欧洲官方药品控制实验室网络

General European OMCL Network (GEON)

QUALITY MANAGEMENT DOCUMENT

PA/PH/OMCL (08) 69 R7

VALIDATION OF COMPUTERISED SYSTEMS

CORE DOCUMENT
计算机化系统验证
核心文件
Full document title and Validation of Computerised Systems – Core document
reference PA/PH/OMCL (08) 69 R7
Document type Guideline
Legislative basis -
Date of first adoption May 2009
Date of original entry into July 2009
force
Date of entry into force of August 2018
revised document 2018 年 8 月
修订后的文件生效日期
Previous titles/other PA/PH/OMCL (08) 69 3R
references / last valid
version
Custodian Organisation The present document was elaborated by the OMCL Network /
EDQM of the Council of Europe
Concerned Network GEON

重庆求败首发于计算机化系统验证群二
QQ 群号 569962302
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

VALIDATION OF COMPUTERISED SYSTEMS CORE DOCUMENT

计算机化系统验证核心文件

Note: Mandatory requirements in this guideline and its annexes are defined
using the terms «shall»or «must». The use of «should»indicates a
recommendation. For these parts of the text other appropriately justified
approaches are acceptable. The term «can»indicates a possibility or an example
with non-binding character.
注释：本指南及其附件的强制性要求是使用术语“应该”和“必须”来定义的。使
用“应该”表示推荐，对于这些部分，用其他适当的合理方法是可以接受的。术
语“能”表示一个可能性或一个具有非约束性特征的例子。

1. SCOPE 范围

This guideline defines basic principles for the validation of computerised systems
used within Official Medicines Control Laboratories (OMCLs) and having impact
on the quality of results, document control and data storage [1]. The purpose of this
validation is to guarantee confidence in the laboratory data captured, processed,
reported or stored by computerised systems. A validated system ensures accurate
results and reduces any risks to data integrity.
本指南定义了在官方药物控制实验室（OMCLs）中使用的计算机化系统的验证
的基本原则，并对质量结果、文档控制和数据存储产生了影响。这种验证目的
是为了保证计算机化系统获取、处理、报告或存储的实验室数据是可信的。经
过验证的系统可以确保准确的结果，并减少数据完整性的任何风险。

This document applies to all types of computerised systems used in OMCLs.

However, depending on their complexity, the extent of testing and documentation
will differ. Computerised systems can be categorised into three types: exempted,
simple and complex (see table I in section 3). This document describes a scalable
validation approach for simple and complex computerised systems.
本文件适用于在 OMCLs 中使用的所有类型的计算机化系统。然而，根据其复
杂性，测试和文档的范围将有所不同。计算机化的系统可以分为三种类型：豁
免系统、简单系统和复杂系统（参见第 3 部分中的表 1）。该文档描述了一种
可扩展的验证方法，用于简单和复杂的计算机化系统。

2. INTRODUCTION 介绍

This guideline outlines general validation principles for computerised systems of

OMCLs in accordance with ISO/IEC 17025. It defines general minimum
requirements for the validation of different types of computerised systems and
additionally gives recommendations for the practical implementation and practical
examples specific for OMCLs.
该指南概述了 OMCLs 计算机化系统的一般验证原则，该原则与 ISO/IEC 17025
一致。它定义了对不同类型的计算机化系统进行验证的一般最低要求，此外为
实际实现给了建议，也给了示例。

The extent of validation activities should be defined based on risk assessment,

第 2 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

considering the dependency of the correctness and traceability of test results of the
OMCL on the computerised systems.
验证活动的范围应该根据风险评估来定义，并考虑 OMCL 在计算机化系统上检
测结果的正确性和可追溯性。

Due to the great variety of computerised systems available, it is not possible to

state in a single document all the specific validation elements that are applicable.
由于可用的计算机化系统的种类繁多，所以不可能在单个文档中陈述所有适用
的特定验证因素。

This guideline is intended for use by OMCLs working under Quality Management
Systems based on the ISO/IEC 17025 standard, which use computerised systems
for a part or the totality of the processes related to the quality control of medicines.
该指南旨在供 OMCLs 在基于 ISO/IEC 17025 标准的质量管理系统下工作，该标
准使用计算机化的系统来完成与药物质量控制相关的部分或全部过程。

In order to simplify the guideline, the present core document contains a general
introduction and general requirements for different types of computerised systems.
This core document is supplemented with system-related annexes containing
additional requirements and/or practical examples of validation documentation,
which are to be used in combination with the general requirements given here.
为了简化指导方针，本核心文件包含了对不同类型的计算机化系统的一般介绍
和一般要求。本核心文件补充了与系统有关的附件，其中包含额外的需求和/或
验证文档的实际示例，这些文档将与这里给出的一般需求结合使用。

