电子数据复核谁来做？QA or SO？

文摘 2024-07-16 06:25 中国香港

嗯，老话说的好，如果说每半年回顾你半年前的某个想法，你没有觉得自己当时是个傻X，那么你着半年大概率没有任何思考和进步。全文很长，虽然基于时间，我没法整排版，有点ugly，但是建议通读，尤其最后一个来自ISPE的回复，很有启发。

省流：国外的DI同仁们众口一词的是，数据审核和业务审计追踪审核，应在数据复核第一时间由业务部门的SME执行，QA的职责是确保电子数据审核方式方法和频次已在SOP中存在，并确保有效执行。按风险，定期执行系统审计追踪审核（可抽查、可使用关键词，必须有自己账号）

1. 之前的想法

2018年，FDA定稿了数据完整性指南，其中第七问，是谁应该进行审计追踪审核，这也是我过往思考来源的一个点

7. Who should review audit trails?
7. 谁应该审查审计跟踪？
Audit trail review is similar to assessing cross-outs on paper when reviewing data. Personnel responsible for record review under CGMP should review the audit trails that capture changes to data associated with the record as they review the rest of the record (e.g., §§ 211.22(a),211.101(c) and (d), 211.103, 211.182, 211.186(a), 211.192, 211.194(a)(8), and 212.20(d)). For example, all production and control records, which includes audit trails, must be reviewed and approved by the quality unit (§ 211.192). The regulations provide flexibility to have some activities reviewed by a person directly supervising or checking information (e.g., § 211.188).FDA recommends a quality system approach to implementing oversight and review of CGMP records.
审核跟踪审查类应与纸质审查数据时等同。CGMP下负责记录审查的人员在审查记录的其余部分时，应审查记录与记录相关的数据变更的审计追踪(例如，211.22(a)、211.101(c)和(d)、211.103、211.182、211.186(a)、211.192、211.194(a)(8)和212.20(d))。例如，所有生产和控制记录，包括审计追踪，必须由质量部门审查和批准(211.192)。这些规定提供了由直接监督或检查信息的人员审查某些活动的灵活性(例如，211.188)。FDA推荐一种质量系统方法来实施CGMP记录的监督和审查。

黄字，第一段，一直是我纠结的源头，我一直认为qa必须审核所有批放行电子数据……而忽略了最后一句，法规的要求是，QA的职责在于确保方式方法的落地。

关于电子数据复核，老实说，我之前的从业经历来看。

数据生成、处理、报告后-》peer review同级复核（一般是SME）这一步最重要，因为这个人最为熟悉这个系统和业务，他应该审核最全面-》line 审核-》QC final review-》QA review-》Product release-》Periodical Review 这一层层的审核，应该确保所有人都进入了系统中审核，部分人员可以用exception audit trail review即关键词审核方式来审核。但所有人加一起必须是全面的。这往往很挑战流程设计能力，和人性。所以我一般遇到情况……是尽力设计成交叉审核。尤其国内公司，QA的审核，往往又是一次全面的审核，批放行相关的审核，会要求对于电子数据的全面核查，对于其他电子数据和配置/系统层面的审核会是抽查。

2. 调研结果

最近两三天，我做了个简短的调研。只收上来81份，仅作分享。

结果有点出乎我的意料，反而是针对国内产品，QA负责电子数据审核的多，定期审核检查法多于批放行前审核……

3. 来自国际友人的回复

3.1. 来自我敬爱的 DI巨佬 Bob 的回复

Tell QC and Production to get off their lazy arses. At and raw data review is their job not yours.
告诉QC和生产部别再偷懒了。审查原始数据是他们的工作，不是你的。
QA job is oversight and this is achieved by DI spot checks NOT doing the work.
QA工作是监督，这是通过DI抽查来实现的，而不是数据审核。

AT review is the responsibility of the originating Department not yours. Read FDA DI guidance questions 7 and 8 from memory. Also PIC/S PI 041 states the same.
审计追踪审查是原始部门的责任，不是你的责任。根据记忆阅读FDA DI指南问题7和8。PIC/S PI 041也有同样的表述。（西门：bob知道我是个QA……）

Which is why QC and Production have to do the work. Its in the regulations. For labs its 21 CFR 211.194(a) 7 and 8 and Chapter 6.19
这就是为什么QC和生产必须做这项工作。这是规定。对于实验室，来自 21 CFR 211.194(a) 7和8以及第6.19章

