以下文章来源于 海螺研习社
最近国内GMP大大小小的群内流传着一份关于数据完整性的问答,问答来源于ECA“数据可靠性网络课程”对学员提问的问题的回答,具体因为ECA新闻稿可以参阅下文,感兴趣的朋友还可以在网上注册ECA的新闻稿,他们会定期发送欧美GMP的相关新闻给大家)作者Dr. Wolfgang Schumacher,有30余年的制药行业经验,不少转载和翻译方的评价是“他的这些回答可以作为大家实践问题的参考,分享给大家”云云。
笔者在浏览了这些问答后,深感不安,担心这些问答会误导国内的从业人员,给大家的日常事件带来不必要的困扰。为了以正视听,海螺研习社将相关问答的一家之言进行了评论。当然,海螺研习社也不是官方机构,相关评论基于“常识”和“科学”,以及参考学习了相关官方(FDA和MHRA)指南和我们自己多年实践的经验,不足之处,也欢迎业内专家斧正!
Question 1:Are the analytical data arising in the course of the validation of analytical procedures critical data?
提问:在分析方法验证过程中产生的分析数据是否属于关键数据?
Answer: No, since these data are released with the completion of the validation process and it only presents the basis for future analyses. Therefore there is only an indirect criticality; no audit trail review is required.
答:不是。因为这些数据在验证过程完成之后即放行,只能代表将来分析的基础。因此这只是间接关键性,不需要进行审计追踪审核。
海螺研习社观点:我们不能同意欧洲专家的意见。分析方法验证过程中产生的数据是方法验证真实性和科学性的基础,如果分析方法阶段的数据不完整有缺陷,将直接影响到方法本身的真实性和科学性,对于该产品所有批次的放行检测将带来风险和质疑。其影响范围实际比具体的某一批批放行数据的数据完整性更大更广泛。我们建议这部分的工作要严格符合数据完整性,需要进行审计追踪审核。
在实际的审计当中,我们也发现有不少中国企业方法验证阶段的数据完整性是缺失的,存在某一测试反复进行,数据达不到方案标准甚至验证失败的情况,如果不审核这些数据完整性,将给日常的检测放行测试带来更大的风险。实际上很多日常放行测试发生的偏差和OOS,究其本源就是方法验证阶段相关方法和操作就是不合格的,而没有真实的体现带来的问题。
Question 2:The calibration of equipment influences the correctness of data. Does this mean that the calibration is critical?
提问:设备校正会影响数据的正确性。这是否意味着校正是关键的?
Answer: Since the calibration influences the patient safety only indirectly no audit trail review is required
答:由于校正只会间接影响患者安全,因此不需要审计追踪审核。
海螺研习社观点:我们依然不能接受这个欧洲专家的观点。实际上我们认为仪器校正阶段的数据真实性和完整性将影响到多个产品多个方法的检测,其影响的范围会更大。校验不正确,直接影响到仪器的不正常,而这些数据如果不能真实的体现出来,将给多个产品多个测试方法的检测结果带来真实性的缺陷。
一样的,在现实的操作中,我们发现很多例仪器检验不合格没有被真实体现的案例。反复测试,串改数据以及降低标准批准的案例比比皆是。或许在欧美这类事件不会发生,但是在中国企业中,这类问题应该是值得我们高度重视的。
问答1和2或许会有人不重视的另一个原因可能是到目前为止,美国FDA也好欧洲官方检查也好,都没有对方法验证阶段和仪器校验阶段的数据完整性进行审核的例子。我们基于“科学”和“常识”的判断认为对于QC实验室来说,根据数据影响的范围大小,我们建议企业按照 仪器校验数据【影响面是多产品多方法】比方法验证【单一产品但是该产品的所有批次】数据重要,方法验证数据比稳定性数据【单一产品但是一段时间段的所有批次】重要,稳定性数据比批放行数据【单一产品单一批次】重要的原则来评估自己的数据完整性风险大小,关于这点,我们欢迎大家的商榷。
Question 3a:Practical example: What about a reactor control from production that has neither user management nor a password or an audit trail etc.? Is it allowed to continue using this control?
提问:实例:如果反应釜的生产控制没有用户管理,也没有密码或审计追踪等,会怎么样?是否允许继续使用此类控制?
Answer: It is definitively recommended to plan a replacement. The time of replacement depends on the product manufactured with the reactor. This defines the criticality.
答:绝对建议计划对此进行有计划的更换。更换的时间取决于反应釜所生产的药品。这是关键的。
海螺研习社观点:理论上,这点我们和欧洲专家的观点一致。在官方参与的培训中,US FDA和EDQM也曾经提到过对于生产用PLC权限管理,审计追踪等方面的要求,并有展出他们在检查中发现的相关缺陷的图片。但是实际上不论是制剂还是原料药的生产设备的数据完整性,目前实践操作中,欧美官方对于这些数据的审核力度还不能和QC实验室相提并论。其实践的力度有待于药监当局的监管力度,我们将密切关注其监管进展。
Question 3b:Practical example: What about a reactor control from production that has neither user management nor a password or an audit trail etc.? (The control concerned is the control of a reactor which is used for the manufacture of intermediates and APIs but not of final products). Is it allowed to continue using this control or does it have to be withdrawn from use?
提问:实例:如果反应釜的生产控制没有用户管理,也没有密码或审计追踪等,会怎么样?(这里涉及的受控反应釜是用于中间体和API生产,但不用于制剂生产)。是否可以继续使用这些控制,还是必须停止使用?
Answer: Thank you for clarifying the question. I do not think it is necessary to replace the reactor control immediately if it is used for the production of an intermediate. Recommendation: Assess all systems and equipment and arrange them according to priority classes (for instance by using a rather simple FMEA). This is used to define when to deal with the priority classes, for example Prio 1= until the end of 2017, Prio 2=until the end of 2018 etc…
答:谢谢你对问题的澄清。如果反应釜用于中间体的生产,我不觉得有必要立即替换此反应釜控制。建议:评估所有系统和设备,依据优先级别来对其进行安排(例如,使用相对简单的FMEA)。用此种方法来界定需要在何时处理不同优先级别,例如,第1优先=2017年年底,第2优先=2018年年底等……
海螺研习社观点:这点我们的意见和欧洲专家一致。但是我们要强调的是,在执行层面我们还是建议原料药企业采用人工纸质记录。FDA从2002年开始推行PAT技术(Process Analysis Technology, 工艺分析技术),但是至今由于化学反应本身的特性和复杂性,这一技术在业界的推广并不顺利。对于那些DCS系统应用较广的发酵控制工艺,洁净区温湿度控制计算机系统,我们的建议是人工纸质记录作为主要的正式记录反而有利于现场检查的顺利进行(当然你的计算机系统的数据不能和你的人工记录相互矛盾或冲突)。
Question 4: Is the audit trail review prior to the release of each batch a regulatory requirement or is it only recommended so far?
提问:在放行每批产品之前,是否有法规要求执行审计追踪审核,还是说目前为止只是建议?
Answer: Annex 11 requires the audit trail review. Inspectors consider the release of batches to be the most critical process of all.
答:附录11要求进行审计追踪审核。检查员认为批放行是所有内容中最关键的过程。
海螺研习社观点:我们支持欧洲顾问的观点,虽然类似的问题US FDA的官员在北美相关主题的培训时并没有明确表示“周期性审核”是“批批审核”。(也可以参见本文后的参考文献的规定)但是实际操作中,我们发现美国FDA的检察官如果现场提出来“是否有进行数据完整性审核”的时候,他们期望看到的是每批放行时有QA进行审核。尤其是系统刚刚建立之初,相关的数据完整性审核我们期望企业做到每批放行时进行。考虑到审计追踪的数据量极大,其中包括了很多非关键的数据,如果对于所有数据都一直由人工进行审核意义不大,并会极大地占用有限的人力资源。比较现实的操作方式是,这一模式运行一段时间(例如三个月或者半年)之后,企业可以根据审核过程中发现的问题多少,问题的性质,以及涉及的产品进行归类分析,按照风险等级进行评估。根据所用软件的特性,按照风险评估的结果,对于关键性的审计追踪数据保持每批放行前进行审核,对于其它非关键审计追踪数据定期进行抽查审核(例如将每批审核降低到多少批次审核一次或是多少时间审核一次)。当然相关的规定需要有SOP的支持,也需要有变更流程的控制,规定放行审核和定期抽查审核的具体方法。
Question 5: Hybrid systems: No audit trail retrofitting possible. What can be done?
提问:混合系统:审计追踪是无法更新的。这要怎么办呢?
Answer: First of all I would clarify all other criteria (access, user/admin profile, safety). How critical is this data? Plan a replacement according to the classification of the criticality (= priority) if the data is critical.
答:首先,应当说明所有其它标准(登入、用户/管理概况、安全性)。这些数据有多关键?如果数据关键,则依据关键等级(=优先级)来计划替换。
海螺研习社观点:如果公司财力能满足要求,那么欧洲顾问的建议是可行的。对于出口英国的企业来说,MHRA的指南有明确的要求,2017年底之前所有的分析仪器能做到数据完整性和全面审计功能的,都期望进行软件升级以符合要求。FDA的要求相对含糊。对于少量产品的单机系统的企业,我们建议的是用人工纸质记录去代替计算机自动的全面审计系统作为过度阶段的有利支持。
对于历史数据,不能追溯其数据完整性的数据,需要进行历史数据回顾和风险评估,这样的回顾需要涵盖产品的效期,可以分阶段分市场进行,官方检查时,尤其是美国FDA的检查时,对于历史数据的回顾是非常看重的,回顾的范围、深度、以及发现问题的整改(CAPA)有效性都是检察官综合考量的要素。强烈建议那些出口量较大的企业,对自己出口欧美的重点产品所有批号进行规范的历史数据审核来避免潜在的现场检查不通过的风险。
Question 6: Role concept: Is a user allowed to carry out a reintegration? (GC-system)
提问:角色概念:一个用户是否允许执行重新积分?(GC系统)
Answer: As far as I can see, the answer to this is 'no'. This should first be authorized by the Head of Laboratory stating the reason.
答:依我之见,回答是“不允许”。这首先需要化验室最高领导授权,并说明理由。
海螺研习社观点:任何手动积分和变更条件的自动积分都需要进行合理化解释后,并在主管的授权下进行,老的积分条件和图谱以及新的积分条件最好记录在案被查。这点我们和欧洲顾问的观点是一致的,只是我们不觉得这样的授权一定需要实验室最高领导授权,相关小组长或是主管身份的人即可授权进行这样的操作。当然这样的授权需要有SOP的规定,确保此操作是一个受控的行为并有相关记录支持。
Question 7: It is difficult to carry out the separation between the persons of administrator and user in the CDS. Is it possible that the admin and the user being the same person?
提问:在CDS里面很难将管理者与用户分开来。是否可能将管理者和用户授予同一人?
Answer:This is possible but it needs to be described in a SOP.
答:可以,但需要在SOP里描述。
海螺研习社观点:我们不支持欧洲专家的观点,实际上这样的操作很难保证,除非每次不同用户登录的时候都有照片或是视频证据证明。实际上目前国内商业化的成熟CDS软件都有至少两个层次的授权,管理者和用户完全可以实现分离账号。当然,我们是要提醒下大家,目前国内这类操作软件实际并不能做到全面审计追踪的功能。
Question 8: Process validation data are category 3 data - therefore no audit trail review is required. But isn't it required to carry out a review for the generation of validation measuring data?
