PDA近期发布了TR 80《Data Integrity Management System for Pharmaceutical Laboratories制药实验室数据完整性管理系统》,详细描述了实验室数据完整性的监管趋势、实验室数据完整性控制的一般考虑点、微生物实验室数据完整性、分析实验室数据完整性、数据监管体系风险评估以及如何整改数据完整性缺陷。
目前GMP办公室正在组织翻译,有兴趣的同行可以加入GMP办公室翻译组参与讨论翻译校对完成后将于近期发出,敬请期待以下是关于实验室数据完整性的几个问答,分享给大家参考:Certificates of Software Validation or Capability:
Do They Provide Value?软件验证或能力证书:它们是否有用?Many software vendors provide a Certificate of Software Validation, or they may issue a certificate along the lines of 21 CFR Part 11 Readiness Claims. Such a certificate has limited value, because the FDA expects the software to be validated for its intended use by the users in the environment where it will be used. While vendors should engage customers to build and design systems according to customer needs, and spend considerable time testing that software before they deliver it, the development and testing work does not (and cannot) substitute for the customer declaring their intended use and then validating their system according to that intended use.
许多软件供应商提供了软件验证证书, 或者发布一份符合 21 CFR Part 11的声明此类证书的价值有限, 因为 FDA 希望该软件能够被使用环境中的用户用来验证其用途虽然供应商应与客户合作根据用户的需求来构建和设计系统, 并且在交付之前花费大量的时间测试该软件, 但开发和测试工作并不能代替客户声明他们的预期用途, 然后根据预期用途验证其系统。
Another related point is that the FDA does not have legal jurisdiction over a vendor’s informatics software organization. So (unless the software is registered as a Medical Device with the FDA) any documentation that the vendor might provide cannot be recognized by the FDA because of that lack of enforcement authority.
另一个相关的问题是 FDA 对供应商的信息软件机构没有法律管辖权因此 (除非该软件是注册为医疗器械的), 供应商可能提供的所有文件都不能被 FDA 认可, 因为缺乏执法监管Vendors may be able to provide detailed information about a product’s abilities relative to Part 11, but that information is based on the vendor’s interpretation of the regulations.This interpretation may or may not agree with various pharmaceutical manufacturers, or the FDA itself. The vendor’s interpretation cannot substitute for an audit to determine the software’s functional ability to satisfy regulatory concerns.。
供应商应该能够提供有关产品符合Part 11的能力的详细信息, 但该信息是根据供应商对这些法规的理解而制定的这种理解可能会与不同制药生产商, 或 FDA相同或不同供应商的理解不能替代审计, 以确定软件的功能能力, 以满足监管的关注。
Question: When software is updated my, how much revalidation is required?当软件更新时, 需要多少重新验证?Answer: The FDA guidance: General Principles of Software Validation focusses on two points related to revalidation. First, changes to the system must be evaluated for their relative impact to the particular company’s intended use for the system. For example, instrument support functionality changes may not be related to a user’s particular instrument configuration or may reflect unused features. From the vendor’s release documentation, it should be possible to determine what features and functionality have been updated, and what defects in the software have been corrected. Any changes should be compared against the intended use to determine any revalidation impact.
FDA 指南: 《软件验证一般原则》与重新确认相关要求集中在两点上首先, 必须对系统的更改进行评估, 以确定其对公司对系统的特定预期用途的影响例如, 仪表支持功能更改可能与用户仪器的某一配置无关, 或可能影响无用的功能。
应该从供应商的发行文档中确定哪些功能和特性已更新, 以及软件中的哪些缺陷已被纠正任何更改都应与预期的用途进行比较, 以确定任何重新验证的影响Second, whenever software is changed, the user should evaluate the change themselves, including some degree of regression testing to confirm that the change in the software or the updated software has not broken something else in some way that may have had unintended consequences. It is not uncommon, for example, when updating software for home computers or phones to find that features that worked before the update may not work afterwards.
其次, 当软件变更时, 用户应该评估变更本身, 包括某种程度的回归测试(回归测试是指修改了旧代码后,重新进行测试以确认修改没有引入新的错误或导致其他代码产生错误自动回归测试将大幅降低系统测试、维护升级等阶段的成本。
), 以确认软件的变更或更新没有以某种方式破坏其他东西而导致意想不到的后果这一点其实并不少见,例如, 在更新家用计算机或电话软件时,确认在更新之前的功能是否在更新之后失效Question: When a new PC is implemented, is it necessary to revalidate the software?