3.2. 来自ISPE DI Group Leader 的回复

Audit trail review should be performed by someone who understands the data in the audit trail. In addition, regulators are starting to expect QA to perform regular sample checks of audit trails, looking for anything unusual. These samples might be 3-4 systems checked monthly.
审核跟踪审查应由了解审核跟踪中数据的人员执行。此外，监管机构开始期望QA对审计跟踪进行定期抽样检查，寻找任何异常情况。这些样本可能是每月检查3-4个系统。

3.3. 来自ISPE DI Group 其他大佬的回复（这里十分推荐使用ISPE会员才能登陆的COP，也就是所谓的ISPE社区，哈哈哈，打个广告，跟国外一线的老师们交流技术）

西门的问题：QA必须审核电子数据么？频次和深度应如何定义？

3.3.1 第一个回复

First part of your question: I do not believe that it is a regulatory requirement that QA must review system audit trails. This should be performed by SME's who are knowledgeable on the business process and data in question, and be defined in SOP's as part of daily work for those persons working with the system. QA should not participate actively in the review, but ensure that it is being performed according to defined SOP's.
您问题的第一部分：我不认为 QA 必须审查系统审计跟踪是监管要求。这应该由了解相关业务流程和数据的SME执行，并在 SOP 中定义为使用该系统的人员日常工作的一部分。QA不应积极参与审查，但应确保按照定义的SOP进行审查。

Second part, frequency and depth. Audit trail review should be performed at the time of data review and approval. Scope should be audit trails relating to all data relevant for the record being produced. Reasons for not performing audit trail review on certain data may exist, and it is my recommendation that you describe these reasons - if they exist - as part of your business process risk assessment.
第二部分，频率和深度。审计跟踪审查应在数据审查和批准时执行。范围应是与所生成的记录相关的所有数据相关的审计跟踪。可能存在不对某些数据执行审计跟踪审查的原因，我建议您描述这些原因（如果存在）作为业务流程风险评估的一部分。

3.3.2 第2个回复

PIC/S Guideline on Data Integrity section 9.8 substep 2 (https://picscheme.org/docview/4234) "The company's quality unit should establish a program and schedule to conduct ongoing reviews of audit trails based upon their criticality and the system's complexity in order to verify the effective implementation of current controls and to detect potential non-compliance issues. These reviews should be incorporated into the company's self-inspection programme."
PIC/S 数据完整性指南第 9.8 节第 2 子步骤（https://picscheme.org/docview/4234） “公司的质量部门应制定一个计划和时间表，根据审计跟踪的重要性和系统的复杂性对审计跟踪进行持续审查，以验证当前控制措施的有效实施并检测潜在的不合规问题。这些审查应纳入公司的自查计划。

I answered this more in depth where you posted in in the other community.
我在您在其他社区中发帖的地方更深入地回答了这个问题。

Differentiate between data and system audit trails (section 9.8 does).
区分数据和系统审计跟踪（第 9.8 节）。

Identify critical data 识别关键数据
Perform risk assessment 执行风险评估
Have appropriate data audit trial review proceduralized at (before) time of decision (use)
在决定（使用）时（之前）程序化适当的数据审计试验审查
Create program run by quality unit for system audit trial review
创建由质量单位运行的程序，用于系统审计追踪审查

3.3.3 第3个回复

As an example, if a test result is to be reviewed and approved, it is required that any audit trail related to that test result is reviewed as part of that approval process. The audit trail review should not be something that happens separately from the review and approval of those results.
例如，如果要审查和批准测试结果，则要求在与该测试结果相关的任何审计跟踪都作为该批准过程的一部分进行审查。审计跟踪审查不应与这些结果的审查和批准分开进行。

Separate from that are what some might call system audit trails. This would be audit trail data that is not related directly to results that are being reviewed and approved as part of a record review. Those should take place as part of a periodic review with periodicity based on risk assessment.
与此不同的是一些人可能称之为系统审计跟踪的东西。这将是与作为记录审查的一部分正在审查和批准的结果没有直接关系的审计跟踪数据。这些措施应作为定期审查的一部分进行，并定期进行，并基于风险评估进行定期审查。

As another example, when reviewing a batch record, all audit trails associated with that batch record should be presented as part of that review and approval. Audit trails around user accounts would not be directly relevant to the batch record review and would not be required to be reviewed as part of reviewing the batch record.
再举一个例子，在审阅批处记录时，与该批处理记录关联的所有审计跟踪都应作为该审阅和审批的一部分呈现。围绕用户帐户的审核跟踪与批次记录审查没有直接关系，并且不需要在审查批理记录时进行审查。

3.3.4 第4个回复

the asked question is a recurrent topic as soon as we have to discuss the "how-to" regarding audit trail review.
一旦我们必须讨论有关审计跟踪审查的“操作方法”，所提出的问题就是一个反复出现的话题。

