歐盟GMP附錄11-計算機系統(中英文對照)

EUROPEANCOMMISSION歐盟委員會HEALTHANDCONSUMERSDIRECTORATE-GENERAL衛(wèi)生與消費者協會PublicHealthandRiskAssessment公共衛(wèi)生與風險評估Pharmaceuticals藥品Brussels,SANCO/C8/AM/sl/ares(2010)1064599EudraLexTheRulesGoverningMedicinalProductsintheEuropeanUnion歐盟藥品生產規(guī)范Volume4卷4GoodManufacturingPracticeMedicinalProductsforHumanandVeterinaryUse人用與獸用藥品良好生產管理規(guī)范Annex11:ComputerisedSystems附件11：計算機系統Legalbasisforpublishingthedetailedguidelines:Article47ofDirective2001/83/EContheCommunitycoderelatingtomedicinalproductsforhumanuseandArticle51ofDirective2001/82/EContheCommunitycoderelatingtoveterinarymedicinalproducts.Thisdocumentprovidesguidancefortheinterpretationoftheprinciplesandguidelinesofgoodmanufacturingpractice(GMP)formedicinalproductsaslaiddowninDirective2003/94/ECformedicinalproductsforhumanuseandDirective91/412/EECforveterinaryuse.依法發(fā)布的具體指導方針：

2001/83/EC

第

47條人用藥品規(guī)范和

2001/82/EC

第

51

條獸用藥品規(guī)范。此文件為

2003/94/EC

人用藥品和

91/412/EEC

獸用藥品

GMP

法規(guī)、指導方針的解釋提供了指導。Statusofthedocument:

revision1文件版本：修訂本

1Reasonsforchanges: theAnnexhasbeenrevisedinresponsetotheincreaseduseof computerised systems and the increased complexity of these systems.ConsequentialamendmentsarealsoproposedforChapter4oftheGMPGuide.修訂原因：為增強計算機系統的功能和復雜性而修訂此附件。

