不是广告,应为这几个也这件事相关性较高,回头你自己看看,放在文末怕你不看
别着急,兴许你是QC—IT、QA,那这个你可以看看:
最后如果你在研究COTS,别忘了看看这个专辑:
正文开始,一图胜千言;下,应该在明天上午就发;我要睡觉了,脑瓜仁儿子疼。某人,收菜啦。
1.
Introduction
This concept paper addresses the need to update Annex 11, Computerised Systems, of the Good Manufacturing Practice (GMP) guide. Annex 11 is common to the member states of the European Union (EU)/European Economic Area (EEA) as well as to the participating authorities of the Pharmaceutical Inspection Co-operation Scheme (PIC/S). The current version was issued in 2011 and does not give sufficient guidance within a number of areas. Since then, there has been extensive progress in the use of new technologies.
本概念文件意在指明GMP指南附录11计算机化系统更新的必要性。附件11是欧盟(EU)/欧洲经济区(EEA)成员国以及药品检验合作计划(PIC/S)参与当局的共同文件。发布于2011年的当前版本在一些领域没有给出足够的指导。从那时起,新技术的使用已经有了广泛的进展。
Reasons for the revision of Annex 11 include, but are not limited to the following (in non-prioritised order and with references to existing sections in sharp brackets). More improvements may prove to be necessary as inputs will be received by the drafting group:
修订附件11的原因包括但不限于以下(以非优先顺序排列,并在方括号内注明现有章节)。由于起草小组将收到新的意见建议,下文可能需要进一步更新:
1.
[New] The document should be updated to replace relevant parts of the Q&A on Annex 11 and the Q&A on Data Integrity on the EMA GMP website.
本文档的更新将取代“EMA网站中关于数据完整性和附录11的问答”相关的部分
2.
[New] With regards to data integrity, Annex 11 will include requirements for ‘data in motion’ and ‘data at rest’ (backup, archive and disposal). Configuration hardening and integrated controls are expected to support and safeguard data integrity; technical solutions and automation are preferable instead of manual controls.
关于数据完整性,附件11将包括“【活跃数据】”和“【愣神儿数据】”(备份、存档和处理)的要求。将被要求强化配置和控制集成,以支持和保护数据完整性;技术解决方案和自动化代替人工控制更可取。
3.
[New] An update of the document with regulatory expectations to ‘digital transformation’ and similar newer concepts will be considered.
将考虑更新文件,对“数字转型”和类似的更新概念进行监管预期。
4.
[Principle准则] The scope should not only cover where a computerised system “replaces of a manual operation”, but rather, where it replaces ‘another system or a manual process’.
文件的范围不仅应涵盖计算机化系统“取代人工操作”的领域,还应涵盖它取代“另一个系统或人工步骤”的地方。
5.
[1] References should be made to ICH Q9.
参考文献应适配到ICHQ9。
6.
[3.1] The list of services should include to ‘operate’ a computerised system, e.g. ‘cloud’ services.
企业的第三方服务清单应包括“操作(租用)”计算机化系统,例如“云”服务。
7.
[3.1] For critical systems validated and/or operated by service providers (e.g. ‘cloud’ services), expectations should go beyond that “formal agreements must exist”. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider. See also Notice to sponsors and Q&A #9 on the EMA GCP website and Q&A on the EMA GVP website)
对于由服务提供商验证和/或操作的关键系统(例如“云”服务),管控预期应不仅仅是“必须存在正式协议”。受监管用户应该能够访问系统验证和安全运行的完整文档,并能够在监管检查期间实现这一点,例如在服务提供商的帮助下。也可见EMA 网站GCP承办方注意事项和Q&A,以及EMA官网 GVP的Q&A。
8.
[3.3] Despite being mentioned in the Glossary, the term “commercial off-the-shelf products” (COTS) is not adequately defined and may easily be understood too broadly. Critical COTS products, even those used by “a broad spectrum of users” should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection. The use of the term and the expectation for qualification, validation and safe operation of such (e.g. ‘cloud’) systems should be clarified.
尽管在术语表中有提及,但“商业现货产品”(COTS)一词的定义并不充分,很容易理解得过于宽泛。关键的COTS产品,即使是那些“广泛的用户”使用的产品,也应该由供应商或受监管的用户进行资格确认,并应提供相关文档以供检查。应澄清该术语的使用以及对这类(如“云”)系统的确认、验证和安全操作的期望。
【别人有、别人用,不代表你用也OK。】
9.
[4.1] The meaning of the term ‘validation’ (and ‘qualification’), needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.
术语“验证”(和“确认”)的含义需要澄清。应该强调的是,这两项活动都包括对用户需求规范(URS)或类似内容中所描述的所需和指定功能的核实。
10.
[4.1] Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions, parts which ensure product quality and data integrity and parts, which have been specifically designed or customised.