English language is not always very clear and unambiguous. The sentence mentioned by Philip could/should be understood in the following way:
英语并不总是非常清晰和明确。菲利普提到的这句话可以/应该这样理解：

All production and control records, which includes audit trails, must be reviewed.
必须审查所有生产和控制记录，包括审计跟踪。
The outcomes of the review process must be approved by the quality unit.
审查过程的结果必须得到质量部门的批准。

Step #1 shall be performed by people with process knowledge, ergo the originate department having generated the records during process execution; e.g.:
步骤 #1 应由具有流程知识的人员执行，即在流程执行期间生成记录的原始部门;例如：

Manufacturing unit 生产部门
Analytical lab 分析实验室

Obviously the 4-eyes principle must be followed, i.e. the person reviewing the records incl. audit trail is not the person having generated those records.
显然，必须遵循四眼原则，即审查记录（包括审计跟踪）的人不是生成这些记录的人。

The very often made mistake is to introduce a long delay between the generation of the process relevant audit trail entries and the day that these audit trails will be reviewed.
经常犯的错误是在生成流程相关审计跟踪条目和审查这些审计跟踪的日期之间时间过长导致的延迟。

The review of "control records, including audit trail entries" must be part of the release activities:
对“检验记录，包括审计跟踪条目”的审查必须是放行活动的一部分：

Batch release 批放行
Release of analytical results and certificates of analysis
发布分析结果和分析证书
Release of a GLP study
放行GLP研究
Review and release of clinical results
临床结果的审查和放行
...

There is no valid nor acceptable reasons to not perform the audit trail review during the process review and release activities.
在流程审查和放行活动期间，没有正当理由或可接受的理由不执行审计跟踪审查。

It is Quality Unit duty to ensure that the review activities are adequately specified (SOP) and properly conducted at the right time (review and approval of the release activities), i.e. Step #2.
质量部门的职责是确保审查活动得到充分规定（SOP）并在正确的时间正确进行（审查和批放行活动），即步骤#2。

For systems not being directly considered during a release process as well as for the "administrative audit trail" (sometime also called "technical audit trail"), a reasonable frequency for reviewing audit trail entries must be defined.
对于在放行过程中未直接考虑的系统以及“管理审计跟踪”（有时也称为“技术审计跟踪”），必须定义审查审计跟踪条目的合理频率。

For "mission critical" and globally used systems - such as CDS, DMS, ERP, LES, LIMS, MES, PV applications, ... - it is advisable to schedule such routine review on a monthly base (maybe even considering a shorter review period depending on the amount of data to be reviewed and on the business relevance of the system: i.e. what is the resulting impact of discovering that something went wrong? product recall? invalidation of the clinical results? necessity to repeat the GLP study? ...).
对于“关键任务”和全球使用的系统，例如CDS、DMS、ERP、LES、LIMS、MES、PV应用，... - 建议每月安排一次此类例行审查（甚至可以考虑缩短审查期，具体取决于要审查的数据量和系统的业务相关性：即发现问题会产生什么影响？产品召回？临床结果无效？重复的必要性GLP研究？...).

For systems with less important business impact, a longer period (e.g. every 2 months or quarterly) could be considered.
对于业务影响较小的系统，可以考虑更长的时间（例如每 2 个月或每季度一次）。

The definition of the review frequency depends on the outcomes of the risk management activities, keeping in mind that the processes must be kept under control!
审查频率的定义取决于风险管理活动的结果，请记住，必须控制流程！

These audit trail review activities - for audit trail entries not being reviewed within the scope of a release process - are part of the periodic evaluation activities which should be defined in a scalable way.
这些审计跟踪审查活动（针对未在放行过程范围内审查的审计跟踪条目）是定期评估活动的一部分，应以可扩展的方式进行定义。

3.3.5 第5个回复

As you can see, audit trail review is a complicated topic with many regulations, guidance, and opinions. There is no single answer because QA audit trail review depends on:
如您所见，审计跟踪审查是一个复杂的话题，有许多法规、指南和意见。没有单一的答案，因为 QA 审计跟踪审查取决于：

1. The criticality of the system and type of system (lab, manufacturing, enterprise, in process, final results)
1. 系统的关键性和系统类型（实验室、制造、企业、在制品、最终结果）

