欧盟GMP附录11-计算机系统中英文对照

总则PrincipleThis annexapplies to all formsof computerised systems usedas partof aGMPregulated activities.A computerised system isa setof softwareand hardwarecomponentswhich togetherfulfill certainfunctionalities.此附件适用于符合GMP生产要求的所有形式的计算机系统计算机系统是实现某项特定功能的软件和硬件的组合The applicationshould bevalidated;IT infrastructureshould bequalified.应用程序应验证，IT基础设施应有权限设置Where acomputerised systemreplaces a manual operation,there should be noresultantdecrease inproduct quality,process controlor qualityassurance.There should be noincreasein theoverall riskof theprocess.用计算机系统代替手动操作应不对产品质量、过程控制和质量保证以及过程的整体风险产生影响常规General

1.Risk Management风险管理Risk managementshould beapplied throughout the lifecycleof the computerised systemtakinginto accountpatient safety,data integrityand productquality.As partof a riskmanagement system,decisions on the extentof validation and dataintegrity controlsshould be based on ajustified anddocumented risk assessment of the computerisedsystem.风险管理应贯穿整个计算机系统生命周期，以保证病人安全、数据完整性和产品质量作为风险管理系统的一部分，由计算机系统风险评估决定验证范围和数据完整性控制

2.Personnel人员There should be closecooperation betweenall relevantpersonnel such as ProcessOwner,System Owner,Qualified Personsand IT.All personnelshould haveappropriatequalifications,level of access anddefined responsibilitiesto carryout theirassigned duties.所有有关人员（如工艺管理员、系统管理员、质检员和IT人员）应紧密合作这些人员应具有相应的资格证书、使用权限和定义好的相关工作职责

3.Suppliers andService Providers供应商和服务供应商（）

3.1When third parties e.g.suppliers,service providersare usede.g.to provide,install,（）configure,integrate,validate,maintain e.g.via remoteaccess,modify orretain acomputerisedsystem orrelated serviceor for data processing,formal agreementsmustexist betweenthe manufacturerand anythirdparties,and theseagreements should includeclear statementsof theresponsibilities of the thirdparty.IT-departments should beconsidered analogous.

3.2当第三方（如供应商、服务供应商）为计算机系统、相关服务或数据处理提供如供货、安装、配置、整合、验证、维护（如通过远程访问）、修改或保持时，厂商和任何第三方之间必须有正式协议，且在协议中应当明确第三方责任IT部门类似

3.3The competenceand reliabilityof asupplier arekey factorswhen selectinga productorservice provider.The needfor anaudit should be basedon arisk assessment.

3.4供应商的实力和可靠性是选择供应商产品或服务的关键因素，所以需要一个以风险评估为基础的审计

3.5Documentation suppliedwith commercialoff-the-shelf productsshould bereviewedby regulatedusers tocheck thatuser requirementsare fulfilled.

3.6商业性标准文件应通过用户审核并符合用户需求

3.7Quality system and auditinformation relatingto suppliersor developersof softwareandimplemented systemsshould bemade availableto inspectorson request.

3.8软件和应用系统开发商或供应商的质量体系和审计信息应便于核查人员查询项目阶段Project Phase

4.Validation验证

4.1The validationdocumentation andreports shouldcover therelevant stepsof the lifecycle.Manufacturers should be ableto justifytheir standards,protocols,acceptancecriteria,procedures andrecords basedon theirrisk assessment.

4.2验证文件和报告应包含系统生命周期的相关阶段厂商应能够证明其标准、协议、验收标准、规程和记录都是基于其内部风险评估的（）

4.3Validation documentationshould includechange controlrecords ifapplicable andreportson anydeviations observedduring thevalidation process.

4.4验证文件应包含验证过程中的变更控制记录（如适用）和偏差报告（）

4.5An up to datelisting of all relevantsystems and their GMPfunctionality inventoryshould be available.

4.6相关系统和其GMP功能（详细目录）的最新清单应有效For criticalsystems anuptodate systemdescription detailingthe physical and logicalarrangements,data flowsand interfaceswith other systems orprocesses,any hardwareandsoftware pre-requisites,and securitymeasures shouldbe available.为对一个最新的关键系统进行详细的系统描述（如物理、逻辑流程、数据流和与其他系统或进程的接口），任何硬件和软件都是必须的，并应有安全措施

4.7User RequirementsSpecifications shoulddescribe therequired functionsof thecomputerisedsystem andbe basedon documentedriskassessmentand GMPimpact.Userrequirements shouldbe traceablethroughoutthelife-cycle.

4.8URS应基于风险评估和GMP影响性文件描述计算机系统的功能需求用户需求应贯穿整个系统生命周期

4.9The regulateduser shouldtake allreasonable steps,to ensurethat the system hasbeendeveloped in accordance with an appropriatequality managementsystem.The suppliershouldbe assessedappropriately.