相應修正案也已被提議作為

GMP

指南的第

4章。Deadlineforcomingintooperation:2011生效時間：2011年6月30日

30JunePrinciple 總則ThisannexappliestoallformsofcomputerisedsystemsusedaspartofaGMPregulatedactivities.Acomputerisedsystemisasetofsoftwareandhardwarecomponentswhichtogetherfulfillcertainfunctionalities.此附件適用于符合 GMP生產要求的所有形式的計算機系統。計算機系統是實現某項特定功能的軟件和硬件的組合。Theapplicationshouldbevalidated;ITinfrastructureshouldbequalified.應用程序應驗證， IT基礎設施應有權限設置。Whereacomputerisedsystemreplacesamanualoperation,thereshouldbenoresultantdecreaseinproductquality,processcontrolorqualityassurance.Thereshouldbenoincreaseintheoverallriskoftheprocess.用計算機系統代替手動操作應不對產品質量、過程控制和質量保證以及過程的整體風險產生影響。General 常規(guī)1.RiskManagement 風險管理Riskmanagementshouldbeappliedthroughoutthelifecycleofthecomputerisedsystemtakingintoaccountpatientsafety,dataintegrityandproductquality.Aspartofariskmanagementsystem,decisionsontheextentofvalidationanddataintegritycontrolsshouldbebasedonajustifiedanddocumentedriskassessmentofthecomputerisedsystem.風險管理應貫穿整個計算機系統生命周期，以保證病人安全、數據完整性和產品質量。作為風險管理系統的一部分，由計算機系統風險評估決定驗證范圍和數據完整性控制。2.Personnel人員ThereshouldbeclosecooperationbetweenallrelevantpersonnelsuchasProcessOwner,SystemOwner,QualifiedPersonsandIT.Allpersonnelshouldhaveappropriatequalifications,levelofaccessanddefinedresponsibilitiestocarryouttheirassignedduties.所有有關人員（如工藝管理員、系統管理員、質檢員和 IT人員）應緊密合作。這些人員應具有相應的資格證書、使用權限和定義好的相關工作職責。3.SuppliersandServiceProviders 供應商和服務供應商3.1Whenthirdparties(e.g.suppliers,serviceproviders)areusede.g.toprovide,install,configure,integrate,validate,maintain(e.g.viaremoteaccess),modifyorretainacomputerisedsystemorrelatedserviceorfordataprocessing,formalagreementsmustexistbetweenthemanufacturerandanythirdparties,andtheseagreementsshouldincludeclearstatementsoftheresponsibilitiesofthethirdparty.IT-departmentsshouldbeconsideredanalogous.3.1當第三方(如供應商、服務供應商 )為計算機系統、 相關服務或數據處理提供如供貨、安裝、配置、整合、驗證、維護 (如通過遠程訪問 )、修改或保持時，廠商和任何第三方之間必須有正式協議， 且在協議中應當明確第三方責任。 IT部門類似。3.2Thecompetenceandreliabilityofasupplierarekeyfactorswhenselectingaproductorserviceprovider.Theneedforanauditshouldbebasedonariskassessment.3.2供應商的實力和可靠性是選擇供應商產品或服務的關鍵因素，所以需要一個以風險評估為基礎的審計。3.3Documentationsuppliedwithcommercialoff-the-shelfproductsshouldbereviewedbyregulateduserstocheckthatuserrequirementsarefulfilled.3.3商業(yè)性標準文件應通過用戶審核并符合用戶需求。3.4Qualitysystemandauditinformationrelatingtosuppliersordevelopersofsoftwareandimplementedsystemsshouldbemadeavailabletoinspectorsonrequest.3.4軟件和應用系統開發(fā)商或供應商的質量體系和審計信息應便于核查人員查詢。ProjectPhase 項目階段4.Validation驗證4.1Thevalidationdocumentationandreportsshouldcovertherelevantstepsofthelifecycle.Manufacturersshouldbeabletojustifytheirstandards,protocols,acceptancecriteria,proceduresandrecordsbasedontheirriskassessment.4.1驗證文件和報告應包含系統生命周期的相關階段。廠商應能夠證明其標準、協議、驗收標準、規(guī)程和記錄都是基于其內部風險評估的。4.2Validationdocumentationshouldincludechangecontrolrecords(ifapplicable)andreportsonanydeviationsobservedduringthevalidationprocess.4.2驗證文件應包含驗證過程中的變更控制記錄（如適用）和偏差報告。4.3AnuptodatelistingofallrelevantsystemsandtheirGMPfunctionality(inventory)shouldbeavailable.4.3相關系統和其GMP功能（詳細目錄）的最新清單應有效。Forcriticalsystemsanuptodatesystemdescriptiondetailingthephysicalandlogicalarrangements,dataflowsandinterfaceswithothersystemsorprocesses,anyhardwareandsoftwarepre-requisites,andsecuritymeasuresshouldbeavailable.