應商的能力和可靠性是關鍵要素,并且,供應商管理是一個持續的過程,需要定期評估和回顧。供應商評估活動包括但不局限于:由供應商填寫一份質量相關的問卷,收集與系統開發、測試和維護相關的供應商資料,包括供應商規程、標準、系統架構圖、測試證據、放行說明和其它相關供應商文件,應實施對供應商工廠的現場審計以評估供應商系統生命周期控制程序,實踐和文件。

5.3.  A contract should be in place between the manufacturer and the vendor and/or the service provider defining the roles and responsibilities and quality procedures for both parties, throughout the system life cycle. The contract acceptor should not pass to a third party any of the work entrusted to her/him under the contract without the manufacturer’s prior evaluation and approval of the arrangements.
藥品生產企業應與供應商和/或服務提供商簽訂協議,規定整個系統生命周期內雙方的角色和職責,以及質量程序。在藥品生產企業預先評估和批準之前,合約受托方不得將委托給他/她的任何工作轉交給第三方。

6.  REQUIREMENTS SPECIFICATIONS
需求規范

6.1. Requirements  specifications  should  be  written  to  document  user  requirements  and functional or operational requirements and performance requirements. Requirements may be documented in separate user requirements specifications (URS) and functional requirements specifications (FRS) documents or in a combined document.
應編寫需求規范記錄用戶需求和功能或操作和性能的需求。各類需求可以記錄在獨立的用戶需求規范(URS)和功能需求規范(FRS)中,也可以合并在一份文件中。

User requirements specifications
用戶需求規范

6.2. The authorized URS document, or equivalent, should describe the intended uses of the proposed computerized system and should define critical data and data life-cycle controls that will assure consistent and reliable data throughout the processes by which data is created, processed, transmitted, reviewed, reported, retained and retrieved and eventually disposed.
批準的 URS 文件,或同等文件,應描述目標計算機化系統的預期用途,并應識別關鍵數據和數據生命周期控制措施,用于保證數據在產生、處理、傳輸、審核、報告、存儲和檢索以及最終處置的過程中的一致性和可靠性。

6.3. The URS should be written in a way to ensure that the data will meet regulatory requirements such as the WHO Guidance on good data and record management practices (5).
URS 的編寫應符合法規要求,如 WHO 良好數據和記錄管理實踐指南。

