确保计算机系统数据完整性的十个步骤

确保计算机系统数据完整性的十个步骤

数据完整性(DI)问题存在于纸质数据和电子数据。数据完整性的误解之一，认为只有存储在计算机系统上的电子数据会有数据完整性问题。这种想法是错误的，只要是GMP数据/记录，都有可能造成数据完整性问题。

由于大家对于电子数据的数据完整性较为陌生，在此特别介绍关于确保计算机系统数据完整性的十个步骤：

1. Identify each user uniquely 每个用户有唯一的识别方式

Attributing work to an individual is a key GMP compliance requirement. In the paper world, identification of each operator/analyst is easily achieved through each person’s initials or signature.

每件事情都要有制定的人员来进行并负责，这是GMP合规的关键要求。如果使用纸质文件，操作人员/分析人员的身份就是通过签名来识别的。

2. Implement adequate passwordcontrols 进行充分的密码控制

Password needs to be strong enough so that it cannot be guessed by others, but not so strong that the user has to write it down to remember it. Periodic enforcement of password change, no reuse of previously password etc.

密码的复杂度应适当，确保不易被他人**，且用户能够可以记住自己的密码。应定期强制用户对密码进行更换，且不能使用之前使用过的密码。

3. Establish different user types withdifferent access privileges 设置不同的用户类型和用户权限

U.S.GMP regulations in §211.68(b) require systems and equipment to be limited to authorized individuals only. Each user type should be allocated with different access privileges based upon the assigned role that they will perform in the system. U.S. GM §211.68(b)要求只有有权限的人员可以访问系统和设备。应根据用户在系统中的角色，为不同的用户类型设置不同的用户权限。

4. Establish and maintain a list ofcurrent and historical users 建立并维护当前和历史用户的清单

21 CFR part 11 and Annex 11 require authorized users with different access privileges. A list of current and historic users of systems needs to be established and maintained, as it is easy for an inspector to ask to see the list of accounts and, if somebody has recently left, ask to see if the account is still active or has been disabled.

21 CFR part 11和附件11要求对授权用户设置不同的访问权限。应建立并维护当前和历史用户的清单，以便检察官检查，如果某工作人员已经离职，检察官可以检查其账户是否还未被注销或被暂停使用。

5. Control changes to the computersystem 控制对计算机系统的变更

U.S GMP. in §211.68(b) requires that changes are only made by authorized individuals. However, when you share user identities, unattributed changes to the

systems would be impossible to identify individuals making changes.

U.S GMP. in §211.68(b)要求只有授权人员可以进行变更。然而，如果将用户权限随意分享，就无法确定到底是谁执行的变更。

6. Only trained staff must operatethe computer system 只有经过培训的人员可以操作计算机系统

Under GMP, there is the requirement for all staff to have the “combination of education, training and experience to perform their job”as stated in §211.25.If unqualified user are allowed to operate, there is an increase risk of wrong operations that may result in loss of GMP data etc.

U.S GMP. in §211.2要求所有人员应有相应的教育背景和工作经验，并接受过相关的培训。如果允许不合格人员对系统进行操作，那么就会加大操作错误的风险，从而导致GMP数据的丢失等。

7. Understand predicate rules forGMP records 理解有关GMP记录的法规

U.S.GMP regulations for laboratory records, there is a specific statement in the beginning of §211.194(a) that states: “Laboratory records shall include complete data derived from all tests necessary to assure compliance with established specifications and standards, including examinations and assays, as follows….”The key phrase in this is “complete data”i.e. everything and everything. Note: This include manufacturing data too.

U.S. GMP§211.194(a)要求“实验室记录应包括所有完整的检验（包括检查和试验）数据，确保符合质量标准”。这句话的关键词是“完整数据”。注：也包括生产数据。