4.10理者应采取合理措施保证系统更新与最新的质量管理系统一致，并对供应商作出适当的评估

4.11For thevalidation ofbespoke orcustomised computerised systems there should beaprocess inplace thatensures theformal assessmentand reportingof qualityandperformance measuresfor allthelife-cycle stagesof the system.

4.6为验证化或自定义计算机系统，应对系统生命周期的每个阶段都进行验证，以确认正式评估、质量报告和业绩评估报告

4.12Evidence ofappropriate testmethods andtest scenariosshouldbedemonstrated.Particularly,system processparameter limits,data limitsand errorhandling shouldbeconsidered.Automated testingtools andtest environmentsshould havedocumentedassessments for their adequacy.

4.13对测试方法和测试环境加以论证，特别是系统工艺参数范围、数据范围和错误处理自动化测试工具和测试环境的合适性应该有书面的评估报告

4.14If data are transferredto anotherdata formator system,validation shouldincludechecks thatdataarenot alteredin valueand/or meaningduring thismigration process.

4.15据转化成其他格式或传输到其他系统时，验证内容应包括检查其数据值和/或含义在转化或传输过程中没有被改变运行阶段Operational Phase

5.Data数据Computerised systemsexchanging dataelectronically withothersystemsshould includeappropriatebuilt-in checksfor thecorrect andsecure entryand processingof data,in ordertominimize therisks.计算机系统和其他系统之间交换数据时，应有适当的内部校验，以保证数据输入和数据处理的正确性及安全性，以期让风险降到最低

6.Accuracy Checks精度检查For criticaldata enteredmanually,thereshouldbe anadditional checkon theaccuracy ofthe data.This checkmay be done bya secondoperator orby validatedelectronic means.The criticalityand thepotential consequencesof erroneousor incorrectlyentered datato asystemshouldbecovered byrisk management.当手动输入关键数据时，应当复核数据的准确性此复核可以由另外的操作人员执行或通过经验证的电子方式进行风险管理应考虑系统错误和系统误输入数据所造成的危险或潜在影响

7.Data Storage数据存储

7.1Data shouldbe securedby bothphysicalandelectronic meansagainst damage.Storeddata shouldbe checked for accessibility,readability andaccuracy.Access todata shouldbeensured throughoutthe retentionperiod.

7.2数据应以物理和电子两种方式保存，以避免丢失存储的数据应易查询、可读和准确，并在有效期内

7.3Regular back-ups ofall relevant data shouldbedone.Integrity andaccuracy ofback-up dataandtheability torestore thedata shouldbe checkedduring validationandmonitored periodically.

7.4应定期备份相关数据在定期验证和检测时，应检查备份数据的完整性、准确性和其恢复数据库的能力

8.Printouts打印输出

8.1It shouldbe possible to obtainclear printedcopies ofelectronically storeddata.

8.2储存的电子数据应可被清晰打印

8.3For recordssupporting batch release itshouldbepossibletogenerate printoutsindicatingif anyofthedata hasbeen changedsince theoriginal entry.

8.4从最初开始的任何数据变更都应被打印在批放行纪录上

9.Audit Trails审计跟踪Consideration shouldbe given,basedonariskassessment,to buildinginto thesystem thecreationofarecord ofall GMP-relevant changesand deletionsa systemgenerated naudittrail

1.For changeor deletionof GMP-relevantdatathe reasonshouldbedocumented.Audit trailsneed to be availableand convertibleto agenerally intelligibleform andregularlyreviewed.基于风险评估，系统中应考虑建立所有与GMP相关的变更和删除记录（系统产生的“审计跟踪”）与GMP相关的数据,其变更或删除的原因应被记录审计跟踪需转换成一般可理解的形式并定期审核

10.Change andConfiguration Management变更和配置管理Any changestoacomputerisedsystemincluding systemconfigurations shouldonly bemadeinacontrolled mannerin accordancewithadefined procedure.计算机系统的任何变更（包括系统配置的更换）应当有控制地按照规定的程序进行

11.Periodic evaluation周期性评估Computerised systemsshouldbeperiodically evaluatedto confirmthat theyremain inavalid stateand arecompliant withGMP.Such evaluationsshouldinclude,whereappropriate,the currentrange offunctionality,deviation records,incidents,problems,upgrade history,performance,reliability,security andvalidation statusreports.计算机系统应该定期进行评估以确认其仍有效并符合GMP标准这样的评估应该包括适应性、功能性、偏差记录、事件、问题、历史追溯、性能、可靠性、安全性和验证状态报告

12.Security安全性

12.1Physical and/or logicalcontrols shouldbe inplace torestrict accessto computerisedsystemto authorisedpersons.Suitable methodsof preventingunauthorised entryto thesystemmay include the useof keys,pass cards,personal codeswith passwords,biometrics,restricted accessto computer equipment and data storageareas.

