
EU publishes concept paper for the new EU GMP Annex 11 "Computerised Systems", making audit trails an explicit mandatory requirement!

嘉峪检测网        2022-11-18 13:56

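On 16 November, the EMA published a concept paper on the revision of GMP Annex 11, Computerised Systems. The paper sets out 33 points for revising the current version of the EU GMP Annex 11 guideline "Computerised Systems", as follows:

The document will be updated to replace the relevant parts of the Q&A on Annex 11 and the Q&A on Data Integrity on the EMA GMP website.

With regard to data integrity, the new Annex 11 will include requirements for ‘data in motion’ and ‘data at rest’ (backup, archive and disposal).

An update of the document with regulatory expectations for ‘digital transformation’ and similar newer concepts will be considered.

On the adjustment of the scope: it should not only cover cases where a computerised system “replaces a manual operation”, but also cases where it replaces ‘another system or a manual process’.

The list of services should include ‘operating’ a computerised system, e.g. ‘cloud’ services.

For critical systems validated and/or operated by service providers (e.g. ‘cloud’ services), expectations should go beyond “formal agreements must exist”. Regulated users should have access to the complete documentation for validation and safe operation of the system, and be able to present it during regulatory inspections, e.g. with the help of the service provider.

The concept paper states that the term “commercial off-the-shelf products” (COTS) is not adequately defined and may easily be understood too broadly. Critical COTS products, even those used by “a broad spectrum of users”, should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection. The use of the term and the expectations for qualification, validation and safe operation of such (e.g. ‘cloud’) systems should be clarified.

The meaning of the term ‘validation’ (and ‘qualification’) needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.

The paper states that qualification and validation of computerised systems should especially challenge the critical parts of systems that are used to make GMP decisions, the parts that ensure product quality and data integrity, and the parts that have been specifically designed or customised.

The paper notes that it is not sufficiently clear what is meant by the sentence “User requirements should be traceable throughout the life-cycle”. A user requirements specification, or similar, describing all the implemented and required GMP critical functionality that has been automated and that the regulated user relies on, should be the basis for any qualification or validation of the system, whether performed by the regulated user or by the vendor. User requirements specifications should be kept updated and aligned with the implemented system throughout the system life-cycle, and there should be documented traceability between user requirements, any underlying functional specifications and test cases.

The document will include guidance on agile development processes and guidelines for the classification of critical data and critical systems.

On backup, the paper states that long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through ‘accelerated testing’). In this case, testing should not focus on whether a backup is still readable, but should validate that it will be readable for a given period.

Important expectations for backup processes are missing from the document, e.g. what is covered by a backup (e.g. data only, or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media are used for backups, and where backups are kept (e.g. physical separation).

The paper states that an audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory, not just ‘considered based on a risk assessment’. Controlling processes, or capturing, holding or transferring electronic data in such systems, without audit trail functionality is not acceptable; any grace period in this area has long expired.

The concept and purpose of audit trail review are inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, at unusual hours and by unusual users.

Guidelines for an acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. the setting of alarms in a BMS system giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.

The paper notes that many systems generate a vast amount of alarm and event data, and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to sort these.

The concept of configuration review should be added. Configuration review should not take the number of known changes on a system (upgrade history) as its starting point, but should be based on a comparison of hardware and software baselines over time. This should include an account of any differences and an evaluation of the need for re-qualification/validation.

In line with ISO 27001, the section on IT security should include a focus on system and data confidentiality, integrity and availability.

It should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a ‘pass card’ might not be sufficient, as it could have been dropped and later found by anyone.

System accesses and roles should be reviewed regularly to ensure that forgotten and undesired accesses are removed.

As industry is already implementing this technology, there is an urgent need for regulatory guidance and expectations on the use of artificial intelligence (AI) and machine learning (ML) models in critical GMP applications. The primary focus should be on the relevance, adequacy and integrity of the data used to test these models, and on the results (metrics) from such testing, rather than on the process of selecting, training and optimising the models.

The guideline will take aspects of Computer Software Assurance (CSA) into consideration.

The original text follows: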

 

Concept Paper on the revision of Annex 11 of the guidelines on Good Manufacturing Practice for medicinal products – Computerised Systems

 


This concept paper addresses the need to update Annex 11, Computerised Systems, of the Good Manufacturing Practice (GMP) guide. Annex 11 is common to the member states of the European Union (EU)/European Economic Area (EEA) as well as to the participating authorities of the Pharmaceutical Inspection Co-operation Scheme (PIC/S). The current version was issued in 2011 and does not give sufficient guidance within a number of areas. Since then, there has been extensive progress in the use of new technologies.

 


Reasons for the revision of Annex 11 include, but are not limited to the following (in non-prioritised order and with references to existing sections in sharp brackets). More improvements may prove to be necessary as inputs will be received by the drafting group:

 


1. [New] The document should be updated to replace relevant parts of the Q&A on Annex 11 and the Q&A on Data Integrity on the EMA GMP website.

 


2. [New] With regards to data integrity, Annex 11 will include requirements for ‘data in motion’ and ‘data at rest’ (backup, archive and disposal). Configuration hardening and integrated controls are expected to support and safeguard data integrity; technical solutions and automation are preferable instead of manual controls.

 


3. [New] An update of the document with regulatory expectations to ‘digital transformation’ and similar newer concepts will be considered.

 


4. [Principle] The scope should not only cover where a computerised system “replaces of a manual operation”, but rather, where it replaces ‘another system or a manual process’.

 


5. [1] References should be made to ICH Q9.

 


6. [3.1] The list of services should include to ‘operate’ a computerised system, e.g. ‘cloud’ services.

 


7. [3.1] For critical systems validated and/or operated by service providers (e.g. ‘cloud’ services), expectations should go beyond that “formal agreements must exist”. Regulated users should have access to the complete documentation for validation and safe operation of a system and be able to present this during regulatory inspections, e.g. with the help of the service provider. (See also Notice to sponsors and Q&A #9 on the EMA GCP website and Q&A on the EMA GVP website)

 


8. [3.3] Despite being mentioned in the Glossary, the term “commercial off-the-shelf products” (COTS) is not adequately defined and may easily be understood too broadly. Critical COTS products, even those used by “a broad spectrum of users” should be qualified by the vendor or by the regulated user, and the documentation for this should be available for inspection. The use of the term and the expectation for qualification, validation and safe operation of such (e.g. ‘cloud’) systems should be clarified.

 


9. [4.1] The meaning of the term ‘validation’ (and ‘qualification’), needs to be clarified. It should be emphasised that both activities consist of a verification of required and specified functionality as described in user requirements specifications (URS) or similar.

 


10. [4.1] Following a risk-based approach, system qualification and validation should especially challenge critical parts of systems which are used to make GMP decisions, parts which ensure product quality and data integrity and parts, which have been specifically designed or customised.

 


11. [4.4] It is not sufficiently clear what is implied by the sentence saying “User requirements should be traceable throughout the life-cycle”. A user requirements specification, or similar, describing all the implemented and required GMP critical functionality which has been automated, and which the regulated user is relying on, should be the very basis for any qualification or validation of the system, whether performed by the regulated user or by the vendor. User requirements specifications should be kept updated and aligned with the implemented system throughout the system life-cycle and there should be a documented traceability between user requirements, any underlying functional specifications and test cases.

 


12. [4.5] It should be acknowledged and addressed that software development today very often follows agile development processes, and criteria for accepting such products and corresponding documentation, which may not consist of traditional documents, should be clarified.

 


13. [6] Guidelines should be included for classification of critical data and critical systems.

 


14. [7.1] Systems, networks and infrastructure should protect the integrity of GMP processes and data. Examples should be included of measures, both physical and electronic, required to protect data against both intentional and unintentional loss of data integrity.

 


15. [7.2] Testing of the ability to restore system data (and if not otherwise easily recreated, the system itself) from backup is critically important, but the required periodic check of this ability, even if no changes have been made to the backup or restore processes, is not regarded necessary. Long-term backup (or archival) to volatile media should be based on a validated procedure (e.g. through ‘accelerated testing’). In this case, testing should not focus on whether a backup is still readable, but rather, validating that it will be readable for a given period.

 


16. [7.2] Important expectations to backup processes are missing, e.g. to what is covered by a backup (e.g. data only or data and application), what types of backups are made (e.g. incremental or complete), how often backups are made (all types), how long backups are retained, which media is used for backups, and where backups are kept (e.g. physical separation).

 


17. [8] The section should include an expectation to be able to obtain data in electronic format including the complete audit trail. The requirement to be able to print data may be reconsidered.

 


18. [9] An audit trail functionality which automatically logs all manual interactions on GMP critical systems, where users, data or settings can be manually changed, should be regarded as mandatory; not just ‘considered based on a risk assessment’. Controlling processes or capturing, holding or transferring electronic data in such systems without audit trail functionality is not acceptable; any grace period within this area has long expired.

 


19. [9] The audit trail should positively identify the user who made a change, it should give a full account of what was changed, i.e. both the new and all old values should be clearly visible, it should include the full time and date when the change was made, and for all other changes except where a value is entered in an empty field or where this is completely obvious, the user should be prompted for the reason or rationale for why the change was made.

 


20. [9] It should not be possible to edit audit trail data or to deactivate the audit trail functionality for normal or privileged users working on the system. If these functionalities are available, they should only be accessible for system administrators who should not be involved in GMP production or in day-to-day work on the system (see ‘segregation of duties’).

 


21. [9] The concept and purpose of audit trail review is inadequately described. The process should focus on a review of the integrity of manual changes made on a system, e.g. a verification of the reason for changes and whether changes have been made on unusual dates, hours and by unusual users.

 


22. [9] Guidelines for acceptable frequency of audit trail review should be provided. For audit trails on critical parameters, e.g. setting of alarms in a BMS systems giving alarms on differential pressure in connection with aseptic filling, audit trail reviews should be part of batch release, following a risk-based approach.

 


23. [9] Audit trail functionalities should capture data entries with sufficient detail and in true time, in order to give a full and accurate picture of events. If e.g. a system notifies a regulated user of inconsistencies in a data input, by writing an error message, and the user subsequently changes the input, which makes the notification disappear; the full set of events should be captured.

 


24. [9] It should be addressed that many systems generate a vast amount of alarms and event data and that these are often mixed up with audit trail entries. While alarms and events may require their own logs, acknowledgements and reviews, this should not be confused with an audit trail review of manual system interactions. Hence, as a minimum, it should be possible to be able to sort these.
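
An added example, not part of the concept paper: a minimal audit trail review that applies items 19, 21 and 24 to a constructed log export. The record layout, the operator roster and the working hours are assumptions made for the illustration.

```python
from datetime import datetime

# Constructed sample export in which alarms and events share one stream with
# audit trail entries. Field names and values are assumptions for this example.
LOG = [
    {"kind": "alarm", "ts": "2022-11-14T09:02:11", "text": "DP low, room A"},
    {"kind": "audit", "ts": "2022-11-14T10:15:00", "user": "op_lee",
     "field": "dp_alarm_limit", "old": "12.5", "new": "10.0", "reason": "QA"},
    {"kind": "audit", "ts": "2022-11-19T23:40:05", "user": "svc_maint",
     "field": "dp_alarm_limit", "old": "10.0", "new": "5.0", "reason": ""},
    {"kind": "event", "ts": "2022-11-19T23:41:00", "text": "Recipe loaded"},
    {"kind": "audit", "ts": "2022-11-15T08:30:00", "user": "op_lee",
     "field": "batch_comment", "old": "", "new": "Line cleared", "reason": ""},
    {"kind": "audit", "ts": "2022-11-15T11:00:00", "user": "",
     "field": "mixer_speed", "old": "40", "new": "45", "reason": "Trial run"},
]
USUAL_USERS = {"op_lee", "op_kim"}  # assumed roster of day-to-day operators
WORK_HOURS = range(6, 20)           # assumed normal shift, 06:00 to 19:59


def split_stream(log):
    """Item 24: separate manual interactions from alarms and events."""
    audit = [e for e in log if e["kind"] == "audit"]
    return audit, [e for e in log if e["kind"] != "audit"]


def review_entry(entry):
    """Return the review findings for one audit trail entry (empty if none)."""
    findings = []
    if not entry["user"]:
        findings.append("no user identified")
    # Item 19: a reason is expected unless a value was entered in an empty field.
    if entry["old"] and not entry["reason"].strip():
        findings.append("change without reason")
    ts = datetime.fromisoformat(entry["ts"])
    # Item 21: changes on unusual dates, at unusual hours, by unusual users.
    if ts.weekday() >= 5:
        findings.append("weekend change")
    if ts.hour not in WORK_HOURS:
        findings.append("outside working hours")
    if entry["user"] and entry["user"] not in USUAL_USERS:
        findings.append("unusual user")
    return findings


def review(log):
    """Map (timestamp, field) to findings for each entry needing follow-up."""
    audit, _ = split_stream(log)
    return {(e["ts"], e["field"]): f for e in audit if (f := review_entry(e))}


if __name__ == "__main__":
    for key, findings in review(LOG).items():
        print(key, "->", ", ".join(findings))
```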

 


25. [11] The concept of configuration review should be added. Instead of taking onset in the number of known changes on a system (upgrade history), it should be based on a comparison of hardware and software baselines over time. This should include an account for any differences and an evaluation of the need for re-qualification/validation.
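
An added example, not part of the concept paper: a configuration review in the sense of item 25 that compares two baselines directly, accounts for each difference against documented change records, and marks where re-qualification needs evaluating. Component names, versions, change record ids and the rule used for the evaluation flag are assumptions.

```python
# Constructed baselines: component -> version, captured at two review dates.
# Names, versions and change records below are assumptions for this example.
BASELINE_OLD = {"os_build": "10.0.1", "scada_app": "7.2.1",
                "plc_firmware": "3.0.4", "report_tool": "2.1"}
BASELINE_NEW = {"os_build": "10.0.1", "scada_app": "7.3.0",
                "plc_firmware": "3.0.5", "report_tool": "2.2",
                "remote_agent": "1.0"}
CHANGE_RECORDS = [  # the documented upgrade history
    {"id": "CR-A", "component": "scada_app", "to": "7.3.0"},
    {"id": "CR-B", "component": "report_tool", "to": "2.2"},
]
GMP_CRITICAL = {"scada_app", "plc_firmware"}  # assumed classification


def diff_baselines(old, new):
    """Return {component: (old_version, new_version)} for every difference."""
    diff = {}
    for name in sorted(old.keys() | new.keys()):
        if old.get(name) != new.get(name):
            diff[name] = (old.get(name), new.get(name))
    return diff


def configuration_review(old, new, change_records, critical):
    """Account for each baseline difference and flag what needs evaluating.

    Assumed rule: evaluate re-qualification when a difference has no
    matching change record or touches a GMP critical component.
    """
    documented = {(c["component"], c["to"]): c["id"] for c in change_records}
    rows = []
    for name, (before, after) in diff_baselines(old, new).items():
        record = documented.get((name, after))
        rows.append({
            "component": name, "from": before, "to": after,
            "change_record": record,
            "evaluate_requalification": record is None or name in critical,
        })
    return rows


if __name__ == "__main__":
    for row in configuration_review(BASELINE_OLD, BASELINE_NEW,
                                    CHANGE_RECORDS, GMP_CRITICAL):
        print(row)
```

The firmware change and the new remote agent appear only because the baselines themselves are compared; neither is in the upgrade history.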

 


26. [12.1] The current section has only focus on restricting system access to authorised individuals; however, there are other important topics. In line with ISO 27001, a section on IT security should include a focus on system and data confidentiality, integrity and availability.

 


27. [12.1] The current version says that “Physical and/or logical controls should be in place to restrict access to computerised system to authorised persons”. However, it is necessary to be more specific and to name some of the expected controls, e.g. multi-factor authentication, firewalls, platform management, security patching, virus scanning and intrusion detection/prevention.

 


28. [12.1] It should be specified that authentication on critical systems should identify the regulated user with a high degree of certainty. Therefore, authentication only by means of a ‘pass card’ might not be sufficient, as it could have been dropped and later found by anyone.

 


29. [12.1] Two important expectations for allocation of system accesses should be added either here or elsewhere; i.e. ‘segregation of duties’, that day-to-day users of a system do not have admin rights, and the ‘least privilege principle’, that users of a system do not have higher access rights than what is necessary for their job function.

 


30. [12.3] The current version says that “Creation, change, and cancellation of access authorisations should be recorded”. However, it is necessary to go further than just recording who has access to a system. Systems accesses and roles should be continually managed as people assume and leave positions. System accesses and roles should be subject to recurrent reviews in order to ensure that forgotten and undesired accesses are removed.

 


31. [17] As previously mentioned (see 7.2), it is not sufficient to re-actively check archived data for accessibility, readability and integrity (it would be too late to find out if these parameters were not maintained). Instead, archival should rely on a validated process. Depending on the storage media used, it might be necessary to validate that the media can be read after a certain period.

 


32. [New] There is an urgent need for regulatory guidance and expectations to the use of artificial intelligence (AI) and machine learning (ML) models in critical GMP applications as industry is already implementing this technology. The primary focus should be on the relevance, adequacy and integrity of the data used to test these models with, and on the results (metrics) from such testing, rather than on the process of selecting, training and optimising the models.

 


33. [New] After this concept paper has been drafted and prepared for approval of the EMA GMP/GDP Inspectors Working Group and the PIC/S Sub-committee on GMDP Harmonisation, the FDA has released a draft guidance on Computer Software Assurance for Production and Quality System Software (CSA). This guidance and any implication will be considered with regards to aspects of potential regulatory relevance for GMP Annex 11.

 



Source: GMP办公室