1-对于电子数据的审核,建议参考PIC/S数据完整性指南 GOOD PRACTICES FOR DATA MANAGEMENT AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS,监管期望时:检查是否有数据准确性、是否有修改、删除、覆盖、是否有未报告的数据等,指南仅要求需建立SOP规定电子数据审核职责,但明确要求审计追踪应由质量部门实施。以下是法规原文:
9.8 Review of data within computerised systems
The regulated user should perform a risk assessment in order to identify all the GMP/GDP relevant electronic data generated by the computerised
systems, and the criticality of the data. Once identified, critical data should be audited by the regulated user and verified to determine that operations
were performed correctly and whether any change (modification, deletion or overwriting) have been made to original information in electronic records,
or whether any relevant unreported data was generated. All changes should be duly authorised.
The company’s quality unit should establish a program and schedule to conduct ongoing reviews of audit trails based upon their criticality and the
system’s complexity in order to verify the effective implementation of current controls and to detect potential non-compliance issues. These reviews
should be incorporated into the company’s self-inspection programme. Procedures should be in place to address and investigate any audit trail
discrepancies, including escalation processes for the notification of senior management and national authorities where necessary.
2-对于审计追踪的审核:建议参考 Practical risk-based guide for managing Data Integrity Revision 2, April 2022,审计追踪分为data audit 和 system audit.
数据审核追踪主要为了产品放行,需事前评估审核哪些数据哪些检测项,关注数据修改、报警、动态数据积分、重复测试等,系统审计追踪主要检查登录失败、数据删除、权限分配、账号、远程访问等。
7.2 Data Audit Trail Review
The review of audit trail should be conducted systematically as due diligence in order to ensure that data used
in support of the lot release is valid and correctly managed.
Some computerized systems may be pre-configured by the vendor to present changes or deletions of certain
data or meta-data in a specific report, commonly referred to as an exception report, or to record and present
specific data within audit trails. Other systems are not so configured as such, and the audit trail shows most,
or all of the operations completed. For these systems, the audit trail functionality might require activation,
either for all or for specific data items. Finally, some systems do not have audit trail functionality at all.
Independently from the vendor choices, the company should review and define which data should be subject
to audit trail. This will ensure important data is captured and checked as well as limiting the amount of
information to be checked, with potential associated benefits to system performance and the ability of users
to read and analyse the audit trail information.
Therefore, the content and frequency of a data audit trail review should be based on a risk assessment which
considers
• the potential impact of the data on product safety and efficacy
• the probability of a data integrity issue to occur
• the likelihood of detection of a data integrity issue once it has occurred.
7.4 System Audit Trail Review • Examples of areas to be included, but not limited to; o Failed user log-in attempts o Data deletions o Configuration changes e.g., scan and compression rates, audit trail activation/deactivation, file path or database locations … o List of users and their authorisation levels o Significant errors, alerts or warnings as defined by company e.g., back up failures or issues o Remote access events (successful and unsuccessful)
Typical frequency annual. Higher frequency may be necessary based upon factors such as the
severity of the data, system usage and data audit trail review frequency. Shall be clearly risk based
and justified.
电子数据审核和Audit Trail 日志审核的侧重点是不同的。
电子数据审核注重检查电子文件的完整性和正确性,包括文件内容、格式、结构和可用性,完整性,符合性,以确保其有效性和安全性,且元数据和原数据都包括在内。
Audit Trail 日志审核则注重检查其记录的审核日志,以追溯事件,确定责任方和责任范围,帮助用户追溯系统的变更历史,有无异常,以确保和保证其安全性。
QA 介入审核时,应该参与电子数据审核和Audit Trail 日志审核,抽查监督所有审核内容,确保审核准确性和有效性。
每批放行批也应该进行电子数据审核,AuditTrail 则可以在QC 审核过程中,由QA 加以监督抽查。
这{{threadTextType}}正{{isAdminText}}
为帮助审核人员更快处理,请填写举报原因:
为帮助审核人员更快处理,请填写举报原因: