自2025年7月7日起，EMA 网站上发布了3份新的指南草案——EU GMP 指南附录 11“计算机化系统”、附录 22“人工智能”和第4 章“文件记录”，业界可以在 2025 年 10 月 7 日之前对其发表意见。这些文件由 EMA GMP/GDP 检查员工作组与PIC/S 共同起草，将于 2026 年作为最终版本发布。

新版附录11 计算机化系统 草案

自2022年发布新版EU GMP附录11 概念文件后，新发布的EU GMP附录 11草案对计算机化系统新法规的预期范围提供了初步见解，已经可以预期重大创新。在丹麦检查员 Ib Alstrup 的领导下，国际工作组考虑了 IT 领域现代技术的发展，并完善了许多不明确的问题。

The pharmaceutical quality management system mentioned in section 3. clarifies not only the usual topics (deviations, changes, self-inspections) but also the responsibility of senior management to regularly review all elements that influence the proper operation of the system.

第 3 节中提到的药品质量管理体系。不仅阐明了通常的主题（偏差、变更、自查），而且还阐明了高级管理层定期审查影响系统正常运行的所有要素的责任。

The elements of risk management referred to in section 4. reference ICH Q9; there is also an initial reference to the IT security requirements mentioned later in the document.

第 4 节中提到的风险管理要素。参考 ICH Q9；该文件还初步提到了IT 安全要求。

Almost one page is reserved for requirements specifications  (section 6. User Requirements), which are often neglected in practice, and there - as in many other places in the document - reference is made to the      possibility of using modern electronic tools to compile them.

第 6 节 用户需求：几乎有一页内容提到需求规范（URS），他们在实践中经常被忽视，文件还提到了使用现代电子工具编写它们的可能性。

Section 7. deals in detail with the services of external IT companies that are widely employed today and the various requirements for their control (audit, contract, documentation), where the expected contractual regulations are mentioned with nine subsections.

第 7 节：详细处理了当今广泛使用的外部 IT 公司的服务及其控制（审计、合同、文件）的各种要求，其中通过九个小节提到了预期的合同法规。

A new topic is the very detailed specification under 8. for the requirements for alarms and their verification with associated documentation, for example in the batch record. A non-erasable/deactivatable record (log) with a corresponding annotation, similar to an audit trail, is expected here.

第 8 节是一个非常详细的新的主题——报警及其确认的要求，使用相关记录，例如在批记录中。这要求具有相应注释的不可擦除/不可停用的记录（日志），类似于审计追踪。

Qualification and validation of the computerized system (Section 9.) correspond to the regulations in the old Annex 11, but reference is made to the possibility of using an application in a limited scope even if validation has not been fully completed, provided that this is explicitly stated in the validation report.

计算机化系统的确认和验证（第9节）与旧版附录11中的规定相对应，但提到即使验证尚未完全完成，也可以在有限范围内使用该系统，但必须在验证报告中明确说明。

The risk of manual data entry instead of electronic interfaces between systems is pointed out in section 10. This section also contains an initial reference to the encryption of critical data.

第10节指出了系统之间手动输入数据而不是电子接口的风险。本节还包含对关键数据加密的初始引用。

The correct management of access to computerized systems (Section 11.) is discussed in detail in a number of subsections. In 11.3 it is outlined that system access by means of a smart card, which could be used by another person, for example, is not adequate. Requirements for secure passwords can be found in 11.5; the working group limits this to the general requirements, but does not specify a minimum length or a maximum validity period for passwords, nor for the regular verification of user accounts (11.11). The need to separate administrator rights from user rights (Segregation of Duties, SoD) is briefly discussed in 11.10.

对计算机化系统的访问的正确管理（第 11 节）在一些小节中进行了详细讨论。11.3 中概述了通过智能卡（例如，门禁卡）进行系统访问是不够的，例如，智能卡（例如，门禁卡）可以被另一个人使用。安全密码的要求可以在 11.5 中找到;工作组将此限制在一般要求范围内，但没有规定密码的最短长度或最长有效期，也没有规定用户帐户的定期验证（11.11）。11.10 简要讨论了将管理员权限与用户权限（职责分离，SoD）分开的必要性。

The fact that there was no details on the management of audit trails in the old Annex 11 has been taken into account in section 12: the requirements for the technical setup and an on-time review are clarified in ten neatly structured subsections.

第12节考虑到了旧版附录11中没有关于审计追踪管理的细节这一事实：结构整齐的十个小节澄清了技术设置和及时审查的要求。

Electronic signatures are addressed in Section 13, which also uses some of the definitions listed in 21 CFR Part 11 (e.g. Open Systems) and also discusses hybrid solutions.

第 13 节涉及电子签名，该节还使用了 21 CFR 第 11 部分中列出的一些定义（例如开放系统），并讨论了混合解决方案。

The periodic reviews of the systems (Section 14), which were not included in the old Annex 11, take up a lot of space. The expectations      of the periodic review are listed in twelve subsections.

对旧版附录11中未包括的系统的定期审查（第14节）占用了大量篇幅。定期审查的要求列在十二个小节中。

It is positive that the current topic of IT security (Section 15.) is treated in detail, with clearly defined requirements for the IT infrastructure (firewalls, disaster recovery - RTO/RPO, patches, virus protection, etc.). In this context, the necessity of regular penetration tests for critical systems is also emphasized, which will unfortunately have a considerable impact on costs.

积极的是，当前的 IT 安全主题（第 15 节）得到了详细处理，并明确定义了对 IT 基础设施的要求（防火墙、灾难恢复 - RTO/RPO、补丁、病毒防护等）。在此背景下，还强调了对关键系统进行定期渗透测试的必要性，不幸的是，这将对成本产生相当大的影响。

The topic of back-up can be found in section 16 with a definition of the requirements for physical and logical separation as well as regular restore tests.

备份主题可以在第 16 节中找到，其中定义了物理和逻辑分离以及定期恢复测试的要求。

It is most welcome that - as in the OECD GLP guidelines - the new Annex 11 addresses the archiving of data (Section 17.), as this was previously handled very briefly in the GMP regulations.

与OECD GLP 指南一样，新的附录 11 涉及数据归档（第 17 节），这是非常受欢迎的，因为此前在 GMP 法规中对此仅进行了非常简短的处理。

At the end of the document there is a glossary where a large number of technical terms are explained.

在文件的末尾有一个词汇表，其中解释了大量技术术语。