1、MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018 Medicines Revision 1: March 2018 目录 1. Background 背景 3 2. Introduction 概述 3 3. The principles of data integrity 数据完整性原则 4 4. Establishing data criticality and inherent integrity risk 建立数据关键性和内在完整性风险 . 5 5. Designing systems and
2、 processes to assure data integrity; creating the right environment. 设计系统和流程确保数据完整性,创建 “正确环境 ” 7 6. Definition of terms and interpretation of requirements 术语定义和要求诠释 8 6.1. Data 数据 . 8 6.2. Raw data (synonymous with source data which is defined in ICH GCP) 原始数据(与ICH GCP中定义的 “源数据 ”为同义词) 9 6.3. Metadat
3、a 元数据 10 6.4. Data Integrity 数据完整性 . 10 6.5. Data Governance 数据管理 10 6.6. Data Lifecycle 数据生命周期 11 6.7. Recording and collection of data 数据记录和采集 11 6.8. Data transfer / migration 数据转移 /迁移 12 6.9. Data Processing 数据处理 . 12 6.10. Excluding Data (not applicable to GPvP): 除外数据(不适用于 GPvP) . 13 6.11. Orig
4、inal record and true copy 原始记录和真实副本 13 6. 11.1. Original record 原始记录 13 6.11.2. True copy 真实副本 14 6.12. Computerised system transactions: 计算机化系统处理 15 6.13. Audit Trail 审计追踪 . 15 6.14. Electronic signatures 电子签 名 . 17 6.15. Data review and approval 数据审核和批准 . 18 6.16. Computerised system user access/s
5、ystem administrator roles 计算机化系统用户权限 /系统管理员角色 . 19 6.17. Data retention 数据保存 . 20 6.17.1. Archive 归档 20 6.17.2. Backup 备份 21 6.18. File structure 文件结构 . 21 6.19. Validation for intended purpose (GMP; See also Annex 11, 15) 根据既定用途进行验证(参见附录 15和 GAMP5) . 22 6.20. IT Suppliers and Service Providers (inc
6、luding Cloud providers and virtual service/platforms (also referred to as software as a service SaaS/platform as a service (PaaS) / infrastructure as a service (IaaS). IT供应商和服务提供商(包括云服务提供商和虚拟服务 /平台(也请参见 SAAS/PAAS/IAAS) 22 7. Glossary 术语 . 24 8. References 参考文献 . 25 MHRA GXP Data Integrity Guidance a
7、nd Definitions; Revision 1: March 2018 1. Background 背景 The way regulatory data is generated has continued to evolve in line with the ongoing development of supporting technologies such as the increasing use of electronic data capture, automation of systems and use of remote technologies; and the in
8、creased complexity of supply chains and ways of working, for example, via third party service providers. Systems to support these ways of working can range from manual processes with paper records to the use of fully computerised systems. The main purpose of the regulatory requirements remains the s
9、ame, i.e. having confidence in the quality and the integrity of the data generated (to ensure patient safety and quality of products) and being able to reconstruct activities. 随着支持性技术的持续发展,法规数据的生成方式也在继续进化,例如 越来越多地 使用电子签名 捕获、系统自动化和使用远程技术;以及供应链复杂性和工作方式复杂性的增加 ,例如,通过第三方服务商提供服务。支持这些工作方式的系统可能包括有从手动处理纸质记录到
10、使用全面计算机化系统。法规要求的主要目的是保持不变的,即,质量和 所生成 数据 的 完整性具有可信度 (确保患者安全和药品质量),并且可以重建活动。 2. Introduction 概述 2.1 This document provides guidance for UK industry and public bodies regulated by the UK MHRA including the Good Laboratory Practice Monitoring Authority (GLPMA). Where possible the guidance has been harmo
11、nised with other published guidance. The guidance is a UK companion document to PIC/S, WHO, OECD (guidance and advisory documents on GLP) and EMA guidelines and regulations. 本文件为英国企业和英国 MHRA 管理的公共机构提供指南,包括优良实验室规范监测机构( GLPMA)。本指南已尽可能与其它已发行的指南保持一致。本指南是一份英国 指南文件 ,与PIC/S、 WHO、 OECD( GLP指南和建议文件)以及 EMA指南和
12、规范相 类似。 2.2 This guidance has been developed by the MHRA inspectorate and partners and has undergone public consultation. It is designed to help the user facilitate compliance through education, whilst clarifying the UK regulatory interpretation of existing requirements. 本指南由 MHRA 检查团和伙伴制订并发布征求了公众意见
