EMA GMP数据完整性问答(中英对照版)(2016.08)

EMA Data integrity Q&A (NEW August 2016) EMA数据完整性问答（2016年8月）

1. How can data risk be assessed? 1. 如何评估数据风险？

Data risk assessment should consider the vulnerability of data to involuntary or deliberate amendment, deletion or recreation. Control measures which prevent unauthorised activity and increase visibility / detectability can be used as risk mitigating actions.

数据风险评估应考虑无意或有意修改、删除或重建数据导致的隐患。可通过实施预防未授权活动的控制措施，以及增加可见性/可检测性来减少风险。

Examples of factors which can increase risk of data integrity failure include

complex, inconsistent processes with open-ended and subjective outcomes. Simple tasks which are consistent, well-defined and objective lead to reduced risk. 导致增加数据完整性风险的例子包括：结果开放主观的复杂且不一致的过程。一致、定义明确并且客观的简单任务风险较小。

Risk assessment should include a business process focus (e.g. production, QC) and not just consider IT system functionality or complexity. Factors to consider include: 风险评估应包括对业务（例如生产、QC）的关注，不能仅考虑IT系统的功能或复杂性。应考虑的因素包括：

       

Process complexity 工艺复杂性

Process consistency, degree of automation /human interface 工艺一致性，自动化程度/人性化界面 Subjectivity of outcome / result 结果的客观性

Is the process open-ended or well defined 工艺结果是否开放或定义是否明确

This ensures that manual interfaces with IT systems are considered in the risk assessment process. Computerised system validation in isolation may not result in low data integrity risk, in particular when the user is able to influence the reporting of data from the validated system.

在风险评估过程中，这将确保考虑人机（IT系统）界面的因素。对计算机化系统的验证并不会导致数据完整性的低风险，尤其当使用者能够影响验证系统中数据的报告时。

2. How can data criticality be assessed?

1

Translated by April from CPAPE, only for study and communication, not for commercialization

2. 如何评估数据的重要性？

The decision which data influences may differ in importance, and the impact of the data to a decision may also vary. Points to consider regarding data criticality include:

数据影响决策的重要性可能不同，数据对一个决策产生的影响也各种各样。考虑数据重要性的关键包括：

 

What decision does the data influence? 数据能影响哪些决策？

For example: when making a batch release decision, data which determines compliance with critical quality attributes is of greater importance than warehouse cleaning records.

例如：当做批次放行的决策时，决定关键质量属性合规的数据比仓库清洁记录的数据重要。

 

What is the impact of the data to product quality or safety? 数据对产品质量或安全性的影响有哪些？

For example: for an oral tablet, active substance assay data is of greater impact to product quality and safety than tablet dimensions’ data.

例如：对于口服片剂，活性成分化验数据对药品质量和安全性的影响比片剂分散性数据的影响更为重要。

3. What does ‘Data Lifecycle’ refer to? 3. “数据生命周期”是指？

‘Data lifecycle’ refers to how data is generated, processed, reported, checked, used for decision-making, stored and finally discarded at the end of the retention period. “数据生命周期”是指数据从产生、加工、报告、检查、用于制定决策、存储到最终在保存期结束时的销毁。

Data relating to a product or process may cross various boundaries within the lifecycle, for example:

涉及产品和工艺的数据可能在生命周期中跨越多个阶段，例如：

 

IT systems IT系统

o Quality system applications o 质量体系程序 o Production o 生产 o Analytical o 分析

2

Translated by April from CPAPE, only for study and communication, not for commercialization

o Stock management systems o 存储管理体系

o Data storage (back-up and archival) o 数据存储（备份和存档）  

Organisational 组织

o Internal (e.g. between production, QC and QA) o 内部（例如，在生产、QC和QA之间）

o External (e.g. between contract givers and acceptors) o 外部（例如在委托方和受托方之间） o Cloud-based applications and storage o 基于云的程序和存储

4. Why is ‘Data lifecycle’ management important to ensure effective data integrity measures?

4. 为何“数据生命周期”管理对确保数据完整性措施有效很重要？

Data integrity can be affected at any stage in the lifecycle. It is therefore important to understand the lifecycle elements for each type of data or record, and ensure controls which are proportionate to data criticality and risk at all stages.

