​生产系统数据完整性速成方法

ISPE近期发布的《生产记录数据完整性指南》给出了关于生产系统数据完整性的速成方法，在有限资源的情况下最大限度提高生产系统数据完整性的措施。以帮助用户评估各种数据可靠性改进措施的优先度并采取措施。

Quick Wins

生产系统数据完整性速成

In this Guide, the term “quick wins” describes actions that can create considerable improvement in the integrity of manufacturing system data with modest resources. This section may be useful when prioritizing actions to improve data integrity.

在本指南中，“数据完整性速成方案”是指在有限资源的情况下最大限度提高生产系统数据完整性的措施。以帮助用户评估各种数据可靠性改进措施的优先度并采取措施。

As stated in Section 3.3, if a process is well defined (“we know exactly how to do this”) and consistent (“if we do it like this, we always end up with the correct result”) and has little or no manual intervention (“it all happens automatically”) and an objective output (“we all agree on the result”), issues of protecting data integrity can be reduced to those of validating the system and maintaining it in a validated state. Where any of these criteria are not met, there is likely to be a need for additional risk mitigation activities.

如第3.3节所述，如果一个工艺定义清晰（“即，我们可以清楚知道如何做”）且稳定（“即，如果按照工艺操作，总是可以得到正确的结果”）并且有很少或者几乎没有人为干预（“这一切都自动发生”），并有明确可预期的结果，保护数据完整性可以简化为验证系统并将其保持在验证状态的问题。如果不满足上述任何一条标准，则可能需要进行额外的降低风险活动。

Quick Wins for Existing Systems

现有系统数据完整性速成

Using the technology available, look to implement quick wins with immediate data integrity impact, including but not limited to:

使用现有技术，寻求快速解决数据完整性影响的方案，包括但不限于：

• Implement individual logins

• 实现人员登录

• Restrict access to validated settings or CPPs

• 限制访问已验证的设置或CPPs

• Ensure segregation of duties

• 确保权限分离

• Remove shared and generic user accounts
  

• 禁止共用和通用账户

• Restrict the ability to change date and time
  

• 限制更改时间的能力

• Secure PC desktops to prevent navigation to data files
  

• 安全的电脑桌面（锁定用户操作界面），以防止进入后台数据文件夹（让用户在desktop桌面操作，不能点开C盘，d盘文件夹））

• Eliminate manual transcription into GMP records

• 禁止人为誊抄GMP记录

• Create and validate automated data collation into reports
  

• 在系统报告功能中，启用并验证其数据校对功能

• Ensure backup frequency is appropriate and backup success is monitored
  

• 确保备份频率适宜和成功备份的测试

• Implement electronic review of critical data (e.g., tests, runs, cycles, failed, passed, aborted)
  

• 审核关键电子数据（如测试、运行、程序、失败、成功、废弃）

Quick Wins – Quality of Input Data

快速制胜—输入数据的质量

• Sensors and instruments introduce a degree of uncertainty to measurements in the production record. These can be mitigated by following good installation practices and calibrating to the required accuracy during installation and at the recommended schedule throughout the use of the sensor or instrument. Filtering and smoothing can be applied to sensor readings, appropriate to the noise and the dynamics of the attribute being measured, to reduce excursions or alarms based on noise or interference.

• 生产设备及其传感器的测量准确性可能影响到生产记录的准确性。这要求在安装期间遵循良好安装规范和在整个使用期间按照推荐的周期进行校准。传感器读数可以应用平滑滤波，适用于天噪声和动态的被测属性，以减少基于噪声或干扰的偏移或警报。

• Maintain clock synchronicity in different parts of the system and in different systems, and prevent access to make unauthorized changes to the time stamp. Have a procedure detailing how to make any manual intervention required to adjust for daylight saving time changes.

• 维护同一系统或不同系统间时钟的一致性，防止未授权对时间戳进行更改。应有程序详细描述如何调节时间以适应夏令时的时间改变（中国目前已暂停实行夏令时）

• Know the CPPs and which systems impact them. The production of data flow diagrams will assist with this. Understanding the data flows and the impact on CPPs will help focus efforts on the areas with the highest risk to the integrity of the data. Identify the data that shows whether the CPPs have been kept in range and review regularly. For multipurpose plants, recognize that the critical data items may change with the change of product.

