审计追踪如何审核的范例

恨我不成钢

CFDA《药品数据管理规范（征求意见稿）》：

第二十条【审计追踪审核】应当对审计追踪进行审核，审核的频率和内容应当基于风险级别确定。

涉及直接影响患者安全或产品质量的关键数据更改（如最终产品检验结果、测试样品运行序列、测试样品标识、关键工艺参数的更改等），应当在做出决定前对更改的数据及其审计追踪一并进行审核。

正如红色字体所述，CFDA要求审计追踪的频率应基于风险级别确定，并明确规定对直接影响患者安全或者产品质量的数据（如批检验数据）应在对作出决定（如放行前）前进行审计追踪的审核。

如何应用风险确定审计追踪的频率呢？以下提供了范例供大家参考：

RISK BASED APPROACH

基于风险的方法

A risk based approach to audittrail reviews is critical for an implementation that provide a meaningfulprocess without having a negative impact on cost and resources. The fact isthat without taking a risk based approach audit trail reviews can have anegative impact on cost and resources. Audit trail reviews for GxP systems area time consuming activity that requires resources to execute and manage theinformation an actions related to the review.

基于风险的审计追踪审核的方法是非常重要的实现，提供一个有意义的过程，而无需对成本和资源的负面影响。事实上，审计追踪的审核若不采取基于风险的方法可能对成本和资源有负面影响。GXP系统的审计追踪审核是一个耗时的活动，需要资源来执行和管理需要审核的活动相关的信息。

In order to take a risk basedapproach to audit trail reviews the system risk level need to be identified.Prioritizing the audit trail assessment based on the level of risk is criticalto prioritize the assessments and implementation. Systems involved in thetesting of Critical Quality Attributes are high risk and should be the highestpriority during the assessments and implementation.

为了采取基于风险的审计跟踪审核，需要确定系统的风险水平。按照系统的风险水平关键程度的优先级别，来评估和实施。参与关键质量属性的测试系统是高风险的，应在评估和实施过程中最高优先考虑。

The system risk level shouldbe used to establish the frequency and scope of the audit trails periodicreviews. For high risk systems such as those used in Quality Control the audittrails should be reviewed with the test results to ensure the integrity of thetest data. The scope of this review should include assessing the accuracy andintegrity of the data using the audit trail. In this situation the audit trailwill be reviewed for the following:

系统风险水平应该被用来建立审计追踪定期审核的频率和范围。对于那些高风险的系统，如用于质量控制的，审计追踪应该与测试结果一起审核以确保试验数据的完整性。这种审核的范围应包括使用审计跟踪评估数据的准确性和完整性。在这种情况下，审计追踪将审核以下：

• Changes to test parameters
  测试参数的变化
• Changes to data processing parameters
  数据处理参数的变化
• Data deletion
  数据删除
• Data modifications
  
  

       数据修改

• Analyst actions
  分析人员的行为
• Data manipulation
  数据篡改
• Excessive integration of chromatography peaks
  色谱峰不合理积分
• Security breaches related to data
  与数据相关的安全漏洞
  
  

QC procedures need to definethe controls related to data integrity; this will ensure consistency during theaudit trail review.

QC程序应该定义数据完整性相关的控制；这将确保审计跟踪审核过程中的一致性。

For medium and low risksystems the approach will be less intensive that for high risk. For thesesystems it can be possible to review periodically the audit trails. Theperiodic review period should be established based on the level of system risk.Medium risk systems should be reviewed more frequently than low risk systems.For example a document management system is probably medium risk that should beon a periodic review schedule of every six months or a yearly schedule. Lowrisk system can be reviewed on a yearly or bi-annual basis.

对于中、低风险的系统，审计追踪的方法将没有高风险系统那么密集。这些系统可能定期审核审计追踪。定期审核的周期应根据系统风险水平建立。中等风险的系统应该比低风险的系统更频繁。例如，文档管理系统可能是中等风险，应定期计划每六个月或每年进行。低风险的系统可以每年或每年2次进行。

The scope of the audit trailreviews for medium and low risk systems should include the following:

对中、低风险的系统审计追踪的范围，应包括以下内容：

• Data changes
  数据的变化
• Data deletions
  数据删除
• Unauthorized access or transactions
  未经授权的访问或操作
  
  

To implement audit trailreviews is critical to take a risk based approach. A one size fits all approachcan have a significant impact on cost and resources.

实施审计追踪的审查是采取一种基于风险的方法的关键。它是一个放之四海而皆准的方法，可能对成本和资源有重大影响。

In summary a risk basedapproach is critical for the implementation of audit trail periodic reviews.

综上所述，基于风险的方法是实施审计追踪定期审核的关键。

IMPLEMENTATION

实施

Once the audit trailassessment are performed, system risk identified and all corrective actions areclosed the audit trail reviews can be implemented. Prior to implementation theimpact to resource need to be well understood based on the expected volume ofwork. Once this impact is understood hiring and reassigning of resource need tobe completed prior to formal implementation.

一旦进行审计追踪评估，识别出系统的风险并且所有纠正措施已关闭吗，就可以实施审计追踪的审核了。在实施之前，应该基于所期望的工作量好好理解对资源的影响。一旦理解这种影响，应该在正式实施之前完成资源的征用和重新分配。

Procedure may need to becreated or revised to include the approach of audit trails reviews for eachsystem based on the results of the assessment and system risk.

应该建立或修订规程，根据风险评估的结果将每个系统的审计追踪的审核写进去。

The last step is training allimpacted resources on the applicable procedures with an emphasis of dataintegrity.

最后一步是培训所有有关人员应用规程强调数据完整性。

毒手药王邓智先

实施审计追踪的审查是采取一种基于风险的方法的关键。它是一个放之四海而皆准的方法？可能对成本和资源有重大影响。

syhorchid

学习一下审计追踪

北重楼

审计追踪检查越来越受到重视

Whats

有相关的管理SOP吗？

foamemerald

如何写出具体的风险评估内容是难点

青霜冰

有审核记录吗？纠结权限的控制这些内容要不要审核

AlbertusMagnus

权限分配当然要审核！

清风居士

谢谢分享。。。。

按理来说

学习，谢谢分享。

wanpeng

请教一下，英文部分内容是参考的哪个指南？

来自安卓APP客户端

maliming

如何写出具体的风险评估内容是难点