Software security level classification (computerised systems / data integrity management specification)

wufei123, published 2024-09-20, 3 views

Data Integrity and Your E-recs During Processing

Data integrity issues while data is being processed

The controls applicable to the preservation of the integrity of the electronic records (e-records) are mostly pertinent to the e-records in storage, during processing, and while in transit[1].

(Translator's example: analysing data integrity under the GAMP5 risk-based approach, the closer a record is to finished-product release, the higher its data priority and criticality; data during processing is without doubt the highest-risk and most closely scrutinised stage.)

The validation/qualification process of the application functionality, components and/or interfaces handling e-records is the basis for achieving the validity and reliability of data objects. After deployment of the computer system, these applications, components and/or interfaces are maintained following all CGMP-related controls applicable to computer systems during the operational and maintenance phases of the system life cycle.

(Translator's example: in the project phase, the validation V-model from the URS through the 3Q documents; in the operational phase, performance monitoring, change control and CAPA; and at retirement, a data migration plan and a decommissioning plan.)

Audit trails[6].

As part of the reliability of e-records, audit trails refer to a journal that records modifications to these records. An audit-trail mechanism provides the capability to reconstruct the modified data and therefore does not obscure previously recorded data. The tracking mechanism includes a computer-generated time stamp that indicates the time of the entry.

(Translator's example: an audit trail entry holds at minimum the operator ID, the time of the operation and what was changed; for critical systems or critical changes, such as a system's red OOS alarm records, audit trail comments and electronic signatures may also be required.)

The date and time of an audit trail should be synchronized to a trusted date-time service.

(Translator's example: date and time taken from a network time server, with local adjustment locked.)

Controls on the audit trails include:

•      record-audit linkage (translator's example: at minimum the operator ID, the time of the operation and the content of the change)
•      cannot be modified
•      access to the audit trails is limited to print/read only (translator's example: no user should hold permission to delete, edit or overwrite audit trail records)

Operational checks.

Operational checks are application-dependent manufacturing procedures, controls, instructions to the operators, specifications, algorithms, workflows[7], sequencing of operations[8], critical embedded requirements, I/O checks[9], and safety-related precautions built into hardware and/or software. These operational checks come to life in the computer program(s) managing the system.

(Translator's example: to judge whether a computerised system is running properly, a performance monitor should track indicators such as CPU usage and network packet loss.)

The purpose of performing operational checks is to ensure that operations are not executed outside of the predefined order established by the operating organization[10].

One example of the I/O checks is the electronic interfaces. These must be qualified to demonstrate security and no corruption of data, in particular where the receiver transforms the e-records into a different structure and format[11].

(Translator's example: I/O testing should not only confirm that a predefined input produces the expected output; it should also follow the data flow, how many transformations the data passes through, and which of those steps could corrupt data integrity.)

These application-dependent and predicate-rule-related e-records processing controls are established[12] during the computer system development as part of the Project Phase, and each control is re-evaluated during the periodic reviews as part of the Operational Phase.

(Translator's example: in the project phase this includes the technical set-up of the software configuration and the records establishing the corresponding SOPs, such as what the EMS alarm thresholds are and what the backup overload percentage is; in the operational phase these settings are periodically reviewed and re-evaluated as part of maintenance.)

Print-outs/reports[13].

All e-records defined as critical records and associated metadata should be printable.

(Translator's example: inspectors do not accept excuses such as "the hard disk failed" for critical data or audit trail records that cannot be produced.)

If these print-outs are used as quality records, then the design, qualification and controls of these print-outs are critical. The reports are validated as per the applicable procedural control.

(Translator's example: a stability chamber's long-term temperature and humidity monitoring data used to demonstrate that no OOS occurred. Validation should consider whether data can be edited or altered before printing, whether correct audit trail entries are generated promptly when data is printed, and whether loopholes after printing allow a user to forge or hide a report, for instance deleting unfavourable data or hastily printing reports just before an inspection.)

In cases of internal audits or inspections by regulatory agencies or competent authorities, it must be possible to obtain printed reports of e-records that were neither specified nor validated during the implementation of the normal required reports. These reports can be considered ad-hoc reports.

(Translator's example: besides reviewing reports that have already been generated and signed, an inspector may ask for a report to be generated on the spot, to test whether the system behaves as designed and to probe whether data integrity risks exist in daily work.)

In the case of ad-hoc reports, a report generator can be utilized to take data from a source such as a database or a spreadsheet, and use it to produce a document in a format which satisfies a particular human readership.

If the printout is created by a report generator, then a verification of the printout must be performed before providing the printout to the auditor/inspector.

(Translator's example: HPLC report generation, or temperature and humidity curves drawn automatically by the EMS, where no human step is involved and correctness rests entirely on the system; the system concerned should be verified before the inspector arrives.)

The printout must also be clear. "Clear printed" means printouts in which, apart from the values themselves, the units and the respective context can also be seen. Units and the respective context are considered metadata.

(Translator's example: metadata can be understood as the system environment parameters that ensure a GMP computerised system produces correct data, such as the formulas preset in an HPLC method or the coefficients set on a production PLC before a run. This metadata should be confirmed correct during validation, protected by IT controls during risk control, and periodically re-checked during operation.)
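The report-generator verification and the "clear printed" requirement above, as an added example that is not part of the original post: every e-record is printed with its units and context (metadata), and the printout is re-parsed and compared against the source records before it goes to an inspector. The ERecord class, the field layout and the stability-chamber values are constructed assumptions.

```python
# Added example (not from the original post): a minimal report generator that
# refuses to print a value without its metadata, plus a verification step that
# re-parses the printout and compares it with the source e-records.
# ERecord, the pipe-separated layout and the sample values are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class ERecord:
    record_id: str
    parameter: str
    value: float
    unit: str       # metadata: a value without its unit is not "clearly printed"
    context: str    # metadata: the chamber/instrument/batch the value belongs to
    operator: str

# Constructed sample source e-records (a stability chamber log; not real data).
SOURCE = [
    ERecord("R-001", "temperature", 24.8, "°C", "chamber ST-1 / batch B2409", "op1"),
    ERecord("R-002", "humidity", 61.0, "%RH", "chamber ST-1 / batch B2409", "op1"),
]

def generate_report(records):
    """Render the printable report: value, unit and context on every line."""
    lines = ["record_id|parameter|value|unit|context|operator"]
    for r in records:
        if not r.unit or not r.context:   # refuse to produce an unclear printout
            raise ValueError(f"{r.record_id}: missing metadata, printout would be unclear")
        lines.append(f"{r.record_id}|{r.parameter}|{r.value:.1f}|{r.unit}|{r.context}|{r.operator}")
    return "\n".join(lines)

def verify_printout(printout, records):
    """Re-parse the printout and list every way it differs from the source."""
    errors = []
    by_id = {r.record_id: r for r in records}
    rows = printout.splitlines()[1:]          # skip the header line
    if len(rows) != len(records):
        errors.append(f"row count {len(rows)} != source count {len(records)}")
    for row in rows:
        rid, param, val, unit, ctx, op = row.split("|")
        src = by_id.get(rid)
        if src is None:
            errors.append(f"{rid}: not present in source")
            continue
        if (param, unit, ctx, op) != (src.parameter, src.unit, src.context, src.operator):
            errors.append(f"{rid}: metadata differs from source")
        if abs(float(val) - src.value) > 1e-9:
            errors.append(f"{rid}: value {val} differs from source {src.value}")
    return errors
```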

Security[14].

As a function related to security, the e-records integrity service maintains information exactly as it was entered, and is auditable to affirm its reliability.

(Translator's example: the OQ test design should include positive, negative and challenge tests for the read-only, accuracy and non-editable properties that data integrity requires.)

Security controls must be established for all computer systems as a means of ensuring e-records protection. Computer security is the principal enabler for creating the integrity of e-records.

For those users allowed to access computer resources (networks, servers, applications, databases and so on), the precise security access level must be assigned based on the intended need. At all times, the creation, change and cancellation of access authorizations, and the level of authorization, must be documented.

(Translator's example: measures that safeguard system security include segregation of duties (SoD), user groups, user privileges, least privilege and auto-aging (automatic expiry) of accounts.)

Among the critical computer resources that must be controlled is the time server. The time server may be a local network time server. It reads the actual time from a reference clock and distributes this information over a computer network to the regulated entity's infrastructure that needs the time. The synchronized time coming from the time server is the time to be used for time stamping the e-records, including the audit trails.
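The audit trail controls from the earlier section (record-audit linkage, entries that cannot be modified, reconstruction of earlier values) combined with time stamps taken from a trusted time source, as an added example that is not from the original post. TrustedClock is an assumed stand-in for the synchronised time server, and the HPLC record changes are constructed.

```python
# Added example (not from the original post): an append-only audit trail whose
# entries link to the record they describe, are chained by SHA-256 and are
# time-stamped from an injected "trusted clock" stand-in; names are assumptions.
import hashlib
import json
from datetime import datetime, timedelta, timezone

class TrustedClock:
    """Stand-in for time from the synchronised time server (constructed)."""
    def __init__(self, start):
        self._t = start
    def now(self):
        self._t += timedelta(seconds=1)  # deterministic and monotonic for the demo
        return self._t.isoformat()

class AuditTrail:
    """Journal of record modifications: entries are appended, never edited."""
    def __init__(self, clock):
        self._clock, self._entries = clock, []
    def record_change(self, record_id, field, old, new, operator, comment=""):
        entry = {"seq": len(self._entries) + 1,
                 "record_id": record_id,          # record-audit linkage
                 "field": field, "old": old, "new": new,
                 "operator": operator, "comment": comment,
                 "timestamp": self._clock.now(),  # from the trusted time source
                 "prev_hash": self._entries[-1]["hash"] if self._entries else "0" * 64}
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["seq"]
    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    def verify(self):
        """Seq of the first entry whose hash chain is broken, or 0 if intact."""
        prev = "0" * 64
        for e in self._entries:
            if e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return e["seq"]
            prev = e["hash"]
        return 0
    def history(self, record_id):  # reconstruct every value a record has held
        return [(e["timestamp"], e["old"], e["new"], e["operator"])
                for e in self._entries if e["record_id"] == record_id]

def demo_trail():  # constructed sample: a result entered, then corrected with a comment
    trail = AuditTrail(TrustedClock(datetime(2024, 9, 20, 8, 0, tzinfo=timezone.utc)))
    trail.record_change("HPLC-0042", "assay_pct", None, 101.2, "analyst1")
    trail.record_change("HPLC-0042", "assay_pct", 101.2, 98.7, "supervisor1", "re-integration")
    return trail
```

Because each entry carries the hash of its predecessor, editing or deleting any earlier entry is detected by verify(), which is the property that lets the journal stand as evidence.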

(Translator's example: this is the time-stamp requirement of data integrity; servers should all be synchronised to a single time server, while stand-alone systems should have their time-and-date adjustment function locked.)

The security procedures should be in writing, including entering data and amending incorrect entries. This procedure must include who is authorized to create back-ups.

(Translator's example: the security SOP should state which level of user may create system backups.)

Security should also extend to devices used to store programs and/or data. Physical access to these devices should be controlled as well.

(Translator's example: access control on critical server rooms, servers mounted in lockable cabinets, anti-disconnect sockets for server power, and server-room fire protection that does not use halon or CO2 extinguishers; ISO 27001 can be consulted when designing the related security requirements.)

Security must be instituted at several levels. Procedural controls must govern the physical access to computer systems (physical security). As part of the physical security, the security of devices used to store programs, such as tapes, disks and magnetic strip cards, must be considered.

(Translator's example: a dry, secure environment for storing tapes; product shelf life and data retention requirements should be taken into account, since cheap disks used for storage may carry a risk of data loss. In short, IT should have an SOP that guides user departments and IT itself on these e-record security matters.)

The access to individual computer system platforms is controlled by network-specific security procedures (network security and database server). Access to these devices should be controlled (logical security).

(Translator's example: logical security, as opposed to physical security enforced by physical means, extends to BYOD (Bring Your Own Device), that is, working on one's own devices such as personal computers, phones and tablets. A personal computer, which is not a GMP computerised system, may be able to reach a GMP computerised system; or, in the other sense of BYOD (Become Your Office Device), a lot of company software is installed on your own device so that you can use company resources. Once such management software is installed on an employee's device, say an iPhone, the employee's own phone becomes a company phone: the agent constantly synchronises with the server, and the employee does not know which programs and data are synchronised. Although it is the employee's "own device", BYOD has turned from "Bring Your Own Device" into "Become Your Office Device". In short, mixing non-GMP electronic devices with GMP equipment can give an inspector an opening to challenge data integrity, for example a PDF editor or Photoshop on an employee's private computer that could be used to alter a GMP report.)
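The access-authorisation requirements from the security section (a level assigned by need, documented creation, change and cancellation, least privilege, segregation of duties and auto-aging), as an added example that is not from the original post. The level scale, the roles and the sample grants are constructed assumptions.

```python
# Added example (not from the original post): an access-authorisation register
# that assigns each user only the level their role needs, documents who created,
# changed or cancelled an authorisation and when, and auto-ages stale grants.
# The level scale, roles and sample grants are constructed assumptions.
from datetime import date, timedelta

LEVELS = {"read": 1, "operate": 2, "review": 3, "admin": 4}   # least to most privilege
ROLE_MAX_LEVEL = {"operator": "operate", "qa": "review", "it_admin": "admin"}  # least privilege
AGING_DAYS = 90   # a grant not re-approved within this period expires automatically

class AccessRegister:
    def __init__(self):
        self.grants = {}   # (user, resource) -> {"level", "expires"}
        self.log = []      # documented creation / change / cancellation of authorisations

    def _record(self, action, user, resource, level, by, on):
        self.log.append({"action": action, "user": user, "resource": resource,
                         "level": level, "by": by, "on": on.isoformat()})

    def grant(self, user, role, resource, level, by, on):
        if LEVELS[level] > LEVELS[ROLE_MAX_LEVEL[role]]:
            raise PermissionError(f"level {level} exceeds the need of role {role}")
        if user == by:   # segregation of duties: nobody authorises their own access
            raise PermissionError("cannot grant own access")
        key = (user, resource)
        action = "change" if key in self.grants else "create"
        self.grants[key] = {"level": level, "expires": on + timedelta(days=AGING_DAYS)}
        self._record(action, user, resource, level, by, on)

    def cancel(self, user, resource, by, on):
        g = self.grants.pop((user, resource))
        self._record("cancel", user, resource, g["level"], by, on)

    def effective_level(self, user, resource, on):
        """Level the user holds on date `on`; an aged-out grant gives no access."""
        g = self.grants.get((user, resource))
        return None if g is None or on > g["expires"] else g["level"]

    def expire_aged(self, on):
        """Auto-aging: cancel and log every grant past its review date."""
        aged = [k for k, g in self.grants.items() if on > g["expires"]]
        for user, resource in aged:
            self.cancel(user, resource, "system-auto-aging", on)
        return len(aged)

def demo_register():
    """Constructed sample: a fresh operator grant and a QA grant nobody re-approved."""
    reg, today = AccessRegister(), date(2024, 9, 20)
    reg.grant("analyst1", "operator", "HPLC-server", "operate", "it_admin1", today)
    reg.grant("qa1", "qa", "HPLC-server", "review", "it_admin1", today - timedelta(days=120))
    return reg, today
```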

[1] NIST SP 800-33.
[2] http://blog.ispe.org/
[3] ISPE, "Data Integrity and Your Interfaces," M. E. Newton, March 2016, http://blog.ispe.org/data-integrity-interfaces
[4] ISPE, "Data Integrity and Your E-recs Storage Devices," O. López, July 2016, http://blog.ispe.org/data-integrity-e-records-storage-devices
[5] López, O., "Electronic Record Controls: During Processing," in Best Practices Guide to Electronic Records Compliance, CRC Press (Taylor & Francis Group, Boca Raton, FL, 1st ed., 2016), pp. 179-185.
[6] López, O., "A Computer Data Integrity Compliance Model", Pharmaceutical Engineering, Volume 35 Number 2, March/April 2015.
[7] US FDA, Guidance for Industry - Data Integrity and Compliance with CGMP (Draft), April 2016.
[8] 21 CFR Part 11.10(f).
[9] 21 CFR 211.68 and EU Annex 11-5.
[10] Comment #79 in the US FDA 21 CFR Part 11 Preamble.
[11] EU Annex 11-4.8.
[12] "Establish" is defined as meaning to define, document, and implement.
[13] López, O., "A Computer Data Integrity Compliance Model", Pharmaceutical Engineering, Volume 35 Number 2, March/April 2015.
[14] López, O., "A Computer Data Integrity Compliance Model", Pharmaceutical Engineering, Volume 35 Number 2, March/April 2015.

Original blog author: Orlando promotes the understanding of e-compliance and e-records integrity regulations and guidelines (21 CFR Part 11, Annex 11, MHRA, WHO, PIC/S, CFDA, USFDA, EU OMLC). He has detailed knowledge of the computer life cycle and software quality assurance in a regulated environment. He recently published a book about electronic record integrity best practices.

Translation and Chinese commentary: Hu Dawei (胡大伟), IT GxP systems specialist at 香港幸福制药, mainly responsible for building automated production systems, IT project implementation, data integrity risk, and inspection-readiness training for GxP, FDA and EU PIC/S. He has taken part in several projects, including SAP (GSK Asia), CERP (TCS, Tata Consultancy Services), WMS (automated logistics warehouse management system, 香港澳美制药) and MES (manufacturing execution system, 香港幸福制药).