2. The type of audit trails in the system (each system is different)
2. 系统中审计跟踪的类型（每个系统都不同）

3. Risk of mistakes or potential for unreported changes or results
3. 错误风险或未报告的变更或结果的可能性

4. organization structure of the company
4. 公司组织架构

From a regulatory standpoint, QA needs to ensure that all SOPs for data review have been followed and all results have been accounted for. There are many FDA Warning Letters that say that QA did not electronically review data or audit trails and did not know that there were results that were not printed and given to them, or that there were unauthorized changes made to configuration, settings, or methods that were unapproved. So QA cannot rely only on paper and hope that Managers/data reviewers have done their job. Whether this electronic review is done at the time of batch record/QC result review or during a periodic review is up for discussion. This is based on the criticality of the system and the risk of unreported results/changes. On my Taiwan project, they decided QA batch record review team would double-check HPLC result audit trails (for reprocessing/manual integration) and QA Audit team would check HPLC system audit trails (for unreported results) once every 3 months.
从监管的角度来看，QA需要确保所有数据审查的SOP都得到遵守，所有结果都已考虑在内。有许多 FDA 警告信说，QA 没有以电子方式审查数据或审计跟踪，也不知道有结果没有打印和提供给他们，或者对未经批准的配置、设置或方法进行了未经授权的更改。因此，QA不能只依靠纸面上谈兵，并希望经理/数据审查员已经完成了他们的工作。这种电子复审是在批记录/QC结果复审时还是在定期复审期间进行，还有待商榷。这是基于系统的重要性和未报告的结果/变化的风险。在我的台湾项目中，他们决定 QA 批记录审查团队将仔细检查 HPLC 结果审计跟踪（用于再处理/手动积分），QA 审计团队将每 3 个月检查一次 HPLC 系统审计跟踪（未报告的结果）。

Each system has different audit trails and logs. Do not be concerned about what the vendor has named the logs but check all of them for content. I am currently working on an Agilent GCMS with 10 audit trails/logs. Some of the things called "audit trails" are configuration that should never get changed once the system is installed and validated. On the other hand, there is something called a "Sequence log" which shows that all injections have been completed and uploaded to the server. There is also something called a "logbook" which shows the user logging in, run started, details of the acquisition run, the acquisition method used, and any error messages, pauses, or aborts that occurred during the run. Since the injections are saved as individual files which can be included and processed separately, these logs would be useful to see if there are unreported injections. QA may need to look at these logs from time to time.
每个系统都有不同的审计跟踪和日志。不要担心供应商对日志的命名，而是要检查所有日志的内容。我目前正在开发具有 10 个审计跟踪/日志的安捷伦 GCMS。一些称为“审计跟踪”的东西是一旦系统安装和验证就不应该改变的配置。另一方面，有一种叫做“序列日志”的东西，它显示所有注入都已完成并上传到服务器。还有一种称为“日志”的东西，它显示用户登录、运行开始、采集运行的详细信息、使用的采集方法以及运行期间发生的任何错误消息、暂停或中止。由于注入保存为可以单独包含和处理的单个文件，因此这些日志对于查看是否存在未报告的注入非常有用。QA 可能需要不时查看这些日志。

On my China project, FDA had cited the client for having 998 aborts in their system audit trail and cited it as "unreported results". Most of them were from powering up the system in the wrong order, but nobody in the company had ever looked at that audit trail before, even though the QC Reviewer had looked at the result audit trails all the time. QA did not have computer accounts to the lab instruments. QC printed the result and method audit trails for the specific batch so QA could see if the QC analyst changed a method or reprocessed results, but they did not know about the 998 aborts in the system audit trail. IT then created view-only roles in the Lab Instruments for QA so they could view the system audit trail and double-check that the paper printouts they received were accurately printed. QA would then scan audit trails for specific keywords that had excluded results (e.g. "abort")
.在我的中国项目中，FDA引用了客户在其系统审计跟踪中有998次中止，并将其称为“未报告的结果”。他们中的大多数是以错误的顺序启动系统造成的，但公司中没有人以前看过该审计跟踪，即使 QC 审查员一直在查看结果审计跟踪。QA没有实验室仪器的计算机帐户。QC 打印了特定批次的结果和方法审计跟踪，以便 QA 可以查看 QC 分析师是否更改了方法或重新处理了结果，但他们不知道系统审计跟踪中的 998 次中止。然后，IT 部门在 Lab Instruments 中创建了仅查看角色，以便他们能够查看系统审计跟踪，并仔细检查他们收到的纸质打印输出是否准确打印。然后，QA 将扫描审计跟踪以查找排除结果的特定关键字（例如“中止”）。

