欧盟gmp附录11-计算机系统(中英文对照)

　 EUROPEAN COMMISSION

　欧盟委员会

　HEALTH AND CONSUMERS DIRECTORATE-GENERAL

　卫生与消费者协会

　Public Health and Risk Assessment 公共卫生与风险评估 Pharmaceuticals 药品

　Brussels,

　SANCO/C8/AM/sl/ares(2010)1064599

　EudraLex

　The Rules Governing Medicinal Products in the European Union

　欧盟药品生产规范

　Volume 4 卷4

　Good Manufacturing Practice

　Medicinal Products for Human and Veterinary Use 人用与兽用药品良好生产管理规范 Annex 11: Computerised Systems 附件11：计算机系统

　Legal basis for publishing the detailed guidelines: Article 47 of Directive 2001/83/EC on the Community code relating to medicinal products for humanuse and Article 51 of Directive 2001/82/EC on the Communitycode relating to veterinary medicinal products. This document provides guidance for the interpretation of the principles and guidelines of good manufacturing practice (GMP) for medicinal products as laid down in Directive 2003/94/EC for medicinal products for human use and Directive 91/412/EEC for veterinary use.

　依法发布的具体指导方针：2001/83/EC第47条人用药品规范和2001/82/EC第51 条兽用药品规范。此文件为2003/94/EC人用药品和91/412/EEC兽用药品GM法规、 指导方针的解释提供了指导。

　Status of the document: revision 1 文件版本：修订本 1

　Reasons for changes: the Annex has been revised in response to the increased use of computerised systems and the increased complexity of these systems. Consequential amendments are also proposed for Chapter 4 of the GMP Guide.

　修订原因： 为增强计算机系统的功能和复杂性而修订此附件。

　相应修正案也已被 提议作为GM指南的第4章。

　Deadline for coming into operation:

　30 June 2011

　生效时间： 2011年6月30日

　Prin ciple 总则

　This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components which together fulfill

　certain functionalities.

　此附件适用于符合GM生产要求的所有形式的计算机系统。计算机系统是实现某 项特定功能的软件和硬件的组合。

　The applicati on should be validated; IT in frastructure should be qualified.

　应用程序应验证，IT基础设施应有权限设置。

　Where a computerised system replaces a manual operation, there should be no resulta nt decrease in product quality, process con trol or quality

　assura nee. There should be no in crease in the overall risk of the process. 用计算机系统代替手动操作应不对产品质量、过程控制和质量保证以及过程的整 体风险产生影响。

　General 常规

　Risk Man ageme nt 风险管理

　Risk man ageme nt should be applied throughout the lifecycle of the computerised system tak ing into acco unt patie nt safety, data in tegrity and product quality. As part of a risk man ageme nt system, decisi ons on the extent of validation and data integrity controls should be based on a justified and docume nted risk assessme nt of the computerised system.

　风险管理应贯穿整个计算机系统生命周期，以保证病人安全、数据完整性和产品 质量。作为风险管理系统的一部分，由计算机系统风险评估决定验证范围和数据 完整性控制。

　Pers onnel

　人员

　There should be close cooperati on betwee n all releva nt pers onnel such as Process Owner, System Owner, Qualified Pers ons and IT. All pers onnel should have appropriate qualificati on s, level of access and defi ned resp on sibilities to carry out their assig ned duties.

　所有有关人员（如工艺管理员、系统管理员、质检员和IT人员）应紧密合作。这 些人员应具有相应的资格证书、使用权限和定义好的相关工作职责。

　Suppliers and Service Providers

　供应商和服务供应商

　Whenthird parties （e.g. suppliers, service providers） are used e.g. to provide, in stall, con figure, in tegrate, validate, mai ntai n （e.g. via remote access）, modify or retain a computerised system or related service or for data process ing, formal agreeme nts must exist betwee n the manu facturer and any third parties, and these agreeme nts should in clude clear statements of the responsibilities of the third party.