在使用新的 PC 时, 是否需要重新验证软件?Answer: If the new PC has the same or greater capabilities than the original and is using the same version of the operating system and software, revalidation is not necessary since the functionality of the system is the same. However, repeating the installation qualification activities to confirm that the software has been properly installed or restored properly from the backup onto the new PC is required.
如果新 PC 的功能与原始计算机相同或更大, 并且使用相同版本的操作系统和软件, 则无需重新验证, 因为系统的功能是相同的但是, 必须进行安装确认以证实软件已正确安装或从备份位置正确地恢复到新 PC 上。
One detail that can make this process more efficient is to avoid overly detailed specification documents. Avoid specifying
a particular model of PC, particular processor speed, or a particular memory or disk capacity. Use of the designation “or higher” will prevent having to continually update the documentation as technology advances.
一个可以使此过程更高效的细节是避免过于详细的规范文档避免指定特定型号的 PC、特定处理器速度或特定内存或磁盘容量使用指定 "或更高" 将防止在技术进步时必须不断更新文档Question: How can I ensure and prove that SOPs are followed?。
我如何确保和证明 sop 得到遵循?Answer: Through audits. Audits are the only way to follow up to make sure that people are doing what they have been trained to do.
答: 通过审计审计是跟进以确保人们在做他们已经被培训做的事情的唯一方法Question: How do you deal with automatic updates of Windows or antivirus programs?。
如何处理 Windows 或防病毒程序的自动更新?Answer: Another item the FDA has started discussing more in the last few years, in conjunction with the ISPE GAMP v5 Guidance, is the concept of risk and risk-based validation. One of the things to think about with operating system and antivirus updates is the relative risk of having e.g. a security problem or a virus vulnerability in a system. Sometimes the update risk may be greater than the original risk to the system itself (or vice versa). Some companies have the luxury of staff to deal with networks and server infrastructure qualification and can insulate operating systems from the software validation itself, having the responsibility to make sure that the systems are being kept current with security and antivirus updates. As a general practice companies should periodically run a small set of standard regression tests, triggered by operating system or antivirus updates or simply on a periodic basis, to make sure that changes do not have any adverse impact on the system.
FDA讨论在过去几年中开始更多讨论的另外一个项目, 结合ISPE GAMP 5 指南, 是风险和基于风险的验证的概念与操作系统和防病毒更新一起思考的一件事是, 在系统中有安全问题或病毒漏洞的相对风险有时, 更新风险可能大于系统本身的原始风险 (反之亦然)。
一些公司拥有大量负责确保系统保持最新安全和防病毒更新的员工来处理网络和服务器基础设施的确认, 并且可以将操作系统与软件验证隔离开来通常情况下, 公司应定期运行一小套标准回归测试, 在操作系统或防病毒更新之后或简单地定期进行, 以确保这些变更不会对系统产生任何不利影响。
Question:What is regression testing?什么是回归测试?Answer: Regression testing is a way toconfirm that featuresworkingprior to any change are still working. Regression testing should involve eitherthe most commonly used functions in the system and/or the most high-riskfunctions determined during risk-analysis to determine whether or not aparticular software update has changed something not directly addressed in thevendor’s documentation. That is to confirm that the system itself has notregressed or that a change has not introduced some kind of an unintended failure.
答: 回归测试是确认功能在任何变更之后仍然在工作的一种方法回归测试应包括系统中最常用的函数和/或风险分析确定的最高风险函数, 以确定特定软件更新是否更改了未直接体现在供应商文档中的内容这是为了确认系统本身并没有倒退, 或者变更没有引入某种意想不到的失败。
公众号GMP办公室
专业的GMP合规性研究组织国内外(FDA、EMA、MHRA、CFDA、WHO、PIC/S等)GMP法规解读;国内外制药行业GMP监管动态;GMP技术指南(ISPE、PDA、ISO、ASTM等)分享
亲爱的读者们,感谢您花时间阅读本文。如果您对本文有任何疑问或建议,请随时联系我。我非常乐意与您交流。
发表评论:
◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。