Q1. Audit Trail Review required before Each Batch Release?
是否需要在每批放行前审核审计追踪?
A1. The requirements for the Audit Trail and its review are formulated in Annex 11 of the EU GMP Guidelines: 9 Audit Trails: "Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed". The reason for the change or deletion of GMP-relevant data should be documented. Audit Trails must be available, convertible into a generally readable form and regularly reviewed.
EU GMP 指南附录 11 中规定了审计追踪及其审核的要求(第 9 条 “审计追踪”):“应基于风险评估,考虑在系统中建立所有与 GMP 相关的变更和删除的记录(系统生成的‘审计追踪’)。对于与 GMP 相关数据的变更或删除,应记录原因。审计追踪需可供查阅、可转换为通用可理解的形式,并且定期审核。” 与 GMP 相关数据变更或删除的原因应予以记录。审计追踪必须可供查阅、可转换为通用可读形式,并且定期审核。
If one first looks at the information provided by the legal basis of EU-GMP Annex 11 Section 9 Audit Trails, there are no concrete instructions as to when an Audit Trail is to be reviewed. Here, you can only find the specification concerning the regular examination: "Audit Trails must be available, convertible into a generally readable form and checked regularly".
如果首先查看EU GMP 附录 11 第 9 条 “审计追踪” 的法律依据所提供的信息,其中并未就审计追踪应于何时审核给出具体指示。在此处,你只能找到有关定期检查的规范:“审计追踪必须可供查阅、可转换为通用可读形式,并且定期检查。”
The EU GMP Annex 11 Section 8 "Printouts" is much more concrete: "8.2 - For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry."
EU GMP 附录 11 第 8 条 “打印输出” 则具体得多:“8.2 - 对于支持批次放行的记录,应能够生成打印输出,以表明自原始录入以来是否有任何数据发生过变更。”
Conclusion:This clearly addresses the documentation related to lot release and involves modified data. This can only mean that an Audit Trail check of the data to be seen in connection with the batch release must also be checked before the release.
结论:这明确涉及与批次放行相关的文件记录,并且涉及经修改的数据。这只能意味着,与批次放行相关联的数据的审计追踪审查也必须在放行前进行。
Although the PIC/S document PI 041 GOOD PRACTICES FOR DATA MANAGEMENT AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS doesn't constitute a legal basis, it can be assumed that inspectors worldwide will follow the provisions and requirements of this guidance. Here, it is again confirmed that all Audit Trails to be seen in connection with batch release must also be reviewed before release: "9.4 Audit trails for computerised systems: Critical audit trails related to each operation should be independently reviewed with all other records related to the operation and prior to the review of the completion of the operation, e.g. prior to batch release, so as to ensure that critical data and changes to it are acceptable."
尽管 PIC/S 文件 PI 041《受管制的 GMP/GDP 环境中数据管理和完整性的良好实践》并不构成法律依据,但可以推测,全球的检查员都会遵循该指南的规定和要求。在此处,再次确认了所有与批次放行相关联的审计追踪都必须在放行前进行审核:“9.4 计算机化系统的审计追踪:与每项操作相关的关键审计追踪应与该操作的所有其他记录一起,在对操作完成情况进行审核之前(例如,在批次放行之前)进行独立审核,以确保关键数据及其变更均可接受。”
遗留系统整改
Q1. Most of the equipment in QC is 'off the shelf' and preconfigured. The audit trail cannot be adjusted or is preconfigured. How should this be handled?
QC大多数设备为 “现成产品” 且已预先配置。审计追踪无法调整或已预先配置。应当如何处理这种情况?
A1. If the audit trail cannot be configured, a risk assessment must first be carried out to check whether it covers all the essential requirements for this device. If this is not the case, another supplier should be chosen whose audit trail meets the requirements. If this is not possible, the only solution is to manually log the uncovered actions in a logbook and a corresponding SOP.
若审计追踪无法配置,则必须首先开展风险评估,核查该设备是否符合所有必要的要求。如不符合,应选择另一个符合审计追踪要求的供应商。若无法实现,唯一的解决方案是在手动在日志中记录未涵盖的操作,并制定相应的SOP。
Q2. How to handle Legacy Systems if no audit trail is available or a "user login" is not possible?
若遗留系统既无审计追踪可用,也无法实现 “用户登录”,应如何处理?
