
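Pharmaceutical Engineering: A Beginner's Guide to Computerized System Audits

留在家里 2023-10-16, published in Zhejiang

Ximen's ramblings (西门之碎碎念):

This article comes from "A Beginner’s Guide to IT System Inspection Readiness" in the May/June 2021 issue of ISPE's Pharmaceutical Engineering.

I really could not resist translating it. If you find this offensive, contact me through the back end and I will delete it. This article is not for any commercial use; it is for study only.

The author of this article is Anders VIDSTRUP.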


This article provides a beginner’s overview of how organizations can achieve a state of preparedness (readiness) for inspections, with a specific focus on IT systems.

Computerized systems are increasingly integrated into the pharmaceutical business, including within regulated Good Laboratory Practice (GLP), Good Clinical Practice (GCP), Good Pharmacovigilance Practice (GPvP), and Good Manufacturing Practice (GMP) domains and supporting activities. In turn, regulatory authorities conduct inspections to ensure that life sciences companies, clinical research teams, and other related organizations understand and comply with the regulations established to protect patient safety, product quality, and data integrity. As a result, computerized systems are a key focus area during audits and inspections.

“Computerized systems” is a broad term. In this article, it will be a synonym for process control systems, laboratory equipment with embedded computerized systems, and applications used for GxP purposes in general that are made up of infrastructure, software, supported processes, and “people aspects” such as training and qualification. This definition can relate to solutions from cloud-based services such as infrastructure, platform, and software as a service (IaaS, PaaS, and SaaS) or on-premises solutions.

RESOURCES

Simple questions often have extremely complex answers. It may take time to find the right individuals to provide the appropriate information.

Information on general approaches to inspections of computerized systems and the documentation to support such inspections can be found in:

  • ISPE GAMP® 5 Guide: Compliant GxP Computerized Systems1

  • Appendix M6: Inspection Readiness in ISPE GAMP® Guide: Records and Data Integrity2

  • US FDA’s “Inspections of Computerized Systems in Drug Processing”3

  • Section 24 (checklists and memory aids) in the Pharmaceutical Inspection Convention/Pharmaceutical Inspection Co-Operation Scheme’s “PIC/S Good Practices for Computerised Systems in Regulated 'GxP’ Environments”4

General requirements to support inspections of computerized systems can be found in:

  • Chapter 7: Outsourced Activities in “EudraLex, Volume 4: EU Guidelines for GMPs for Medicinal Products for Human and Veterinary Use”5

  • Annex 11: Computerised Systems in “EudraLex, Volume 4”6

  • US FDA Compliance Policy Guide, Section 425.200, Computerized Drug Processing; Vendor Responsibility (CPG 7132a.12)7

  • EMA’s “Q&A: Good Clinical Practice (GCP)”8

PREPARING FOR INSPECTION

Regulators usually announce inspections ahead of time. Depending on the type of inspection, they may commonly provide between two and six weeks’ notice.

Once notice is given, the initial activities are to identify and confirm the scope of the inspection, its location, and the type of inspection (e.g., new drug application [NDA], routine, or a combination thereof). This information will help to identify which IT systems will potentially be covered within the scope and remit of the inspection.

An organization should plan to be inspection-ready at all times, and to support this, it is necessary to have a governance structure led by an inspection steering committee that can coordinate several key activities, including the following:

  • Providing an overview of IT systems in scope and the related business processes

  • Managing communication setup, planning, and availability of persons to be involved (e.g., system owners, system managers, specialists, and suppliers)

  • Handling any necessary gap analysis activities, including corrective actions (refer to the checklist mentioned later in this article)

  • Preparing technical setup for inspections (e.g., demonstration of the IT system, tours of facilities including data centers)

  • Ensuring it will be possible to respond to technical questions and provide evidence at short notice (e.g., test evidence related to backup and restore processes)

  • Planning mock inspections if the organization is not accustomed to receiving regulatory inspections

  • Planning the process for provision of electronic records in a secure format to the regulator if required during, or after, the inspection

It is the steering committee’s responsibility to ensure the organization is well prepared for upcoming inspections. A good way to substantiate this preparedness is to hold mock inspections so that everyone involved becomes familiar with inspection procedures and expectations of the process.


ORGANIZING DURING INSPECTION

During the conduct of the inspection, several activities will require attention. They can be briefly summarized as:

  • Collecting, interpreting, distributing, and controlling questions raised by the inspector

  • Locating the appropriate documentation and delivering this to the inspector upon request in a timely manner

  • Coordinating answers and documentation to the inspector

  • Communicating daily with relevant parties to share information on questions raised, answers, and the plan for the next day of the inspection

Inspection and Preparation Rooms

For practical purposes, it is valuable to have at least two dedicated meeting rooms established for the inspection process: one room designated the “inspection room,” where the inspector conducts requests plus a room (or two) where the organization’s employees may prepare.

The inspection room is where the inspection is hosted and the dialogue between the inspector and relevant employees is conducted. It is recommended to assign an employee to the role of secretary to record requests. For the secretary, the use of an online/real-time tool is useful so individuals supporting the inspection within or outside the inspection room can see the requests. It is vital that those in the preparation room(s) have the ability to follow the progress of the inspection in the inspection room without interrupting the inspector.

During the inspection, one or more support staff members should be assigned to serve as runners. Their responsibilities are to move between the inspection and preparation rooms, coordinating the requests and provision of responses, while also escorting additional people, as required, into the inspection room to respond.

All coordination for the inspection takes place in the preparation room(s). In this space, employees manage all requests for materials and plan and prepare those materials for presentation to the inspector. Runners communicate timelines and status from the preparation room(s) to the host (typically an accountable person from the business and quality management team) in the inspection room. Figure 1 demonstrates how documentation requested for the inspection can be tracked.

Members from the steering committee or management team related to IT systems are represented in the preparation room(s), where they continuously follow the trend of questions and identify potential IT areas/systems within the inspection scope. Based on this surveillance, the prioritization of activities at the system owner/manager level can be determined and communicated. Particular lines of questioning associated with an IT system (for example, access control, backup testing, or data integrity) can also be communicated to those responsible for other in-scope systems during the inspection to allow them to prepare for similar questions and provide responses in a timely manner.

The use of preparation rooms also allows coordination of the flow of people into the inspection room to present materials and respond to questions. Depending on the size of the team and the office setup, a separate room could be used for this purpose. The goal is to limit the number of people within the inspection room at any one time, and to ensure that the movement of people in and out of the room does not disturb the flow of questioning/topics from the inspector’s perspective.

It is important that a person experienced with inspections oversees the person answering the inspector’s questions and providing supporting documentation. To further support the inspection in the best way, the person answering the inspector’s questions is typically expected to:

  • Provide a brief description of the working procedures and documents

  • Answer questions from the inspector

  • Seek clarification for any questions that are not clearly defined or understood

During preparation, it is recommended that attention is focused on the following areas to prevent misunderstandings or errors:

  • Ensuring that the documentation presented answers the questions asked

  • Ensuring that the result/conclusion is clear from the documentation presented

  • Reviewing the documentation to make sure that it can be used: for example, no notes pinpointing faults are attached, all applicable signatures are applied, and the correct document version is presented

  • Applying tags (#1, #2, etc.) to longer documents, as appropriate, so the relevant information can be easily located

  • Presenting only the information necessary to support the answers to questions raised, while excluding too much or irrelevant documentation

  • Ensuring that all documentation is copied, registered, and stamped in line with the organization’s documentation policies

When these tasks are satisfactorily completed, the person is “released” as ready to enter the inspection room. Staff in the preparation room(s) will manage this entrance; it is recommended that the person attends the session before their allocated time slot to help them become comfortable with the style of the inspection and the atmosphere in the room.

Case Example

The following is an example of IT systems–related questions provided by an EMA inspector on a GxP application about the organization’s handling of adverse events, and the related preparation activities.

  • The inspector’s questions are:

  1. How do you manage backup?

  2. Is the backup qualified?

  3. I would like to see the disaster and recovery plans.

Preparation Room Discussion

To address question 1 (How do you manage backup?), staff in the preparation room cover the following issues:

  • Are procedures in place internally and at the service provider as well?

  • Are all servers included in the backup according to the configuration item list for the application?

  • If the backup has failed, do we follow the procedure? How is information provided between the service provider and us?

  • What backup method is used?

  • What is stated in the agreements (service level agreement/statement of work) between our company and the service provider handling backups?

For the inspector’s second question (Is the backup qualified?), key areas for preparation are:

  • What version of is used?

  • Are all the required documents in place (qualification)?

  • What has been included in the challenge test supported by the conducted risk assessment?

  • What is the split of responsibilities between the backup service provider and the system/application owner?

  • Are there any issues with the backup system which we need to be aware of?

For the inspector’s third request, about the disaster and recovery plans, the staff in the preparation room review:

  • Are procedures in place specifically for the applications?

  • What is the split between our procedures and service provider procedures?

  • When was disaster and recovery planning last tested?

  • What is the process for data recovery?

Inspection Room Strategies

The employees meeting with the inspector provide a high-level explanation that hosts the backup on servers related to the specific application. Their strategies include:

  • Having documentation about daily backup operation procedures ready to show to the inspector

  • Providing the name of the backup system

  • Explaining that the servers are backed up daily following the standard operating procedure (SOP), which also describes the retention period, and being prepared to present the SOP documents

  • Confirming that the backup system is qualified according to the quality management system (QMS) process, and having any relevant reports available to present

  • Confirming that backup and restore functionality is a part of qualification

Regarding the inspector’s request to see the organization’s disaster and recovery plans, the employees explain that the overall disaster and recovery plans for the service provider and central backup system are confidential and may not be disclosed to third parties (a reference to the specific company policy is provided). The employees further explain that the overall plan is implemented by an instruction in both the service provider’s QMS and the company’s own QMS, and they have the instruction available to show to the inspector.

Finally, to demonstrate that the organization properly conducts backups, the employees are prepared to provide evidence for the previous week’s completed backup.
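The preparation-room check that every server on the application's configuration item list is backed up, combined with the evidence for the previous week's completed backups, can be produced mechanically. The following is an added example, not part of the original article; the server names, the log format and the sample lines are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): the application's
# configuration item (CI) list and one week of backup job results in a
# hypothetical "<date> <server> <status>" export format.
CI_SERVERS = ["app-srv-01", "db-srv-01", "file-srv-01"]

BACKUP_LOG = """\
2023-10-09 app-srv-01 SUCCESS
2023-10-10 app-srv-01 SUCCESS
2023-10-11 app-srv-01 SUCCESS
2023-10-12 app-srv-01 SUCCESS
2023-10-13 app-srv-01 SUCCESS
2023-10-14 app-srv-01 SUCCESS
2023-10-15 app-srv-01 SUCCESS
2023-10-09 db-srv-01 SUCCESS
2023-10-10 db-srv-01 SUCCESS
2023-10-11 db-srv-01 SUCCESS
2023-10-12 db-srv-01 FAILED
2023-10-13 db-srv-01 SUCCESS
2023-10-14 db-srv-01 SUCCESS
2023-10-15 db-srv-01 SUCCESS
2023-10-10 old-srv-09 SUCCESS
"""


def parse_backup_log(text):
    """Parse '<YYYY-MM-DD> <server> <status>' lines into (date, server, status)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            # Reject malformed lines instead of silently dropping evidence.
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        day, server, status = parts
        records.append((date.fromisoformat(day), server, status.upper()))
    return records


def coverage_report(ci_servers, records, last_day, days=7):
    """Compare the CI list with backup results for the window ending on last_day."""
    window = [last_day - timedelta(days=n) for n in reversed(range(days))]
    in_window = [r for r in records if window[0] <= r[0] <= last_day]
    succeeded = {(day, server) for day, server, status in in_window
                 if status == "SUCCESS"}
    seen = {server for _, server, _ in in_window}

    # Days in the window without a successful backup, per CI server that has jobs.
    gaps = {}
    for server in ci_servers:
        if server in seen:
            missing = [d.isoformat() for d in window if (d, server) not in succeeded]
            if missing:
                gaps[server] = missing

    return {
        "never_backed_up": sorted(set(ci_servers) - seen),  # on CI list, no jobs
        "not_in_ci_list": sorted(seen - set(ci_servers)),   # jobs, but not on CI list
        "gaps": gaps,
    }


if __name__ == "__main__":
    report = coverage_report(CI_SERVERS, parse_backup_log(BACKUP_LOG),
                             last_day=date(2023, 10, 15))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Each non-empty entry in the report is a gap to explain or correct before the documentation is released to the inspection room.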

THE CHECKLIST

Based on this author’s experience, the regulated company should always be able to answer five basic questions about computerized systems:

  1. What does the system do?

  2. What are the potential product quality, patient safety, and data integrity aspects of the system?

  3. Who has access to the system?

  4. What does the system consist of?

  5. How do you know the system works as it should/is it fit for intended use?

The checklist in the Appendix (available at ISPE.org/it-systems-checklist) can be used to prepare to answer these questions. It is built upon good practice gained from knowledge of auditing, previous inspections, and guidelines from the authorities. It does not cover all situations. However, if the company can respond “yes” to all questions and individuals are able to practice answers and responses, significant problems are unlikely to occur during the inspection. The checklist is generic and therefore does not take into consideration any local requirements.


SPECIFIC SCENARIOS

The following sections review some scenarios that can be especially challenging during inspection of computerized systems.

Providing an Up-to-Date Inventory

Larger companies should have a dependable enterprise architecture in place to provide an up-to-date inventory of computerized systems when inspected. Some companies have a holistic IT solution that covers all information; other companies have a local inventory list in each department and then consolidate those lists as a part of the inspection-readiness process. Figure 2 illustrates a spreadsheet tool for inventorying computerized systems.

The following data could be stored in a central repository, or system inventory, to support inspections:

  • Software/service name and possible vendor(s)

  • Software category

  • Current version

  • Original go-live year

  • Criticality

  • Life-cycle status

  • Level of user access

  • Security measures

  • Link to user guides

  • Agreements/operational level agreements

  • System access

  • Dependencies’ business processes

  • Responsibilities

  • Interfaces

The process of maintaining the system inventory should be described in an SOP. If those data are not held in a central repository such as a system inventory, a job aid specifying the location and points of contact could be useful.

Inspector Access to Computerized Systems

In the past, it would have been very unusual for an inspector to request direct access to systems. When such requests are made, the host will usually have an experienced system user log on to the system and then the inspector indicates which transactions or data they wish to see. Demonstration of systems should be planned in advance to make sure relevant functionality and related data are shown appropriately.

A significant barrier to inspector access is the need to create an approved user ID and provide the appropriate system training to the inspector. Typically, inspectors should only be granted access to a guest network for administrative purposes. During an inspection, segregation between the internal network and guest network must be possible.

Requests for Electronic Computer Records

During inspections, it is not unusual for an inspector to request an electronic copy of records from the computerized system. Inspectors may also request access to audit trail data, which they then analyze using tools that search for unusual patterns in the audit trail that could hint toward data integrity issues.

When considering such requests, the company should clearly understand what data are requested, in which format records should be provided, and on what media. When providing an electronic copy of a record, it is preferable to use a validated export function in the computerized system. If data are to be extracted from a database or similar system, it might be necessary to make a script to transfer the data. This script must be specified, reviewed, and tested to make sure it works properly. In all cases, the method for copying electronic data should be documented.

To verify what data are delivered to the inspector, a digital fingerprint on the files should be made. This could be done via an MD5 (message digest algorithm 5) hash code. This is documented together with an electronic copy of the record. In addition, company security protocols (e.g., regarding the use of removable media, virus checking, and data encryption) must also be followed.
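One way to produce and later re-check the digital fingerprint described above, as an added example that is not part of the original article. It records the MD5 digest the article names and, as an assumption of this example, a SHA-256 digest beside it, because MD5 is not collision-resistant; the request ID and file names are hypothetical.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB chunks so large exports are not loaded whole


def fingerprint(path: Path) -> dict:
    """Return size, MD5 and SHA-256 of one file."""
    # usedforsecurity=False (Python 3.9+) keeps MD5 usable on FIPS-mode hosts.
    md5 = hashlib.md5(usedforsecurity=False)
    sha256 = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "size": path.stat().st_size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def build_manifest(export_dir: Path, request_id: str) -> dict:
    """Fingerprint every file under export_dir, keyed by its relative path."""
    files = {
        p.relative_to(export_dir).as_posix(): fingerprint(p)
        for p in sorted(export_dir.rglob("*"))
        if p.is_file()
    }
    return {
        "request_id": request_id,  # hypothetical inspection request reference
        "created_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": files,
    }


def verify_manifest(export_dir: Path, manifest: dict) -> dict:
    """Compare a directory with a stored manifest; three empty lists mean no change."""
    recorded = manifest["files"]
    current = build_manifest(export_dir, manifest["request_id"])["files"]
    common = recorded.keys() & current.keys()
    return {
        "missing": sorted(recorded.keys() - current.keys()),
        "unexpected": sorted(current.keys() - recorded.keys()),
        # Size or either digest differing marks the file as modified.
        "modified": sorted(name for name in common if recorded[name] != current[name]),
    }


if __name__ == "__main__":
    import json
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample export, standing in for records copied for an inspector.
        (root / "audit_trail.csv").write_bytes(b"id,user,action\n1,jdoe,login\n")
        manifest = build_manifest(root, "REQ-0001")
        print(json.dumps(manifest, indent=2))

        # Simulate a change after the manifest was documented.
        (root / "audit_trail.csv").write_bytes(b"id,user,action\n1,jdoe,logout\n")
        print(verify_manifest(root, manifest))
```

Store the manifest with the documented copy of the records and outside the export directory, so that it is not itself fingerprinted on the next run.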

Global Multisite System Inspection

Some systems (e.g., enterprise resource planning) might be maintained at the corporate level. If the inspection is at a site level, it is important that the system owner can provide the necessary support to the local site. In general, validation of generic features is done centrally, and specific flows and functions are validated locally. This split should be clearly identified in the validation documentation and associated SOPs. As a part of the planning for inspection, planning participants should determine who will provide what kind of evidence to inspectors. Special attention should be given to SOPs covering how change control for the IT system, risk management, and incidents are managed between the corporate level and site level.

Supplier Involvement

In today’s world of cloud-based systems (IaaS, PaaS, and SaaS), much of the essential documentation discussed in this article may only be available from the cloud computing service provider (supplier).

The QMS at the regulated company should include the management of outsourced activities because the regulated company retains ultimate responsibility for the system validation and therefore must ensure processes are in place to ensure the control and review of outsourced activities. The regulated company is responsible for the suitability of computer systems (hardware and software) used in the manufacture, processing, or holding of a drug product.

Basic Recommendations

As a minimum, it is recommended that organizations ensure the following:

  • Quality system and audit information relating to suppliers or developers of software and implemented systems/services is made available to inspectors on request.

  • The organization has formal quality agreements with all suppliers, and these agreements include clear statements to:

    • Define the system owner’s and suppliers’ roles in making and maintaining original documents or true copies in accordance with cGMP or other GxP regulations

    • Explain how those records will be made readily available for inspection

    • Indicate that electronic records will be stored in accordance with cGMP or other GxP regulations and will be immediately retrievable during the required record-keeping time frames established in applicable regulations

    • Indicate how suppliers will support inspections both through specialists and documentation

  • The organization documents its monitoring and review of the supplier’s performance, including the identification and implementation of any required corrective and preventive actions or improvement(s).

Requirements for Clinical Trial Sponsors

Regarding the level of qualification/validation required of a clinical trial sponsor when using an electronic system previously qualified by a supplier, the EMA Q&A for GCP states:8

The system in question may be a system validated by the supplier, but installed at the sponsor, or a system provided as software-as-a-service (SaaS or cloud solution).…

According to ICH E6(R2), sections 5.2.1 and 5.5.3.a, respectively, “the ultimate responsibility for the quality and integrity of the trial data always resides with the sponsor” and “the sponsor should ensure and document that the electronic data processing system(s) conforms to the sponsor’s established requirements for completeness, accuracy, reliability, and consistent intended performance (i.e., validation).”

According to ICH E6(R2), section 1.65., validation of computerized systems is “a process of establishing and documenting that the specified requirements of a computerized system can be consistently fulfilled from design until decommissioning of the system or transition to a new system.”

The sponsor may rely on qualification documentation provided by the supplier if the qualification activities performed by the supplier have been assessed as adequate. However, the sponsor may also have to perform additional qualification/validation activities based on a documented risk assessment.

The conditions for a sponsor to use the supplier’s qualification documentation include, but are not limited to, the following:8

  • The sponsor has thorough knowledge of the vendor’s quality system and qualification activities, which will usually be obtained through an in-depth assessment/audit.

  • An assessment/audit has been performed by qualified staff, with sufficient time spent on the activities and with cooperation from the vendor.

  • An assessment/audit has gone sufficiently deep into the activities, and a suitable number of examples for relevant activities has been reviewed (and documented).

  • The assessment/audit report determined that the vendor’s qualification documentation is satisfactory, or that shortcomings can be mitigated by the sponsor (e.g., the sponsor is performing part of the qualification).

  • When required during a GCP inspection, the qualification documentation is made available to the inspectors in a timely manner, irrespective of whether it is provided by the sponsor, the contract research organization, or the vendor.

  • Both the sponsor and the vendor establish full configuration management for qualification and production environments, and establish that the sponsor can fully account for any differences between the vendor’s validation environment and the sponsor’s production environment; subsequently, the sponsor should justify any differences that are considered insignificant. If this is not done, the qualification effort potentially does not justify the use of the system.

  • The sponsor performed an installation qualification/performance qualification if the system depends on trained users.

The EMA Q&A for GCP notes the following about potential pitfalls in contractual relationships with electronic systems vendors in relation to clinical trials:8

Special consideration should be given on relevant training and quality systems. Experience suggests that vendors accepting tasks regarding electronic systems are frequently knowledgeable about IT systems and sometimes data protection legislation, but not necessarily on ICH E6(R2) requirements, quality systems, etc.

Vendors must be able to document knowledge on, for example, GCP and compliance. Agreements should state that the clinical trial sponsor can access conduct audits at the vendor site, and that the vendor site agrees to allow inspections by national and international authorities. In addition, agreements need to specify that vendors shall provide the necessary documentation (e.g., qualification documentation prepared by the vendor concerning the system) when requested during a GCP audit/inspection process.

Vendors should have appropriate documentation in place. Any qualification documentation prepared by the vendor concerning the system should be available for inspection.

Furthermore, agreements should stipulate that the vendor will escalate any potential serious breaches to the sponsor in a timely manner. Serious breaches should be defined to include security breaches which the supplier becomes aware of (e.g., by notification from other sponsors using the same system), if the breaches could have any impact on the data integrity, reliability, and robustness, or the safety and rights of the trial subjects.

DATA INTEGRITY

Data integrity is a topic that spans processes and products in the regulated company. Some of the recommendations already mentioned in this article refer to data integrity. In addition, special attention should be given to the following areas.

General Procedures

General procedures focused on data integrity must be in place. Regulated companies should:

  • Consider record and data integrity within the context of broader inspection-readiness programs

  • Establish and maintain policies and procedures that ensure a constant state of inspection readiness

  • Have robust established procedures for all aspects of the system life cycle

  • Be prepared for regulatory inspections:

    • Focusing on the management of record and data integrity to verify the adequacy of controls

    • Using a forensic approach that challenges the data integrity of specific records

Accountability

The process owner and system owner are normally accountable for responding to system-specific questions during regulatory inspections. Process owners and system owners should be:

  • Knowledgeable about the documentation supporting the implementation, control, maintenance, use, and history of the system

  • Able to discuss any technical and procedural controls implemented to support the integrity of the creation, processing, and reporting of records and data

  • Able to share information about the requirements and testing of the data integrity relating to technical and procedural controls

  • Able to discuss the key computer system documents including requirements for data integrity controls and system security controls

Procedure Monitoring

From an operational point of view, there should be robust monitoring of the system, business, and IT support procedures to ensure that the processes are adequate and are being followed. Areas that should be routinely reviewed as part of monitoring to ensure inspection-readiness include:

  • Access control:

    • Access SOPs are in place and being followed.

    • Available user roles are documented and managed by change control.

    • Documentation shows that only authorized and trained people have system access.

    • Evidence shows that access is periodically reviewed (by automated checks where available).

    • Segregation of duties is enforced.

    • Generic accounts are not used for data modification.

    • Backdoor changes requiring IT tools and skills are authorized, verified, and documented.

    • Historic access records are properly retained.

  • Backup and disaster recovery:

    • Procedures for backup, restoration, disaster recovery, and record retention are documented and verified.

    • Documented evidence shows that records and data are periodically backed up.

    • Records retention policies are clearly defined and followed.

    • Records and data can only be accessed by authorized users (network and system).

    • Archived records are secure and accessible for the retention period.

    • Record and data maintenance is done correctly.

  • Audit trail:

    • Use SOP governs the timely recording of data.

    • Records are approved/signed only by authorized users.

    • Approvals are enforced at specific points in the business process.

    • Audit trail review (in accordance with risk) is integrated into the business process.
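
The access control and audit trail items above lend themselves to automated checks. The following Python sketch is an added example, not part of the original article: it runs such a periodic review over an exported audit trail. The account names, roles, record fields, and finding labels are all constructed assumptions.

```python
# Constructed sample data for illustration; none of it comes from the article.
AUTHORIZED = {"asmith": "analyst", "bjones": "reviewer", "cwu": "analyst"}  # user -> documented role
TRAINED = {"asmith", "bjones"}   # users with training evidence on file
GENERIC = {"admin", "labuser"}   # shared accounts (assumed naming)
APPROVER_ROLES = {"reviewer"}    # roles allowed to approve/sign records

AUDIT_TRAIL = [
    {"record": "R-001", "action": "modify", "user": "asmith"},
    {"record": "R-001", "action": "approve", "user": "bjones"},
    {"record": "R-002", "action": "modify", "user": "labuser"},  # generic account
    {"record": "R-003", "action": "modify", "user": "bjones"},
    {"record": "R-003", "action": "approve", "user": "bjones"},  # self-approval
    {"record": "R-004", "action": "approve", "user": "asmith"},  # role may not approve
    {"record": "R-005", "action": "modify", "user": "dlee"},     # not on access list
]

def review_access(authorized, trained):
    """Return users who hold system access without training evidence."""
    return sorted(u for u in authorized if u not in trained)

def review_audit_trail(trail, authorized, generic, approver_roles):
    """Return (record, finding, user) tuples for entries that break a control."""
    # First pass: who modified each record, so the check is order-independent.
    modifiers = {}
    for e in trail:
        if e["action"] == "modify":
            modifiers.setdefault(e["record"], set()).add(e["user"])
    findings = []
    for e in trail:
        rec, action, user = e["record"], e["action"], e["user"]
        if user in generic and action == "modify":
            findings.append((rec, "generic-account-modification", user))
        elif user not in generic and user not in authorized:
            findings.append((rec, "unauthorized-user", user))
        if action == "approve":
            if authorized.get(user) not in approver_roles:
                findings.append((rec, "approval-by-unauthorized-role", user))
            if user in modifiers.get(rec, set()):
                findings.append((rec, "segregation-of-duties", user))
    return findings

if __name__ == "__main__":
    print("Access without training:", review_access(AUTHORIZED, TRAINED))
    for finding in review_audit_trail(AUDIT_TRAIL, AUTHORIZED, GENERIC, APPROVER_ROLES):
        print(finding)
```

Retaining each run's output with a date and reviewer provides the documented evidence of periodic access review that the list calls for.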

CONCLUSION

The purpose of inspections is to demonstrate to regulators that the regulated company complies with requirements and implements controls in its QMS with the goals of patient safety, product quality, and data integrity. Inspections are more likely to have a successful outcome when organizations follow recommendations for validating and maintaining computerized systems. Further recommendations and guidance to support planning and preparing for inspections are available from ISPE.1,2

Above all, remember the 5Ps: Proper planning prevents poor performance.