数据生命周期任何阶段都可影响数据完整性。因此，理解每种类型的数据或记录的生命周期元素，并确保根据各阶段数据的重要性和风险程度进行控制很重要。

5. What should be considered when reviewing the ‘Data lifecycle’? 5. 在审查“数据生命周期”时应考虑什么？

The ‘Data lifecycle’ refers to the: “数据生命周期”指的是：

          

Generation and recording of data 数据的产生和记录

Processing into usable information 处理成可用信息

Checking the completeness and accuracy of reported data and processed information

检查报告数据和已处理信息的完整性和准确性 Data (or results) are used to make a decision 使用数据（或结果）来制定决策

Retaining and retrieval of data which protects it from loss or unauthorised amendment

数据的保留和回复，避免数据丢失或避免未经授权对数据进行修改

Retiring or disposal of data in a controlled manner at the end of its life

3

Translated by April from CPAPE, only for study and communication, not for commercialization



在数据生命周期末尾以受控的方式对数据进行停用或处置

‘Data Lifecycle’ reviews are applicable to both paper and electronic records, although control measures may be applied differently. In the case of computerised systems, the ’data lifecycle’ review should be performed by business process owners (e.g. production, QC) in collaboration with IT personnel who understand the system architecture. The description of computerised systems required by EU GMP Annex 11 paragraph 4.3 can assist this review. The application of critical thinking skills is important to not only identify gaps in data governance, but to also challenge the effectiveness of the procedural and systematic controls in place. Segregation of duties between data lifecycle stages provides safeguards against data integrity failure by reducing the opportunity for an individual to alter, mis-represent or falsify data without detection.

尽管控制措施可能有所不同，审查“数据生命周期”对纸质记录和电子记录同样适用。在计算机化系统实例中，应该由业务负责人（例如生产人员、QC）与理解系统架构的IT人员联合对“数据生命周期”进行审查。EU GMP附件11中4.3段里对计算机化系统要求的描述可有助于审查。关键思维技术的应用不仅对于数据管理中识别差距很重要，而且对于保证流程有效性和合理控制系统提出了挑战。

在数据生命周期中，隔离的任务能通过减少在未检测状态下进行个人改变、误传或伪造数据的机会减少数据完整性问题的风险。

Data risk should be considered at each stage of the data lifecycle review. 在数据生命周期审查各阶段都应考虑数据的风险。

6. ‘Data lifecycle’: What risks should be considered when assessing the generating and recording of data?

6. “数据生命周期”：在评估产生和记录数据时应考虑什么风险？

The following aspects should be considered when determining risk and control measures:

在确定风险和控制措施时应考虑以下因素：

  

How and where is original data created (i.e. paper or electronic) 原始数据如何产生？在何处产生？（例如纸质还是电子版）

What metadata is associated with the data, to ensure a complete, accurate and traceable record, taking into account ALCOA principles. Does the record permit the reconstruction of the activity

  

元数据与数据进行关联，如何确保按照ALCOA原则保证记录的完整性、准确性和可追溯性。记录是否会活动的重建。

Where is the data and metadata located 数据和元数据存放在哪里？

4

Translated by April from CPAPE, only for study and communication, not for commercialization

 

Does the system require that data is saved to permanent memory at the time of recording, or is it held in a temporary buffer

系统是否要求记录时按照永久性方式存储数据，还是临时性存储？ In the case of some computerised analytical and manufacturing equipment, data may be stored as a temporary local file prior to transfer to a permanent storage location (e.g. server). During the period of ‘temporary’ storage, there is often limited audit trail provision amending, deleting or recreating data. This is a data integrity risk. Removing the use of temporary memory (or reducing the time period that data is stored in temporary memory) reduces the risk of undetected data manipulation.

在一些计算机分析和生产设备的案例中，数据可能有限存储在当地临时文件中，之后转移到永久存储地点（例如：服务器）。在“临时”存储期间，审计追踪关于修改、删除或重建数据规定受限。这是数据完整性风险。停止使用临时存储（或减少数据临时存储的时间）将减少未检测状态下操作数据的风险。

 

Is it possible to recreate, amend or delete original data and metadata; 是否有可能对原始数据和元数据进行重建、修改或删除？ Controls over paper records are discussed elsewhere in this guidance. 指南中每处都讨论了对纸质记录的控制。

Computerised system controls may be more complex, including setting of user privileges and system configuration to limit or prevent access to amend data. It is important to review all data access opportunities, including IT helpdesk staff, who may make changes at the request of the data user. These changes should be procedurally controlled, visible and approved within the quality system.