　IT-departme nts should be con sidered an alogous.

　3.1当第三方（如供应商、服务供应商）为计算机系统、相关服务或数据处理提供 如供货、安装、配置、整合、验证、维护（如通过远程访问）、修改或保持时，厂

　商和任何第三方之间必须有正式协议，

　且在协议中应当明确第三方责任。IT部门

　类似。

　The compete nee and reliability of a supplier are key factors whe n

　selecting a product or service provider. The need for an audit should be based on a risk assessme nt.

　3.2供应商的实力和可靠性是选择供应商产品或服务的关键因素，所以需要一个 以风险评估为基础的审计。

　Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requireme nts are

　fulfilled.

　3.3商业性标准文件应通过用户审核并符合用户需求。

　Quality system and audit information relating to suppliers or developers of software and impleme nted systems should be made available to in spectors on request.

　3.4软件和应用系统开发商或供应商的质量体系和审计信息应便于核查人员查 询。

　Project Phase 项目阶段

　Validatio n 验证

　The validati on docume ntati on and reports should cover the releva nt steps of the life cycle. Manu facturers should be able to justify their

　standards, protocols, acceptanee criteria, procedures and records based on their risk assessme nt.

　4.1验证文件和报告应包含系统生命周期的相关阶段。厂商应能够证明其标准、 协议、验收标准、规程和记录都是基于其内部风险评估的。

　Validati on docume ntati on should in clude cha nge con trol records （if applicable） and reports on any deviations observed during the validation process.

　4.2验证文件应包含验证过程中的变更控制记录（如适用）和偏差报告。

　An up to date listi ng of all releva nt systems and their GMP functionality （inventory） should be available.

　4.3相关系统和其GMP功能（详细目录）的最新清单应有效。

　For critical systems an up to date system description detailing the physical and logical arran geme nts, data flows and in terfaces with other systems or processes, any hardware and software pre-requisites, and security measures should be available.

　为对一个最新的关键系统进行详细的系统描述

　（如物理、逻辑流程、数据流和与

　其他系统或进程的接口），任何硬件和软件都是必须的，并应有安全措施。

　User Requireme nts Specificatio ns should describe the required

　fun cti ons of the computerised system and be based on docume nted risk assessme nt and GMP impact. User requireme nts should be traceable throughout the life-cycle.

　4.4URS应基于风险评估和GMP影响性文件描述计算机系统的功能需求。用户需 求应贯穿整个系统生命周期。

　The regulated user should take all reas on able steps, to en sure that the system has bee n developed in accorda nee with an appropriate quality man ageme nt system. The supplier should be assessed appropriately.

　4.5管理者应采取合理措施保证系统更新与最新的质量管理系统一致，

　并对供应

　商作出适当的评估。

　For the validation

　of bespoke or customised computerised systems there

　should be a process in place that en sures the formal assessme nt and

　report ing of quality and performa nee measures for all the life-cycle stages of the system.

　4.6为验证固化或自定义计算机系统，应对系统生命周期的每个阶段都进行验 证，以确认正式评估、质量报告和业绩评估报告。

　Evide nee of appropriate test methods and test sce narios should be dem on strated. Particularly, system (process) parameter limits, data limits and error handling should be considered. Automated testing tools and test en vir onments should have docume nted assessme nts for their adequacy.

　4.7应对测试方法和测试环境加以论证， 特别是系统(工艺)参数范围、数据范围 和错误处理。自动化测试工具和测试环境的合适性应该有书面的评估报告。

　If data are transferred

　to another data format or system, validation

　should in clude checks that data are not altered in value an d/or meaning

　during this migration process.

　4.8数据转化成其他格式或传输到其他系统时，验证内容应包括检查其数据值和 /或含义在转化或传输过程中没有被改变。

　Operatio nal Phase

　运行阶段

　Data 数据

　Computerised systems excha nging data electro nically with other systems should in clude appropriate built-i n checks for the correct and secure entry and process ing of data, in order to mini mize the risks.