6.4.  Other aspects that should be specified include, but are not limited to, those related to:
其它應指出的方面,包括但不局限于如下:

  • the data to be entered, processed, reported, stored and retrieved by the system, including any master data and other data considered to be the most critical to system control and data output;
    將要由系統輸入、處理、報告、儲存和檢索的數據,包括所有主數據和其它對系統控制和數據輸出最為關鍵的數據。
  • the flow of data including that of the business process(es) in which the system will be used as well as the physical transfer of the data from the system to other systems or network  components.  Documentation  of  data  flows  and  data  process  maps  are recommended to facilitate the assessment and mitigation and control of data integrity risks across the actual, intended data process(es);
    數據流,包括系統將要使用的業務流程,以及數據從一個系統到另一個系統或網絡組件的物理轉移。建議有數據流和數據流程圖文件,以幫助在實際、預定數據流程下評估、降低和控制數據可靠性風險。
  • networks and operating system environments that support the data flows;
    支持數據流的網絡和操作系統環境。
  • how the system interfaces with other systems;
    系統怎樣與其它系統交互。
  • the operating program;
    操作程序
  • synchronization and security controls of time/date stamps;
    時間/日期戳的同步和安全控制。
  • controls of both the application software as well as operating systems to assure system access only to authorized persons;
    對應用程序和操作系統的訪問控制,保證僅限于授權用戶。
  • controls to ensure that data will be attributable to unique individuals (for example, to prohibit use of shared or generic login credentials);
    保證數據可追溯至個人的控制措施(例如,禁止使用共用或通用的登陸憑證)。
  • controls to ensure that data is legibly and contemporaneously recorded to durable (“permanent”) media at the time of each step and event and controls that enforce the sequencing of each step and event (for example, controls that prevent alteration of data in temporary memory in a manner that would not be documented);
    控制措施以保證數據各個步驟和事件發生時都能清晰地記錄到持久的(永久的)介質上,以及確保對各個步驟和事件的順序(例如,防止對儲存在臨時內存上的數據以一種無法記錄的方式被修改)。
  • controls that assure that all steps that create, modify or delete electronic data will be recorded  in  independent,  computer-generated  audit  trails  or  other  metadata  or alternate documents that record the “what” (e.g. original entry), “who” (e.g. user identification), “when” (e.g. time/date stamp) and “why” (e.g. reason) of the action;
    保證所有創建、修改、或刪除電子數據的步驟都將被記錄于獨立的、計算機生成的審計追蹤,或其它元數據,或替代的記錄,明確該活動的“什么”(如原始輸入),“誰”(如用戶 ID),“何時”(如時間/日期戳),以及“為什么”(如原因)。
  • backups and the ability to restore the system and data from backups;
    備份以及從備份恢復系統和數據的能力。
  • the ability to archive and retrieve the electronic data in a manner that assures that the archive copy preserves the full content of the original electronic data set, including all metadata needed to fully reconstruct the GMP activity. The archive copy should also preserve the meaning of the original electronic data set;
    歸檔和檢索電子數據的能力, 以確保歸檔副本保留原始電子數據集的全部內容, 包括充分重建GMP活動所需的所有元數據。歸檔副本還應保留原始電子數據集的含義;
  • input/output  checks,  including  implementation  of  procedures  for  the  review  of original electronic data and metadata, such as audit trails;
    輸入/輸出檢查,包括實施審核原始電子數據和元數據的程序,如審計追蹤。
  • controls for electronic signatures;
    電子簽名的控制措施。
  • alarms and flags that indicate alarm conditions and invalid and altered data in order to facilitate detection and review of these events;
    用以提示報警條件、失效和數據修改的報警和標志,以幫助發現和審核這些事件。
  • system documentation, including system specifications documents, user manuals and procedures for system use, data review and system administration;
    系統文件,包括系統標準文件,用戶手冊和系統使用,數據審核和系統管理的規程。
  • system capacity and volume requirements based upon the predicted system usage and performance requirements;
    根據預期的系統使用和性能要求,提出系統能力和容量需求。
  • performance monitoring of the system;
    系統性能監測。
  • controls for orderly system shutdown and recovery;
    確保系統的關閉和恢復有序進行的控制措施。
  • business continuity.
    業務連續性。


6.5. The extent and detail of the requirements should be commensurate with the operational risk and the complexity of the computerized system. User requirements should be specific and be phrased in a way to support their testing or verification within the computerized system’s context.
需求的范圍和詳細程度應與其運行風險和計算機化系統復雜程度相匹配。用戶需求應具體,并以一種可以在計算機化系統語境下支持測試或確認的方式進行措辭。

Functional specifications
功能規范

6.6. Functional  specifications  should  describe  in  detail  the  functions,  performances  and interfaces of the computerized system based upon technical requirements needed to satisfy user requirements.
功能規范應基于所需的技術要求詳細說明計算機化系統的功能,性能和接口,以滿足用戶需求。

6.7. The functional specifications provide a basis for the system design and configuration specifications.  Functional  specifications  should  consider  requirements  for  operation  of  the computerized system in the intended computing environment, such as functions provided by vendor-supplied software as well as functions required for user business processes that are not met by commercial off-the-shelf software (COTS) functionality and default configurations  that will require custom code development. Network infrastructure requirements should also be taken into account. Each described function should be verifiable.
功能規范為系統設計和配置規范提供了基礎。功能規范應考慮計算機化系統在預期的計算機環境中運行所需的要求,如由供應商提供功能的軟件,以及用戶業務流程所需的功能無法通過商用現成軟件和默認配置滿足,需要定制化代碼開發的軟件。網絡基礎架構需求也應納入考慮范圍。每個所描述的功能均應可確認。

6.8. Personnel access roles that provide the ability and/or authorization to write, alter or access programs should be defined and qualified. There should be appropriate segregation of roles  between  personnel  responsible  for  the  business  process  and  personnel  for  system administration and maintenance.
應規定并確認具備寫入、修改或訪問程序的能力和/或授權的人員訪問角色。應適當劃分負責業務流程的人員,和負責系統管理和維護的人員的角色。

