EuropeanMedicinesAgencyQ欧洲药品管理局问答数据完整性

1、European Medicines Agency Q&A on Data Integrity欧洲药品管理局问答数据完整性Data integrity数据的完整性Data integrity enables good decision-making by pharmaceutical manufacturers and regulatory authorities.It is a fundamental requirement of the pharmaceutical quality system described in EU GMP chapter 1, applying equ

2、ally to manual (paper) and electronic systems.数据完整性由药品生产企业和监管部门提供良好的决策。这是在欧盟GMP 1章所述的制药质量体系的基本要求，平等地应用手册（纸）和电子系统。Promotion of a quality culture together with implementation of organisational and technical measures which ensure data integrity is the responsibility of senior management. It requires pa

3、rticipation and commitment by staff at all levels within the company, by the companys suppliers and by its distributors.促进质量文化与组织和技术措施，确保数据的完整性是高级管理人员的责任。它需要在公司内的各级员工的参与和承诺，由公司的供应商和其分销商。Senior management should ensure that data integrity risk is assessed, mitigated and communicated in accordance wit

4、h the principles of quality risk management. The effort and resource assigned to data integrity measures should be commensurate with the risk to product quality, and balanced with other quality assurance resource demands. Where long term measures are identified in order to achieve the desired state

5、of control, interim measures should be implemented to mitigate risk, and should be monitored for effectiveness.高级管理人员应确保数据完整性风险评估，减轻和沟通，按照质量风险管理的原则。分配给数据完整性措施的努力和资源应与产品质量的风险相适应，并与其他质量保证资源的需求相平衡。确定长期措施，以达到所需的控制状态，应实施临时措施，以减轻风险，并应进行监测的有效性。The following questions and answers describe foundational princ

6、iples which facilitate successful implementation of existing guidance published by regulatory authorities participating in the PIC/S scheme. It should be read in conjunction with national guidance, medicines legislation and the GMP standards published in Eudralex volume 4 .下面的问题和答案描述的基本原则，有助于成功实施现有的

7、指导意见公布的监管当局参与的照片/ s计划。它应该与国家指导一起读，药品立法和出版4卷eudralex GMP标准。The importance of data integrity to quality assurance and public health protection should be included in personnel training programmes.数据完整性对质量保证和公共卫生保护的重要性应包括在人员培训计划中。WHO - Annex 5: guidance on good data and record management practices谁-附件5：

8、良好的数据和记录管理实践的指导1. How can data risk be assessed?1。如何评估数据风险？Data risk assessment should consider the vulnerability of data to involuntary or deliberate amendment, deletion or recreation. Control measures which prevent unauthorised activity and increase visibility / detectability can be used as risk m

9、itigating actions.数据风险评估应考虑数据的脆弱性，故意或故意的修正案，删除或娱乐。控制措施，防止未经授权的活动，提高知名度/检测可作为风险控制措施。Examples of factors which can increase risk of data integrity failure include complex, inconsistent processes with open-ended and subjective outcomes. Simple tasks which are consistent, well-defined and objective lead

10、 to reduced risk.可以增加数据完整性失败的风险的因素的例子包括复杂的，不一致的过程与开放式和主观的结果。简单的任务是一致的，明确的和客观的导致降低的风险。Risk assessment should include a business process focus (e.g. production, QC) and not just consider IT system functionality or complexity. Factors to consider include:风险评估应包括一个业务流程的重点（例如，生产，QC），而不是只考虑它的系统功能或复杂性。考虑的因

11、素包括：Process complexity过程的复杂性Process consistency, degree of automation /human interface过程一致性，自动化程度/人机界面Subjectivity of outcome / result结果/结果的主观性Is the process open-ended or well defined是开放式的或定义良好的过程This ensures that manual interfaces with IT systems are considered in the risk assessment process. Comp

12、uterised system validation in isolation may not result in low data integrity risk, in particular when the user is able to influence the reporting of data from the validated system.这确保了在风险评估过程中，被认为是与信息系统的手动接口。孤立的计算机系统验证不可能导致低数据完整性的风险，特别是当用户能够影响从验证系统数据报告。2. How can data criticality be assessed?2。数据临界性