计算机化系统控制可能更为复杂，包括使用者权限的设置，以及或阻止修改数据的系统设置。审查所有接触数据的机会很重要，包括IT技术支持维护员工，该员工可能按照数据使用者的要求改动数据。这些改动应该程序受控、可视化，并且在质量体系中得到批准。



How data is transferred to other locations or systems for processing or storage; Data should be protected from possibility of intentional or unintentional loss or amendment during transfer to other systems (e.g. for processing, review or storage). Paper records should be protected from amendment, or substitution. Electronic interfaces should be validated to demonstrate security and no corruption of data, particularly where systems require an interface to present data in a different structure or file format.

如何转移数据到其他地方或系统以进行处理或存储；在转移到其他系统过程中（例如出于处理、审查或存储的目的），应避免有意或无意丢失或修改数据的可能性。应避免修改或替换纸质文件。应对电子界面进行验证，证明数据安全无破坏，尤其当系统要求以不同结构或文件格式显示数据时。

5

Translated by April from CPAPE, only for study and communication, not for commercialization Does the person processing the data have the ability to influence what data is reported, or how it is presented.

处理数据的人员是否有能力影响报告哪些数据，或者如何呈现数据。

7. ‘Data lifecycle’: What risks should be considered when assessing the processing data into usable information?

7. “数据生命周期”：当评估处理数据为有效信息时应考虑何种风险？

The following aspects should be considered when determining risk and control measures:

在确定风险和控制措施时应考虑以下因素：

 

How is data processed; 如何处理数据；

Data processing methods should be approved, identifiable and version controlled. In the case of electronic data processing, methods should be locked where appropriate to prevent unauthorised amendment.

 

How is data processing recorded; 如何记录数据处理（情况）；

The processing method should be recorded. In situations where raw data has been processed more than once, each iteration (including method and result) should be available to the data checker for verification.

 

Does the person processing the data have the ability to influence what data is reported, or how it is presented;

处理数据的人员是否有能力影响报告哪些数据，或者如何呈现数据。

Even ‘validated systems’ which do not permit the user to make any changes to data may be at risk if the user can choose what data is printed, reported or transferred for processing. This includes performing the activity multiple times as separate events and reporting a desired outcome from one of these repeats. 如果使用者可选择性的打印、报告或转移处理数据，即使不允许使用者改变数据的“确认后系统”也会承担风险。包括多次进行活动作为分开的事件，以及在重复结果中报告理想的结果。 Data presentation (e.g. changing scale of graphical reports to enhance or reduce presentation of analytical peaks) can also influence decision making, and therefore impact data integrity.

数据呈现（例如：改变图像报告的比例以加强或减弱分析峰值的展现）也能影响决策的制定，因此影响数据完整性。

8. ‘Data lifecycle’: What risks should be considered when checking the completeness and accuracy of reported data and processed information? 6

Translated by April from CPAPE, only for study and communication, not for commercialization

8. “数据生命周期”：当检查报告数据和处理后信息的完整性和准确性时应考虑何种风险?

The following aspects should be considered when determining risk and control measures:

在确定风险和控制措施时应考虑以下因素：

 

Is original data (including the original data format) available for checking; 能否检查原始数据（包括原始数据的格式）；

The format of the original data (electronic or paper) should be preserved, and available to the data reviewer in a manner which permits interaction with the data (e.g. search, query). This approach facilitates a risk-based review of the record, and can also reduce administrative burden for instance utilising validated audit trail ‘exception reports’ instead of an onerous line-by-line review.

应保留原始数据的格式（电子数据或纸质数据），并能数据审查员对数据的操作（例如：检索，查询）。此方法促进对记录进行基于风险的审查，也能减少监管压力，例如使用验证后审计追踪“异常报告”替代繁重的逐行检查。

 

Are there any periods of time when data is not audit trailed; 有没有不能对数据进行审计追踪的时期；

This may present opportunity for data amendment which is not subsequently visible to the data reviewer. Additional control measures should be implemented to reduce risk of undisclosed data manipulation.