提问:工艺验证数据是第3类数据---因此,不需要审计追踪审核。但是否需要对验证测量数据生成情况进行审核呢?
Answer: As you have stated correctly, validation data have the criticality of category 3. It is very unlikely that the user will carry out changes since there is no reason for falsification - in contrast to the batch release.
答:你是对的,验证数据的关键类别为3。由于并没有造假理由,因此用户不大可能对其进行修改----这与批放行情况是相反的。
海螺研习社观点:我们没有参加相关培训,不能了解所谓的分类标准是什么。但是基于常识和我们的经验,我们不认为国内企业对于工艺验证数据“没有造假理由”。实际上我们发现目前不少企业还存在着“为了验证而验证”的现象,相关的验证报告只是做给检察官看的。所以实际上工艺验证数据是需要符合审计追踪的,也应该被重点审核的。当然我们实际操作中重点是审核人工纸质记录的完整性和真实性。如果贵司大量使用了计算机化系统进行工艺验证控制,那么相关数据强烈建议符合数据完整性的基本要求,QA要进行电子数据审核。
Question 9: Hello, is it useful to review the "windows event viewer" for GxP devices?
提问:你好,对GXP装置审核“windows事件查看器”是否有用?
Answer: This is a good idea but it will probably not be realistic as too many events would be reported. Its use would anyway only be worth considering for systems which save data locally, and thank God this isn't done by many modern systems anymore.
答:这是个好主意,但可能并不现实,因为这里面会报告太多事件。只有当数据保存于本机时才认为值得考虑使用此方法,谢天谢地,许多现代化系统已经不再这么做了。
海螺研习社观点:基于我们对微软“Windows事件查看器”的了解,它是为了计算机Windows系统安全而建立的,所以它本身的默认设置仅仅记录的是Windows系统安全相关的事件,如系统时间更改,应用软件登陆登出异常的相关信息,以及用户信息等事件。对于应用软件内部的具体功能的具体操作、数据处理、数据备份和审核并不进行记录。举个例子来说,对于empower 3软件的登陆登出以及异常报错,事件查看器是记录的,但是empower 3中具体project的创建、修改、删除、备份,以及具体分析方法的创建/修改/删除/备份,事件查看器是没有具体的记录的。所以对于不少公司采用单机版控制的时候单纯设定事件查看器的权限来试图实现”全面审计”(audit trail)的功能,我们都认为是不合适的。实际操作中不少IR/UV/比旋光/颗粒度仪都存在这一问题,都需要用户高度重视。我们看到有些软件试图通过更改事件查看器的默认设置,在事件查看器上增加模块来实现全面审计追踪,但是实际操作中会出现各种缺陷和问题。出现问题的原因请参见10a问题中我们的观点。这个欧洲专家显然对这一问题的认知是不够的。
Question 10a: Must the report for a riew of the audit trail be generated by the system itself? Or is it possible to use another system which is better suited for carrying out analyses?
提问:审计追踪审核报告必须由系统本身生成吗?还是说可以使用另一个更为适当的系统来执行该分析?
Answer: Strictly speaking, the audit trail must be generated by the system itself ("system generated audit trail"). Which other system do you have in mind?
答:严格来说,审计追踪必须由系统本身生成(系统生成审计追踪)。你觉得有什么其它系统呢?
海螺研习社观点:结合10b的问题,我们不认为提问题的人理解什么是“audit trail”,但是从侧面我们也要注意,往往审计追踪功能是不能简单用软件补丁实现的。这点其实很好理解,在开发软件的时候如果一开始没有想好要将相关的代码执行自动捕捉并自动记录的话,后续补丁是很难实现这一基础功能的。在这里,我们不由自主的向Waters表达下敬意,他们的empower 3软件实现的功能不能不说是业内翘楚,其功能之强大和基础数据的审计追踪功能之强大真的是解释了什么叫做“全面”,进行过Empower 3软件计算机验证的同行应该会有共鸣。
Question 10b: I think, I did not express myself very clearly when asking the question: Is it only reviewed whether the process is still functioning in the course of the periodic reviews - hence, if the audit trail data is still recorded? Meaning: Functionality is documented by IT with a few samples.
提问:我想,我刚才问问题时没讲的太清楚:是否只是审核定期审核的时间间隔内,该流程仍在起作用---因而,是否仍有记录下审计追踪数据?也就是说,由IT记录采用少数样本来记录其功能。
Answer: Very correct!
答:非常正确!
海螺研习社观点:我还是没有看懂提问题的人的意思,我也不认为这个欧洲专家理解了。不过结合10a我们的评论,我们希望读者理解这个问题涉及的本质。从某个方面上看,我们比某些欧洲企业的人员还了解“数据完整性”系统了。
水果沙拉
Question 11: May the Head of Laboratory have admin rights for example to carry out the audit trail review?
提问:化验室的负责人是否可以持有管理员权限,例如,实施审计追踪审核?
Answer: Yes, as long as she/he does not operationally process analyses herself/himself.
答:可以,只要她/他并不亲自执行分析操作。
海螺研习社观点:实际操作中,欧美检察官都要求数据审核是由QA进行,且要求管理员权限应该是IT人员拥有。所以我们不认可这个欧洲专家的观点。在MHRA的数据可靠性指南中有说明,系统管理员的权限(例如允许数据删除,数据库修改或者系统设置改变的活动)不能给予与数据有直接利益相关(数据产生,数据修订或批注)的个人,因此化验室负责人持有系统管理员权限显然是不合适的。
Question 12: Is it possible for a user to have two system accounts? One as a user and one as administrator or reviewer?
提问:一个用户是否可以有2个系统账号?一个作为用户,另一个作为管理者或审核员?
Answer: Yes, in small organisational units. Guarantee by means of an SOP that the admin account will NOT be used operationally.