7.  SYSTEM DESIGN AND CONFIGURATION SPECIFICATIONS
系統設計和配置規范

7.1.  System design and configuration specifications should be developed based on user and functional requirements. Specification of design parameters and configuration settings (separate or combined) should ensure data integrity and compliance with the WHO guidance on good data and record management practices (5).
應基于用戶和功能需求規范起草系統設計和配置規范。設計參數和配置設置的標準(單獨的或整合的)應保證數據可靠性并符合 WHO 良好的數據和記錄管理實踐指南。

7.2. System  design  and  configuration  specifications  should  provide  a  high-level  system description as well as an overview of the system physical and logical architecture and should map out the system business process and relevant work flows and data flows if these have not already been documented in other requirements specifications documents.
系統設計和配置規范應提供一個高水平的系統描述以及系統物理和邏輯架構的概述,并應描繪出系統業務流程和相關工作流和數據流,如這些內容還沒有在其它需求規范文件中記錄。

7.3. The system design and configuration specifications may include, as applicable, a software design  specification  in  case  of  code  development  and  configuration  specifications  of  the software application parameters, such as security profiles, audit trail configuration, data libraries and other configurable elements.
系統設計和配置規范應包括,如適用,對于存在代碼開發的情況,軟件設計規范;軟件應用程序參數的配置標準,如安全權限,審計追蹤配置,數據庫和其它配置要素。

7.4. In addition, the system design and configuration specifications may also include, based upon risk, the hardware  design  and  its  configuration specifications as  well  as that of  any supporting network infrastructure.
另外,系統和配置規范應根據風險包括:硬件設計及其配置規范,以及所有支持性網絡架構的設計和配置規范。

7.5. System  design  and  configuration  specifications  should  include  secure,  protected, independent computer-generated audit trails to track configuration changes to critical  settings in the system.
系統設計和配置規范應包括安全的、受保護的、計算機獨立生成的審計追蹤,以追蹤系統關鍵設置的配置變更。

8.  DESIGN QUALIFICATION
設計確認

8.1. A  design  review  should  be  conducted  to  verify  that  the  proposed  design  and configuration of the system is suitable for its intended purpose and will meet all applicable user and functional requirements specifications.
應進行設計審查以確認所提出的系統設計和配置適用于其預期用戶并符合所有適用的用戶和功能需求規范。

8.2. It may include a review of vendor documentation, if applicable, and verification that requirements specifications are traceable to proposed design and configuration specifications.
設計審查可以包括對供應商文件的審查(如適用),并確認可以追溯到所提出的設計和配置規范。

9.  BUILD AND PROJECT IMPLEMENTATION
構建和項目實施

9.1. Once the system requirements and the system design and configuration are specified and verified, where applicable, system development activities may begin. The development activities may occur as a dedicated phase following completion of specification of system requirements, design  and  configuration.  Alternatively,  development  activities  may  occur  iteratively  as requirements  are  specified  and  verified  (such  as  when  prototyping  or  rapid-development methodologies are employed).
一旦系統需求及系統設計和配置被明確和確認,系統開發活動就可以開始(如適用)。開發活動可以作為一個獨立的階段,在完成系統的需求、設計和配置規范后執行;蛘,開發活動也可以在需求被明確和確認過程中反復進行(如,采用原型法或快速開發方法)。

Vendor-supplied systems
供應商提供的系統

9.2. For vendor-supplied systems, development controls for the vendor-supplied portion of the  computerized  system  should  be  assessed  during  the  vendor  evaluation  or  supplier qualification. For vendor-supplied systems that include custom components (such as custom- coded interfaces or custom report tools) and/or require configuration (such as configuration of securityprofilesinthesoftwareorconfigurationofthehardwarewithinthe network infrastructure),  the  system  should  be  developed  under  an  appropriate  documented  quality management system.
對于供應商提供的系統,應在供應商評估或確認階段,評估由供應商提供的計算機化系統的開發過程控制。對于定制化(如定制代碼接口或定制報告工具)和/或需要配置(如,在軟件中配置安全權限,或在網絡架構中配置硬件)的,系統應在一個適當的書面的質量管理體系下進行開發。