这条能显示使数据审查员无法看到数据修改的机会。应采取额外的控制措施，减少隐蔽操纵数据的风险。

 

Does the data reviewer have visibility and access to all data generated; 数据审查员是否有权限能看到所有产生的数据；

This should include any data from failed or aborted activities, discrepant or unusual data which has been excluded from processing or the final decision-making process. Visibility of all data provides protection against selective data reporting or ‘testing into compliance’.

这应包括所有失败或中止活动的数据，被处理过程或最终制定决策过程排除掉的不一致或异常的数据。所有数据的可视性避免选择性使用数据进行报告或“测试到合规”。

 

Does the data reviewer have visibility and access to all processing of data; 数据审查员是否有权限能看到所有数据的处理情况；

This ensures that the final result obtained from raw data is based on good science, and that any data exclusion or changes to processing method is based on good science. Visibility of all processing information provides protection against undisclosed ‘processing into compliance’.

7

Translated by April from CPAPE, only for study and communication, not for commercialization 这确保最终结果应包含基于良好科学的原始数据，以及所有基于良好科学的处理方法中排除或改变的数据。所有处理信息的可视化能避免隐蔽的“测试到合规”。

9. ‘Data lifecycle’: What risks should be considered when data (or results) are used to make a decision?

9. “数据生命周期”：当使用数据（或结果）来制定决策时应考虑何种风险？

The following aspects should be considered when determining risk and control measures:

在确定风险和控制措施时应考虑以下因素：

 

When is the pass / fail decision taken; 何时做出通过/不通过决策；

If data acceptability decisions are taken before a record (raw data or processed result) is saved to permanent memory, there may be opportunity for the user to manipulate data to provide a satisfactory result, without this change being visible in audit trail. This would not be visible to the data reviewer.

如果在永久保存记录（原始数据或处理结果）之前做出可接受数据的决策，使用者可能有机会操纵数据以得到满意的结果，而审计追踪看不到这种变化。数据审查员看不到这个过程。 This is a particular consideration where computerised systems alert the user to an out of specification entry before the data entry process is complete (i.e. the user ‘saves’ the data entry), or saves the record in temporary memory.

在完成数据处理前或记录临时保存前，计算机化系统警告使用者出现OOS，对这种情况应特别加以考虑。

10. ‘Data lifecycle’: What risks should be considered when retaining and retrieving data to protect it from loss or unauthorised amendment? 10. “数据生命周期”：当保留和取回数据以避免丢失或未授权修改时应考虑何种风险？

The following aspects should be considered when determining risk and control measures:

在确定风险和控制措施时应考虑以下因素：

 

How / where is data stored; 如何/何处存储数据；

Storage of data (paper or electronic) should be at secure locations, with access limited to authorised persons. The storage location must provide adequate protection from damage due to water, fire, etc. 应把数据（纸质或电子）存放到安全的位置，并仅使得到授权的人员可获得。存储处必须提供充足保护措施以防止水、火等破坏。



What are the measures protecting against loss or unauthorised amendment;

8

Translated by April from CPAPE, only for study and communication, not for commercialization



保护数据丢失或未授权修改的措施有哪些？

Data security measures should be at least equivalent to those applied during the earlier Data lifecycle stages. Retrospective data amendment (e.g. via IT helpdesk or data base amendments) should be controlled by the pharmaceutical quality system, with appropriate segregation of duties and approval processes.

数据安全性措施至少应与数据生命周期早期应用相一致。药品质量体系应通过适当的任务隔离与申请过程来控制可追溯性数据修复（例如，通过IT帮助或数据为基础的修复）。

 

Is data backed up in a manner permitting reconstruction of the activity; 以一定方式备份数据能否允许活动重建；

Back-up arrangements should be validated to demonstrate the ability to restore data following IT system failure. In situations where metadata (including relevant operating system event logs) are stored in different file locations from raw data, the back-up process should be carefully designed to ensure that all data required to reconstruct a record is included.