答:可以。在小型组织单元中是可以的。通过SOP的方法来保证管理者账号不会被用来进行操作。
海螺研习社观点:我们不建议按照这个欧洲专家的建议进行操作。公司的计算机化系统目前官方的要求是唯一的可以追溯到人的。再小的公司也应该至少有个QC有个QA人员把,不可能QC和QA是唯一的一个人兼的吧,希望大家不要被误导。在MHRA的数据可靠性指南中有说明,当因为组织机构的原因无法避免时,一个用户才可以拥有和使用2个不同权限的账号。基于上面提到的原因,此操作方式并不是一个推荐的方式,如果非不可避免,建议不要使用。
Question 13: Do you know a system that fulfils all requirements for the audit trail function of a CDS?
提问:你是否知道有哪个CDS系统满足审计追踪功能的所有要求?
Answer: So far there are hardly any systems on the market which allow to carry out the review with a minimum effort. Unfortunately, this is also true for modern systems as Empower 3.
答:截止目前,市场上几乎没有任何系统可以不费吹灰之力就执行审核。不幸的是,先进如Empower 3的系统也是这样。
海螺研习社观点:的确目前市场上符合要求的CDS系统是没有的。但是说empower 3不符合要求,这点我们是不同意的,实际empower 3是我们看到的最能符合所有要求的系统了。要注意的是,单机版存在的缺陷在网络版中是可以被弥补的。Empower 3的system audit trail功能其实弥补了不少单纯functional audit trail 的功能。我们提醒那些使用单机版的国内用户,选择性的备份单机版数据并不安全,因为empower 3 的system audit trail 会记录所有的系统创建/备份/删除project的信息。安捷伦/岛津/变色龙的软件体系中的“system audit trail”信息并不存在这样的记录,从而可以选择备份数据,所以单机版都存在一定的缺陷。
Question 14: File based data retention: Deletion is possible
outside the software. How is it possible to "build in" safety?
提问:基于数据保存的文件:在软件以外可以删除。怎么才能“增强”安全?
Answer: Yes, in systems that can store locally on the HD of the user it is possible to set up two local user profiles. Then, for instance, the system stores data only on the profile the user cannot access.
答:对于可以将数据存贮于本地用户硬盘上的系统,是可以设定2种本地用户配置的。所以,比如,可以让系统将数据存贮在用户角色不能进入的地方。
海螺研习社观点:这次我们赞成这位欧洲专家的观点,实际上我们对于很多单机版的软件数据备份和数据锁定都是利用WIN 7的这一功能去实现的,这也是我们常规说的”硬盘锁定”,类似的我们还会对单机版系统进行”时间锁定”来防止操作软件时间的恶意串改。对于带有服务器的网络版而言,这一问题由于授权级别的不同被轻松解决了。
Question 15: What are metadata?
提问:什么是元数据?
Answer: Data concerning data, such as the timestamp.
答:数据的数据,例如时间戳。
海螺研习社观点:可能这个问题过于简单,这位欧洲专家的回答非常简化,但是其举得例子看得出他的理解还是正确的。我们这边引用MHRA对元数据的定义:
Metadata is data that describe the attributes of other data, and provide context and meaning. Typically, these are data that describe the structure, data elements, inter-relationships and other characteristics of data. It also permits data to be attributable to an individual.
元数据是指表述其他数据属性的数据,提供语境和含义。一般来说,这些数据描述数据的结构、数据要素、内在关系和其他数据特性。它还允许数据追溯到产生数据的个人。比如 氯化钠批号1234,3.5mg J.Smith 01/07/14 [斜体部分就是元数据]
Question 16: What are manufacturing execution systems?
提问:什么是生产执行系统?
Answer: Process control systems.
答:工艺控制系统。
海螺研习社观点:这个问题和这个答案因为上下文语境不够,我们没有办法做出评论,应该是针对培训过程中的一些术语的问答,和本文主题数据完整性关联不大,建议删除。
Question 17: What do you do with legacy equipment? If no audit trail is available or if "user login" is not possible?
提问:遗留系统要怎么办?如果没有审计追踪,也没办法执行“用户登录”?
Answer: The systems have to be replaced in the short or in the long run - according to the risks.
答:必须在短期内替换这些系统,或者根据风险程度,制订长期计划来替换。
海螺研习社观点:基本逻辑我们赞成这个欧洲专家的意见,但是具体执行我们建议大家参考本文问答的第5题,我们强调的是对历史数据的及时回顾和风险评估,并采取必要的措施来证明历史遗留系统的潜在影响。新的硬件的投资是不可避免的,观望者迟早为此付出更大的代价,除非选择彻底退出欧美市场。
Question 18: Equipment often has a standard audit trail function. A lot of data is recorded (on/off), but only a small part of it is critical or relevant for a review. What is the best way to proceed when carrying out a review?
提问:设备通常有一个标准的审计追踪功能。它记录了许多数据(开关),但只有一小部分是关键的或与审核有关。在执行审核时最好的处理方法是什么?
Answer: The best way is to configure a report that only shows the critical data but leaves out all the unnecessary elements (such as login/logout). But this has to be programmed and is expensive.
答:最好的方法是对报告进行参数设置,使其仅显示关键数据,筛除掉所有不必要的要素(例如登录和退出)。但这就必须进行重新编程,这可是很昂贵的。
海螺研习社观点:问问题的人不了解什么是全面审计追踪功能“audit trail”,将简单的日志和这个功能画了等号。这个欧洲专家关于审计追踪数据的选择性审核是可取的。目前的实验室分析软件都具有“筛选”的功能,可以定向审核数据的创建、修改和删除等信息,减少了工作量又不用增加成本。但是,生产设备采用自动化设备的话,相关的数据完整性投入是很大的。这也是我们目前不建议国内企业轻易上自动化生产设备的原因,当然,一定要上,那么就必须要求设备提供商进行符合数据完整性的所有功能的软件并进行符合规范的计算机系统验证服务。
针对此问题的具体解决方法,建议采取风险评估的方式进行处理,请参考问题4中的观点。
Question 19: What is the way to proceed in the case of facilities in the production area such as AP production, mixers, filling lines with variable parameters as concerns classification of data/systems, extent and intervals of review?