A2. First of all, it can be deduced from the contents of the EU GMP Guidelines Annex 11 that an audit trail in connection with GMP-relevant data and their modification should be available in a computerised system. If this functionality was not yet available at the time the system was purchased, it should first be checked whether an update with the audit trail functionality is now available for this system. If this is not the case, an appropriate alternative should be introduced. EU GMP Annex 11 does not describe what this alternative should look like.
首先,从EU GMP 指南附录 11 的内容可推知,与 GMP 相关数据及其修改相关的审计追踪,应在计算机化系统中可用。若该系统采购时此功能尚未具备,则应首先检查当前是否有针对该系统的、含审计追踪功能的更新。若不存在此类更新,则应引入适当的替代方案。EU GMP 附录 11 未阐述该替代方案应具备何种形式。
Possible solution:One possibility would be to use handwritten audit trail logbooks. This alternative is also proposed by the PIC/S document PI 041 GOOD PRACTICES FOR DATA MANAGEMENT AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS:
可能的解决方案:一种可能性是使用手写的审计追踪日志。PIC/S 文件 PI 041《受监管的 GMP/GDP 环境中数据管理和完整性的良好实践》也提出了这种替代方案:
9.4 Audit trails for computerised systems:If no electronic audit trail system exists a paper based record to demonstrate changes to data may be acceptable until a fully audit trailed (integrated system or independent audit software using a validated interface) system becomes available. These hybrid systems are permitted, where they achieve equivalence to integrated audit trail, such as described in Annex 11 of the PIC/S GMP Guide.
9.4 计算机化系统的审计追踪:若不存在电子审计追踪系统,则在具备完整审计追踪功能(集成系统或使用经验证接口的独立审计软件)的系统可用之前,用以证明数据变更的纸质记录可能是可接受的。若这些混合系统能达到与集成审计追踪等效的效果(如 PIC/S GMP 指南附录 11 中所述),则允许使用。
Q3. Does the audit trail have to be printable?
审计追踪必须可打印吗?
A3. Everything must always be printable.
所有内容必须始终可打印。
EU GMP附录11计算机化系统 第8章:
8.1 It should be possible to obtain clear printed copies of electronically stored data.
应该能够获取电子存储数据的清晰打印副本。
8.2 For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry.
对于用以支持批放行的记录,应可以生成打印输出,表明自原始条目以来是否有任何数据被更改。
国家药监局-《药品记录与数据管理要求》:
第二十一条 采用电子记录的计算机(化)系统至少应当满足以下功能要求:
(一)保证记录时间与系统时间的真实性、准确性和一致性;
(二)能够显示电子记录的所有数据,生成的数据可以阅读并能够打印;
(三)系统生成的数据应当定期备份,备份与恢复流程必须经过验证,数据的备份与删除应有相应记录;
(四)系统变更、升级或退役,应当采取措施保证原系统数据在规定的保存期限内能够进行查阅与追溯。
检查缺陷
Deficiencies related to the audit trail found during inspections:
检查中发现的与审计追踪相关的缺陷:
A staff member in a quality control laboratory has the rights of a system administrator. For example, he/she was able to make undetectable changes to the audit trail during self-performed analyses or to turn the audit trail on or off.
质量控制实验室的一名员工拥有系统管理员权限。例如,其在自行开展分析期间,能够对审计追踪进行无法察觉的修改,或开启 / 关闭审计追踪功能。
There was no described action to be taken if problems were found during the audit trail review.
对于审计追踪审核过程中发现问题时应采取的行动,未作明确规定。
There was no clear policy on who is allowed to disable the audit trail functionality of system XYZ and how this should be documented.
对于何人有权禁用系统 XYZ 的审计追踪功能,以及该操作应如何记录,未制定清晰政策。
A HPLC station was used in the laboratory to determine the API content of a tablet. The batch release is done without review of relevant audit trail data. Entries in the audit trail could indicate a deviation; the QP should be aware of this deviation prior to release.
实验室使用某高效液相色谱(HPLC)工作站测定片剂的活性药物成分(API)含量,但批次放行时未审核相关审计追踪数据。审计追踪中的记录可能揭示偏差,质量受权人(QP)应在放行前知晓该偏差。
There is no documented guidance and instructions on how to handle the audit trail.
对于如何处置审计追踪,未制定书面指导文件及操作规范。