為對一個最新的關鍵系統進行詳細的系統描述 （如物理、 邏輯流程、數據流和與其他系統或進程的接口），任何硬件和軟件都是必須的，并應有安全措施。4.4UserRequirementsSpecificationsshoulddescribetherequiredfunctionsofthecomputerisedsystemandbebasedondocumentedriskassessmentandGMPimpact.Userrequirementsshouldbetraceablethroughoutthelife-cycle.4.4URS應基于風險評估和GMP影響性文件描述計算機系統的功能需求。用戶需求應貫穿整個系統生命周期。4.5Theregulatedusershouldtakeallreasonablesteps,toensurethatthesystemhasbeendevelopedinaccordancewithanappropriatequalitymanagementsystem.Thesuppliershouldbeassessedappropriately.4.5管理者應采取合理措施保證系統更新與最新的質量管理系統一致， 并對供應商作出適當的評估。4.6Forthevalidationofbespokeorcustomisedcomputerisedsystemsthereshouldbeaprocessinplacethatensurestheformalassessmentandreportingofqualityandperformancemeasuresforallthelife-cyclestagesofthesystem.4.6為驗證固化或自定義計算機系統，應對系統生命周期的每個階段都進行驗證，以確認正式評估、質量報告和業(yè)績評估報告。4.7Evidenceofappropriatetestmethodsandtestscenariosshouldbedemonstrated.Particularly,system(process)parameterlimits,datalimitsanderrorhandlingshouldbeconsidered.Automatedtestingtoolsandtestenvironmentsshouldhavedocumentedassessmentsfortheiradequacy.4.7應對測試方法和測試環(huán)境加以論證，特別是系統(工藝)參數范圍、數據范圍和錯誤處理。自動化測試工具和測試環(huán)境的合適性應該有書面的評估報告。4.8Ifdataaretransferredtoanotherdataformatorsystem,validationshouldincludechecksthatdataarenotalteredinvalueand/ormeaningduringthismigrationprocess.4.8數據轉化成其他格式或傳輸到其他系統時，驗證內容應包括檢查其數據值和/或含義在轉化或傳輸過程中沒有被改變。OperationalPhase 運行階段5.Data數據Computerisedsystemsexchangingdataelectronicallywithothersystemsshouldincludeappropriatebuilt-inchecksforthecorrectandsecureentryandprocessingofdata,inordertominimizetherisks.計算機系統和其他系統之間交換數據時， 應有適當的內部校驗， 以保證數據輸入和數據處理的正確性及安全性，以期讓風險降到最低。6.AccuracyChecks 精度檢查Forcriticaldataenteredmanually,thereshouldbeanadditionalcheckontheaccuracyofthedata.Thischeckmaybedonebyasecondoperatororbyvalidatedelectronicmeans.Thecriticalityandthepotentialconsequencesoferroneousorincorrectlyentereddatatoasystemshouldbecoveredbyriskmanagement.當手動輸入關鍵數據時， 應當復核數據的準確性。 此復核可以由另外的操作人員執(zhí)行或通過經驗證的電子方式進行。風險管理應考慮系統錯誤和系統誤輸入數據所造成的危險或潛在影響。7.DataStorage數據存儲7.1Datashouldbesecuredbybothphysicalandelectronicmeansagainstdamage.Storeddatashouldbecheckedforaccessibility,readabilityandaccuracy.Accesstodatashouldbeensuredthroughouttheretentionperiod.7.1數據應以物理和電子兩種方式保存，以避免丟失。存儲的數據應易查詢、可讀和準確，并在有效期內。7.2Regularback-upsofallrelevantdatashouldbedone.Integrityandaccuracyofback?updataandtheabilitytorestorethedatashouldbecheckedduringvalidationandmonitoredperiodically.7.2應定期備份相關數據。在定期驗證和檢測時，應檢查備份數據的完整性、準確性和其恢復數據庫的能力。8.Printouts打印輸出8.1Itshouldbepossibletoobtainclearprintedcopiesofelectronicallystoreddata.8.1儲存的電子數據應可被清晰打印。8.2Forrecordssupportingbatchreleaseitshouldbepossibletogenerateprintoutsindicatingifanyofthedatahasbeenchangedsincetheoriginalentry.8.2從最初開始的任何數據變更都應被打印在批放行紀錄上。9.AuditTrails審計跟蹤Considerationshouldbegiven,basedonariskassessment,tobuildingintothesystemthecreationofarecordofallGMP-relevantchangesanddeletions(asystemgenerated"audittrail").ForchangeordeletionofGMP-relevantdatathereasonshouldbedocumented.Audittrailsneedtobeavailableandconvertibletoagenerallyintelligibleformandregularlyreviewed.基于風險評估，系統中應考慮建立所有與 GMP相關的變更和刪除記錄 (系統產生的“審計跟蹤”)。