应验证备份情况，以保证按照IT系统出问题时可修复数据。对于原始数据的元数据（包括相关操作系统事件记录）存储在不同文件位置，应谨慎设计程序以保证所有数据可重建记录。 Similarly, ‘true copies’ of paper records may be duplicated on paper, microfilm, or electronically, and stored in a separate location.

同样的，应对纸质记录的“真实副本”可在纸上，微缩胶卷或者以电子形式复制，并存储在不同位置。

 

What are ownership / retrieval arrangements, particularly considering outsourced activities or data storage;

什么是所有权/恢复安排，尤其考虑外包活动或数据存储；

A technical agreement should be in place which addresses the requirements of Part I Chapter 7 and Part II Section 16 of the GMP guide.

应按照GMP指南Part I第7章和Part II第16节要求适当考虑技术合作。

11. ‘Data lifecycle’: What risks should be considered when retiring or disposal of data in a controlled manner at the end of its life?

11. “数据生命周期”：当在数据生命末期以受控方式对数据进行停用或处置时应考虑什么风险？

The following aspects should be considered when determining risk and control measures:

在确定风险和控制措施时应考虑以下因素：

 

The data retention period 数据保存期 This will be influenced by regulatory requirements and data criticality. When considering data for a single product, there may be different data retention needs

9

Translated by April from CPAPE, only for study and communication, not for commercialization for pivotal trial data and manufacturing process / analytical validation data compared to routine commercial batch data.

这个会受到监管要求和数据重要性的影响。当考虑单个产品数据时，与常规商业批次数据相比，关键试验数据和生产工艺/分析验证数据的数据保存需求可能不同。

 

How data disposal is authorized 如何授权数据处理

Any disposal of data should be approved within the quality system and be

performed in accordance with a procedure to ensure compliance with the required data retention period.

对数据的任何处理都应经质量体系批准，并按照确保数据保存期要求合规性程序进行。

12. Is it required by the EU GMP to implement a specific procedure for data integrity?

12. EU GMP是否要求为数据完整性实施明确的程序？

There is no requirement for a specific procedure, however it may be beneficial to provide a summary document which outlines the organisations total approach to data governance.

无特殊要求，但提供概述组织数据管理全部方法的总结文件会有利。

A compliant pharmaceutical quality system generates and assesses a significant amount of data. While all data has an overall influence on GMP compliance, different data will have different levels of impact to product quality.

一个合规的药品质量体系会产生大量的数据并对其进行评估。当所有数据对GMP合规产生全体影响时，不同的数据对产品质量会产生不同水平的影响。

A quality-risk management (ICH Q9) approach to data integrity can be achieved by considering data risk and data criticality at each stage in the Data lifecycle. The effort applied to control measures should be commensurate with this data risk and criticality assessment. 可通过考虑数据生命周期各个阶段数据的风险和重要性，采取质量风险管理（ICH Q9）方法来完成数据完整性。控制措施的程度应与数据风险和关键性评估相一致。

The approach to risk identification, mitigation, review and communication should be iterative, and integrated into the pharmaceutical quality system. This should provide senior management supervision and permit a balance between data integrity and general GMP priorities in line with the principles of ICH Q9 & Q10. 风险识别、减弱、审评和交流的方法应当迭代，并整合进药品质量体系中。这会按照ICH Q9&Q10要求在数据完整性和一般GMP优先权之间提供高层管理（参考）并达到平衡。

10

Translated by April from CPAPE, only for study and communication, not for commercialization

13. How are the data integrity expectations (ALCOA) for the pharmaceutical industry prescribed in the existing EU GMP relating to active substances and dosage forms published in Eudralex volume 4?