遵循基于风险的方法,系统确认和验证应该特别挑战用于制定GMP决策的系统的关键部分,确保产品质量和数据完整性的部分,以及专门设计或定制的部分。
11.
[4.4] It is not sufficiently clear what is implied by the sentence saying “User requirements should be traceable throughout the life-cycle”. A user requirements specification, or similar, describing all the implemented and required GMP critical functionality which has been automated, and which the regulated user is relying on, should be the very basis for any qualification or validation of the system, whether performed by the regulated user or by the vendor. User requirements specifications should be kept updated and aligned with the implemented system throughout the system life-cycle and there should be a documented traceability between user requirements, any underlying functional specifications and test cases. “在整个生命周期中,用户需求应该是可跟踪的”这句话所暗示的含义并不足够清楚。用户需求规范,或类似的描述所有已实现和要求的已自动化的GMP关键功能,以及受监管用户所依赖的GMP关键功能,应该是系统的任何确认或验证的基础,无论由受监管用户还是由供应商执行。在整个系统生命周期中,用户需求规范应该不断更新,并与实现的系统保持一致,并且在用户需求、任何底层功能规范和测试用例之间应该有文档化的可追溯性。
【系统上线时,和URS是一致的,客观承认和允许先期USR的不充分。】
12.
[4.5] It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents, should be clarified.
应该承认和强调的是,今天的软件开发经常遵循敏捷开发过程,接受此类产品和相应文档的标准(可能不包含传统文档)应该得到澄清。
【但愿你能把 敏捷、迭代、瀑布模型、螺旋模型、极限编程、水晶编程搞懂。不懂,不想看,我划水ing】
13.
[6] Guidelines should be included for classification of critical data and critical systems.
关键数据和关键系统的分类应包括指导方针。
14.
[7.1] Systems, networks and infrastructure should protect the integrity of GMP processes and data. Examples should be included of measures, both physical and electronic, required to protect data against both intentional and unintentional loss of data integrity.
系统、网络和基础设施应保护GMP过程和数据的完整性。应举例说明为保护数据免遭有意和无意的数据完整性损失而需要采取的物理和电子措施。
15.
[7.2] Testing of the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through ‘accelerated testing’). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.
测试从备份中恢复系统数据(如果不容易重新创建,则恢复系统本身)的能力至关重要,但是对这种能力进行必要的定期检查是没有必要的,即使没有对备份或恢复过程进行更改。对易失介质的长期备份(或存档)应基于经过验证的程序(例如,通过“加速测试”)。在这种情况下,测试不应该关注备份是否仍然可读,而是验证它在给定的时间内是否可读。
【终于有点正本清源的感觉了,让验证回归验证,让CSA的A是真正的A。致敬Bob的努力】
16.
[7.2] Important expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).
缺少对备份过程的重要期望,例如备份覆盖什么(例如,仅数据或数据和应用程序),进行什么类型的备份(例如,增量式或完全式),进行备份的频率(所有类型),备份保留多长时间,备份使用哪种介质,以及备份保存在哪里(例如,物理隔离)。
17.
[8] The section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered. 该部分应包括期望能够获得电子格式的数据,包括完整的审计跟踪。可以重新考虑能够打印数据的要求。
【应该说当时官方还不懂这一块,但,现在人家关注了,你懂了吗?】
18.
[9] An audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just ‘considered based on a risk assessment’. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.
审计跟踪功能自动记录GMP关键系统上的所有手动交互——用户、数据或设置可以手动更改等的领域——这应该被视为强制性的;而不仅仅是“基于风险评估的考虑”。在这种没有审计追踪功能的系统中,电子数据的控制过程或捕获、保存或传输是不可接受的;这个领域的任何宽限期早就过期了。
【某些企业和某些品牌的仪器商,该醒醒了,不是我不选择你,虽然你很强,功能上】
19.
[9] The audit trail should positively identify the user who made a change, it should give a full account of what was changed, i.e. both the new and all old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field or where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.
审计跟踪应该积极地识别做出更改的用户,它应该充分说明发生了什么变化,例如,新值和旧值都应该清晰可见,它应该包括进行更改的完整时间和日期,对于所有其他更改,除了在空字段输入值或这是完全明显的,用户应该被提示进行更改的原因或基本理由。
20.
[9] It should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see ‘segregation of duties’).
对于在系统上工作的普通用户或特权用户,不应该编辑审计跟踪数据或禁用审计跟踪功能。如果这些功能是可用的,它们应该仅供不应参与GMP生产或系统日常工作的系统管理员访问(参见“职责分离”)。
21.
[9] The concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.
对审计跟踪审核的概念和目的描述不充分。该过程应关注对系统进行手动更改的完整性审查,例如验证更改的原因,以及更改是否在不寻常的日期、时间和由不寻常的用户进行。