• 绘制数据流程图将有助于我们更深层次了解生产工艺CPP，并认识到有哪些系统会影响到CPP。理解数据流和对CPPs的影响将有助于将工作重点放在对数据完整性风险最大的领域。识别可以显示CPPs保持在规定范围内的数据，并定期检查。对于多产品生产工厂，要认识到不同产品的关键数据可能有所不同。

• For critical data entered manually during the manufacture of a batch, have an additional check on the completeness and accuracy of the data. This check may be done by a second operator or by validated electronic means. The criticality and the potential consequences of data entered into a system erroneously or incorrectly should be addressed through a risk management process.

• 对于在批量生产过程中手工输入的关键数据，需要额外检查数据的完整性和准确性。这种检查可以由第二名操作员进行，也可以通过已验证的电子手段进行。错误或不正确输入系统的数据的严重性和潜在后果应通过风险管理过程加以处理。

• When recording input manually, consider whether the time needs to be recorded as well as the date, such as for sterilization monitors.

• 当记录手动输入，考虑是否需要记录时间和日期，如灭菌监测。

• Introduce training, SOPs, or automated prompts that support operators in performing tasks dependably and correctly. When doing this, take the opportunity to review how each activity is done. Can it be improved, simplified, or further automated?

• 采用培训、sop或自动提示，来帮助操作员可靠而正确地执行任务。如果通过此方式，尽可能回顾一下每项活动是如何完成的。它是否可以改进、简化或进一步自动化吗？

Quick Wins – Security and Access

快速制胜——安全和访问

If not previously implemented, configure individual logins to ensure actions are attributable.

如在此之前没有实行（安全登录和访问），系统需要重新为每位用户配置单独登陆账号，以确保其操作可追溯。

Where a system does not support individual (unique) user accounts, consider establishing procedural controls such as managing access to the system by recording who uses the system (and when) in a paper log book. This should ensure that the data entered and actions performed on the system are attributable. For the long-term fix, the implementation of technical solutions needs to be considered.

如果系统没有提供独立的用户账户，考虑建立程序性控制，如通过在纸质日志中记录谁使用系统(以及何时使用)来管理对系统的访问。这可以确保在系统上输入数据和执行的活动可以归属至人。长期的解决方案，则需要考虑技术解决办法。

Once the configuration settings are defined and tested, protect them from unauthorized access using logical or physical means. In this way only those variable settings that relate to each manufacturing batch need to be considered as original data and retained within the production record for that batch.

一旦配置被定义并测试，应使用逻辑或物理方法保护它们免受未经授权的访问。这样，只有那些与批次相关的可变设置需要视为原始数据，并保留在该批次的生产记录中。

Where operators can change the alarm settings, the risk to the integrity of the data may be mitigated through controls such as:

如操作人员可以改变报警设置，数据完整性的风险可以通过如下控制降低：

• Including the alarm setting in the final production report to confirm the settings during product release

• 在生产批报告中包含“报警参数设定”相关记录信息，以确保产品放行时报警参数设定未被非法修改

• Change control, to ensure a second person approval of the change in advance of implementing the change
  

• 修改控制，以确保修改在实施前被第二人批准。

• Configuration management, to baseline and record the system settings and parameters

• 配置管理，以确保基准和记录系统设置和参数。

• Access controls to ensure only authorized operators are making the change (and thus prevent inappropriate access)
  

• 访问控制，以确保仅授权的操作员可以更改（从而防止非法访问）

• Logging or audit trailing changes to provide an independent record of who made the change, when the change was made, the before and after values, and a justification why. The log or audit trail should be reviewed to detect any inappropriate or unauthorized changes.
  

• 对修改建立日志或审计追踪，提供一份谁/何时/为何进行了修改？以及修改前后的值。日志或审计追踪应该被审核以检查是否有任何的不合适或者非授权的修改。

Keep the role of system administrator independent from the routine work carried out within the system by assigning the administrator role to someone with no direct interest in the data. Where it is unavoidable for one user to have multiple roles within a system (for example, operator and system administrator, or engineer and system administrator, within a very small organization), they should use the role appropriate for the task, such as using the operator role for running batches, and audit trail review should confirm the administrator role was only used for the administration functions [11].

通过将管理员角色分配给对数据没有直接利益相关的人，使系统管理员的角色无需参与系统的日常GMP生产任务。如果一个用户在系统中不可避免地具有多个角色的（例如，操作员和系统管理员，或工程师和系统管理员），应该使用适合其任务的角色，例如使用操作员角色来生产批次，审计追踪审查应确认仅在系统管理时使用管理员角色[11]。

Manufacturing systems may have commissioning or test user accounts created for early test phases. Such accounts often have a wide range of permissions to support efficient commissioning and qualification. These accounts, along with any default or shared accounts, should be removed or disabled prior to production.

生产系统可能具有用于早期测试阶段创建的调试或测试的用户帐户。此类帐户通常具有广泛的权限，以支持有效的调试和确认。在生产之前，应删除或禁用这些帐户以及任何默认帐户或共享帐户。

At the level of the PCS, it may be impossible to effectively address logical security controls. As an alternative, consider adding physical security controls to prevent access to local operator panels but ensure the physical locks are secure and unique to the individual cabinet. See Section 6.5.2 for suggestions.

对于PCS（工艺控制系统）级别，可能无法有效地解决逻辑安全控制问题。作为替代方案，应考虑增加物理安全控制以防止访问本地操作员面板，但应确保物理锁是安全的并且对于单个机柜是唯一的。有关建议，请参见第6.5.2节。

Care should be taken when allocating guest accounts to visiting support personnel.

应该慎重为访问人员分配系统访客账号

Where a system relies on an unsupported operating system, the system should be isolated from the rest of the network, perhaps by use of a firewall. Such unsupported systems should not be accessible remotely [11].

如果系统依赖于不再支持（如 windows XP）的操作系统，则系统应与网络隔离，或使用防火墙。同时这些隐患系统也不能允许远程访问 [11]。

Analytics for Identifying Data Integrity Weaknesses

分析以识别数据完整性薄弱环节

Many larger PCS and most MES offer trending packages, some degree of statistical analysis, and at least a basic

form of multivariate analysis.

许多大型PCS（工艺控制系统）和大多数MES系统都含有能够一定程度进行统计、多变量趋势分析的程序包。

• Trending packages allow one or more signals to be viewed over a selected time period.

• 趋势分析程序允许查看选定时间段内一项或多项数据。

• Statistical analysis likely includes the ability to pull out maximum, minimum, and mean values for a signal during a selected time period. It may also produce measures of the spread in values, such as standard deviation.

• 统计分析图一般包含所选定时间段提取的某信号通道最大、最小、平均值水平。它还可以体现值的离散度，如标准差。

• Multivariate analysis refers to any statistical technique used to analyze data that arises from more than one variable. This permits analysis of a selection of variables to determine interactions between them. For example, identifying the relative impact of each variable on a CQA, or distinguishing the normal pattern of behavior from a potentially worrying outlier.
  

• 多变量分析是指用于分析多个变量所产生数据的统计技术，它可以分析选择的变量以确定他们之间的相互作用关系。例如，确定每个变量对关键质量属性的影响，或识别图形中潜在的离群值。

Sometimes, an evaluation of the data itself can lead to the identification of data integrity or other GMP issues.

有时，对数据本身的评估有助于识别数据完整性或其他GMP问题。

Examples of issues that could be identified using analytics include:

使用分析方法识别的问题示例包括：

Shift by shift analysis can reveal “interesting” discrepancies. For example, why can one shift always produce a batch 30 minutes quicker than anyone else – are they doing two steps in parallel, and does that present a risk to the integrity of the data for each operation?

生产班组与班组之间分析可以揭示“有趣”差异。例如，为什么一个班组生产完一批产品的时间比其他班组要快30分钟，效率高的班组他们是否两步并作一步地执行操作，这样会不会留下数据完整性隐患呢？

An analysis of OOS incidents identifying patterns such as:

通过OOS事件分析识别数据完整性问题的例子：

• A high warehouse temperature that always happens on hot sunny days may indicate that the HVAC system is inadequate or incorrectly set, and such temperature inconsistencies may impact product quality.