13、如何评估？The decision which data influences may differ in importance, and the impact of the data to a decision may also vary. Points to consider regarding data criticality include:数据影响的决定可能会有所不同的重要性，以及数据对一个决定的影响也可能会有所不同。考虑数据关键性的要点包括：What decision does the data influence?数据影响什么样的决策？For example: when maki

14、ng a batch release decision, data which determines compliance with critical quality attributes is of greater importance than warehouse cleaning records.例如：在做一个批处理发布决定时，确定与关键质量属性的符合性的数据比仓库清洁记录更重要。What is the impact of the data to product quality or safety?数据对产品质量或安全的影响是什么？For example: for an oral tab

15、let, active substance assay data is of greater impact to product quality and safety than tablet dimensions data.例如：对于一个口服片剂，活性物质检测数据对产品质量和安全性的影响比片剂尺寸的数据更大。3. What does Data Lifecycle refer to?三.“数据生命周期”指的是什么？Data lifecycle refers to how data is generated, processed, reported, checked, used for decis

16、ion-making, stored and finally discarded at the end of the retention period.“数据生命周期”是指数据是如何产生、处理、报告、检查的，用于决策、存储和最后在保留期结束时丢弃的。Data relating to a product or process may cross various boundaries within the lifecycle, for example:关于一个产品或过程的数据可能会在生命周期内跨越各种界限，例如：IT systemsIT系统oQuality system applications质

17、量体系应用oProductiono生产oAnalytical分析oStock management systems库存管理系统oData storage (back-up and archival)数据存储（备份和归档）Organisational组织oInternal (e.g. between production, QC and QA)内部（如生产，QC和质量保证）oExternal (e.g. between contract givers and acceptors)外部（如外包方和承包方之间）oCloud-based applications and storage基于云的应用和存

18、储4. Why is Data lifecycle management important to ensure effective data integrity measures?4。为什么“数据生命周期”管理很重要，以确保有效的数据完整性的措施？Data integrity can be affected at any stage in the lifecycle. It is therefore important to understand the lifecycle elements for each type of data or record, and ensure contro

19、ls which are proportionate to data criticality and risk at all stages.数据完整性可以在生命周期的任何阶段受到影响。因此，重要的是要了解每种类型的数据或记录的生命周期元素，并确保控制，这是成比例的数据临界性和风险在所有阶段。5. What should be considered when reviewing the Data lifecycle?5。审查“数据生命周期”时应该考虑的是什么？The Data lifecycle refers to the:“数据生命周期”是指：Generation and recording

20、of data数据的生成和记录Processing into usable information处理成可用的信息Checking the completeness and accuracy of reported data and processed information检查报告数据和处理信息的完整性和准确性Data (or results) are used to make a decision数据（或结果）被用来做决定Retaining and retrieval of data which protects it from loss or unauthorised amendment

21、保留和数据可以保护它免受损失或未经授权的修改检索Retiring or disposal of data in a controlled manner at the end of its life在其生命结束时以一种可控的方式退休或处置数据Data Lifecycle reviews are applicable to both paper and electronic records, although control measures may be applied differently. In the case of computerised systems, the data life

22、cycle review should be performed by business process owners (e.g. production, QC) in collaboration with IT personnel who understand the system architecture. The description of computerised systems required by EU GMP Annex 11 paragraph 4.3 can assist this review. The application of critical thinking

23、skills is important to not only identify gaps in data governance, but to also challenge the effectiveness of the procedural and systematic controls in place.“数据生命周期”的评论是适用于纸质和电子记录，虽然控制措施可能会不同的应用。在计算机系统的情况下，“数据生命周期的审查应该由业主进行业务流程（如生产、QC）与IT人员了解系统架构的合作。计算机系统通过欧盟GMP附件11第4.3段所需的描述可以帮助审查。批判性思维技能的应用是重要的，不仅

