EU GMP问答-11 附录11 计算机化系统10问

EUGMP guide annexes: Supplementary requirements: Annex 11: Computerised systems

EU GMP指南附录：补充要求：附录11：计算机化系统

1.Appropriate controls for electronic documents such as templates should beimplemented. Are there any specific requirements for templates of spreadsheets?H+V February 2011

对于电子文件，例如模板要进行适当的控制。这里对于数据表是否有什么特定的要求？H+V 2011年2月

Templates ofspreadsheets help to avoid erroneous calculations from data remaining fromprevious calculations. They should be suitably checked for accuracy andreliability (annex 11 p7.1). They should be stored in a manner which ensuresappropriate version control (chapter 4 p4.1).

数据表的模板帮助避免之前计算保留数据导致的错误计算。针对数据表，要检查其准确性和可靠性（附录11页7.1）。数据表存贮方式要能保证适当的版本控制（第4章页4.1）。

2. What typeof accuracy checks (annex 11 p 6) are expected for the use of spreadsheets? H+VFebruary 2011

使用数据表格时，要进行哪些准确度检查（附录11页5）？H+V 2011年1月

Data integrityshould be ensured by suitably implemented and risk-assessed controls. Thecalculations and the files should be secured in such a way that formulationsare not accidentally overwritten. Accidental input of an inappropriate datatype should be prevented or result in an error message (e.g. text in a numericfield or a decimal format into an integer field). So-called 'boundary checks'are encouraged.

应通过适当实施的和基于风险的控制来保证数据完整性。计算和文档应受到保护，公式不能被无意改写。能防止无意输入不适当的数据类型，或导致错误信息（例如，在数字域中输入文字或在整数域中输入小数）。鼓励进行所谓“边界测试”。

3. Are thereany specific considerations for the validation of spreadsheets? H+V February2011

数据表的验证有哪些需要特殊考虑的？H+V 2011年2月

Validationaccording to paragraph 4 of annex 11 is required at least for spreadsheets thatcontain custom code (e.g. Visual Basic for applications). Formulas or othertypes of algorithm should be verified for correctness.

根据附录11第4段，对数据表格所需要进行的验证至少包括定制代码（例如visual Basic应用）。公式或其它计算输入应进行正确性核实。

4. Whatmeasures are required to ensure data security of databases? H+V February 2011

要采取什么措施来保证数据库的数据安全性？H+V 2011年2月

Data securityincludes integrity, reliability and availability of data. During validation ofa database-based or inclusive system, consideration should be given to:

数据安全性包括完整性、可靠性和数据可获得性。在数据库或兼容系统验证期间，要考虑以下内容：

·implementing procedures and mechanisms to ensure datasecurity and keeping the meaning and logical arrangement of data;

·实施程序和原理来保证数据安全性，保持数据的含义和逻辑意义

·load-testing, taking into account future growth ofthe database and tools to monitor the saturation of the database;

·负载测试，考虑将来数据库的增长，数据库数据饱和度的监控工具

·precautions for necessary migration of data (annex 11p17) at the end of the life-cycle of the system.

·在系统的生命周期结束时必要的数据迁移预防措施（附录11页17）

5. At whichphases of the system life-cycle is risk management recommended? H+V February2011

推荐在系统的生命周期哪个阶段进行风险管理？H+V 2011年2月

Risk managementshould be applied throughout the whole life-cycle. A first risk assessmentshould be performed to determine the GMP criticality of the system, i.e. doesthe system have an impact on patient safety, product quality or data integrity?User-requirement specifications are usually developed with consideration ofpotential risks and form the basis for the first formal risk assessment.

风险管理适用于整个生命周期。首次风险评估应在决定系统的GMP关键性时实施，即，确认系统是否对患者安全、产品质量或数据完整性造成影响？一般在此时考虑潜在风险，建立用户需求手册，形成首次正式风险评估的基础。

Complex systemsshould be evaluated in further more detailed risk assessments to determinecritical functions. This will help ensure that validation activities cover allcritical functions.

复杂系统要对更多更详细的风险进行评估，以决定其关键功能。这将有助于保证验证活动覆盖所有关键功能。

Risk managementincludes the implementation of appropriate controls and their verification.

风险管理包括实施适当的控制及对其进行核实。

6. Are userrequirements needed as part of the retrospective validation of legacy systems?H+V February 2011

遗留系统的回顾性验证是否还需要用户需求手册？H+V 2011年2月

The way tocheck whether a computerised system is fit for its intended purpose is todefine user requirements and perform a gap analysis to determine the validationeffort for retrospective validation. These user requirements should beverified.