13、。其设计是为了 通过教育来 帮助用户 符合法规要求,同时澄清英国法规的现有要求。 2.3 Users should ensure their efforts are balanced when safeguarding data from risk with their other compliance priorities. 用户应确保其 在保护数据不受风险威胁时 所做工作 与这些数据的其它符合性优先级别相平衡。 2.4 The scope of this guidance is designated as GXP in that everything contained within th
14、e guide is GXP unless stated otherwise. The lack of examples specific to a GXP does not mean it is not relevant to that GXP just that the examples given are not exhaustive. Please do however note that the guidance document does not extend to medical devices. 本指南的范围指定为“ GXP”, 因此除另有说明外,在本指南中所有对象均指 GXP
15、。对某个 GXP没有具体的例子并不表示它与该 GXP 不相关,而只是因为能给出的例子比较有限。请注意本指南文件不涵盖医疗器械。 2.5 This guidance should be considered as a means of understanding the MHRAs position on data integrity and the minimum expectation to achieve compliance. The guidance does not describe every scenario so engagement with the MHRA is enco
16、uraged where your approach is different to that described in this guidance. 本指南应作为是了解 MHRA 对数据完整性立场的一种方法,以及达成符合性要求的最低期望。本指南并未描述所有情形,因此鼓励各方 在采用不同于本指南所述方法时与 MHRA进行沟通。 2.6 This guidance aims to promote a risk-based approach to data management that includes data risk, criticality and lifecycle. Users of
17、 this guidance need to understand their data processes (as a lifecycle) to identify data with the greatest GXP impact. From that, the identification of the most effective and efficient risk-based control and review of the data can be determined and implemented. 本指南目的是促进基于风险的数据管理方法,其中包括数据风险、关键性和生命周期
18、。 本指南的用户需要了解其数据流程(从生命周期的角度),识别具有最大 GXP 影响的数据。由此点出发, 可以MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018 确定及实施如何识别基于风险的 最高效 控制和数据审核。 2.7 This guidance primarily addresses data integrity and not data quality since the controls required for integrity do not necessarily guarantee
19、the quality of the data generated. 本指南主要谈的是数据完整性问题,并不是数据质量问题,因为完整性所需的控制并不一定 保证所生成数据的质量。 2.8 This guidance should be read in conjunction with the applicable regulations and the general guidance specific to each GXP. Where GXP-specific references are made within this document (e.g. ICH Q9), considerat
20、ion of the principles of these documents may provide guidance and further information. 本指南应与各 GXP 专用的适用规范与通用指南一起解读。如果在本文件中引用了某 GXP 专用参考文件(例如 ICH Q9),则 考虑 这些文件的原则 可以提供一些指南和更多信息。 2.9 Where terms have been defined; it is understood that other definitions may exist and these have been harmonised where p
21、ossible and appropriate. 如果术语已有定义,应理解可能存在其它定义,这种情况已尽可能进行了适当的协调。 3. The principles of data integrity 数据完整性原则 3.1 The organisation needs to take responsibility for the systems used and the data they generate. The organisational culture should ensure data is complete, consistent and accurate in all its
22、 forms, i.e. paper and electronic. 组织机构应为其所用系统及所生成的数据承担责任。组织机构文化 应确保所有形式数据的完整、一致和准确,即纸质和电子。 3.2 Arrangements within an organisation with respect to people, systems and facilities should be designed, operated and, where appropriate, adapted to support a suitable working environment, i.e. creating the
23、 right environment to enable data integrity controls to be effective. 一个组织机构内在人员、系统和设施方面的安排设计、操作以及(适当时)采纳应支持适当的工作环境,即创建正确的环境导向有效的数据完整性控制。 3.3 The impact of organisational culture, the behaviour driven by performance indicators, objectives and senior management behaviour on the success of data govern
24、ance measures should not be underestimated. The data governance policy (or equivalent) should be endorsed at the highest levels of the organisation. 不应低估组织机构文化 、绩效指示驱动的行为、目标和高级管理人员行为对成功的数据管理措施的影响。 组织机构的最高层应采纳 数据管理方针(或等同 者)。 3.4 Organisations are expected to implement, design and operate a documented
25、 system that provides an acceptable state of control based on the data integrity risk with supporting rationale. An example of a suitable approach is to perform a data integrity risk assessment (DIRA) where the processes that produce data or where data is obtained are mapped out and each of the form