12.2物理和/或逻辑控制器应能独自限制进入计算机系统的授权人，并用适当方法防止未经授权的登录（可能包含密码、通行卡、个人密码、生物识别的使用），以此限制进入电脑设备和数据存储硬盘

12.3The extentof securitycontrols dependsonthecriticality ofthecomputerisedsystem.

12.4安全控制的程度取决于计算机系统的危险等级

12.5Creation,change,and cancellationof accessauthorisations shouldbe recorded.

12.6通行许可的创建、变更和注销都应被记录

12.7Management systemsfordataand fordocuments shouldbe designedto record theidentity ofoperators entering,changing,confirming ordeleting dataincluding dateandtime.

12.8数据和文件管理体系应记录登录人员的身份、变更内容以及包括日期和时间的确认或删除

13.Incident Management事件管理All incidents,not onlysystem failuresanddataerrors,shouldbereported andassessed.The rootcause ofa criticalincident shouldbe identifiedand shouldform thebasis ofcorrectiveand preventiveactions.所有事件（不仅指系统故障和数据错误）均应被记录及评估一个关键事件的根本起因也应该被鉴定并形成纠正和预防措施

14.Electronic Signature电子签名Electronic recordsmay besigned electronically.Electronic signaturesare expectedto:电子文件可用电子签名电子签名将a,have thesame impactas hand-written signatureswithin theboundaries ofthe company,在公司范围内电子签名应有与手写签名具有同等的效果，b・be permanentlylinked totheir respectiverecord,将永久与其各自的记录相关联，c,includethetime anddate thatthey wereapplied.应包括其使用的时间和日期

15.Batch release批放行When acomputerisedsystemis usedfor recordingcertification andbatchrelease,thesystem shouldallow onlyQualified Personsto certifythe releaseofthe batches anditshould clearlyidentify andrecordtheperson releasingor certifyingthebatches.Thisshould beperformed usingan electronicsignature.当一个计算机系统用来记录认证和批放行时，系统应该只允许质量人员确认批放行，并且要清楚地识别和记录放行人员的批动作或批证明这才是电子签名应履行的

16.Business Continuity业务连续性For the availability ofcomputerisedsystemssupporting criticalprocesses,provisionsshould bemade toensure continuityof supportfor thoseprocesses in the eventofasystem（）breakdown e.g.amanualor alternativesystem.The timerequired tobring thealternativearrangements intouse shouldbe basedon riskand appropriatefor aparticular systemandthe business process itsupports.These arrangementsshouldbeadequately documentedand tested.计算机系统所提供的关键工艺的有效性应被规定，以确保工艺流程在系统故障（如手动或替代系统）的情况下持续运行切换时间应基于风险，并适合特殊系统和其提供的工业流程这些设置应该有充分的记录和测试

17.Archiving归档Data maybe archived.This data shouldbecheckedforaccessibility,readability and（integrity.If relevantchanges aretobemade tothesysteme.g.computerequipmentorprograms）,then theability toretrieve thedatashouldbe ensuredandtested.数据应被存档，并作访问性、可读性和完整性检查如果系统作相关变更（如计算机设备或程序变更），其数据恢复能力应被保证和测试术语GlossaryApplication:Software installedonadefined platform/hardware providingspecificfunctionality应用程序在某个特定平台安装的软件或提供某种特殊功能的硬件Bespoke/Customized computerisedsystem:A computerisedsystem individuallydesignedto suita specificbusinessprocess化/自定义计算机系统适合某项特定业务流程的单个计算机系统Commercial ofthe shelfsoftware:Software commerciallyavailable,whose fitnessforuse isdemonstrated bya broadspectrum ofusers.商业软件此软件应市场化、功能适用并且得到广大用户的认可IT Infrastructure:The hardwareand softwaresuchasnetworking softwareand operationsystems,which makesit possiblefor theapplication tofunction.基础设施满足某项功能的硬件和软件（如网络软件和操作系统）ITLife cycle:All phasesinthelife ofthesystemfrom initialrequirements untilretirementincluding design,specification,programming,testing,installation,operation,andmaintenance.生命周期包含从初始要求提出到退役的所有系统生命阶段，其中包含设计、详述、程序编制、测试、安装、运行和维护Process owner:The personresponsible forthe businessprocess.工艺管理员为工艺流程负责的人员System owner:The personresponsible fortheavailability,and maintenanceof acomputerisedsystemandforthesecurity ofthedataresiding onthat system.系统管理员对计算机系统的有效性、维护和系统数据安全负责的人员Third Party:Parties notdirectly managedby theholder ofthe manufacturingand/orimport authorisation.第三方不直接受雇于制造厂商和/或被授权的组织。