提问:如果生产区域如API生产的设施,混合器、灌装线具有可变参数,有什么办法处理其数据/系统分类,以及审核的程度和时间间隔?
Answer: It is best to classify systems and facilities according to
ISA95. Then you will notice that at the bottom levels (field level, PLC,
SCADA) no interactions of the user are permitted. Hence no audit trail review is required. Basis is the risk analysis of the systems and data.
答:最好对系统和设施依据ISA95进行分类。然后你会发现最底下一层(现场层面,PLC,SCADA)不是允许用户互动的。因此,不要求有审计追踪。其基础是对系统和数据所做的风险分析。
海螺研习社观点:这个观点我们不能同意,因为虽然底层数据是不会互动的,但是会有基础数据的设置,不同产品之间的修改以及异常数据的报警信息,这些信息的全面审计记录是非常重要的,也是对系统的可靠性的重要保障。所以理论上这些数据一样需要符合数据完整性,具备全面数据审计的功能软件来执行和记录。当然,现实的官方检查过程中还没有这样的先例,我们将密切关注官方的审计要求的变化。
Question 20: Whose job is it to carry out the audit trial review in the laboratory?
提问:在化验室执行审计追踪审核是谁的工作?
Answer: This can be a colleague. The FDA requires "Quality Unit" (=QA) in the Draft Guideline. All other Draft Guidelines allow for a peer review.
答:可以是一个同事。FDA在其指南草案中要求“质量部门”(=QA)来做。所有其它指南草案则允许同行审核。
海螺研习社观点:实际操作中和FDA 现场检查中的期望是由QA进行审核。需要提醒下,对于历史数据的不符合数据完整性的审核,FDA甚至期望的是没有利益冲突的部门或独立第三方进行审核,以确保审核的客观性。
欧式杯具中的水果沙拉
Question 21: Must all electronic data be stored and archived in the case of a process in the sterile area or is the batch record sufficient?
提问:无菌区的工艺,以及批记录充分时,是否所有电子数据都必须存贮和归档?
Answer: You must define what the raw data are. These have to be stored in addition to the batch record.
答:你必须定义什么是原数据。除了批记录以外,这些是必须存贮的。
海螺研习社观点:这个问题我们赞成这个欧洲专家的意见。
Question 22: Would you consider changes of the parameters /formulations at production facilities as dynamic data? Do I have to consider them at every batch?
提问:你认为生产设施中参数/配方的变更是否动态数据?我是否必须在每批中都考虑他们呢?
Answer: This data is governed by the change control and is not part of the data for a review.
答:这些数据是受到变更控制管理的,并不是要审核的数据的一部分。
海螺研习社观点:这些数据的确是变更控制管理的,但是不需要审核吗?任何参数和配方的变更应该都是有目的的,按照一般常识理解,这些变动会是特别需要关注的,正是应该重点审核的关键数据中的一部分才对,所以这点我们不能认可这个欧洲专家的意见。
另外我们认为提问题的人可能也没有把问题问清楚,我们只能很遗憾,欧洲人对数据完整性的理解和认知来说其实也远远不够!
Question 23: Many of our production processes are documented by means of a batch record on paper. What should we do as concerns the review of the audit trail? Should we review the good documentation practice in the batch record by means of an audit trail review?
提问:我们许多生产工艺是记录在纸质批记录上的。关于审计追踪审核,我们要做些什么呢?我们是否需要采用审计追踪审核方法来审核批记录中的优良记录规范?
Answer: As long as you only document on paper the audit trail review is not relevant for you, but the 4-eyes-principle for all critical steps. The following is stated in the FDA Guidelines: "Critical process steps have to be verified by a second individual".
答:如果你只是使用纸质记录,那么审计追踪审核与你不相干,但双人原则适用所有关键步骤。FDA指南中讲到了以下内容“关键工艺步骤必须由第二人审核”。
海螺研习社观点:这点我们同意这个欧洲专家的意见。但是他不能说“审计追踪审核与你无关”。应该强调的是,审核的方式和方法是不一样的,采用传统方式确保第二人审核关键操作即可。
Question 24: Dynamic data <-> static data. A small filtration facility (pressure measurement/ flow measurement/temperature) with a locally installed SCADA system would then rather deliver static data?
提问:动态数据VS静态数据。一个小的过滤设施(压力测量/流量测量/温度)有一个就地SCADA系统,这算是静态数据吗?
Answer: That's correct. Static data as the user is not able to change the data.
答:是。如果用户是无法修改这些数据,它就是静态数据。
海螺研习社观点:根据FDA的相关指南中的解释和定义,所谓静态数据指的是固定的数据记录,例如纸质记录以及电子图片记录;而动态数据指的是任何允许用户和记录内容发生交互关系的记录格式,例如动态的图谱记录允许使用者修改基线并对图谱数据进行再处理,这样报告出来的峰可能会显示更大或更小(这个意义上说HPLC/GC图谱都属于这类性质的数据)。另一个例子就是可以允许用户修改公式的表单记录工具,用于计算收率或其他测试结果信息的记录。换句话来说,静态数据是指用户无法和系统进行互动,对原始数据进行再处理的情况;而动态数据是指用户可以根据自己的判断和需要对原始数据进行再处理以后再报告出来的数据。FDA的指南请参考以下链接:https://www.fda.gov/downloads/Dr ... ances/UCM495891.pdf
Question 25: Batch records are considered to be carriers of raw data for the documentation of processes. What about trend data that have been printed and enclosed to the batch record?