• 仓库高温报警为什么常常发生在炎热的晴天，这可能表明HVAC系统设置不合理或不正确，这种反常的温度报警可能会影响产品质量。

Long-term trending can highlight issues, for instance:

数据的长期趋势可突出质量问题，例如：

• Drift over time (perhaps a calibration issue)

• 随时间发生漂移（可能是校准问题）

• Sudden changes in the data value (an unexplained jump when a repair was carried out might be because a previous configuration was accidentally restored)
  

• 数据突然变化，可能来自于不恰当的系统维修导致的系统配置重置。

• Sudden changes in the data quality (a slightly noisy signal becomes completely smooth may indicate the addition of a filter that is inappropriate to the signal dynamics, perhaps masking genuine problems)

• 数据质量突然变化（略微嘈杂的信号变得完全平滑可能表示添加了一个不适合信号动态的滤波器，这样可能掩盖了真实问题）
  

Multivariate analysis can allow normal and unusual patterns to be seen in the way variables move. (If pressure, temperature, and humidity in a cleanroom normally behave in a particular way in response to personnel entering through the airlock, then the pressure values deviating from this pattern might indicate a leak in the pressure sensor pipework, or a blocked sensor head, or even an individual who deliberately props the door open thus presenting another form of risk to product quality.)

多变量分析可以允许变量在变换过程中呈现正常或不正常的图形。（如洁净室压力、温湿度通常以特定方式响应有人员进出，如偏离此模式的压力值，可能表示压力传感器管道泄漏或感应探头堵塞，甚至人为长时间开启洁净室的门，这也是对产品质量的另一种风险。）

Analysis of Variance (ANOVA or MANOVA if multivariate) can be an exploratory tool to explain observed distributions of data. (Perhaps it is suspected that a key ingredient bought from different suppliers is not as identical as their supplied test data suggests. The CPP readings from each batch can be grouped according to ingredient source and tested to see how well the hypothesis explains the observed results.)

方差分析（ANOVA或MANOVA，如果是多变量）可作为解释观察到的数据分布探索工具。（也许从不同供应商处购买的同一关键物料出具不同的测试结果数据值得怀疑，可根据物料来源和测试结果进行分组统计的批关键工艺参数来证实我们的怀疑。）

Some of these may be performed as part of a data integrity audit, during system periodic review, as well as during the annual product review.

在系统定期审查及年度产品回顾期间，可用上述方法进行数据完整性审计。

Quick Wins – Quality of Outputs

快速制胜——数据输出质量

• Ensure that data retrieval modes are clear on final reports (e.g., interpolation on trends, averaging, filtering, and clarity about suppression status on alarm history). This may be achieved by simply adding an appropriate title or label to the report.

• 确保最终报告中的数据检索模式清晰（例如，趋势插值、平均值、筛选以及有关报警历史记录的禁止状态的清晰度。）这可以通过简单地向报告添加适当标题或标签来实现。

• Review how alarms are presented to operators for ease of interpretation. Consider the application of color, notation, and priority. Make the presentation as simple, uniform, and logical as possible to help prevent errors, particularly when workloads are high or unusual alarms occur.

• 查看警报如何呈现以便于操作员理解。考虑报警呈现颜色、报警符号、报警优先级的设置应用。使图表呈现尽可能简单明了，逻辑合理，保持一致，防止出现错误，尤其是在系统工作负载较高或发生异常报警时。

• Verify that there is a suitable automatic or second person check of manual activities using system outputs in decision making (e.g., reconciliation of manual rejection activities). Ensure the manual activities are traceable to the relevant electronic records.

• 在使用输出数据做出质量决策之前，确认有可靠的自动化控制手段或双人复核检查手动操作（例如，手动拒绝活动账目核对）。确保人员活动可追溯到相关电子记录。

• Confirm alarm logs are reviewed as part of product release, as appropriate.