26、ats and their controls are identified and the data criticality and inherent risks documented. 要求组织机构实施、设计和操作有记录的系统, 基于数据完整性风险和支持性理由提供可接受的控制水平。一个适当的方法例子是实施数据完整性风险评估( DIRA) ,规划出生成数据的过程 或从何处获取数据,识别出每种数据格式及其控制, 记录下数据关键程度和内在风险。 3.5 Organisations are not expected to implement a forensic approach to data c
27、hecking on a routine basis. Systems should maintain appropriate levels of control whilst wider data governance measures should ensure that periodic audits can detect opportunities for data integrity failures within the organisations systems. 要求组织机构实施 严谨 的方法定期进行数据检查。 系统应维持在适当的控制水平,同时更宽范围的数据管理措施应确保定期审
28、计可以发现组织机构内的系统中数据完整性失败情形。 3.6 The effort and resource applied to assure the integrity of the data should be commensurate with the risk and impact of a data integrity failure to the patient or environment. Collectively these arrangements fulfil the concept of data governance. 用于确保数据完整性所做的工作与所投入的资源应与数据
29、完整性失败对患者或环境的风险和影响相称。 所有安排的总和应满足数据管理的概念。 MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018 3.7 Organisations should be aware that reverting from automated or computerised systems to paper-based manual systems or vice-versa will not in itself remove the need for appropriate data
30、 integrity controls. 组织机构应了解从自动化或计算机化系统转回到纸质手动系统或反向转换本身并不能减少适当的数据完整性控制需求。 3.8 Where data integrity weaknesses are identified, companies should ensure that appropriate corrective and preventive actions are implemented across all relevant activities and systems and not in isolation. 如果发现了数据完整性弱点,公司应确保
31、在所有相关活动和系统中实施适当的 CAPA,而不是独立实施。 3.9 Appropriate notification to regulatory authorities should be made where significant data integrity incidents have been identified. 如果发现重大数据完整性事件,应适当通知药监当局。 3.10 The guidance refers to the acronym ALCOA rather than ALCOA +. ALCOA being Attributable, Legible, Contemp
32、oraneous, Original, and Accurate and the + referring to Complete, Consistent, Enduring, and Available. ALCOA was historically regarded as defining the attributes of data quality that are suitable for regulatory purposes. The + has been subsequently added to emphasise the requirements. There is no di
33、fference in expectations regardless of which acronym is used since data governance measures should ensure that data is complete, consistent, enduring and available throughout the data lifecycle. 本指南 中 采用了“ ALCOA”而不是“ ALCOA+”。 ALCOA 是可追溯性、清晰、同步、原始和准确,“ +”是完整、一致、持久和可及性。 ALCOA 在历史上被作为是定义数据质量的属性,适用于法规监管
34、。“ +” 在后来加上去是为了强调需求。无论采用哪个术语要求并无差异,因为数据管理措施应确保数据 在生命周期中的 完整、一致、持久和可及性。 4. Establishing data criticality and inherent integrity risk 建立数据关键性和内在完整性风险 4.1 Data has varying importance to quality, safety and efficacy decisions. Data criticality may be determined by considering how the data is used to inf
35、luence the decisions made. 数据对于质量、安全性和有效性决策具有不同的重要性。数据关键程度可以通过考虑如何使用数据来影响 所做决策而确定。 4.2 The risks to data are determined by the potential to be deleted, amended or excluded without authorisation and the opportunity for detection of those activities and events. The risks to data may be increased by co
36、mplex, inconsistent processes with open- ended and subjective outcomes, compared to simple tasks that are undertaken consistently, are well defined and have a clear objective. 数据风险是由未经授权被删除、修改或排除的可能性,以及发现这些活动和事件的机会来确定的。数据风险可能由于其复杂性、过程不一致 导致开放和主观结果而增加,相比于 具有一致性、 简单任务, 4.3 Data may be generated by: 数据
37、可通过以下方式生成 : (i) Recording on paper, a paper-based record of a manual observation or of an activity or 纸质记录 ,人工观察结果或活动的纸质记录,或 (ii) electronically, using equipment that range from simple machines through to complex highly configurable computerised systems or 电子记录, 使用从简单设备至可设置参数的高度复杂计算机化系统的设备,或 (iii) b