　计算机系统和其他系统之间交换数据时，

　应有适当的内部校验，以保证数据输入

　和数据处理的正确性及安全性，以期让风险降到最低。

　Accuracy Checks

　精度检查

　For critical data entered manually, there should be an additional check on the accuracy of the data. This check may be done by a sec ond operator or by validated electronic means. The criticality and the potential con seque nces of erron eous or in correctly en tered data to a system should be covered by risk man ageme nt.

　当手动输入关键数据时，应当复核数据的准确性。此复核可以由另外的操作人员 执行或通过经验证的电子方式进行。风险管理应考虑系统错误和系统误输入数据 所造成的危险或潜在影响。

　Data Storage 数据存储

　Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be en sured throughout the rete nti on

　period.

　7.1数据应以物理和电子两种方式保存，

　以避免丢失。存储的数据应易查询、可

　读和准确，

　并在有效期内。

　Regular back-ups of all releva nt data should be done. In tegrity and accuracy of back ? up data and the ability to restore the data should be checked during validation and monitored periodically.

　7.2应定期备份相关数据。在定期验证和检测时，应检查备份数据的完整性、准 确性和其恢复数据库的能力。

　Prin touts 打印输出

　It should be possible to obtain clear printed copies of electronically stored data.

　8.1储存的电子数据应可被清晰打印。

　For records support ing batch release it should be possible to gen erate

　printouts

　indicating

　if any of the data has been changed since the original

　en try.

　8.2从最初开始的任何数据变更都应被打印在批放行纪录上。

　Audit Trails 审计跟踪

　Con siderati on should be give n, based on a risk assessme nt, to buildi ng

　into the system the creati on of a record of all GMP-releva nt cha nges

　and

　deleti ons （a system gen erated "audit trail"）. For cha nge or deletio n of GMP-releva nt data the reas on should be docume nted. Audit trails n eed to be available and conv ertible to a gen erally in telligible form and regularly reviewed.

　基于风险评估，系统中应考虑建立所有与 GMP相关的变更和删除记录（系统产生 的“审计跟踪”）。与GMP相关的数据，其变更或删除的原因应被记录。审计跟 踪需转换成一般可理解的形式并定期审核。

　Cha nge and Con figuration Ma nageme nt

　变更和配置管理

　Any cha nges to a computerised system in cludi ng system con figurati ons should only be made in a con trolled manner in accorda nce with a defi ned procedure.

　计算机系统的任何变更（包括系统配置的更换）应当有控制地按照规定的程序进 行。

　Periodic evaluatio n

　周期性评估

　Computerised systems should be periodically evaluated to confirm that they rema in in a valid state and are complia nt with GMP.Such evaluati ons should in clude, where appropriate, the curre nt range of function ality, deviati on records, in cide nts, problems, upgrade history, performa nce, reliability, security and validation status reports.

　计算机系统应该定期进行评估以确认其仍有效并符合

　GMP标准。这样的评估应该

　包括适应性、功能性、偏差记录、事件、问题、历史追溯、性能、可靠性、安全 性和验证状态报告。

　Security 安全性

　Physical an d/or logical con trols should be in place to restrict

　access to computerised system to authorised persons. Suitable methods of preventing unauthorised entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipme nt and data storage areas.

　12.1物理和/或逻辑控制器应能独自限制进入计算机系统的授权人， 并用适当方 法防止未经授权的登录（可能包含密码、通行卡、个人密码、生物识别的使用）， 以此限制进入电脑设备和数据存储硬盘。

　The extent of security controls depends on the criticality of the computerised system.

　12.2安全控制的程度取决于计算机系统的危险等级。

　Creation, change, and cancellation of access authorisations should be recorded.

　12.3通行许可的创建、变更和注销都应被记录。

　Managementsystems for data and for documents should be designed to record the ide ntity of operators en teri ng, cha nging, con firm ing or

　deleting data including date and time.

