11月16日，EMA發布了關于修訂GMP 附錄11– 《計算機化系統》的概念文件，文件指出將對當前版本EU GMP 附錄11《計算機化系統》指南的33點修訂意見，如下：

 

更新文件以取代EMA GMP網站上的附錄11問答和數據完整性問答的相關部分。

 

關于數據完整性，新的附錄11將包括對“動態數據”和“靜態數據”（備份、存檔和處置）的要求。

 

將考慮更新文件對“數字化轉型”和類似的新概念提出監管期望。

 

關于“范圍”的調整，不僅應包括計算機化系統“代替手動操作”的情況，還應涵蓋用以代替“另一個系統或手動過程”的情況。

 

服務清單應包括“操作”計算機化系統，例如“云”服務。

 

對于由服務提供商驗證和/或運營的關鍵系統（例如“云”服務），要求應不僅僅是“必須有正式協議”。受監管的用戶應可以訪問完整的文檔，以對系統進行驗證和安全運行，并能夠在監管檢查期間出示這些文檔，例如在服務提供商的幫助下。

 

概念文件表示，“商用現貨產品”（COTS）一詞的定義并不充分，而且很容易理解得過于寬泛。關鍵的 COTS 產品，即使是“廣泛用戶”使用的產品，也應由供應商或受監管用戶進行確認，并且應提供相關文檔以供檢查。應澄清該術語的使用以及對此類（例如“云”）系統的確認、驗證和安全操作的要求。

 

需要澄清“驗證”（和“確認”）一詞的含義。應該強調的是，這兩項活動都包括對用戶需求規范 （URS） 或類似內容中所述的必需和指定功能的確認。

 

文件表示，計算機化系統確認和驗證應特別挑戰用于做出GMP決策的系統的關鍵部分，確保產品質量和數據完整性的部分以及專門設計或定制的部分。

 

文件指出，關于“用戶需求應在整個生命周期中可追溯”這句話的含義還不夠清楚。用戶需求規范或類似內容，描述所有需要實施和必需的GMP關鍵自動化功能，并且受監管用戶所依賴，應成為系統任何確認或驗證的基礎，無論是由受監管用戶還是由供應商執行。用戶需求規范應在整個系統生命周期中保持更新并與實施的系統保持一致，并且用戶需求、任何底層功能規范和測試用例之間應有書面的可追溯性。

 

文件將包含對敏捷開發過程的指導和關鍵數據和關鍵系統的分類指南。

 

關于備份，文件指出，對易失性介質的長期備份（或存檔）應基于經過驗證的程序（例如，通過“加速測試”）。在這種情況下，測試不應側重于備份是否仍可讀，而應驗證備份在給定時間段內是否可讀。

 

文件中缺少對備份過程的重要要求，例如備份涵蓋的內容（例如，僅數據還是數據和應用程序），進行哪些類型的備份（例如增量或完整），進行備份的頻率（所有類型），備份保留多長時間，備份使用哪種介質以及備份的保存位置（例如物理分離）。

 

文件指出，在用戶，數據或設置可以手動更改的情況下，審計追蹤功能應被視為強制性的，該功能可自動記錄GMP關鍵系統上的所有手動交互；不僅僅是“基于風險評估考慮”。在沒有審計追蹤功能的情況下控制流程或捕獲、保存或傳輸此類系統中的電子數據是不可接受的；此方面內的任何寬限期早已過期。

 

審計追蹤審查的概念和目的描述不充分。這一過程應側重于審查對系統進行的人工更改的完整性，例如核實更改的原因以及更改是否在不尋常的日期、時間以及由不尋常的用戶進行。

 

應提供可接受的審計追蹤審查頻率指南。對于關鍵參數的審計追蹤，例如在BMS系統中設置報警以對無菌灌裝相關的壓差發出警報，審計追蹤審查應成為批放行的一部分，遵循基于風險的方法。

 