Custom-developed systems
定制開發系統

9.3. For  custom-developed  systems  and  configurable  systems,  the  system  should  be developed under an appropriate documented quality system. For these systems or modules the quality management system controls should include development of code in accordance with documented programing standards, review of code for adherence to programing standards and designspecificationsanddevelopmenttestingthatmayincludeunittestingand module/integration testing.
對于定制開發系統和可配置系統,系統的開發應在一個適當的書面的質量體系下進行。對于這些系統或模塊,質量管理體系控制應包括符合書面編程標準的代碼開發、用以確認符合編程標準和設計標準的代碼審核、和開發測試,包括單元測試和模塊/集成測試。

9.4. System  prototyping  and  rapid,  agile  development  methodologies  may  be  employed during the system build and development testing phase. There should be an adequate level of documentation of these activities.
可在系統構建和開發測試階段采用系統原型法和快速的、靈活的開發模式。對于這些活動,應具備充分的記錄。

Preparation for the system qualification phases
系統確認階段準備

9.5. The system development and build phase should be followed by the system qualification phase.  This  typically  consists  of  installation,  operational  and  performance  testing.  Actual qualification required may vary depending on the scope of the validation project as defined in the validation plan and based upon a documented and justified risk assessment.
系統確認階段應在系統開發和構建階段之后。確認階段通常由安裝、運行和性能測試組成。實際所需的確認可能取決于驗證計劃中制定的驗證項目范圍,并基于書面合理的風險評估。

9.6. Prior  to  the  initiation  of  the  system  qualification  phase,  the  software  program  and requirements and specifications documents should be finalized and subsequently managed under formal change control.
在系統確認階段開始前,軟件程序和需求及規范文件應定最終確定,并后續按照正式變更控制程序管理。

9.7.  Persons who will be conducting the system qualification should be trained to adhere to the following requirements for system qualification:
實施系統確認的人員應接受培訓,使其遵守以下系統確認的要求:

  • test documentation should be generated to provide evidence of testing;
    應形成測試記錄以提供測試證據
  • test documentation should comply with good documentation practices;
    測試記錄應符合良好文件記錄實踐
  • any discrepancies between actual test results and expected results should be documented and  adequately resolved based upon risk prior to proceeding to subsequent test phases.
    應記錄所有實際測試結果和預期結果之間的偏離,并根據風險在繼續下一個測試階段前被充分地解決。


10.  INSTALLATION QUALIFICATION
安裝確認

10.1. Installation qualification (IQ), also referred to as installation verification testing should provide documented evidence that the computerized system, including software and associated hardware, is installed and configured in the intended system test and production environments according to written specifications.
安裝確認(IQ),也稱為安裝確認測試,應提供計算機化系統,包括軟件和相關硬件,已按照書面程序安裝和配置在預期的系統測試和生產環境。

10.2. The IQ will verify, for example, that the computer hardware on which the software application is installed has the proper firmware and operating system, that all components are present and in the proper condition and that each component is installed per the manufacturer or developer instructions.
IQ 將確認,如安裝軟件程序的計算機硬件具備適當的固件和操作系統,所有的組件都存在并且處于合適的環境下,即每個組件都按照生產商或開發商的指導進行安裝。

10.3. IQ should include verification that configurable elements of the system are appropriately set as specified. Where appropriate, this could also be done during operational qualification(OQ).
IQ 應包括確認系統配置要素按要求進行了設置。在適當情況下,這部分也可以在運行確認(OQ)中完成。

11.  OPERATIONAL QUALIFICATION
運行確認

11.1. The  OQ,  or  operational/functional  verification  testing,  should  provide  documented evidence that software and hardware function as intended over anticipated operating ranges.
OQ,或者運行/功能確認測試,應提供軟件和硬件功能在預期運行范圍內符合預期的書面證明。