24、要确定数据治理的差距，但也挑战了程序和系统的控制的有效性。Segregation of duties between data lifecycle stages provides safeguards against data integrity failure by reducing the opportunity for an individual to alter, mis-represent or falsify data without detection.数据生命周期阶段之间的职责分离减少一个人改变的机会提供了对数据完整性破坏的保护措施，管理代表或伪造数据而不检测。Data ris

25、k should be considered at each stage of the data lifecycle review.数据生命周期评审中的每一个阶段都应考虑数据风险。6. Data lifecycle: What risks should be considered when assessing the generating and recording of data?6。“数据生命周期”：在评估数据的产生和记录时，应该考虑什么样的风险？The following aspects should be considered when determining risk and con

26、trol measures:确定风险和控制措施时，应考虑以下几个方面：How and where is original data created (i.e. paper or electronic)如何和哪里是原始数据（即纸质或电子版）What metadata is associated with the data, to ensure a complete, accurate and traceable record, taking into account ALCOA principles. Does the record permit the reconstruction of th

27、e activity什么元数据与数据相关联，确保完整、准确、可追溯的记录，考虑到美铝原则。记录允许活动的重建Where is the data and metadata located在哪里是数据和元数据Does the system require that data is saved to permanent memory at the time of recording, or is it held in a temporary buffer该系统要求数据在记录时保存到永久性存储器，或者它在一个临时缓冲区中保存In the case of some computerised analyt

28、ical and manufacturing equipment, data may be stored as a temporary local file prior to transfer to a permanent storage location (e.g. server). During the period of temporary storage, there is often limited audit trail provision amending, deleting or recreating data. This is a data integrity risk. R

29、emoving the use of temporary memory (or reducing the time period that data is stored in temporary memory) reduces the risk of undetected data manipulation.在一些计算机分析和制造设备的情况下，数据可以被存储为一个本地临时文件转移到一个永久性的存储位置之前（如服务器）。临时存储期间的期间，经常有有限的审计线索提供修改、删除或重新创建数据。这是一个数据完整性风险。删除临时内存的使用（或减少数据存储在临时内存中的时间段）减少了未被发现的数据操作的风

30、险。Is it possible to recreate, amend or delete original data and metadata;是否有可能重新创建、修改或删除原始数据和元数据；Controls over paper records are discussed elsewhere in this guidance.在本指南的其他地方的文件记录的控制进行了讨论。Computerised system controls may be more complex, including setting of user privileges and system configuration

31、 to limit or prevent access to amend data. It is important to review all data access opportunities, including IT helpdesk staff, who may make changes at the request of the data user. These changes should be procedurally controlled, visible and approved within the quality system.计算机系统控制可能更复杂，包括用户权限、系

32、统配置来限制或阻止访问修改数据设置。这是审查所有的数据访问的机会很重要，包括IT人员，他们可能在数据用户的要求做出改变。这些变化应该是程序控制，质量体系在可见光和批准。How data is transferred to other locations or systems for processing or storage;如何将数据传输到其他位置或系统进行处理或存储；Data should be protected from possibility of intentional or unintentional loss or amendment during transfer to ot

33、her systems (e.g. for processing, review or storage). Paper records should be protected from amendment, or substitution. Electronic interfaces should be validated to demonstrate security and no corruption of data, particularly where systems require an interface to present data in a different structu

34、re or file format.在将数据传输到其他系统（例如用于处理、审查或存储）时，应保护数据不受有意或无意的损失或修改的可能性。纸质记录应该保护，修改或替代。应验证电子接口，以证明安全性和无损坏的数据，特别是在系统需要一个接口，以目前的数据在一个不同的结构或文件格式。Does the person processing the data have the ability to influence what data is reported, or how it is presented.是否对数据进行处理的人有能力影响报告的数据，或它是如何提出的。7. Data lifecycle:

35、What risks should be considered when assessing the processing data into usable information?7。“数据生命周期”：当评估处理数据到可用的信息时，应考虑哪些风险？The following aspects should be considered when determining risk and control measures:确定风险和控制措施时，应考虑以下几个方面：How is data processed;如何处理数据；Data processing methods should be appro

36、ved, identifiable and version controlled. In the case of electronic data processing, methods should be locked where appropriate to prevent unauthorised amendment.数据处理方法应该被批准，可识别和版本控制。在电子数据处理的情况下，方法应锁定在适当的地方，以防止未经授权的修改。How is data processing recorded;如何记录数据处理；The processing method should be recorded.