文件指出，許多系統生成了大量的警報和事件數據，并且這些數據經常與審計追蹤條目混淆。雖然警報和事件可能需要自己的日志、確認和審查，但這不應與手動系統交互的審計追蹤審查相混淆。因此，至少應該能夠對這些進行排序。

 

應增加配置審查的概念。配置審查不應增加系統上已知變更的數量（升級歷史記錄），而應基于一段時間內硬件和軟件基準的比較。這應包括對任何差異的說明以及對再確認/驗證需求的評估。

 

根據ISO 27001，關于IT安全的部分應包括對系統和數據的機密性，完整性和可用性的關注。

 

應該明確指出，關鍵系統上的身份驗證應高度確定地識別受監管的用戶。因此，僅通過“通行卡”進行身份驗證可能是不夠的，因為它可能會被丟失并隨后被任何人發現。

 

應定期審查系統訪問和角色，以確保刪除被遺忘和不需要的訪問。

 

由于工業界已經在實施這項技術，因此在關鍵的GMP應用中使用人工智能（AI）和機器學習（ML）模型方面迫切需要監管指導和期望。主要關注點應放在用于測試這些模型的數據的相關性、充分性和完整性以及此類測試的結果（指標）上，而不是選擇、訓練和優化模型的過程。

 

指南將考慮關于計算機軟件保證（CSA）方面的內容。

 

翻譯如下：

 

Concept Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products – Computerised Systems

 

關于修訂GMP 附錄11– 計算機化系統的概念文件

 

This concept paper addresses the need to update Annex 11, Computerised Systems, of the Good Manufacturing Practice (GMP) guide. Annex 11 is common to the member states of the European Union (EU)/European Economic Area (EEA) as well as to the participating authorities of the Pharmaceutical Inspection Co-operation Scheme (PIC/S). The current version was issued in 2011 and does not give sufficient guidance within a number of areas. Since then, there has been extensive progress in the use of new technologies.

 

本概念文件包括更新良好生產規范（GMP）指南附錄11（計算機化系統）的必要性。附錄11是歐盟（EU）/歐洲經濟區（EEA）成員國以及藥品檢查合作計劃（PIC/S）參與當局的共同內容。當前版本于2011年發布，在許多領域沒有提供足夠的指導。自此之后，新技術的使用取得了廣泛的進展。

 

Reasons for the revision of Annex 11 include, but are not limited to the following (in non-prioritised order and with references to existing sections in sharp brackets). More improvements may prove to be necessary as inputs will be received by the drafting group:

 

修訂附錄11的理由包括但不限于以下內容（按非優先順序排列，并在括號內提及現行章節）。隨著起草小組的介入，可能還需要作出更多的改進：

 

1.[New] The document should be updated to replace relevant parts of the Q&A on Annex 11 and the Q&A on Data Integrity on the EMA GMP website.

 

[新增]該文件應更新，以取代EMA GMP網站上的附錄11問答和數據完整性問答的相關部分。

 

2. [New] With regards to data integrity, Annex 11 will include requirements for ‘data in motion’ and ‘data at rest’ (backup, archive and disposal). Configuration hardening and integrated controls are expected to support and safeguard data integrity; technical solutions and automation are preferable instead of manual controls.

 

[新增]關于數據完整性，新的附錄11將包括對“動態數據”和“靜態數據”（備份、存檔和處置）的要求。配置強化和集成控制有望支持和保護數據完整性;技術解決方案和自動化比手動控制更可取。

 

3.[New] An update of the document with regulatory expectations to ‘digital transformation’ and similar newer concepts will be considered.

 

[新]將考慮更新文件對“數字化轉型”和類似的新概念提出監管期望。

 

4.[Principle] The scope should not only cover where a computerised system “replaces of a manual operation”, but rather, where it replaces ‘another system or a manual process’.

 

[原則]范圍不僅應包括計算機化系統“代替手動操作”的情況，還應涵蓋用以代替“另一個系統或手動過程”的情況。

 

5.[1] References should be made to ICH Q9.

 

[1] 應參考ICH Q9。

 

6.[3.1] The list of services should include to ‘operate’ a computerised system, e.g. ‘cloud’ services.