This document should be considered as a guide to OMCLs for planning,

performing and documenting the validation of their computerised systems. It is left
to the professional judgement and background experience of each OMCL to decide
on the most relevant procedures to be undertaken in order to give evidence that their
computerised systems are working properly and are appropriate for their intended use.
本文件应被视为对计划、执行和记录其计算机化系统的验证的指南。由 OMCL
的专业判断和背景经验决定最相关的程序，以便提供证据，证明他们的计算机
化系统运行正常，并且适合他们的预期使用。

3. DEFINITIONS 定义

Following definitions should be used in order speak the same language in

OMCL´s documents. Some of these terms are also used in environments
subjected to Good Manufacturing Practice requirements (GMP). It is stressed that
GMP requirements do not apply to OMCLs, though for practical reasons the
commonly used terms are also used in this document.
在 OMCL 的文档中，应该使用以下定义来表示相同的语言。其中一些术语也被
用于在良好的生产实践要求（GMP）的环境中使用。强调 GMP 的要求不适用
于 OMCLs，但由于实际原因，在本文档中也使用了这些术语。

Computer system: A system containing one or more computers and associated

software.
计算机系统：包含一个或多个计算机和相关软件的系统。

第 3 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

Computerised system: A broad range of systems including, but not limited to,
automated laboratory equipment, laboratory information management, and
document management systems. The computerised system consists of the hardware,
software, and network components, together with the controlled functions and
associated documentation.
计算机化系统：广泛的系统包括但不限于自动化实验室设备、实验室信息管理
和文档管理系统。计算机化系统包括硬件、软件和网络组件，以及控制功能和
相关文档。

Commercial (off-the-shelf, configurable) computerised system: Software defined

by a market- driven need, commercially available, and whose fitness for use has
been demonstrated by a broad spectrum of commercial users; also known as COTS.
商业（现成的，可配置的）计算机化系统：软件由市场驱动的需求，市场上可
以买到的，已经被广大的商业用户所证明其适用性;也称为 COTS。

In-house developed (custom-made or bespoke) computerised system: a system

produced for a customer, specifically to order, to meet a defined set of user
requirements set out in a user requirement specification.
内部开发的（定制的或定制的）计算机化系统：为客户特别定制的系统，以满
足用户需求规范中规定的一组用户需求。

User Requirement Specifications (URS): describes what the system should do.
The user requirements contain scientific, business, legal, regulatory, safety,
performance and quality aspects of the future system. The user requirements serve
as the basis for the Performance Qualification (PQ).
用户需求规范（URS）：描述系统应该做什么。用户需求包含了将来系统的科
学、商业、法律、法规、安全性、性能和质量方面。用户需求作为性能确认
（PQ）的基础。

Black Box: a black box in this guideline is a system whose inner working is unknown.
黑盒：这个指南中的一个黑盒子是一个系统，它的内部工作是未知的。

Computerized System validation plan: The validation plan shall be an approved

document, which describes the validation activities and responsibilities. The
validation plan specifies the Computerized System subjected to validation and
compiles the validation activities to be performed and the validation targets/criteria to
be fulfilled. The validation plan shall be prepared and approved prior to conducting
the test.
计算机化系统验证计划：验证计划应该是一个经过批准的文档，它描述了验证
活动和责任。验证计划指定了经过验证的计算机化系统，并编译要执行的验证
活动和要实现的验证目标/标准。验证计划应在进行测试前准备和批准。

DQ (Design Qualification): Documented verification that the proposed design of

facilities, systems, and equipment is suitable for the intended purpose
DQ（设计确认）：文档证明，设计的设施、系统和设备的设计适合于预期的用
途。

第 4 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

IQ (Installation qualification): Documented verification that a system is installed

according to written and pre-approved specifications
IQ（安装确认）：记录验证系统是按照书面和预先批准的规范安装的。

OQ (Operational qualification): Documented verification that a system operates

according to written and pre-approved specifications throughout specified operating
ranges at the customer.
OQ（运行确认）：记录验证系统在客户指定的操作范围内按照书面和预先批准
的规范操作。

PQ (Performance qualification) or User Acceptance Testing (UAT):

Documented verification that a system is capable of performing the activities of
the processes it is required to perform, according to written and pre-approved
specifications, within the scope of the business process and operating environment
PQ（性能确认）或用户验收测试（UAT）：文档化的验证，即系统能够按照书
面和预先批准的规范在业务流程和操作环境的范围内执行流程的活动。

Black-Box Validation: Validation based on the fact that, for a given

computerised system, its source code or design is unknown to the user.
Validation is performed from the computerised system or computer system userś
point of view.
黑盒验证：基于这样一个事实，对于一个给定的计算机化系统，它的源代码或
设计对用户来说是未知的。验证是从计算机化系统或计算机系统用户的角度进
行的。

Black-Box Test: Periodic check of a computer, computerised system or computerised

system based on the black-box validation approach. Black box testing examines
the functionality of a system without peering its inner structure or workings.
黑盒测试：对计算机的定期检查、计算机化的系统或基于黑盒验证方法的计算
机化系统。黑盒测试检查系统的功能，而不需要观察它的内部结构或工作原理。