13. 现有EU GMP Eudralex卷4关于活性成分和制剂的内容如何描述对制药企业数据完整性的要求（ALCOA）？

The main regulatory expectation for data integrity is to comply with the

requirement of ALCOA principles. The table below provide for each ALCOA principle the link to EU GMP references (Part I, Part II and Annex 11):

数据完整性的主要监管要求是符合ALCOA原则。下表罗列了EU GMP参考（Part I, Part II和附件11）中与ALCOA原则相关的内容：

Basic Requirements for Medicinal Products 药物制剂的基本要求 Basic Requirements for Active Substances used as Starting Materials Annex 11 (Computerised System) 作为起始物料的活性成分基本要求 (Part II) : 计算机化体系 (4) (Part I): Chapter 4 / Chapter 6 Attributable (data can be assigned to the individual performing the task) Legible (data can be read by eye or electronically and retained in a permanent format) Contemporaneous (data is created at the time the activity is performed) Original (data is in the same format as it was initially generated, or as a ‘verified copy’, which retains content and meaning) [Paragraph \"Record\"] [4.9], [4.27], [4.8] [6.14] [4.1], [4.2], [4.7], [4.8], [4.9], [4.10] (1)(2)Chapter 6 / Chapter 5 (3)[4.20, c & f], [4.21, c & i], [6.14], [6.18], [6.52] [4.29, e] [2], [12.4], [15] [5.43] [6.11], [6.14], [6.15], [6.50] [7.1], [9], [10], [17] [12.4], [14] [6.14], [6.15], [6.16] [8.2], [9] 11

Translated by April from CPAPE, only for study and communication, not for commercialization

Accurate (data is true / reflective of the activity or measurement performed) 123[4.1], [6.17] [5.40], [5.45], [6.6] [Paragraph \"Principles\"],[5], [6], [10], [11] Chapter 4 (Part I): Documentation文件 Chapter 6 (Part I): Quality Control质量控制 Chapter 5 (Part II): Process equipment (Computerized system)工艺设备（计算机化Chapter 6 (Part II): Process equipment工艺设备 系统） 4

14. How should the company design and control their paper documentation system to prevent the unauthorised re-creation of GMP data? 14. 应如何用计算机设计和控制其纸质文件体系，以避免未授权的重建GMP数据？

The template (blank) forms used for manual recordings may be created in an electronic system (Word, Excel, etc.). The corresponding master documents should be approved and controlled electronically or in paper versions. The following expectations should be considered for the template (blank) form:

应在电子系统（Word, Excel等）中创建用于人工记录的模板（空白）表单。应批准并控制电子化或纸质版的类似主文档。以下是创建模板（空白）表单应考虑的要求：

     

have a unique reference number (including version number) and include reference to corresponding SOP number

设置参考编号（包括版本编号），并包括相关SOP编码的参考

should be stored in a manner which ensures appropriate version control 应以确保版本适当受控的方式进行存储

if signed electronically, should use a secure e-signature 如果有电子签名，应该使用安全的电子签名

The distribution of template records (e.g. ‘blank’ forms) should be controlled. The following expectations should be considered where appropriate, based on data risk and criticality:

模板记录（例如：“空白”表格）的分发应该受控。以下是基于数据风险和重要性应考虑的相关要求：



enable traceability for issuance of the blank form by using a bound logbook with numbered pages or other appropriate system. For loose leaf template forms, the distribution date, a sequential issuing number, the number of the copies distributed, the department name where the blank forms are distributed, etc. should be known

12

Translated by April from CPAPE, only for study and communication, not for commercialization

 

通过使用一个页面编码或其他合适体系的受约束的记录表，是空白表单的分发可追溯。对于活页模板表格，应知道分发日期，序列分发编号，分发副本编号，空白表单分发到的部门名称等。 Distributed copies should be designed to avoid photocoping either by using a secure stamp, or by the use of paper colour code not available in the working areas or another appropriate system.



对分发的副本进行设计，避免通过使用安全戳进行复印，或在工作区域或其他适当系统使用纸质色标进行复印。

15. What controls should be in place to ensure original electronic data is preserved?

15. 确保存储原始电子数据应进行什么适当的控制？

Computerised systems should be designed in a way that ensures compliance with the principles of data integrity. The system design should make provisions such that original data cannot be deleted and for the retention of audit trails reflecting changes made to original data.

计算机化系统应按照确保符合数据完整性原则的方式进行设计。系统设计应预作安排，以确保不能删除原始数据，以及保留反应原始数据变更的审计追踪情况。

16. Why is it important to review electronic data? 16. 审查电子数据为什么重要？

In the case of data generated from an electronic system, electronic data is the original record which must be reviewed and evaluated prior to making batch release decisions and other decisions relating to GMP related activities (e.g. approval of stability results, analytical method validation etc.). In the event that the review is based solely on printouts there is potential for records to be excluded from the review process which may contain un-investigated out of specification data or other data anomalies. The review of the raw electronic data should mitigate risk and enable detection of data deletion, amendment, duplication, reusing and fabrication which are common data integrity failures.