 

[3.1] 服務清單應包括“操作”計算機化系統，例如“云”服務。

 

7. [3.1] For critical systems validated and/or operated by service providers (e.g. ‘cloud’ services), expectations should go beyond that “formal agreements must exist”. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider. See also Notice to sponsors and Q&A #9 on the EMA GCP website and Q&A on the EMA GVP website)

 

[3.1] 對于由服務提供商驗證和/或運營的關鍵系統（例如“云”服務），要求應不僅僅是“必須有正式協議”。受監管的用戶應可以訪問完整的文檔，以對系統進行驗證和安全運行，并能夠在監管檢查期間出示這些文檔，例如在服務提供商的幫助下。另請參閱EMA GCP網站上的申辦方通知和問答#9以及EMA GVP網站上的問答）

 

8.[3.3] Despite being mentioned in the Glossary, the term “commercial off-the-shelf products” (COTS) is not adequately defined and may easily be understood too broadly. Critical COTS products, even those used by “a broad spectrum of users” should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection. The use of the term and the expectation for qualification, validation and safe operation of such (e.g. ‘cloud’) systems should be clarified.

 

[3.3] 盡管在術語表中提到，但“商用現貨產品”（COTS）一詞的定義并不充分，而且很容易理解得過于寬泛。關鍵的 COTS 產品，即使是“廣泛用戶”使用的產品，也應由供應商或受監管用戶進行確認，并且應提供相關文檔以供檢查。應澄清該術語的使用以及對此類（例如“云”）系統的確認、驗證和安全操作的要求。

 

9. [4.1] The meaning of the term ‘validation’ (and ‘qualification’), needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.

 

[4.1] 需要澄清“驗證”（和“確認”）一詞的含義。應該強調的是，這兩項活動都包括對用戶需求規范 （URS） 或類似內容中所述的必需和指定功能的確認。

 

10. [4.1] Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions, parts which ensure product quality and data integrity and parts, which have been specifically designed or customised.

 

[4.1] 遵循基于風險的方法，系統確認和驗證應特別挑戰用于做出GMP決策的系統的關鍵部分，確保產品質量和數據完整性的部分以及專門設計或定制的部分。

 

11. [4.4] It is not sufficiently clear what is implied by the sentence saying “User requirements should be traceable throughout the life-cycle”. A user requirements specification, or similar, describing all the implemented and required GMP critical functionality which has been automated, and which the regulated user is relying on, should be the very basis for any qualification or validation of the system, whether performed by the regulated user or by the vendor. User requirements specifications should be kept updated and aligned with the implemented system throughout the system life-cycle and there should be a documented traceability between user requirements, any underlying functional specifications and test cases.

 

[4.4] “用戶需求應在整個生命周期中可追溯”這句話的含義還不夠清楚。用戶需求規范或類似內容，描述所有需要實施和必需的GMP關鍵自動化功能，并且受監管用戶所依賴，應成為系統任何確認或驗證的基礎，無論是由受監管用戶還是由供應商執行。用戶需求規范應在整個系統生命周期中保持更新并與實施的系統保持一致，并且用戶需求、任何底層功能規范和測試用例之間應有書面的可追溯性。

 

12. [4.5] It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents, should be clarified.

 

[4.5] 應該承認并解決的是，今天的軟件開發通常遵循敏捷開發過程，應澄清用以接受此類產品和相應文檔的標準，這些文檔可能不包含傳統文檔。

 

13. [6] Guidelines should be included for classification of critical data and critical systems.

 

[6] 應包括關鍵數據和關鍵系統的分類指南。

 

14. [7.1] Systems, networks and infrastructure should protect the integrity of GMP processes and data. Examples should be included of measures, both physical and electronic, required to protect data against both intentional and unintentional loss of data integrity.

 

[7.1] 系統、網絡和基礎設施應保護GMP流程和數據的完整性。應舉例說明為保護數據免遭有意和無意喪失數據完整性而需要采取的物理和電子措施。

 

15.  [7.2] Testing of the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through ‘accelerated testing’). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.

