您當前的位置:檢測資訊 > 法規標準
嘉峪檢測網 2025-07-29 20:52
自2025年7月7日起,EMA 網站上發布了3份新的指南草案——EU GMP 指南附錄 11“計算機化系統”、附錄 22“人工智能”和第4 章“文件記錄”,業界可以在 2025 年 10 月 7 日之前對其發表意見。這些文件由 EMA GMP/GDP 檢查員工作組與PIC/S 共同起草,將于 2026 年作為最終版本發布。
新版附錄11 計算機化系統 草案
自2022年發布新版EU GMP附錄11 概念文件后,新發布的EU GMP附錄 11草案對計算機化系統新法規的預期范圍提供了初步見解,已經可以預期重大創新。在丹麥檢查員 Ib Alstrup 的領導下,國際工作組考慮了 IT 領域現代技術的發展,并完善了許多不明確的問題。
The pharmaceutical quality management system mentioned in section 3. clarifies not only the usual topics (deviations, changes, self-inspections) but also the responsibility of senior management to regularly review all elements that influence the proper operation of the system.
第 3 節中提到的藥品質量管理體系。不僅闡明了通常的主題(偏差、變更、自查),而且還闡明了高級管理層定期審查影響系統正常運行的所有要素的責任。
The elements of risk management referred to in section 4. reference ICH Q9; there is also an initial reference to the IT security requirements mentioned later in the document.
第 4 節中提到的風險管理要素。參考 ICH Q9;該文件還初步提到了IT 安全要求。
Almost one page is reserved for requirements specifications (section 6. User Requirements), which are often neglected in practice, and there - as in many other places in the document - reference is made to the possibility of using modern electronic tools to compile them.
第 6 節 用戶需求:幾乎有一頁內容提到需求規范(URS),他們在實踐中經常被忽視,文件還提到了使用現代電子工具編寫它們的可能性。
Section 7. deals in detail with the services of external IT companies that are widely employed today and the various requirements for their control (audit, contract, documentation), where the expected contractual regulations are mentioned with nine subsections.
第 7 節:詳細處理了當今廣泛使用的外部 IT 公司的服務及其控制(審計、合同、文件)的各種要求,其中通過九個小節提到了預期的合同法規。
A new topic is the very detailed specification under 8. for the requirements for alarms and their verification with associated documentation, for example in the batch record. A non-erasable/deactivatable record (log) with a corresponding annotation, similar to an audit trail, is expected here.
第 8 節是一個非常詳細的新的主題——報警及其確認的要求,使用相關記錄,例如在批記錄中。這要求具有相應注釋的不可擦除/不可停用的記錄(日志),類似于審計追蹤。
|
8. Alarms8. 報警 |
Qualification and validation of the computerized system (Section 9.) correspond to the regulations in the old Annex 11, but reference is made to the possibility of using an application in a limited scope even if validation has not been fully completed, provided that this is explicitly stated in the validation report.
計算機化系統的確認和驗證(第9節)與舊版附錄11中的規定相對應,但提到即使驗證尚未完全完成,也可以在有限范圍內使用該系統,但必須在驗證報告中明確說明。
|
9.8.Completion prior to use. Qualification and validation activities should be successfully completed and reported prior to approval and taking a system into use. Conditional approval to proceed to taking a system into use may be granted where certain acceptance criteria have not been met, or deviations have not been fully addressed. A condition for this is, that there is a documented assessment, that any deficiencies in the affected system functionality or Page 8 of 19 GMP processes, will not impact product quality, patient safety or data integrity. Where a conditional approval is issued, it should be explicitly stated in the validation report and there should be close follow-up on approval of outstanding actions according to plan.9.8. 使用前完成:確認和驗證活動應在批準并啟用系統之前成功完成并報告。在某些接受標準未滿足或偏差未完全解決的情況下,可有條件批準啟用系統。前提是應有書面的評估,證明受影響的系統功能或藥品GMP流程中的任何缺陷不會影響產品質量、患者安全或數據完整性。若有條件批準,應在驗證報告中明確說明,且應根據計劃密切跟進未完成行動的批準情況 。 |
The risk of manual data entry instead of electronic interfaces between systems is pointed out in section 10. This section also contains an initial reference to the encryption of critical data.