與GMP相關的數據，其變更或刪除的原因應被記錄。審計跟蹤需轉換成一般可理解的形式并定期審核。10.ChangeandConfigurationManagement 變更和配置管理Anychangestoacomputerisedsystemincludingsystemconfigurationsshouldonlybemadeinacontrolledmannerinaccordancewithadefinedprocedure.計算機系統的任何變更 （包括系統配置的更換） 應當有控制地按照規(guī)定的程序進行。11.Periodicevaluation 周期性評估ComputerisedsystemsshouldbeperiodicallyevaluatedtoconfirmthattheyremaininavalidstateandarecompliantwithGMP.Suchevaluationsshouldinclude,whereappropriate,thecurrentrangeoffunctionality,deviationrecords,incidents,problems,upgradehistory,performance,reliability,securityandvalidationstatusreports.計算機系統應該定期進行評估以確認其仍有效并符合GMP標準。這樣的評估應該包括適應性、功能性、偏差記錄、事件、問題、歷史追溯、性能、可靠性、安全性和驗證狀態(tài)報告。12.Security安全性12.1Physicaland/orlogicalcontrolsshouldbeinplacetorestrictaccesstocomputerisedsystemtoauthorisedpersons.Suitablemethodsofpreventingunauthorisedentrytothesystemmayincludetheuseofkeys,passcards,personalcodeswithpasswords,biometrics,restrictedaccesstocomputerequipmentanddatastorageareas.12.1物理和/或邏輯控制器應能獨自限制進入計算機系統的授權人，并用適當方法防止未經授權的登錄 （可能包含密碼、 通行卡、個人密碼、生物識別的使用） ，以此限制進入電腦設備和數據存儲硬盤。12.2Theextentofsecuritycontrolsdependsonthecriticalityofthecomputerisedsystem.12.2安全控制的程度取決于計算機系統的危險等級。12.3Creation,change,andcancellationofaccessauthorisationsshouldberecorded.12.3通行許可的創(chuàng)建、變更和注銷都應被記錄。12.4Managementsystemsfordataandfordocumentsshouldbedesignedtorecordtheidentityofoperatorsentering,changing,confirmingordeletingdataincludingdateandtime.12.4數據和文件管理體系應記錄登錄人員的身份、 變更內容以及包括日期和時間的確認或刪除。13.IncidentManagement 事件管理Allincidents,notonlysystemfailuresanddataerrors,shouldbereportedandassessed.Therootcauseofacriticalincidentshouldbeidentifiedandshouldformthebasisofcorrectiveandpreventiveactions.所有事件（不僅指系統故障和數據錯誤）均應被記錄及評估。一個關鍵事件的根本起因也應該被鑒定并形成糾正和預防措施。14.ElectronicSignature 電子簽名Electronicrecordsmaybesignedelectronically.Electronicsignaturesareexpectedto:電子文件可用電子簽名。電子簽名將 :a．havethesameimpactashand-writtensignatureswithintheboundariesofthecompany,在公司范圍內電子簽名應有與手寫簽名具有同等的效果，b．bepermanentlylinkedtotheirrespectiverecord, 將永久與其各自的記錄相關聯，c．includethetimeanddatethattheywereapplied.應包括其使用的時間和日期。15.Batchrelease 批放行Whenacomputerisedsystemisusedforrecordingcertificationandbatchrelease,thesystemshouldallowonlyQualifiedPersonstocertifythereleaseofthebatchesanditshouldclearlyidentifyandrecordthepersonreleasingorcertifyingthebatches.Thisshouldbeperformedusinganelectronicsignature.當一個計算機系統用來記錄認證和批放行時， 系統應該只允許質量人員確認批放行，并且要清楚地識別和記錄放行人員的批動作或批證明。這才是電子簽名應履行的。16.BusinessContinuity 業(yè)務連續(xù)性Fortheavailabilityofcomputerisedsystemssupportingcriticalprocesses,provisionsshouldbemadetoensurecontinuityofsupportforthoseprocessesintheeventofasystembreakdown(e.g.amanualoralternativesystem).Thetimerequiredtobringthealternativearrangementsintouseshouldbebasedonriskandappropriateforaparticularsystemandthebusinessprocessitsupports.Thesearrangementsshouldbeadequatelydocumentedandtested.計算機系統所提供的關鍵工藝的有效性應被規(guī)定，以確保工藝流程在系統故障(如手動或替代系統 )的情況下持續(xù)運行。切換時間應基于風險，并適合特殊系統和其提供的工業(yè)流程。這些設置應該有充分的記錄和測試。17.Archiving歸檔Datamaybearchived.Thisdatashouldbecheckedforaccessibility,readabilityandintegrity.Ifrelevantchangesaretobemadetothesystem(puterequipmentorprograms),thentheabilitytoretrievethedatashouldbeensuredandtested.數據應