 

[7.2] 測試通過備份還原系統數據（如果沒有其他方式，則通過系統本身）的能力至關重要，但對此功能進行定期檢查的要求，即使沒有對備份或還原過程進行任何變更，也不是必須。對易失性介質的長期備份（或存檔）應基于經過驗證的程序（例如，通過“加速測試”）。在這種情況下，測試不應側重于備份是否仍可讀，而應驗證備份在給定時間段內是否可讀。

 

16. [7.2] Important expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).

 

[7.2] 文件中缺少對備份過程的重要要求，例如備份涵蓋的內容（例如，僅數據還是數據和應用程序），進行哪些類型的備份（例如增量或完整），進行備份的頻率（所有類型），備份保留多長時間，備份使用哪種介質以及備份的保存位置（例如物理分離）。

 

17. [8] The section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered.

 

[8] 該部分應包括能夠以電子格式獲取數據的要求，包括完整的審計追蹤。可以重新考慮能夠打印數據的要求。

 

18. [9] An audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just ‘considered based on a risk assessment’. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.

 

[9] 在用戶，數據或設置可以手動更改的情況下，審計追蹤功能應被視為強制性的，該功能可自動記錄GMP關鍵系統上的所有手動交互；不僅僅是“基于風險評估考慮”。在沒有審計追蹤功能的情況下控制流程或捕獲、保存或傳輸此類系統中的電子數據是不可接受的；此方面內的任何寬限期早已過期。

 

19. [9] The audit trail should positively identify the user whomade a change, it should give a full account of what was changed, i.e. both the new and all old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field or where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.

 

[9] 審計追蹤應明確識別進行更改的用戶，應充分說明所更改的內容，即新的值和所有舊值都應清晰可見，應包括進行更改的完整時間和日期，以及所有其他更改，除非在空白字段中輸入值或完全明顯，應提示用戶進行更改的原因或理由。

 

20. [9] It should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see ‘segregation of duties’).

 

[9] 對于在系統上工作的普通或特定權限用戶，應該不能編輯審計追蹤數據或停用審計追蹤功能。如果這些功能可用，則只有不應參與GMP生產或系統日常工作的系統管理員才能訪問它們（參見“職責分離”）。

 

21. [9] The concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.

 

[9] 審計追蹤審查的概念和目的描述不充分。這一過程應側重于審查對系統進行的人工更改的完整性，例如核實更改的原因以及更改是否在不尋常的日期、時間以及由不尋常的用戶進行。

 

22. [9] Guidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.

 

[9] 應提供可接受的審計追蹤審查頻率指南。對于關鍵參數的審計追蹤，例如在BMS系統中設置報警以對無菌灌裝相關的壓差發出警報，審計追蹤審查應成為批放行的一部分，遵循基于風險的方法。

 

23. [9] Audit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.

 

[9] 審計追蹤功能應及時捕獲足夠詳細的數據條目，以便全面準確地了解事件。例如，是否系統通過錯誤消息通知受監管用戶數據輸入中的不一致，并且用戶隨后更改輸入，從而使通知消失;應捕獲完整的事件集。

 

24. [9] It should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these.

 

[9] 應該解決的是，許多系統生成了大量的警報和事件數據，并且這些數據經常與審計追蹤條目混淆。雖然警報和事件可能需要自己的日志、確認和審查，但這不應與手動系統交互的審計追蹤審查相混淆。因此，至少應該能夠對這些進行排序。

 

25. [11] The concept of configuration review should be added. Instead of taking onset in the number of known changes on a system (upgrade history), it should be based on a comparison of hardware and software baselines over time. This should include an account for any differences and an evaluation of the need for re-qualification/validation.

 

[11] 應增加配置審查的概念。配置審查不應增加系統上已知變更的數量（升級歷史記錄），而應基于一段時間內硬件和軟件基準的比較。這應包括對任何差異的說明以及對再確認/驗證需求的評估。

 

26. [12.1] The current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.