第10節指出了系統之間手動輸入數據而不是電子接口的風險。本節還包含對關鍵數據加密的初始引用。
The correct management of access to computerized systems (Section 11.) is discussed in detail in a number of subsections. In 11.3 it is outlined that system access by means of a smart card, which could be used by another person, for example, is not adequate. Requirements for secure passwords can be found in 11.5; the working group limits this to the general requirements, but does not specify a minimum length or a maximum validity period for passwords, nor for the regular verification of user accounts (11.11). The need to separate administrator rights from user rights (Segregation of Duties, SoD) is briefly discussed in 11.10.
對計算機化系統的訪問的正確管理(第 11 節)在一些小節中進行了詳細討論。11.3 中概述了通過智能卡(例如,門禁卡)進行系統訪問是不夠的,例如,智能卡(例如,門禁卡)可以被另一個人使用。安全密碼的要求可以在 11.5 中找到;工作組將此限制在一般要求范圍內,但沒有規定密碼的最短長度或最長有效期,也沒有規定用戶帳戶的定期驗證(11.11)。11.10 簡要討論了將管理員權限與用戶權限(職責分離,SoD)分開的必要性。
|
11.3.Certain identification. The method of authentication should identify users with a high degree of certainty and provide an effective protection against unauthorised access. Typically, it may involve a unique username and a password, although other methods providing at least the same level of security may be employed (e.g. biometrics). Authentication only by means of a token or a smart card is not sufficient, if this could be used by another user.11.3. 可靠識別:身份驗證方法應能高度可靠地識別用戶,并有效防止未經授權的訪問。通常,這可能涉及唯一用戶名和密碼,不過也可采用其他至少具備同等安全級別的方法(如生物識別 )。僅通過令牌或智能卡進行身份驗證是不夠的,如他們可以被其他用戶使用。 |
The fact that there was no details on the management of audit trails in the old Annex 11 has been taken into account in section 12: the requirements for the technical setup and an on-time review are clarified in ten neatly structured subsections.
第12節考慮到了舊版附錄11中沒有關于審計追蹤管理的細節這一事實:結構整齊的十個小節澄清了技術設置和及時審查的要求。
Electronic signatures are addressed in Section 13, which also uses some of the definitions listed in 21 CFR Part 11 (e.g. Open Systems) and also discusses hybrid solutions.
第 13 節涉及電子簽名,該節還使用了 21 CFR 第 11 部分中列出的一些定義(例如開放系統),并討論了混合解決方案。
The periodic reviews of the systems (Section 14), which were not included in the old Annex 11, take up a lot of space. The expectations of the periodic review are listed in twelve subsections.
對舊版附錄11中未包括的系統的定期審查(第14節)占用了大量篇幅。定期審查的要求列在十二個小節中。
It is positive that the current topic of IT security (Section 15.) is treated in detail, with clearly defined requirements for the IT infrastructure (firewalls, disaster recovery - RTO/RPO, patches, virus protection, etc.). In this context, the necessity of regular penetration tests for critical systems is also emphasized, which will unfortunately have a considerable impact on costs.
積極的是,當前的 IT 安全主題(第 15 節)得到了詳細處理,并明確定義了對 IT 基礎設施的要求(防火墻、災難恢復 - RTO/RPO、補丁、病毒防護等)。在此背景下,還強調了對關鍵系統進行定期滲透測試的必要性,不幸的是,這將對成本產生相當大的影響。
The topic of back-up can be found in section 16 with a definition of the requirements for physical and logical separation as well as regular restore tests.
備份主題可以在第 16 節中找到,其中定義了物理和邏輯分離以及定期恢復測試的要求。
It is most welcome that - as in the OECD GLP guidelines - the new Annex 11 addresses the archiving of data (Section 17.), as this was previously handled very briefly in the GMP regulations.
與OECD GLP 指南一樣,新的附錄 11 涉及數據歸檔(第 17 節),這是非常受歡迎的,因為此前在 GMP 法規中對此僅進行了非常簡短的處理。
At the end of the document there is a glossary where a large number of technical terms are explained.
在文件的末尾有一個詞匯表,其中解釋了大量技術術語。
來源:GMP辦公室