11.2. Functional testing should include, based upon risk:
根據風險,功能測試應包括:

  • an appropriate degree of challenge testing (such as boundary, range, limit, nonsense entry testing) to verify the system appropriately handles erroneous entries or erroneous use;
    適當程度的挑戰性測試(如邊界,范圍,限制,無效輸入測試),以確認系統可以正確地處理不正確的輸入或不正確的使用。
  • verification that alarms are raised based upon alarm conditions;
    確認在警報條件下能觸發報警
  • flags are raised to signal invalid or altered data.
    無效信號或被修改的數據可以被標記


12.  STANDARD OPERATING PROCEDURES AND TRAINING
標準操作規程和培訓

12.1. Prior to the conduct of the performance qualification (PQ) and user acceptance testing (UAT), and prior to the release of the computerized system, there should be adequate written procedures and documents and training programmes created defining system use and control. These  may include  vendor-supplied  user  manuals  as  well  as  SOPs  and  training  programs developed in-house.
在性能確認(PQ)和用戶驗收測試(UAT)開始前,以及在計算機化系統放行之前,應建立充分的定義系統使用和控制的書面規程和文件以及培訓程序。包括供應商提供的用戶手冊以及企業 SOP 和培訓程序。

12.2. Procedures  and  training  programs  that  should  be  developed  include,  but  are  not necessarily limited to:
應起草的規程和培訓程序包括,但不限于:

system use procedures that address:
系統使用規程,明確:

  • routine operation and use of the system in the intended business process(es),
    系統在既定業務流程內的日常操作和使用
  • review of the electronic data and associated metadata (such as audit trails) and how the source electronic records will be reconciled with printouts, if any,
    電子數據及相關元數據(如審計追蹤)的審核,以及如打印,怎樣對比原始電子記錄和打印的紙質記錄
  • mechanisms for signing electronic data,
    簽署電子數據的機制
  • system training requirements prior to being granted system access;
    在授予系統訪問權限之前的系統培訓要求


system administration procedures that address:
系統管理規程,明確:

  • granting and disabling user access and maintaining security controls,
    用戶訪問和維護安全控制的授權和禁用
  • backup/restore,
    備份/恢復
  • archival/retrieval,
    歸檔/檢索
  • disaster recovery and business continuity,
    災難恢復和業務連續性
  • change management,
    變更管理
  • incident and problem management,
    事件和問題管理
  • system maintenance.
    系統維護


13.  PERFORMANCE QUALIFICATION AND USER ACCEPTANCE TESTING
性能確認和用戶驗收測試

13.1. PQ, that includes UAT, should be conducted to verify the intended system use and administration defined in the URS and design qualification (DQ), or equivalent document.
應執行 PQ,包括 UAT,以確認 URS 和設計確認(DQ),或其它同等文件中規定的系統預期用途和管理。

13.2. The PQ should be conducted in the live environment or in a test environment that is equivalent to the live environment in terms of overall software and hardware configuration.
PQ 應在使用環境下,或等同于使用環境的測試環境(包括整體軟件和硬件配置方面)下執行。

13.3. PQtestingshouldalsoinclude,asapplicable,anappropriatedegreeof stress/load/volume testing based upon the anticipated system use and performance requirements in the production environment.
PQ 測試應包括,如適用,根據系統預期用途和在使用環境下的性能要求進行適當的壓力/負載/容量測試。

13.4. In addition, an appropriate degree of end-to-end or regression testing of the system should  be  conducted  to  verify the  system  performs  reliably when  system  components  are integrated in the fully-configured system deployed in the production environment.
另外,應執行適當程度的系統的端到端或回歸測試,以確認系統組件在使用環境集成為一個完全配置的系統后,系統性能可靠。

13.5. UAT should be conducted by system users to verify the adequacy of system, use of SOPs and training programs. The UAT should include verification of the ability to generate and process only valid data within the computerized system, including the ability to efficiently review electronic data and metadata, such as audit trails.
系統用戶應進行 UAT 測試以確認系統、SOP 使用和培訓項目的充分性。UAT 應包括,確認在計算機化系統內,生成和處理數據有效的能力,包括能夠有效地審核電子數據和元數據的能力,如審計追蹤。

Legacy systems
遺留系統

13.6. The continued use of a legacy system should be justified by demonstrating the system continues to be relevant to the GMP process being supported and by ensuring adequate validation of the system has been performed.
遺留系統的繼續使用應經過論證,證明系統繼續與所支持的 GMP 流程相關,并確保實施了充分的系統驗證。