37、 In situations where raw data has been processed more than once, each iteration (including method and result) should be available to the data checker for verification.应记录处理方法。在原始数据已处理超过一次的情况下，每次迭代（包括方法和结果）应提供给验证的数据检查程序。Does the person processing the data have the ability to influence what data is re

38、ported, or how it is presented;是否处理数据的人有能力影响报告的数据，或它是如何提出的；Even validated systems which do not permit the user to make any changes to data may be at risk if the user can choose what data is printed, reported or transferred for processing. This includes performing the activity multiple times as separ

39、ate events and reporting a desired outcome from one of these repeats.即使是“验证的系统”，不允许用户对数据进行任何修改，可能是在风险，如果用户可以选择什么样的数据被打印，报告或转移的处理。这包括执行多次作为单独的事件的活动，并报告从这些重复的一个期望的结果。Data presentation (e.g. changing scale of graphical reports to enhance or reduce presentation of analytical peaks) can also influence de

40、cision making, and therefore impact data integrity.数据演示（例如，改变规模的图形报告，以提高或减少分析峰的介绍）也可以影响决策，因此影响数据的完整性。8. Data lifecycle: What risks should be considered when checking the completeness and accuracy of reported data and processed information?8。“数据生命周期”：在检查报告的数据和处理的信息的完整性和准确性时，应考虑哪些风险？The following aspe

41、cts should be considered when determining risk and control measures:确定风险和控制措施时，应考虑以下几个方面：Is original data (including the original data format) available for checking;是原始数据（包括原始数据格式）可用于检查；The format of the original data (electronic or paper) should be preserved, and available to the data reviewer in

42、a manner which permits interaction with the data (e.g. search, query). This approach facilitates a risk-based review of the record, and can also reduce administrative burden for instance utilising validated audit trail exception reports instead of an onerous line-by-line review.应保留原始数据（电子或纸质）的格式，并以允

43、许与数据交互的方式提供给数据审阅者（例如：搜索，查询）。这种方法有利于以风险为基础的审查的记录，也可以减少行政负担，例如利用验证的审计线索的异常报告，而不是一个繁重的行审查。Are there any periods of time when data is not audit trailed;有时间数据时不是审计跟踪；This may present opportunity for data amendment which is not subsequently visible to the data reviewer. Additional control measures should

44、be implemented to reduce risk of undisclosed data manipulation.这可能会提出的数据修正案的机会，这是不可见的数据审阅。应实施额外的控制措施，以减少未公开数据操作的风险。Does the data reviewer have visibility and access to all data generated;数据审阅者是否有可见性和对所有生成的数据的访问；This should include any data from failed or aborted activities, discrepant or unusual dat

45、a which has been excluded from processing or the final decision-making process. Visibility of all data provides protection against selective data reporting or testing into compliance.这应包括从失败或终止活动的任何数据，不一致的或不寻常的，被排除在加工或最终决策的过程数据。所有数据的可见性提供了保护，防止选择性的数据报告或“测试到合规性”。Does the data reviewer have visibility

46、 and access to all processing of data;数据审阅者是否有可见性和访问所有数据的处理；This ensures that the final result obtained from raw data is based on good science, and that any data exclusion or changes to processing method is based on good science. Visibility of all processing information provides protection against u

47、ndisclosed processing into compliance.这保证了从原始数据得到的最终结果是基于良好的科学，任何数据排除或更改处理方法是基于良好的科学。所有处理信息的可见性提供了对未公开的“处理成合规”的保护。9. Data lifecycle: What risks should be considered when data (or results) are used to make a decision?9。“数据生命周期”：当数据（或结果）被用来做决定时，应该考虑什么样的风险？The following aspects should be considered whe