At another client, the client insisted that some manufacturing audit trails were "useless" because the static data was printed and put in the batch record. They claimed no audit trail review was required. I reminded them that the FDA would come in and push every button and look at every audit trail. If they find alarms not handled or the same batch number run twice but only printed once, they will write it up as an observation. I asked them, "Nobody is looking at this audit trail right now. Do you want the FDA inspector to be the first one to do so?" And they changed their mind and decided to put a periodic review of the audit trails in their procedures, even though the static data report was printed to paper.
在另一位客户中，客户坚持认为一些制造审计跟踪是“无用的”，因为静态数据被打印并放入批次记录中。他们声称不需要审计跟踪审查。我提醒他们，FDA会介入并按下每个按钮，查看每个审计线索。如果他们发现警报未处理，或者同一批号运行了两次但只打印了一次，他们会将其写为观察结果。我问他们，“现在没有人在看这个审计线索。你希望FDA检查员成为第一个这样做的人吗？他们改变了主意，决定在他们的程序中定期审查审计跟踪，即使静态数据报告是打印在纸上的。

The company organizational structure will also impact how much QA must review. 公司的组织结构也会影响 QA 必须审查的程度。

- If QC reports to QA, then both QA/QC can be considered part of the "quality unit" and QA can check less
.- 如果 QC 向 QA 报告，则 QA/QC 都可以被视为“质量单元”的一部分，而 QA 可以减少检查。

- If QC reports to manufacturing and is outside of QA, then QA must check more, because QC is no longer "independent" of manufacturing.
- 如果 QC 向制造部门报告并且不在 QA 范围内，则 QA 必须进行更多检查，因为 QC 不再“独立于”制造部门。

- If the electronic data is reviewed by a manager/department head who is not responsible for running the equipment, QA can check less.
- 如果电子数据由不负责运行设备的经理/部门负责人审查，则 QA 可以减少检查。

- If the electronic data is reviewed by a peer (QC analyst or manufacturing operator), then they are not considered "independent", and QA must check more.
- 如果电子数据由同级别（QC分析师或制造操作员）审查，则它们不被视为“独立”，QA必须检查更多。

- If you have an SME/Peer review, plus a department head/manager review, plus a QA review, QA can check less.
- 如果您有 SME/同行评审，加上部门主管/经理评审，再加上 QA 评审，则 QA 可以减少检查。

- If there is only one reviewer before QA, QA should check more.
- 如果在 QA 之前只有一个审阅者，则 QA 应该检查更多。

- If QA is the only reviewer, they must check everything.
- 如果 QA 是唯一的审阅者，他们必须检查所有内容。

One of my clients is a very small contract lab. The analyst performs the test and prints the results. The paper data packet goes to the QA person who is the only person to check that the method was followed properly, sample was weighed correctly, sample sequence set up correctly, and no unauthorized manual integration or reprocessing has occurred. In this case, it is mandatory that QA has a computer account because no one else is checking that electronic data.
我的一个客户是一个非常小的合同实验室。分析人员执行测试并打印结果。纸质数据包将发送给 QA 人员，QA 人员是唯一检查方法是否正确、样品称量是否正确、样品序列设置是否正确以及未发生未经授权的手动积分或重新处理的人。在这种情况下，QA 必须拥有计算机帐户，因为没有其他人在检查该电子数据。

One of the differences between QA review of audit trails versus SME/Manager review of audit trails is the amount of time spent reviewing and what they are looking for. The QC Manager/SME will look at all the detail in the audit trails to ensure the method was followed and calculations are correct. QA may quickly scan the same audit trail but look for key words like "abort", "reprocess", "manual integration", "delete", "warning", "fail", "alarm", or "error". QA does need to repeat everything the manager did. I would recommend a QA procedure or checklist that explains what to look for.
QA对审计跟踪的审查与对SME/经理对审计跟踪的审查之间的区别之一是审查所花费的时间以及他们正在寻找的内容。QC 经理/SME 将查看审计跟踪中的所有细节，以确保遵循方法并且计算正确。QA 可能会快速扫描相同的审计跟踪，但会查找关键字，例如“中止”、“重新处理”、“手动积分”、“删除”、“警告”、“失败”、“警报”或“错误”。QA确实需要重复经理所做的一切。我会推荐一个 QA 程序或清单来解释要寻找什么

http://mp.weixin.qq.com/s?__biz=MzUyMTAyMDg3OQ==&mid=2247487474&idx=1&sn=7fe4f63c1ceb53771fad5a695fd624f4

BasicPharma搬砖工

散修，非团队，非咨询公司，西门君个人的学习笔记，欢迎交流学习申明：所有文章，均为西门君本人一人所思所想，与任何企业/组织/个人，无关，可能不全面，也在变化，请谅解。