13.7. The validation approach to be taken should aim at providing data and information to support the retrospective documentation of the system as well as requalification evidence.
所采取的驗證方法應能提供用于支持系統回顧性文件以及再確認證據的數據和信息。

13.8. A risk assessment should be undertaken to determine the criticality of the system to the process or operation being supported and a gap analysis should identify the level of completeness of existing qualification documentation (e.g. URS, IQ/OQ/PQ, SOPs) and state of system control, operation and maintenance.
應進行風險評估,確定系統對于其所支持的流程或操作的關鍵性,并進行差距分析識別現有確認文件(如 URS,IQ/OQ/PQ,SOP)的完整程度,以及系統控制、操作和維護的說明。

13.9. For legacy systems, because of their age and unique characteristics, the system development documentation and records appropriate for validation may not be available. Nevertheless, the strategy should be consistent with validation principles where assurance is established, based on compilation and formal review of the history of use, maintenance, error report and change control system records. These activities should be based on documented URS. If historical data do not encompass the current range of operating parameters, or if there have been significant changes between past and current practices, then retrospective data would not of itself support validation of the current system.
對于遺留系統,由于其年限和獨特的特性,可能不具備適用于驗證的開發文件和記錄。然而,驗證策略應在基于系統歷史使用、維護、錯誤報告和變更控制系統記錄的梳理和正式審核,與質量保證驗證原則一致。這些活動應基于書面的 URS。如果歷史數據不能夠覆蓋運行參數的現行范圍,或者過去和現行的狀態之間曾有過重大變更的,那么回顧性數據不能用于支持現行系統的驗證。

13.10. The validation exercise should demonstrate that user requirements and system description have been appropriately established as well as provide evidence that the system has been qualified and accepted and that GXP requirements are met.
驗證活動應證明已恰當地制定用戶需求和系統描述,并提供系統經確認和接受,符合 GXP 要求的證據。

13.11. System retirement should be considered as a system life-cycle phase. It should be planned, risk-based and documented. If migration or archiving of GMP-relevant data (4) is necessary, the process must be documented.
系統退役應作為系統生命周期的一個階段進行考察。系統退役應有計劃,基于風險和書面化。如果需要遷移或歸檔 GMP 相關數據,那么該過程應被記錄。

13.12. Where electronic data are transferred from one system to another it should be demonstrated that data are not altered during the migration process. Conversion of data to a different format should be considered as data migration. Where data are transferred to another medium, data must be verified as an exact copy prior to any destruction of the original data.
如果電子數據由一個系統轉移到另一個,那么應證明數據在遷移過程中沒有被改變。將數據轉換為不同格式應被視為數據遷移。當數據轉移到另一個介質中,在銷毀原始數據之前,必須確認轉移后的數據為真實副本。

13.13. Data migration efforts may vary greatly in complexity and measures to ensure appropriate transfer of data should be commensurate to identified risks. Migrated data should remain usable and should retain its content and meaning. The value and/or meaning of and links between a system audit trail and electronic signatures should be ensured in a migration process.
數據遷移的難易程度根據系統復雜性而大不相同。用于保證數據正確轉移的措施應與所識別的風險相匹配。遷移后的數據應保持其可用性,并保留其內容和含義。遷移過程應保證系統審計追蹤和電子簽名與原數值和/或含義之間的鏈接。

14.  SYSTEM OPERATION AND MAINTENANCE
系統操作和維護

Security and access control
安全和訪問控制

14.1. Manufacturers should have systems and procedures in place to ensure security of data integrity and access control to computerized systems.
生產商應具備系統和程序,保證完整數據的安全性和計算機化系統的訪問控制。

14.2. Suitable  security  measures  should  be  in  place  to  prevent  unauthorized  entry  or manipulation or deletion of data through both the application software as well as in operating system environments in which data may be stored or transmitted. Data should be entered or amended only by persons authorized to do so.
應制定適當的控制措施防止對數據未經授權的進入或篡改或刪除,不管是通過軟件本身還是儲存或傳輸數據的操作系統。數據只能由授權人員輸入或修正。