提问:批记录被认为是记录工艺原数据的载体。如果将趋势数据打印出来并附入批记录呢?
Answer: I do not consider it necessary to always review trend data.
答:我不认为有必要每次都去审核趋势数据。
海螺研习社观点:是的,我们也认为没有必要每次都是打印数据趋势。但是实际上,如果公司做好了数据分析体系,完全可以实现数据趋势被及时观察到,我们建议企业采用控制图工具监控每一批的工艺参数等原始数据,在目前的技术背景和行业的实际情况下每个月汇总分析下数据趋势是完全可行的,也是很有帮助的。对于制剂企业,如果设备的自动化程度较高,完全可以实现每批次的数据趋势汇报和分析,可以设定警告限或OOT规则去要求自动化系统对于偏离数据进行自动上报QA。
Question 26: Slide 9: What do you include in systems and equipment?
提问:在第9张幻灯中,系统和设备中包括哪些东西?
Answer: Everything that has to be validated and qualified?
答:需要验证和确认的所有东西。
海螺研习社观点:这个问题涉及范围,理论上的确是全厂范围内的所有计算机化的系统都应该有验证和确认,有客户审计提出要求企业建立一个自动化系统档案并按照GAMP5的要求对系统进行归类和分级管理,然后将相关的验证确认汇总到验证主计划中去。有条件的企业可以逐步开展这一工作,对于一般原料药企业,在目前的监管要求和背景下,这部分工作可以延后。
Question 27: Is it necessary to perform an audit trail review (ATR) after each measurement/ analysis carried out at the equipment in the laboratory? Who carries out the ATR - laboratory personnel (operator) or the Head of the Laboratory?
提问:在化验室,是否有必要每次在仪器上执行测量/分析之后均执行审计追踪审核(ATR)?谁来做ATR---化验员人员(操作员)还是化验室负责人?
Answer: A SOP is required for the ATR for each system that describes the details. The review after completion of the analysis is important.
答:每个系统都需要有一个SOP来描述详细内容。分析完成之后的审核是很重要的。
海螺研习社观点:更多的情况下,我们会建议企业安排专职QA来进行这个数据的审核,当然审核是在检验完成之后进行。相关审核时间周期的讨论参见本问答4的讨论。
Important Questions and Answers concerning the Audit Trail Review
Actually, the topic "data integrity" has moved into the focus of many national and international inspections. The American FDA has sent many Warning Letters concerning comprehensive deviations observed. Therefore the regulatory authorities request not only an assurance of the product quality but they also demand that each company has a clear strategy how the integrity of critical data can be assured over its complete life cycle. Here, the review of the audit trail plays a decisive role. Despite the numerous guidelines published on this topic since 2015 it often remains unclear which requirements exist concerning the audit trail review and how they can be implemented in practice.
For this reason the Webinar "Audit Trail Review" was carried out in February 2017. Its aim was to address the main elements of data integrity and audit trail reviews:
Regulatory overview with emphasis on the requirements of MHRA and Annex 11
Classification of data - which are critical data?
Classification of systems - which systems are relevant?
What Audit Trails are important?
What shall I do with legacy systems without audit trail?
Who shall review Audit Trails?
How is the review documented?
Process and documentation in case of deviations?
Dr. Wolfgang Schumacher has been the speaker. He looks back on more than 30 years experience in the pharmaceutical industry.
He has received more than 50 questions concerning the webinar. Naturally, he could not reply to all them immediately after the webinar. Thankfully, Dr. Schuhmacher has answered all questions in writing. Hereinafter you find the first part of the questions and answers. A further selection is planned for a later time.
1. Are the analytical data arising in the course of the validation of analytical procedures critical data?
Answer: No, since these data are released with the completion of the validation process and it only presents the basis for future analyses.
Therefore there is only an indirect criticality; no audit trail review is required.
2. The calibration of equipment influences the correctness of data. Does this mean that the calibration is critical?
Answer: Since the calibration influences the patient safety only indirectly no audit trail review is required.
3a.: Practical example: What about a reactor control from production that has neither user management nor a password or an audit trail etc.? Is it allowed to continue using this control?
Answer: It is definitively recommended to plan a replacement. The time of replacement depends on the product manufactured with the reactor. This defines the criticality.
3b. Practical example: What about a reactor control from production that has neither user management nor a password or an audit trail etc.? (The control concerned is the control of a reactor which is used for the manufacture of intermediates and APIs but not of final products). Is it allowed to continue using this control or does it have to be withdrawn from use?
Answer: Thank you for clarifying the question. I do not think it is necessary to replace the reactor control immediately if it is used for the production of an intermediate. Recommendation: Assess all systems and equipment and arrange them according to priority classes (for instance by using a rather simple FMEA). This is used to define when to deal with the priority classes, for example Prio 1= until the end of 2017, Prio 2= until the end of 2018 etc…
4. Is the audit trail review prior to the release of each batch a regulatory requirement or is it only recommended so far?
Answer: Annex 11 requires the audit trail review. Inspectors consider the release of batches to be the most critical process of all.
5. Hybrid systems: No audit trail retrofitting possible. What can be done?
Answer: First of all I would clarify all other criteria (access, user/admin profile, safety). How critical is this data? Plan a replacement according to the classification of the criticality (= priority) if the data is critical.
6. Role concept: Is a user allowed to carry out a reintegration? (GC-system)
Answer: As far as I can see, the answer to this is 'no'. This should first be authorised by the Head of Laboratory stating the reason.
7. It is difficult to carry out the separation between the persons of administrator and user in the CDS. Is it possible that the admin and the user being the same person?
Answer: This is possible but it needs to be described in a SOP.
8. Process validation data are category 3 data - therefore no audit trail review is required. But isn't it required to carry out a review for the generation of validation measuring data?
