包含更新附录11的补充要求Q&A和DI的Q&A。那就趁着2026年过期前,赶紧看看。
本篇只有附录11的补充要求Q&A。
DI的,得下一篇。
注意:本部分内容,将被2022.11.16发布的吹风文档(征求意见中)更新。
Guidance on good manufacturing practice and good distribution practice: Questions and answers | European Medicines Agency (europa.eu)
EU GMP guide annexes: Supplementary requirements: Annex 11: Computerised systems
EU GMP指南附件:补充要求:附件11:计算机化系统
1. Appropriate controls for electronic documents such as templates should be implemented. Are there any specific requirements for templates of spreadsheets? H+V February 2011
应对模板等电子文档实施适当的控制。电子表格模板有什么具体要求吗?
Templates of spreadsheets help to avoid erroneous calculations from data remaining from previous calculations. They should be suitably checked for accuracy and reliability (annex 11 p7.1). They should be stored in a manner which ensures appropriate version control (chapter 4 p4.1).
电子表格模板应该有助于避免从先前计算中剩余的数据中进行错误计算。应适当检查其准确性和可靠性(附件11,第7.1页)。它们的存储方式应确保适当的版本控制(第4章p4.1)。
2. What type of accuracy checks (annex 11 p 6) are expected for the use of spreadsheets? H+V February 2011
使用电子表格需要进行哪些类型的准确性检查(附件 11 第 6 页)?
Data integrity should be ensured by suitably implemented and risk-assessed controls. The calculations and the files should be secured in such a way that formulations are not accidentally overwritten. Accidental input of an inappropriate data type should be prevented or result in an error message (e.g. text in a numeric field or a decimal format into an integer field). So-called 'boundary checks' are encouraged.
应通过适当实施和风险评估的控制来确保数据的完整性。应以不会意外覆盖公式的方式保护计算和文件。应防止意外输入不适当的数据类型或导致错误消息(例如,数字字段中的文本或整数字段中的十进制格式)。鼓励进行所谓的“边界检查”。【boundary checks、boundary scan,程序或电路的一种检查方式,确保冗余的能力】
3. Are there any specific considerations for the validation of spreadsheets? H+V February 2011
电子表格的验证是否有任何特定的注意事项?
Validation according to paragraph 4 of annex 11 is required at least for spreadsheets that contain custom code (e.g. Visual Basic for applications). Formulas or other types of algorithm should be verified for correctness.
至少对于包含自定义代码的电子表格(例如应用程序的Visual Basic),至少需要根据附件11第4段进行验证。应验证公式或其他类型的算法的正确性。
4. What measures are required to ensure data security of databases? H+V February 2011
需要采取哪些措施来确保数据库的数据安全?
Data security includes integrity, reliability and availability of data. During validation of a database-based or inclusive system, consideration should be given to:
数据安全性包括数据的完整性、可靠性和可用性。在验证基于数据库或兼容的系统时,应考虑:
implementing procedures and mechanisms to ensure data security and keeping the meaning and logical arrangement of data;
实施程序和机制,以确保数据安全并保持数据的含义和逻辑安排;
load-testing, taking into account future growth of the database and tools to monitor the saturation of the database;
负载测试,考虑到数据库的未来增长和监测数据库饱和度的工具;
precautions for necessary migration of data (annex 11 p17) at the end of the life-cycle of the system.
在系统生命周期结束时进行必要数据迁移的预防措施(附件11 p17)
5. At which phases of the system life-cycle is risk management recommended? H+V February 2011
建议在系统生命周期的哪些阶段进行风险管理?
Risk management should be applied throughout the whole life-cycle. A first risk assessment should be performed to determine the GMP criticality of the system, i.e. does the system have an impact on patient safety, product quality or data integrity? User-requirement specifications are usually developed with consideration of potential risks and form the basis for the first formal risk assessment.
风险管理应贯穿整个生命周期。应进行首次风险评估以确定系统的GMP关键性,即系统是否对患者安全,产品质量或数据完整性产生影响?用户需求规范通常在考虑潜在风险的情况下制定,并构成第一次正式风险评估的基础。
Complex systems should be evaluated in further more detailed risk assessments to determine critical functions. This will help ensure that validation activities cover all critical functions.
应在进一步更详细的风险评估中评估复杂系统,以确定关键功能。这将有助于确保验证活动涵盖所有关键职能。
Risk management includes the implementation of appropriate controls and their verification.
风险管理包括实施适当的控制及其验证。
6. Are user requirements needed as part of the retrospective validation of legacy systems? H+V February 2011
在对遗留(旧有)系统进行追溯验证时是否需要用户需求?
The way to check whether a computerised system is fit for its intended purpose is to define user requirements and perform a gap analysis to determine the validation effort for retrospective validation. These user requirements should be verified.