 

[12.1] 本節僅關注限制授權個人訪問系統;但是，還有其他重要主題。根據ISO 27001，關于IT安全的部分應包括對系統和數據的機密性，完整性和可用性的關注。

 

27. [12.1] The current version says that “Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons”. However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.

 

[12.1] 現行版本規定，“應實施物理和/或邏輯控制，以限制授權人員使用計算機化系統”。但是，有必要更具體地明確一些預期的控制措施，例如多因素身份驗證、防火墻、平臺管理、安全補丁、病毒掃描和入侵檢測/預防。

 

28.  [12.1] It should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a ‘pass card’ might not be sufficient, as it could have been dropped and later found by anyone.

 

[12.1] 應該明確指出，關鍵系統上的身份驗證應高度確定地識別受監管的用戶。因此，僅通過“通行卡”進行身份驗證可能是不夠的，因為它可能會被丟失并隨后被任何人發現。

 

29. [12.1] Two important expectations for allocation of system accesses should be added either here or elsewhere; i.e. ‘segregation of duties’, that day-to-day users of a system do not have admin rights, and the ‘least privilege principle’, that users of a system do not have higher access rights than what is necessary for their job function.

 

[12.1] 應在此處或其他地方添加對系統訪問分配的兩個重要要求;即“職責分離”，即系統的日常用戶沒有管理員權限，以及“權限最小化原則”，即系統用戶沒有高于其工作職能所需的訪問權限。

 

30. [12.3] The current version says that “Creation, change, and cancellation of access authorisations should be recorded”. However, it is necessary to go further than just recording who has access to a system. Systems accesses and roles should be continually managed as people assume and leave positions. System accesses and roles should be subject to recurrent reviews in order to ensure that forgotten and undesired accesses are removed.

 

[12.3] 當前版本規定“應記錄訪問權限的創建、更改和取消”。但是，有必要走得更遠，而不僅僅是記錄誰可以訪問系統。隨著人員的任職和離開職位，應持續管理系統訪問和角色。應定期審查系統訪問和角色，以確保刪除被遺忘和不需要的訪問。

 

31. [17] As previously mentioned (see 7.2), it is not sufficient to re-actively check archived data for accessibility, readability and integrity (it would be too late to find out if these parameters were not maintained). Instead, archival should rely on a validated process. Depending on the storage media used, it might be necessary to validate that the media can be read after a certain period.

 

[17] 如前所述（見7.2），僅僅重新主動檢查存檔數據的可訪問性、可讀性和完整性是不夠的（如果不維護這些參數，現在就太晚了）。相反，存檔應依賴于經驗證的過程。根據所使用的存儲介質，可能需要驗證在特定時間段后是否可以讀取介質。

 

32. [New] There is an urgent need for regulatory guidance and expectations to the use of artificial intelligence (AI) and machine learning (ML) models in critical GMP applications as industry is already implementing this technology. The primary focus should be on the relevance, adequacy and integrity of the data used to test these models with, and on the results (metrics) from such testing, rather that on the process of selecting, training and optimising the models.

 

[新]由于工業界已經在實施這項技術，因此在關鍵的GMP應用中使用人工智能（AI）和機器學習（ML）模型方面迫切需要監管指導和期望。主要關注點應放在用于測試這些模型的數據的相關性、充分性和完整性以及此類測試的結果（指標）上，而不是選擇、訓練和優化模型的過程。

 

33. [New] After this concept paper has been drafted and prepared for approval of the EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation, the FDA has released a draft guidance on Computer Software Assurance for Production and Quality System Software (CSA). This guidance and any implication will be considered with regards to aspects of potential regulatory relevance for GMP Annex 11.

 

[新]在起草并準備本概念文件以供EMA GMP / GDP檢查員工作組和PIC/SGMDP協調小組委員會批準后，FDA發布了關于生產和質量體系軟件的計算機軟件保證（CSA）指南草案。該指南和任何影響將考慮與GMP附錄11的潛在監管相關的方面。