48、n determining risk and control measures:确定风险和控制措施时，应考虑以下几个方面：When is the pass / fail decision taken;什么时候是通过/失败的决定；If data acceptability decisions are taken before a record (raw data or processed result) is saved to permanent memory, there may be opportunity for the user to manipulate data to provide

49、 a satisfactory result, without this change being visible in audit trail. This would not be visible to the data reviewer.如果在记录（原始数据或处理结果）被保存到永久存储器之前，如果数据可接受的决定被记录（原始数据或处理结果），则可能有机会为用户操作数据提供一个令人满意的结果，而没有这种变化是可见的审计线索。这将是不可见的数据审阅。This is a particular consideration where computerised systems alert the u

50、ser to an out of specification entry before the data entry process is complete (i.e. the user saves the data entry), or saves the record in temporary memory.这是一个特别的考虑，电脑系统提醒用户超出规范的条目在数据录入过程完成后（即用户保存的数据输入），或保存在临时存储的记录。10. Data lifecycle: What risks should be considered when retaining and retrieving d

51、ata to protect it from loss or unauthorised amendment?10。数据生命周期：什么风险时应考虑保留和检索数据免受损失或未经授权的修改？The following aspects should be considered when determining risk and control measures:确定风险和控制措施时，应考虑以下几个方面：How / where is data stored;如何/在哪里存储的数据；Storage of data (paper or electronic) should be at secure loca

52、tions, with access limited to authorised persons. The storage location must provide adequate protection from damage due to water, fire, etc.存储的数据（纸质或电子）应在安全的位置，访问仅限于授权人员。存储位置必须提供足够的保护，由于水，火等造成的损失。What are the measures protecting against loss or unauthorised amendment;防止丢失或未经授权的修改措施是什么；Data security

53、measures should be at least equivalent to those applied during the earlier Data lifecycle stages. Retrospective data amendment (e.g. via IT helpdesk or data base amendments) should be controlled by the pharmaceutical quality system, with appropriate segregation of duties and approval processes.数据安全性

54、的措施应该至少相当于那些在早期的数据生命周期阶段所应用的数据安全性。回顾性数据修正（例如IT或数据库修改）应该由制药质量体系控制，适当的职责分工和审批程序。Is data backed up in a manner permitting reconstruction of the activity;以允许重建活动的方式进行数据备份；Back-up arrangements should be validated to demonstrate the ability to restore data following IT system failure. In situations where

55、metadata (including relevant operating system event logs) are stored in different file locations from raw data, the back-up process should be carefully designed to ensure that all data required to reconstruct a record is included.备份安排应进行验证，以证明在系统故障后恢复数据的能力。在元数据（包括相关的操作系统事件日志）存储在不同的文件位置从原始数据的情况下，备份过程

56、应仔细设计，以确保所有需要重建记录的数据包括。Similarly, true copies of paper records may be duplicated on paper, microfilm, or electronically, and stored in a separate location.同样，“纸上记录的副本可能被复制在纸上，缩微胶片，或电子，并存储在一个单独的位置。What are ownership / retrieval arrangements, particularly considering outsourced activities or data stor

57、age;什么是所有权/检索安排，特别是考虑外包活动或数据存储；A technical agreement should be in place which addresses the requirements of Part I Chapter 7 and Part II Section 16 of the GMP guide.技术协议应该在的地方的地址，第一部分7章和第II部分16的GMP指南的要求。11. Data lifecycle: What risks should be considered when retiring or disposal of data in a contro

58、lled manner at the end of its life?11。“数据生命周期”：在它的生命结束时，以控制的方式退休或处置数据时，应考虑什么样的风险？The following aspects should be considered when determining risk and control measures:确定风险和控制措施时，应考虑以下几个方面：The data retention period数据保留期This will be influenced by regulatory requirements and data criticality. When considering data for a single product, there may be different data retention needs for pivotal trial data an