对于数据产生于电子系统的情况，电子数据是原始数据，必须经过审批，并且在做出批次放行决策或其他GMP相关活动（例如：稳定性结果审批，分析方法验证等）的决策之前进行评估。当仅基于打印件进行审查时，审查过程可能排除记录（可能包括未经调查的OOS数据或其他数据异常）。原始电子数据的审查应减弱风险，并确保检测出数据删除、修改、复制、再利用和制造，以上是常见的数据完整性问题。 Example of an inspection citing:

检查引用的例子：

Raw data for HPLC/GC runs which had been invalidated was stored separately to the QC raw data packages and had not been included in the review process. 已无效的HPLC/GC运行的原始数据单独存储在QC原始数据文件包中，并未对其进行审查。 In the above situation, the procedure for review of chromatographic data packages did not require a review of the electronic raw data or a review of relevant audit

13

Translated by April from CPAPE, only for study and communication, not for commercialization trails associated with the analyses. This lead to the exclusion of records from the review process and to lack of visibility of changes made during the processing and reporting of the data. The company was unable to provide any explanation for the data which had been invalidated.

对以上情况，色谱数据包的审查程序未要求对电子原始数据进行审查，或未对与分析相关的审计追踪进行审查。这会导致记录从审查过程中排除，并且在数据处理和报告过程中缺乏变更的可视性。企业不能提供关于宣告无效的数据的任何解释。

17. Is a risk-based review of electronic data acceptable? 17. 对电子数据基于风险的审查是否可行？

Yes. The principles of quality risk management may be applied during the review of electronic data and review by exception is permitted, when scientifically justified.

可行。在电子数据审评过程中可应用质量风险管理原则，当科学验证后排除审查是允许的。 Exception Reporting is used commonly as a tool to focus the review of electronic data such as (but not limited to) electronic batch records. Exception reporting rapidly highlights to the reviewer one of the most critical elements of batch review, i.e. the exceptions. The level of review of the full electronic batch record can vary based on the exceptions as well as the level of confidence and experience with a particular process. Appropriate testing and validation must be completed for the automated system and the output Batch Exception Report to ensure its functionality meets the business and regulatory requirements as per GMP.

异常审查常用作聚焦电子数据审查的工具，例如（但不限于）电子批次记录。异常报告迅速向审查中强调批次审查最关键的元素之一，例如：异常情况。全部电子批次记录的审查水平可根据异常和保密级别和特殊过程的经验有所不同。必须为自动化体系和产出批次异常报告进行适当检验和验证，以确保其功能复合商业和GMP监管要求。

18. What are the expectations for the self-inspection program related to data integrity?

18. 数据完整性相关的自审体系有什么要求？

Ongoing compliance with the company’s data governance policy/procedures should be reviewed during self-inspection, to ensure that they remain effective. This may also include elements of the Data lifecycle discussed in Q3-Q9.

在自审过程中应审查企业数据管理/程序的持续合规情况，以确保其仍然有效。这可能也包括Q3-Q9中讨论的数据生命周期元素。

19. What are my company’s responsibilities relating to data integrity for GMP activities contracted out to another company?

19. 关于外包给其他企业的GMP活动的数据完整性，企业自身有什么职责？

Data integrity requirements should be incorporated into the company’s contractor/vendor qualification/assurance program and associated procedures.

14

Translated by April from CPAPE, only for study and communication, not for commercialization 数据完整性的要求应纳入企业承包商/供应商资质/担保程序及相关程序。

In addition to having their own data governance systems, companies outsourcing activities should verify the adequacy of comparable systems at the contract acceptor. The contract acceptor should apply equivalent levels of control to those applied by the contract giver.

除了拥有自身数据管理体系外，企业外包活动应在受托方验证比较系统的充分性。受托方应申请与委托方等效的控制水平。

Formal assessment of the contract acceptors competency and compliance in this regard should be conducted in the first instance prior to the approval of a

contractor, and thereafter verified on a periodic basis at an appropriate frequency based on risk.