14.3. The  activity  of  entering  data,  changing  or  amending  incorrect  entries  and  creating backups should be done in accordance with SOPs.
輸入數據、改變或修改錯誤輸入,以及創建備份等活動應按照 SOP 進行。

14.4. Security should extend to devices used to store programs. Access to these devices should be controlled.
安全措施應延伸至儲存程序的設備。應控制對這些設備的訪問。

14.5. Procedures for review of audit trails and when necessary metadata should define the frequency, roles and responsibilities, and nature of these reviews.
審計追蹤審核和適用情形下元數據審核的規程,應規定審核活動的頻率、角色和職責,以及審核的性質。

14.6. Actions, performance of the system and acquisition of data should be traceable and identify the persons who made entries and or changes, approved decisions or performed other critical steps in system use or control.
系統的活動、性能和數據的采集應可追溯,并識別那些在系統使用和控制中進行輸入或修改,批準決定或實施其它關鍵步驟的人員。

14.7. Details  on  user  profiles,  access  rights  to  systems,  networks,  servers,  computerized systems and software should be documented and an up-to-date list on the individual user rights for the software, individual computer systems and networks should be maintained and subjected to change control. The level of detail should be sufficient to enable computer system validation personnel, information technology (IT) personnel/any external auditor/inspector to ascertain that security features of the system and of software used to obtain and process critical data cannot be circumvented.
應記錄關于用戶配置,系統訪問權限,網絡,服務器,計算機化系統和軟件的詳細情況,并維護一份實時更新的權限清單記錄軟件、個人計算機系統和網絡的用戶權限,并遵循變更控制。該清單應足夠詳細,以幫助計算機系統驗證人員、信息技術(IT)人員/任何外部審計人員/檢查人員可以確定用于獲取和處理關鍵數據的系統和軟件具備安全的特性。

14.8. All  GMP  computerized systems, either stand-alone or in a network, should  have a system commensurate to identified risks for monitoring through an audit trail events that are relevant. These events should include all elements that need to be monitored to ensure that the integrity (5) of the data could not have been compromised, such as but not limited to, changes in data,deletionofdata,dates,times,backups,archives,changesinuseraccessrights, addition/deletion of users and logins. In accordance with WHO guidance on good data and record management practices (5). The configuration and archival of these audit trails should be documented and also be subjected to change control. These audit trails should be accurate, consistent,secure and available through out the retention period and their generation appropriately qualified.
所有 GMP 計算機化系統,不管是單機還是網絡版,應具備一個與所識別的風險相適應的審計追蹤事件相關的監測系統。被追蹤的事件應包括所有需要被監控的要素,以確保數據完整性不受到危害,例如(但不局限于),數據更改,數據刪除,日期,時間,備份,歸檔,用戶訪問權限變更,用戶和登陸賬號的增加/刪除。為符合 WHO 《數據和記錄管理規范》,應記錄這些審計追蹤記錄的配置和歸檔,并遵循變更控制。這些審計追蹤記錄應準確、一致、安全并在整個保存期間可用,審計追蹤的生成應經過確認。

Operation and maintenance
操作和維護

14.9. Entry  of   data  into  a  computerized  system  should  be  verified  by  an  independent authorized person and locked before release for routine use.
將數據輸入到一個計算機化系統的過程應由一個獨立的經授權的人員確認,并在放行用于日常使用前鎖定。

14.10. Validated computerized systems should be maintained in a validated state once released to the GXP production environment.
已驗證的計算機化系統應在放行至 GXP 生產環境后保持驗證狀態。

14.11. There  should  be  written  procedures  governing  system  operation  and  maintenance, including, for example:
應具備書面規程管理系統操作和維護,包括:

  • performance monitoring;
    性能監測
  • change management and configuration management;
    變更管理和配置管理
  • problem/incident management;
    問題/事件管理
  • program and data security;
    程序和數據安全
  • program and data backup/restore and archival/retrieval;
    程序和數據備份/恢復和歸檔/檢索
  • system administration and maintenance;
    系統管理和維護
  • data flow and data life cycle;
    數據流和數據生命周期
  • system use and review of electronic data and metadata (such as audit trails);
    系統使用和電子數據及元數據(如審計追蹤)審核
  • personnel training;
    人員培訓
  • disaster recovery and business continuity;
    災難恢復和業務連續性
  • availability of spare parts and technical support;
    備件供應情況和技術支持
  • periodic re-evaluation.
    定期再評價