检查一个计算机化系统是否适合其既定用途的方法就是定义用户需求，进行差距分析来决定回顾性验证的要求。该用户需求要进行核实。

7. When do Ihave to revalidate computerised systems? H+V February 2011

我要在什么时候再验证计算机化系统？H+V 2011年2月

Computerisedsystems should be reviewed periodically to confirm that they remain in avalidated state. Periodic evaluation should include, where applicable, thecurrent range of functionality, deviation records, change records, upgradehistory, performance, reliability and security. The time period for revaluationand revalidation should be based on the criticality of the system.

计算机化系统应进行周期回顾，确认其仍处于验证状态。周期性评估应包括，适用时，功能的目前范围、偏差记录、变更记录、升级历史、性能、可靠性和安全性。再评估和再验证的周期应基于系统的关键性。

8. What arethe requirements for storage time of electronic data and documents? H+VFebruary 2011

电子数据和文件的存贮时长要求是什么？H+V 2011年2月

Therequirements for storage of electronically data and documents do not differfrom paper documents. It should be ensured that electronic signatures appliedto electronic records are valid for the entire storage period for documents.

电子数据和文件的存贮要求与纸质文件没有区别。要保证应用于电子记录的电子签名在整个文件的存贮期内均有效。

9. What arethe relevant validation efforts for small devices? H+V February 2011

小型装置的相关验证要求是怎么样的？H+V 2011年2月

Small devicesare usually off-the-shelf pieces of equipment that is widely used. In thesecases, the development life-cycle is mainly controlled by the vendor. Thepharmaceutical customer should therefore reasonably assess the vendor’scapability of developing software according to common standards of quality.

小型装置，通常是现成的设备部件被广泛应用。在这种情况下，生命周期的开发主要由供应商来控制。药业客户应根据常规质量标准合理评估供应商的软件研发能力。

A vendorassessment needs to be performed and the application needs to be verifiedagainst the requirements for the intended use. From the perspective of theregulated industry, the implementation of such a device is driven by animplementation life-cycle. At minimum the following items need to be addressed:

要进行供应商评估，应用程序要根据既定用途进行核实。从法规规范的行业角度来说，实施这样的装置是要涵盖整个生命周期的。至少需要说明以下项目：

lrequirement definition for the intended use includingprocess limitations. This should also include a statement indicating whetherdata are stored or transferred to another system. As per the definition of asmall device, data are not stored permanently but temporarily and are not to bemodified by a user. Therefore, limited user access handling is acceptable. Itneeds to be ensured that parameter data influencing the device's behaviour maynot be altered without suitable permission;

l既定用途的需求定义，包括工艺限度。这还应该包括一份声明，说明是否数据会存贮或转移至另一个系统。正如小型装置的定义，数据是不能永久保存的，而只是临时的，不能由用户进行修改。因此，受限的用户进入权限处理是可以接受的。要保证影响装置的参数数据动作不会在没有适当允许的情况下被改变。

lrisk assessment, taking into consideration theintended use and the risk to patients for associated with the process supportedby the small device;

l风险评估，考虑既定用途和由小型装置支持的工艺伴随的患者风险

lvendor assessment;

l供应商评估

llist of available documentation from the vendor,especially those describing the methodology used and the calculation algorithm,if applicable. A vendor certificate or equivalent detailing the testingperformed by the vendor may also be included;

l供应商提供的可获得文件的清单，如可行的话，特别是那些描述所使用的方法法和计算方法的文件。还可以包括供应商证书或供应商所做的对等的详细测试。

lcalibration certificate, if applicable;

l校正证书，适用时

lvalidation plan according to the risk-assessmentresults;

l根据风险评估结果制订的验证计划

lverification testing proving that the device fulfillsthe requirements for the intended use. It may be equivalent to a PQ-phase.

l性能确认证明装置满足既定用途要求。相当于PQ阶段

Smallmanufacturing devices are sometimes only equipped with microprocessors andfirmware and are not capable of high-level administration functions. Moreover,data is often transient in nature in these devices. Due to the latter there isno risk of inadvertently modifying data. An audit trail is therefore notnecessary and user access may be limited to those functions of parametercontrol.

小型生产装置有时只是微处理器和固件，不具备高端管理功能。另外，数据通常只是短暂地存贮在这些装置内。基于后者，并没有不可逆修改数据的风险。因此不需要具备审计追踪功能，进入参数控制的用户权限可能需要进行限制。

10. Whatalternative controls are accepted in case a system is not capable to generateprintouts indicating if any of the data has been changed since the original entry?H+V February 2011

如果系统不能产生打印指示是否上次原始输入后有数据被更改，那可以什么样的替代控制是可以接受的？H+V 2011年2月

As long as thisfunctionality is not supported by the supplier, it may be acceptable todescribe in a procedure the fact that a print-out of the related audit trailreport must be generated and linked manually to the record supporting batchrelease.

如果供应商不支持该功能，也可以接受在规程里描述必须生成相关审计追踪报告的打印事实，并手工链接到支持批放行的记录。