Is an Access Control System a GxP-Critical System? Part 2

Digest   2024-10-05 07:39   Jiangsu

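An interesting thing happened just before the holiday break: someone asked me whether an access control system counts as a GxP system and whether it needs to be validated. This has been debated repeatedly in recent years, and this system really is a borderline case. EU Annex 11 is always about the word "critical": you have to identify the critical systems, and only critical systems need strict management and tight control, while non-critical ones should be held to a lower standard. This is also the point of the direct versus indirect impact distinction in ISPE Commissioning and Qualification: even among GMP systems there are distinctions, and being a GMP system does not mean the highest standard applies. Commissioning is also a form of verification, and SOPs plus adequate training can also keep a system under control. The same is true of access control, and it all comes back to the saying: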

"Whether this knife slaughters a pig or kills a person depends on what it is used for."

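In addition to the earlier post, "Is an Access Control System a GxP-Critical System? Part 1", today I happened to see a thread on access control validation in the ISPE Commissioning and Qualification community.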

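Summary first: most companies classify access control systems that guard core controlled areas (such as cleanrooms of Grade B and above, QC laboratories and server rooms) as GxP systems.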

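However, most classify them as non-direct-impact systems, for which a sensible combination of commissioning, SOPs and training in place may be sufficient.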

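If the system gives you more functions (for example, it produces records that support batch release, which some companies capture into the batch record, or you run a large plant or facility with multiple suites to badge in and out of and controlled substance areas with cameras), validation will be more extensive and will cover configurable security levels, reports, date/time stamp verification, alerts/notifications, and so on.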

Of course, two issues must be resolved before the system can fully comply with Annex 11:

1. You must really understand what you intend to use the system for.

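2. The access control system must have provisions that reliably ensure only one entry per authorization (for example, a revolving door that admits only one person per card swipe); otherwise the system cannot be fully validated. (This is anti-tailgating. In Ximen's experience, some companies achieve it by design, with a one-way-flow gowning room that holds only one person, or by linking access control with CCTV or chip-tagged cleanroom garments.)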

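Below are the original replies from the ISPE Commissioning and Qualification community. The question was: "Is an access control system a GxP system, and does it need to be validated?"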


Reply 1

Typically we have only ever commissioned the security system for physical access. The reasons for that are because personnel and access levels are always changing, managing change for a security system can be difficult. That being said if you have a secure area of the facility (Cleanroom, Control Room, IT closet, etc.) managing access thru SOP may be a better approach than qualifying or validating your entire building wide security system.


Reply 2

Hi, yes, I have considered the security system (physical access control) as an impact system.

Not a hard system to qualify, and since it can be used to track ALCOA elements it was easiest to do it in a past situation where I was asked my opinion and guidance.

Major points were:

System config documents (door sensor locations) and test

Admin access controls

Audit logs

Data backup and archiving.

Most systems are not P11 compliant, so backup of the audit log was difficult as I recall.


Reply 3

I've seen them classified in various ways. Really depends on how you use it.  Realize that even just building access is GMP (CFR 210 and 211).  But not necessarily direct impact.  Add in access to clean production rooms with access based on individual employee training, you may be crossing over to more direct impact.  You absolutely need to have SOPs in place to manage the system and about how to manage people in the system.  If you deal with controlled substances, you may have additional regulations to deal with.  Maybe you have video monitoring of areas where controlled substances are handled.  (DEA I think).  You must first really understand what you intend to use the system for.  Later, if you change what you use the system for, you may need to re-evaluate.

This has been the subject of discussion on several projects. Remember that validating a computerized system requires demonstrating  the "process" that it controls is reliably performed; in this case, authorized entry into a restricted area.  Unless there are provisions that reliably ensure only one entry per authorization (e.g., a revolving door that allows only one person per card swipe)  then the system is not fully validatable.  Even in the case where such programming is implemented, the system must be configured to prevent a single person from using their token (e.g., card, badge, fob, retinal scan) to give access to an unauthorized person.  Although there may be such a system in practice, I have yet to see it.  I usually recommend that security systems be commissioned (functionally tested and accepted) with effective training and procedures in place.


I am answering in accordance with details given so far, it is my impression that a sensible combination of commissioning SOPs and Training in place might suffice your case. However if it might give you a bit more of structure I would suggest you follow the approach as described in ISPE Baseline volume : Commissioning and Qualification by gathering a team and starting by conducting a System risk assessment level 1. Once the system has been classified and documented then it would be possible to proceed as per local SOPs and Policies.

The 1st question should always be, what does the system control? Using a risk assessment or other gxp classification tool. For example a system which only controls main door access and not lab access is likely so far down the risk and gxp categorization that it would not be worth the effort. However, a system which controls sensitive areas like labs or sterile fill and links to a video system would need at least some level of verification. Systems that may supply data for investigations would need some level of verification/validation to confirm the intended use and integrity of the data. The effort should align to the risk and usage.

This discussion has come up at several facilities that I have supported. In general, I agree with the suggestions to perform a risk assessment and to apply appropriate measures to confirm that the system meets the intended requirements.  The problem that I have often encountered, however, is that the requirements for these access control systems are undocumented or otherwise unclear.  Exactly what are they intended to accomplish?  "Prevent unauthorized access" is the obvious answer, but that is overly simplistic.  It is probably fairly simple to "validate" that a singular unauthorized attempt at entry is denied, but is that all that is required?  How do you verify that an authorized person does not hold the door open for a second person?  How about swiping an authorized card (or some other authorization method) to facilitate another's unauthorized access?  Most systems I have encountered have not considered all such "risks".  Without a highly sophisticated configuration the desired primary function (preventing unauthorized access) may or may not be "validated" to a high degree of assurance.  The cost of such sophisticated detection and programming may be costly with little actual benefit.  More often than not, we have commissioned these systems and depended upon training and written procedures to ensure compliance.  



Reply 4

I've only seen a few companies willing to classify their badge systems as "GXP", though I would recommend they do so as the output from this system can be requested by FDA inspectors. When that happens, you want that data to be reliable.

"Intended use" includes not just the physical purpose of the system at that moment (who is trying to get in right now), but the use of the historic data later on (who has been in the room over the last year). For example, when an FDA inspector wants to know who was in the manufacturing suite on March 7th, they may ask for the historic badge access data. If the signatures on the batch record that day do not agree with the badge access history, the company may need to explain how this happened, and the badge system may be used to find out that operators did not witness what they claimed to witness.

Unless a computer system uses biometrics such as fingerprint or eye scans, one person can always pass their badge to another person, just as easily as one person can write their user ID and password on a post-it note, or log in and let the second person control the keyboard. What is "validatable" is limited to what the computer system and associated components can control, i.e., an authorized badge swiped against the door sensor unlocks the door and adds an entry to the historical log, and an unauthorized badge does not unlock the door and adds an "access denied" entry to the historical log. When you deactivate a badge, it no longer lets you in. There should be a history of access so you can see when a badge was activated/deactivated. If there are different levels that can be configured, then that is also part of the intended use and can be validated.

During an investigation I worked on, a result was obtained using the wrong parameters. When I interviewed the operator, he told me, "Oh, that wasn't me. Bob didn't have access to the computer so I logged in for him and let him run the instrument." Shortly after my interview with the operator, he was no longer employed at the company. People violate procedures, whether it's a badge system where I hold the door open for the guy behind me whose hands are full, or a computer system where IT hasn't given the new guy his own computer account yet. However, in compliance-focused companies, it better be clear that if you share your badge or share your computer account, then you better update your resume because you'll be looking for a new job. Occasional spot checks of badge report vs. cameras or badge report vs. batch record signatures will keep people honest and encourage compliance with procedures.

Most companies are not going to have Fort Knox-level biometrics controls with facial recognition cameras, etc. If the risk of someone not following the procedures and sharing their badge is great, such as if you had a controlled substance area, then you'd better have a secondary camera system to ensure that two people did not badge in or that the person on camera looks like the person who owns the badge. Someone would then routinely review the camera footage for unauthorized badge sharing. An unauthorized card swipe to a controlled substance area might send an immediate text/alert to security to search the area, which would be part of the "intended use" that you would want to verify.

If you have a small site and badge access only covers the front door access, and there's no badge swipe to leave, you don't have much data or validation to worry about and it should be quick and easy to validate the intended use of the system.

If you have a large site with multiple suites to badge in/out and controlled substance areas with cameras, validation will be more extensive and will cover configurable security levels, reports, date/time stamp verification, alerts/notifications, etc. Camera footage can sometimes be used as part of investigations and could also be considered GxP. If badge and camera systems are integrated, an approved or unauthorized badge swipe may snap a picture of the person and store it with the badge entry. This would make validation for intended use more involved.

My recommendation is to consider the badge system a lower-risk GXP system and do some basic testing to make sure the system is configured correctly and reports come out readable and complete. When FDA asks for who was in the room last year, you don't want to have to tell them you didn't validate the system, there's no logons, no historic data reports, and you don't back up the data.
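An added example, not part of the ISPE thread or of any vendor's product: a minimal version of the spot check described in Reply 4, comparing a badge report against batch record signatures. The CSV layout, field names, badge IDs and people are constructed for illustration, and the sketch assumes a suite where staff badge both in and out.

```python
from datetime import datetime

# Constructed badge report (hypothetical layout): time,badge,user,room,direction,result
BADGE_LOG = """\
2024-03-07T08:01:12,B-1001,alice,SUITE-A,IN,GRANTED
2024-03-07T08:03:40,B-1002,bob,SUITE-A,IN,DENIED
2024-03-07T11:30:05,B-1001,alice,SUITE-A,OUT,GRANTED
2024-03-07T13:00:00,B-1003,carol,SUITE-A,IN,GRANTED
2024-03-07T13:05:00,B-1003,carol,SUITE-A,IN,GRANTED
"""
# Constructed batch record signatures: (time, signer, room)
SIGNATURES = [
    ("2024-03-07T09:15:00", "alice", "SUITE-A"),
    ("2024-03-07T09:20:00", "bob", "SUITE-A"),    # bob's swipe was denied
    ("2024-03-07T12:00:00", "alice", "SUITE-A"),  # alice had already badged out
]

def parse_log(text):
    rows = [line.split(",") for line in text.strip().splitlines()]
    return sorted((datetime.fromisoformat(ts), user, room, direction, result)
                  for ts, _badge, user, room, direction, result in rows)

def presence(events):
    """Build per-(user, room) presence intervals from GRANTED swipes only."""
    intervals, open_in, anomalies = {}, {}, []
    for ts, user, room, direction, result in events:
        if result != "GRANTED":
            continue
        key = (user, room)
        if direction == "IN":
            if key in open_in:  # second IN with no OUT: shared badge or missed exit swipe
                anomalies.append((ts.isoformat(), user, "IN without prior OUT"))
            else:
                open_in[key] = ts
        elif key in open_in:
            intervals.setdefault(key, []).append((open_in.pop(key), ts))
        else:
            anomalies.append((ts.isoformat(), user, "OUT without prior IN"))
    for key, start in open_in.items():  # still inside when the report ends
        intervals.setdefault(key, []).append((start, datetime.max))
    return intervals, anomalies

def unsupported_signatures(signatures, intervals):
    """Signatures made at a time when the log does not place the signer in the room."""
    return [(ts, user, room) for ts, user, room in signatures
            if not any(a <= datetime.fromisoformat(ts) <= b
                       for a, b in intervals.get((user, room), []))]
```

A flagged signature is a prompt for review against camera footage or an interview, not proof of misconduct: the log only shows which badge was swiped, not who carried it.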

--------------------------------------------------------

BasicPharma搬砖工
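An independent practitioner, not a team and not a consulting firm. These are Ximen's personal study notes; exchanges and discussion are welcome. Statement: all articles are solely Ximen's own thoughts and are unrelated to any company, organization or individual. They may be incomplete and may change over time; thank you for your understanding.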