• 必要时，将报警日志作为产品放行的一部分进行审核

• Assess how data is handled as systems are shut down (in a controlled or uncontrolled manner) and restarted, given that PCS are more likely to be shut down than other types of systems during planned maintenance of equipment, or for production changes.

• 评估数据该如何处理在系统关闭或重启时（以受控或不受控的方式），因为PCS系统在计划性设备维护期间或生产计划变更期间，相比其他类型系统大概率会关机。

• Know the capacity of the manufacturing system’s data storage areas and monitor use so that areas where technical system logs, alarm histories, or data items reside do not fill up and become overwritten before the data can be archived. If the data is overwritten, subsequent reports on that data may become corrupted, which might not be easily detected. This may be included as part of routine performance monitoring on the system.

• 掌握生产系统的电子数据存储区域容量并监控使用情况，以便技术系统日志、报警历史记录或其他数据项目所在区域在数据归档之前不会被写满并覆盖。如果历史数据被覆盖，随之有关该数据的报告可能会被破坏，这可能并不容易被发现。这项检查可作为系统日常性能监控的一部分。

• Check that archived data is retained as expected (e.g., archive location), and can be restored for viewing and processing.

• 检查存档数据是否按计划保存（例如，存档位置），并可被恢复查看和处理。

Quick Wins – Critical Thinking

快速制胜-关键考虑点

Confirm during periodic review that the configuration management for the system and subcomponents remain current and accurate.

在定期审查时确认系统及其组件的配置管理保持现行且准确。

To detect issues with systems where data seems to be wrong either because of intentional or unintentional activity, watch people using the system. Confirm they are following the procedures and work instructions. Ask them to explain what they are doing and how it relates to the process. When data is saved, watch and ask if it is possible to delete or modify data entries before or after a transaction. Ask whether they are using a unique user ID.

当因为有意的或无意的行为导致数据看起来错误时去检查系统的问题，观察使用该系统的人们。确定他们是按照程序和工作指令执行的，让他们解释他们做了什么，与工艺有怎样的联系。当数据保存后，观察和询问他们在交接班前后是否有可能删除或修改数据输入，询问是否使用一个唯一的用户账户。

Find out if any of the manufacturing systems have data audit trail functionality not in use. If so, assess the value of turning it on. If a new audit trail is turned on, confirm there is sufficient storage space to hold the extra data. Check at periodic review that the data audit trail tracking changes to GMP data remains enabled. Often the default setting for an audit trail is off, or it may turn off automatically if the memory becomes full.

在生产系统找出任何有数据审计追踪功能是否有没投入使用的情况。如果有，评估打开这个功能的价值。如果一个新的审计追踪功能启用，确认有足够的空间存储这些特定数据。定期审查追溯GMP数据修改的审计追踪数据保持可用。通常，审计追踪的默认设置是关闭的，也可能会因为内存满了之后自动关闭。

When a change is made to a system, confirm whether the change has introduced or removed any materials, equipment, or personnel, in particular, items that affect CPPs or CQAs. If yes, has this been adequately handled through to the production report and product release process?

当一个系统发生变更，确认这个变更是否引入或移除任何物料、设备或人员，特别是影响CPPs或者CQA的项目。如果有，这些项目在生产过程和产品放行过程是否有充足的控制？

Ensure that reviewers and auditors understand how to access, review, and interpret the data audit trail for a

system as part of the data review procedure.

保证审核人员和审计人员理解如何访问、审查和解释系统的数据审计追踪作为数据检查程序的一部分。

来源：GMP办公室

编辑整理：德斯特GMP（深圳）咨询服务

版权及免责声明：本公众号所有文章除标明原创外，均来自网络。登载本文的目的为传播行业信息，内容仅供参考，如有侵权请联系德斯特删除。文章版权归原作者及原出处所有。本公众号拥有对此声明的最终解释权。

德斯特（深圳）咨询服务有限公司cGMP团队一直致力于国际GMP认证咨询；针对美国GMP认证, EU-GMP认证, PIC/S认证, WHO认证以及中国GMP认证，可为客户提供完整的GMP认证解决方案；同时，在产品注册和产品技术转移，以及新建项目的设计、验证服务可提供专业的咨询服务。