Answer: As you have stated correctly, validation data have the criticality of category 3.
It is very unlikely that the user will carry out changes since there is no reason for falsification - in contrast to the batch release.
9. Hello, is is useful to review the "windows eventviewer" for GxP devices?
Answer: This is a good idea but it will probably not be realistic as too many events would be reported. Its use would anyway only be worth considering for systems which save data locally, and thank God this isn't done by many modern systems anymore.
10a.: Must the report for a riew of the audit trail be generated by the system itself? Or is it possible to use another system which is better suited for carrying out analyses?
Answer: Strictly speaking, the audit trail must be generated by the system itself ("system generated audit trail"). Which other system do you have in mind?
10b. I think, I did not express myself very clearly when asking the question: Is it only reviewed whether the process is still functioning in the course of the periodic reviews - hence, if the audit trail data is still recorded? Meaning: Functionality is documented by IT with a few samples.
Answer: Very correct!
11. May the Head of Laboratory have admin rights for example to carry out the audit trail review?
Answer: Yes, as long as she/he does not operationally process analyses herself/himself.
12. Is it possible for a user to have two system accounts? One as a user and one as administrator or reviewer?
Answer: Yes, in small organisational units. Guarantee by means of an SOP that the admin account will NOT be used operationally.
13. Do you know a system that fulfils all requirements for the audit trail function of a CDS?
Answer: So far there are hardly any systems on the market which allow to carry out the review with a minimum effort. Unfortunately, this is also true for modern systems as Empower 3.
14. File based data retention: Deletion is possible outside the software. How is it possible to "build in" safety?
Answer: Yes, in systems that can store locally on the HD of the user it is possible to set up two local user profiles. Then, for instance, the system stores data only on the profile the user cannot access.
15. What are metadata?
Answer: Data concerning data, such as the timestamp.
16. What are manufacturing execution systems?
Answer: Process control systems.
17. What do you do with legacy equipment? If no audit trail is available or if "user login" is not possible?
Answer: The systems have to be replaced in the short or in the long run - according to the risks.
18. Equipment often has a standard audit trail function. A lot of data is recorded (on/off), but only a small part of it is critical or relevant for a review. What is the best way to proceed when carrying out a review?
Answer: The best way is to configure a report that only shows the critical data but leaves out all the unnecessary elements (such as login/logout). But this has to be programmed and is expensive.
19. What is the way to proceed in the case of facilities in the production area such as AP production, mixers, filling lines with variable parameters as concerns classification of data/systems, extent and intervals of review?
Answer: It is best to classify systems and facilities according to ISA95. Then you will notice that at the bottom levels (field level, PLC, SCADA) no interactions of the user are permitted. Hence no audit trail review is required. Basis is the risk analysis of the systems and data.
20. Whose job is it to carry out the audit trial review in the laboratory?
Answer: This can be a colleague. The FDA requires "Quality Unit" (=QA) in the Draft Guideline. All other Draft Guidelines allow for a peer review.
21. Must all electronic data be stored and archived in the case of a process in the sterile area or is the batch record sufficient?
Answer: You must define what the raw data are. These have to be stored in addition to the batch record.
22. Would you consider changes of the parameters / formulations at production facilities as dynamic data? Do I have to consider them at every batch?
Answer: This data is governed by the change control and is not part of the data for a review.
23. Many of our production processes are documented by means of a batch record on paper. What should we do as concerns the review of the audit trail? Should we review the good documentation practice in the batch record by means of an audit trail review?
Answer: As long as you only document on paper the audit trail review is not relevant for you, but the 4-eyes-principle for all critical steps. The following is stated in the FDA Guidelines: "Critical process steps have to be verified by a second individual".
24 Dynamic data <-> static data. A small filtration facility (pressure measurement/flow measurement/temperature) with a locally installed SCADA system would then rather deliver static data?
Answer: That's correct. Static data as the user is not able to change the data.
25. Batch records are considered to be carriers of raw data for the documentation of processes. What about trend data that have been printed and enclosed to the batch record?
Answer: I do not consider it necessary to always review trend data.
26. Slide 9: What do you include in systems and equipment?
Answer: Everything that has to be validated and qualified?
27. Is it necessary to perform an audit trail review (ATR) after each measurement/analysis carried out at the equipment in the laboratory? Who carries out the ATR - laboratory personnel (operator) or the Head of the Laboratory?
Answer: A SOP is required for the ATR for each system that describes the details. The review after completion of the analysis is important.
We'd like to thank Dr. Schumacher for his comprehensive answers to all questions.
Of course, this webinar is also available as a recording.
1.提问:在分析方法验证过程中产生的分析数据是否属于关键数据?
答:不是。因为这些数据在验证过程完成之后即放行,只能代表将来分析的基础。因此这只是间接关键性,不需要进行审计追踪审核。
2. 提问:设备校正会影响数据的正确性。这是否意味着校正是关键的?
答:由于校正只会间接影响患者安全,因此不需要审计追踪审核。
3a.提问:实例:如果反应釜的生产控制没有用户管理,也没有密码或审计追踪等,会怎么样?是否允许继续使用此类控制?
答:绝对建议计划对此进行更换。更换的时间取决于反应釜所生产的药品。这是关键的。
3b. 提问:实例:如果反应釜的生产控制没有用户管理,也没有密码或审计追踪等,会怎么样?(让你涉及的受控反应釜是用于中间体和API生产,但不用于制剂生产)。是否可以继续使用这些控制,还是必须停止使用?
答:谢谢你对问题的澄清。如果反应釜用于中间体的生产,我不觉得有必要立即替换此反应釜控制。建议:评估所有系统和设备,依据优先级别来对其进行安排(例如,使用相对简单的FMEA)。用此种方法来界定需要在何时处理不同优先级别,例如,第1优先=2017年年底,第2优先=2018年年底等……
4. 提问:在放行每批产品之前,是否有法规要求执行审计追踪审核,还是说目前为止只是建议?
答:附录11要求进行审计追踪审核。检查员认为批放行是所有内容中最关键的过程。
5. 提问:混合系统:审计追踪是无法翻新的。这要怎么办呢?
答:首先,我要澄清所有其它标准(登入、用户/管理概况、安全性)。这些数据有多关键?如果数据关键,则依据关键等级(=优先级)来计划替换。
6. 提问:角色概念:一个用户是否允许执行重新积分?(GC系统)
答:依我之见,回答是“不允许”。这首先需要化验室最高领导授权,并说明理由。
7. 提问:在CDS里面很难将管理者与用户分开来。是否可能将管理者和用户授予同一人?
答:可以,但需要在SOP里描述。
8. 提问:工艺验证数据是第3类数据---因此,不需要审计追踪审核。但是否需要对验证测量数据生成情况进行审核呢?
答:你是对的,验证数据的关键类别为3。由于并没有造假理由,因此用户不大可能对其进行修改----这与批放行情况是相反的。
9.提问:你好,对GXP装置审核“视窗事件查看器”是否有用?
A: 答:这是个好主意,但可能并不现实,因为这里面会报告太多事件。只有当数据保存于本机时才认为值得考虑使用此方法,谢天谢地,许多现代化系统已经不再这么做了。
10a.提问:审计追踪审核报告必须由系统本身生成吗?还是说可以使用另一个更为适当的系统来执行该分析?
答:严格来说,审计追踪必须由系统本身生成(系统生成审计追踪)。你觉得有什么其它系统呢?
10b. 提问:我想,我刚才问问题时没讲的太清楚:是否只是审核定期审核的时间间隔内,该流程仍在起作用---因而,是否仍有记录下审计追踪数据?也就是说,由IT记录采用少数样本来记录其功能。
答:非常正确!
11. 提问:化验室的负责人是否可以持有管理员权限,例如,实施审计追踪审核?
答:可以,只要她/他并不亲自执行分析操作。
12.提问:一个用户是否可以有2个系统账号?一个作为用户,另一个作为管理者或审核员?
答:可以。在小型组织单元中是可以的。通过SOP的方法来保证管理者账号不会被用来进行操作。
13. 提问:你是否知道有哪个CDS系统满足审计追踪功能的所有要求?
答:截止目前,市场上几乎没有任何系统可以不费吹灰之力就执行审核。不幸的是,先进如Empower 3的系统也是这样。
14. 提问:基于数据保存的文件:在软件以外可以删除。怎么才能“增强”安全?
答:对于可以将数据存贮于本地用户硬盘上的系统,是可以设定2种本地用户配置的。所以,比如,可以让系统将数据存贮在用户角色不能进入的地方。
15. 提问:什么是元数据?
答:数据的数据,例如时间戳。
16. 提问:什么是生产执行系统?
答:工艺控制系统。
17. 提问:遗留系统要怎么办?如果没有审计追踪,也没办法执行“用户登录”?
答:必须在短期内替换这些系统,或者根据风险程度,制订长期计划来替换。
18. 提问:设备通常有一个标准的审计追踪功能。它记录了许多数据(开关),但只有一小部分是关键的或与审核有关。在执行审核时最好的处理方法是什么?
A: 答:最好的方法是对报告进行参数设置,使其仅显示关键数据,筛除掉所有不必要的要素(例如登录和退出)。但这就必须进行重新编程,这可是很昂贵的。
19. 提问:如果生产区域如API生产的设施,混合器、灌装线具有可变参数,有什么办法处理其数据/系统分类,以及审核的程度和时间间隔?
答:最好对系统和设施依据ISA95进行分类。然后你会发现最底下一层(现场层面,PLC,SCADA)不是允许用户互动的。因此,没有不要求有审计追踪。其基础是对系统和数据所做的风险分析。
20. 提问:在化验室执行审计追踪审核是谁的工作?
答:可以是一个同事。FDA在其指南草案中要求“质量部门”(=QA)来做。所有其它指南草案则允许同行审核。
21. 提问:无菌区的工艺,以及批记录充分时,是否所有电子数据都必须存贮和归档?
答:你必须定义什么是原数据。除了批记录以外,这些是必须存贮的。
22. 提问:你认为生产设施中参数/配方的变更是否动态数据?我是否必须在每批中都考虑他们呢?
答:这些数据是受到变更控制管理的,并不是要审核的数据的一部分。
23. 提问:我们许多生产工艺是记录在纸质批记录上的。关于审计追踪审核,我们要做些什么呢?我们是否需要采用审计追踪审核方法来审核批记录中的优良记录规范?
答:如果你只是使用纸质记录,那么审计追踪审核与你不相干,但双人原则适用所有关键步骤。FDA指南中讲到了以下内容“关键工艺步骤必须由第二人审核”。
24 提问:动态数据VS静态数据。一个小的过滤设施(压力测量/流量测量/温度)有一个就地SCADA系统,这算是静态数据吗?
答:是。如果用户是无法修改这些数据,它就是静态数据。
25. 提问:批记录被认为是记录工艺原数据的载体。如果将趋势数据打印出来并附入批记录呢?
答:我不认为有必要每次都去审核趋势数据。
26. 提问:在第9张幻灯中,你在系统和设备中包括哪些东西?
答:需要验证和确认的所有东西。
27. 提问:在化验室,是否有必要每次在仪器上执行测量/分析之后均执行审计追踪审核(ATR)?谁来做ATP---化验员人员(操作员)还是化验室负责人?
答:每个系统都需要有一个SOP来描述详细内容。分析完成之后的审核是很重要的。 |
狗仔卡
提升卡
置顶卡
沉默卡
变色卡
抢沙发
千斤顶
显身卡