检查计算机化系统是否适合其预期目的的方法是定义用户需求并执行差距分析,以确定回顾性验证的验证工作。应验证这些用户要求。
7. When do I have to revalidate computerised systems? H+V February 2011
我什么时候需要重新验证计算机化系统?
Computerised systems should be reviewed periodically to confirm that they remain in a validated state. Periodic evaluation should include, where applicable, the current range of functionality, deviation records, change records, upgrade history, performance, reliability and security. The time period for revaluation and revalidation should be based on the criticality of the system.
应定期审查计算机化系统,以确认它们仍处于验证状态。定期评估应包括(如适用)当前功能范围、偏差记录、变更记录、升级历史记录、性能、可靠性和安全性。重新评估和重新验证的时间段应基于系统的关键程度。
8. What are the requirements for storage time of electronic data and documents? H+V February 2011
对电子数据和文件的存储时间有什么要求?
The requirements for storage of electronically data and documents do not differ from paper documents. It should be ensured that electronic signatures applied to electronic records are valid for the entire storage period for documents.
存储电子数据和文件的要求与纸质文件没有区别。应确保应用于电子记录的电子签名在整个文件储存期内有效。
9. What are the relevant validation efforts for small devices? H+V February 2011
小型设备的相关验证工作是什么?
Small devices are usually off-the-shelf pieces of equipment that is widely used. In these cases, the development life-cycle is mainly controlled by the vendor. The pharmaceutical customer should therefore reasonably assess the vendor's capability of developing software according to common standards of quality.
小型设备通常是广泛使用的现成设备。在这些情况下,开发生命周期主要由供应商控制。因此,制药企业应根据通用质量标准合理评估供应商开发软件的能力。
A vendor assessment needs to be performed and the application needs to be verified against the requirements for the intended use. From the perspective of the regulated industry, the implementation of such a device is driven by an implementation life-cycle. At minimum the following items need to be addressed:
需要执行供应商评估,并且需要根据预期用途的要求验证应用程序。从受监管行业的角度来看,这种设备的实现是由实施生命周期驱动的。至少需要解决以下事项:
requirement definition for the intended use including process limitations. This should also include a statement indicating whether data are stored or transferred to another system. As per the definition of a small device, data are not stored permanently but temporarily and are not to be modified by a user. Therefore, limited user access handling is acceptable. It needs to be ensured that parameter data influencing the device's behaviour may not be altered without suitable permission;
期用途的要求定义,包括过程限制。这还应包括一个声明,指示数据是存储还是传输到另一个系统。根据小型设备的定义,数据不是永久存储,而是临时存储,用户不得修改。因此,有限的用户访问处理是可以接受的。需要确保未经适当许可,不得更改影响设备行为的参数数据;
risk assessment, taking into consideration the intended use and the risk to patients for associated with the process supported by the small device; 风险评估,同时考虑预期用途和与小型设备支持的过程相关的患者风险;
vendor assessment; 供应商评估;
list of available documentation from the vendor, especially those describing the methodology used and the calculation algorithm, if applicable. A vendor certificate or equivalent detailing the testing performed by the vendor may also be included; 供应商提供的可用文档列表,特别是描述所用方法和计算算法的文档(如果适用)。还可以包括详细说明供应商执行的测试的供应商证书或同等证书;
calibration certificate, if applicable; 校准证书(如适用);
validation plan according to the risk-assessment results; 根据风险评估结果制定验证计划;
verification testing proving that the device fulfills the requirements for the intended use. It may be equivalent to a PQ-phase.核实性测试,以证明设备满足预期用途的要求。它可能等同于PQ阶段。
Small manufacturing devices are sometimes only equipped with microprocessors and firmware and are not capable of high-level administration functions. Moreover, data is often transient in nature in these devices. Due to the latter there is no risk of inadvertently modifying data. An audit trail is therefore not necessary and user access may be limited to those functions of parameter control.
小型制造设备有时仅配备微处理器和固件,无法执行高级管理功能。此外,在这些设备中,数据通常是瞬态的。由于后者,不存在无意中修改数据的风险。因此,不需要审计跟踪,用户访问可能仅限于参数控制功能。
10. What alternative controls are accepted in case a system is not capable to generate printouts indicating if any of the data has been changed since the original entry? H+V February 2011
如果系统无法生成打印输出,指示自原始条目以来是否有任何数据已更改,则接受哪些替代控制?
As long as this functionality is not supported by the supplier, it may be acceptable to describe in a procedure the fact that a print-out of the related audit trail report must be generated and linked manually to the record supporting batch release.
只要供应商不支持此功能,就可以在程序中描述以下事实:必须生成相关审计跟踪报告的打印输出,并将其手动链接到支持批次放行的记录。