38、y using a hybrid system where both paper-based and electronic records constitute the original record or 使用混合系统,既有纸质记录又有电子记录构成原始记录,或 (iv) by other means such as photography, imagery, chromatography plates, etc. 其它方式如照片、成像、色谱板等 MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018 P
39、aper 纸质 Data generated manually on paper may require independent verification if deemed necessary from the data integrity risk assessment or by another requirement. Consideration should be given to risk-reducing supervisory measures. 在纸上由人工生成的数据 ,如果从数据完整性风险评估或其它需求考虑认为有必要时, 可能会需要有独立的核查 。要考虑降低风险的监管措施。
40、 Electronic 电子的 The inherent risks to data integrity relating to equipment and computerised systems may differ depending upon the degree to which the system generating or using the data can be configured, and the potential for manipulation of data during transfer between computerised systems during
41、the data lifecycle. 与设备和计 算机化系统有关的数据完整性内在风险可能依 生成或使用数据 系统的参数可设置 的程度 ,以及数据生命周期中计算机化系统之间传输时数据的 操控可能性 不同而不同。 The use of available technology, suitably configured to reduce data integrity risk, should be considered. 应 考虑 使用可用的技术,经适当的参数设置以降低数据完整性风险。 Simple electronic systems with no configurable software
42、 and no electronic data retention (e.g. pH meters, balances and thermometers) may only require calibration, whereas complex systems require validation for intended purpose. 无可设置参数的软件,无电子数据保存的简单电子系统(如 pH 计、天平和温度计)可能只需要进行校正,而复杂的系统则需要“ 依其既定用途进行验证”。 Validation effort increases with complexity and risk (
43、determined by software functionality, configuration, the opportunity for user intervention and data lifecycle considerations). It is important not to overlook systems of apparent lower complexity. Within these systems, it may be possible to manipulate data or repeat testing to achieve the desired ou
44、tcome with limited opportunity for detection (e.g. stand-alone systems with a user-configurable output such as ECG machines, FTIR, UV spectrophotometers). 验证工作程度随着风险和复杂程度的增加而增加(由软件功能、参数设置、用途干预的机会和数据生命周期考量而确定)。不能忽略 复杂程度明显较低的系统。在这些系统中,有可能可以捏造数据或重复测试以达到想要的结果,而发现的机会却比较有限(例如, 用户可设置参数输出的 单机系统 如 ECG机器、 FTI
45、R、 UV光谱仪)。 Hybrid 混合形式 Where hybrid systems are used, it should be clearly documented what constitutes the whole data set and all records that are defined by the data set should be reviewed and retained. Hybrid systems should be designed to ensure they meet the desired objective. 如果使用了混合方式,则应有文件清楚说明
46、完整的数据系列由什么构成,被数据系列所定义的所有记录均应进行审核并保留。混合系统的设计应确保其符合所要达成的目的。 Other 其它 Where the data generated is captured by a photograph or imagery (or other media), the requirements for storage of that format throughout its lifecycle should follow the same considerations as for the other formats, considering any ad
47、ditional controls required for that format. Where the original format cannot be retained due to degradation issues, alternative mechanisms for recording (e.g. photography or digitisation) and subsequent storage may be considered and the selection rationale documented (e.g. thin layer chromatography)
48、. 如果所产生的数据是由照相方式或成像方式(或其它介质)捕获,则此类格式在其生命周期的存贮要求应遵守与其它格式相同的考虑因素,同时考虑这些格式所需的所有其它控制。如果原始格式由于降解原因不能保存,可以考虑采用替代的记录原理(例如,照相或数字化) 和后续的存贮方法,并记录做出该选择的理由(例如,薄层色谱)。 4.4 Reduced effort and/or frequency of control measures may be justified for data that has a lesser impact to product, patient or the environment
49、if those data are obtained from a process that does MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018 not provide the opportunity for amendment without high-level system access or specialist software/knowledge. 如果数据 获取过程中,没有高水平系统权限或专业软件 /专家知识就不允许修改 ,减少工作努力和 /或降低控制措施频率可能需要论证数据对产品、患者或环境影响较小。 4.5 The data integrity risk assessment (or equivalent) should consider factors required to follow a process or perform a function. It is expected to consider not only a computerised system but also the supporting people, guidance, training and qualit