　12.4数据和文件管理体系应记录登录人员的身份、

　变更内容以及包括日期和时间

　的确认或删除。

　ncide nt Man ageme nt

　事件管理

　All in cide nts, not on ly system failures and data errors, should be reported and assessed. The root cause of a critical in cide nt should be identified and should form the basis of corrective and preventive actions. 所有事件（不仅指系统故障和数据错误）均应被记录及评估。一个关键事件的根 本起因也应该被鉴定并形成纠正和预防措施。

　Electro nic Sig nature 电子签名

　Electro nic records may be sig ned electr oni cally. Electro nic sig natures are expected to:

　电子文件可用电子签名。电子签名将：

　 have the sameimpact as han d-writte n

　sig natures with in the boun daries of the compa ny,

　在公司范围内电子签名应有与手写签名具有同等的效果，

　be perma nen tly lin ked to their respective record,

　将永久与其各自的记录相关联，

　include the time and date that they were applied.

　应包括其使用的时间和日期。

　Batch release 批放行

　Whena computerised system is used for recording certification and batch release, the system should allow only Qualified Pers ons to certify the release of the batches and it should clearly identify

　and record the person

　releas ing or certify ing the batches. This should be performed using an electr onic sig nature.

　当一个计算机系统用来记录认证和批放行时，系统应该只允许质量人员确认批放 行，并且要清楚地识别和记录放行人员的批动作或批证明。

　这才是电子签名应履

　行的。

　Busi ness Contin uity

　业务连续性

　For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity

　of support for

　those processes in the eve nt of a system breakdow n （e.g. a manual or alter native system）. The time required to bring the alter native arran geme nts into use should be based on risk and appropriate for a particular system and the bus in ess process it supports. These arran geme nts should be adequately docume nted and tested.

　计算机系统所提供的关键工艺的有效性应被规定，以确保工艺流程在系统故障 （如手动或替代系统）的情况下持续运行。切换时间应基于风险，并适合特殊系统 和其提供的工业流程。这些设置应该有充分的记录和测试。

　Archiving 归档

　Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be madeto the system （e.g. computer equipment or programs）, then the ability to retrieve the data should be ensured and tested.

　数据应被存档，并作访问性、可读性和完整性检查。如果系统作相关变更 （ 如计 算机设备或程序变更 ） ，其数据恢复能力应被保证和测试。

　Glossary 术语

　Application: Software installed on a defined platform/hardware providing specific functionality

　应用程序： 在某个特定平台安装的软件或提供某种特殊功能的硬件。

　Bespoke/Customized computerised system: A computerised system individually designed to suit a specific business process

　固化/ 自定义计算机系统： 适合某项特定业务流程的单个计算机系统。

　Commercial of the shelf software: Software commercially available, whose fitness for use is demonstrated by a broad spectrum of users.

　商业软件： 此软件应市场化、功能适用并且得到广大用户的认可。

　IT Infrastructure: The hardware and software such as networking software and operation systems, which makes it possible for the application to function.

　IT基础设施：满足某项功能的硬件和软件（如网络软件和操作系统）。

　Life cycle: All phases in the life of the system from initial requirements until retirement including design, specification, programming, testing, installation, operation, and maintenance.

　生命周期： 包含从初始要求提出到退役的所有系统生命阶段，其中包含设计、 详述、程序编制、测试、安装、运行和维护。

　Process owner: The person responsible for the business process.

　工艺管理员： 为工艺流程负责的人员。

　System owner: The person responsible for the availability, and maintenance of a computerised system and for the security of the data residing on that system.

　系统管理员： 对计算机系统的有效性、维护和系统数据安全负责的人员。

　Third Party: Parties not directly managed by the holder of the manufacturing and/or import authorisation.

　第三方： 不直接受雇于制造厂商和 / 或被授权的组织。