Periodic review
周期性回顧

14.12. Computerized systems should be periodically reviewed to determine whether the system remains in a validated state or whether there is a need for revalidation. The scope and extent of the revalidation should be determined using a risk-based approach. The review should at least cover:
應定期回顧計算機化系統,以確定系統是否保持在一個已驗證的狀態或者是否需要再驗證。再驗證的范圍和程度應使用基于風險的方法確定;仡檻辽俑采w:
  • review of changes;
    變更回顧
  • review of deviations;
    偏差回顧
  • review of incidents/ events;
    事件回顧
  • systems documentation;
    系統文件
  • procedures;
    規程
  • training;
    培訓
  • effectiveness of corrective and preventive action (CAPA).
    整改預防措施 CAPA 的有效性


14.13. CAPA should be taken where indicated as a result of the periodic review.
當周期性回顧的結論指明需要 CAPA 時,應啟動 CAPA。

14.14. Automatic or live updates should be subject to review prior to becoming effective.
自動升級或在線升級應在執行前進行審核。

15.  SYSTEM RETIREMENT
系統退役

15.1. Once the computerized system or components are no longer needed, the system  or components should be retired and decommissioned in accordance with established authorized procedures including a change control procedure and a formal plan for retirement.
一旦不再需要計算機化系統或其組件時,系統或組件應按照已建立經批準的程序進行退役。批準的規程包括變更控制程序和一份正式的退役計劃。

15.2. Records should be in a readable form and in a manner that preserves the content and meaning of the source electronic records throughout the required records retention period.
盡管退役,仍應保持在整個所要求的記錄保存期間,確保記錄的可讀性,并保持原電子記錄的內容和含義。

15.3. The  outcome  of  the  retirement  activities,  including  traceability  of  the  data  and computerized systems, should be presented in a report.
退役活動的結果,包括數據和計算機化系統的可追溯性,應呈現在報告中。

分享到:  QQ好友和群QQ好友和群 QQ空間QQ空間 騰訊微博騰訊微博 騰訊朋友騰訊朋友
收藏收藏6 分享分享 分享淘帖 好評好評2 差評差評
回復

使用道具 舉報

沙發
發表于 2019-6-30 08:28:59 | 只看該作者
很好的資料,學習學習!
回復 支持 反對

使用道具 舉報

板凳
發表于 2019-7-4 11:50:16 | 只看該作者
學習學習,謝謝分享
回復 支持 反對

使用道具 舉報

地板
發表于 2019-7-8 16:48:09 來自手機 | 只看該作者
回復 支持 反對

使用道具 舉報

藥徒
5#
發表于 2019-7-8 19:25:39 | 只看該作者
謝謝分享,學習學習
回復 支持 反對

使用道具 舉報

您需要登錄后才可以回帖 登錄 | 立即注冊

本版積分規則

×友情提示
1、無權下載附件會員可能原因:1.“待驗證用戶組“,請點擊注冊郵箱里面收到的確認郵件即可; 2.作者設定權限的,提高用戶組級別即可
2、對本站的任何疑問或合作需求,請聯系微信tank066,關于怎樣提高用戶組/積分:http://www.8268855.com/thread-6764-1-1.html
3、注冊用戶在本社區發表、轉載的任何作品僅代表其個人觀點,不代表本社區認同其觀點。
4、如果存在違反國家相關法律、法規、條例的行為,我們有權在不經作者準許的情況下刪除其在本論壇所發表的文章。
5、所有網友不要盜用有明確版權要求的作品,轉貼請注明來源,否則文責自負。

QQ|手機版|蒲公英|ouryao|蒲公英 ( 京ICP備14042168號 京ICP證150354號 )

GMT+8, 2019-8-2 08:14 , Processed in 0.124066 second(s), 38 queries .

Powered by Discuz! X3.2

© 2001-2012 Comsenz Inc.

返回頂部 陕西快乐十分