在这方面，应在审批合同方之前首次进行受托方完整性和合规性的正式评估，然后以适当的频率定期验证风险。

20. How can a recipient (contract giver) build confidence in the validity of documents such as Certificate of Analysis (CoA) provided by a supplier (contract acceptor)?

20. 供应商（合同接收方）如何使接收方（合同提供方）在文件有效性（例如CoA）建立自信？

The recipient should have knowledge of the systems and procedures implemented at the supplier for the generation of the CoA. Arrangements should be in place to ensure that significant changes to systems are notified and the effectiveness of these arrangements should be subjected to periodic review.

供应商（合同接收方）应了解供应商在生成CoA时建立的系统和程序。为确保系统发生显著变化的情况得到通知，应采取适当的措施，这些措施的有效性应定期进行审查。

Data related to activities which are outsourced are routinely provided as summary data in a report format (e.g. CoA). These summary documents are reviewed on a routine basis by the contract acceptor and therefore the review of data integrity at the contract acceptor site on a regular periodic basis (e.g. during on-site audit) takes on even greater significance, in order to build and maintain confidence in the summary data provided.

外包活动相关数据通常作为报告（例如CoA）中的总结数据。接收方按照例行程序审查上述总结文件，因此对接收方进行常规周期性的数据完整性审查更为重要，以便建立和维持提供总结数据的信心。

21. What are the expectations in relation to contract calibration service providers who conduct calibrations on-site and/or off-site? Are audits of these companies premises required?

21. 对现场和/或非现场实施校准的委托校准服务供应商有什么要求？是否要求对这些公司厂房进行审计？

15

Translated by April from CPAPE, only for study and communication, not for commercialization Using the principles of QRM to assess data criticality and risk, the company should include assessment of data governance systems implemented by the service provider when making decisions on service contracts. This may be achieved by on-site audit or desk-based assessment of information submitted by the service provider.

当企业制定服务合同决策时，应通过使用QRM原则来评估数据重要性和风险，应包括评估由服务提供方制定的数据管理系统。这可能由服务提供方通过现场审计或基于办公桌的信息评估来完成。

22. What is expected of my company in the event that one of my approved contractors (e.g. active substance manufacturer, finished product manufacturer, quality control laboratory etc.) is issued with a warning letter/statement of non-compliance concerning data integrity, from a regulatory authority?

22. 当批准的合约商（例如：原料药厂家，成品厂家，质量控制实验室等）收到来自监管部门关于数据完整性的警告信/不合规说明时，对公司本身有什么要求？

It is considered that the company should evaluate the risk to its products manufactured/released using the principles of quality risk management. Risk assessments should be made available to Inspectors, on request.

企业应通过使用质量风险管理原则来评估产品生产/放行的风险。检查员可要求获得风险评估（结果）。

Depending on the outcome of the risk assessment, appropriate action should be taken which may entail delisting the contractor from the approved contractor list. In the event that abnormal disruption in supply may result from a contractor compliance situation, relevant regulatory authorities should be consulted in this regard.

依据风险评估的结果，应采取从批准供应商名单中撤销某供应商的适当措施。供应链异常中断可能源于供应商的合规情况，相关监管机构应考虑这一点。

23. Where does my company’s responsibility begin and end in relation to data integrity aspects of the supply chain for medicinal products? 23. 在药品供应链中企业关于数据完整性的责任从哪里开始？从哪里结束？

All actors in the supply chain play an important part in overall data integrity and assurance of product quality.

在全部数据完整性和产品质量保证对供应链发挥作用的所有成员。

Data governance systems should be implemented from the manufacture of starting materials right through to the delivery of medicinal products to persons authorised or entitled to supply medicinal products to the public.

应从起始物料生产到药物制剂交付给授权个人或有权使药品发给公众的所有过程，都应制定数据管理体系。

16

Translated by April from CPAPE, only for study and communication, not for commercialization Relative responsibilities and boundaries should be documented in the contracts between the relevant parties. Final responsibility of ensuring compliance throughout the supply chain rests with batch certifying QP.

在有关各方的合同中应记录相关职责和界限。确保全部供应链合规性的最终职责在于批次认证QP。

17