Table 1: Categorisation of computerised systems (based on Reference 6)

Definition Examples Action
Calculator, microscope, photo or video
camera, standard office PC, Microwave,
No calibration etc.
function None
Exempted Operating system (e.g. Windows, Linux,
Framework/layered Unix), network software, security
software software (virus check, firewall), office
application software (Word, Excel),
database software (e.g. Oracle, SQL,
Access), etc.
pH meter, oxidisers, incubator, titration Simplified
Small part of processor, colorimeter, thermo validation
software hygrograph/hygrometer, balance, particle - Calibration
Simple sizer, UV/VIS spectrometer, liquid - Function
Restricted scintillation counter, TLC analyser, AAS, control test

第 5 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

customisation micro plate counter, image analyser,

polarimeter, CombiStats, etc.
LIMS (Laboratory Information
Management
System), ERP (Enterprise Resource
Extended amount Planning), eDMS (electronic Document
of functionality Management System), ELN (Electronic
software Laboratory Notebooks), user-developed
Complex Excel spreadsheet, user-developed Validation
Extended Access application, automated sample
customisation processing systems, liquid
chromatograph (LC, HPLC), gas
chromatograph (GC) including auto
sampler and detection systems (UV, VIS,
IR, MS, NMR, radioactivity or
fluorescence monitor, etc.), biological
analyser, ECG, etc.

表 1: 计算机化系统的分类（基于参考文献 6）

定义 举例 活动

计算器，显微镜，照相机，摄像机，标准办
公电脑，微波炉等。
无校准功能
操作系统 (例如 windows 系统，linux 系
豁免系统 无
统，Unix 系统),网络软件,安全软件 (例如
框架/分层软件 杀毒软件，防火墙), office 办公软件 (例
如 Word, Excel), 数据库软件(例如：
Oracle, SQL, Access), 等.

pH 计, 氧化剂, 细菌培养箱, 滴定处理器,

一小部分的软 色度计, 温湿计/湿度计, 天平, 颗粒分筛,
件 UV/VIS 光谱仪, 液体闪光计数器, TLC 分析 简化验证
简单系统
器, 原子吸收光度计, 微型平板计数器, 图 -校准
有限定制 像分析器, 旋光计, CombiStats 数据分析软 -控制功能检查
件, 等.
LIMS (实验室信息管理系统), ERP (企业资
源规划), eDMS (电子文档管理系统), ELN
扩展的功能软 (电子实验室笔记本), 定制开发的 Excel 电
件 子表格，定制开发的数据库应用程序，自动
复杂系统 验证
样品处理系统, 液相色谱仪(LC, HPLC), 气
扩展的定制 相色谱仪(GC) 包括自动采样器和检测系统
(UV, VIS, IR, MS, NMR, 放射性或荧光显示
器, 等.), 生化分析仪, 心电图, 等.

Remark: Operating systems, office applications, databases and framework packages

such as Windows, Excel, Oracle, SAS do not have to be validated by the OMCL.
However, user applications written within or by means of these packages, such as

第 6 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

SAS procedures, ORACLE applications, and Excel spreadsheets (including

complex calculations and macros) shall be validated.
备注：操作系统、办公应用软件、数据库和框架包，如 Windows、Excel、
Oracle、SAS，不需要由 OMCL 来验证。然而，在这些包的内部或通过这些包
编写的用户应用程序，如 SAS 程序、ORACLE 应用程序和 Excel 电子表格（包
括复杂的计算和宏），应该被验证。

4. GENERAL REQUIREMENTS FOR COMPUTERISED SYSTEMS

计算机化系统的一般要求
a) Inventory 详细清单
An inventory or equivalent listing of all computerised systems shall be available.
应提供所有计算机化系统的清单或同等清单。

The following minimum information shall be included in the computerised systems

inventory:
- identification & version
- purpose
- validation status
- physical or storage (drive and files path) location of the computerised
system and related documentation
- responsible or contact person.
计算机化系统清单应包括下列最低限度的资料：
- 许可标识和版本
-目的
-验证状态
-计算机化系统和相关文件的物理或存储位置(驱动器和文件路径)
-负责人或联系人。

For equipment software, this information can be recorded in the equipment logbook.
对于设备软件，这些信息可以记录在设备日志中。

In the case of local installation (workstation), each individual copy of the

software installed on several computers needs its own unique identification (e.g.
license).
在本地安装（工作站）的情况下，安装在几个计算机上的软件的每个单独的副
本需要它自己的唯一标识（例如许可）。

b) Validation 验证
Prior to routine use, the computerised system shall be validated.
在常规使用前，计算机化系统应该验证。

The purpose of validation is to confirm that the computerised system specifications

conform to the user needs and intended uses by examination and provision of
objective evidence and that the particular requirements can be consistently fulfilled.
验证的目的是确认计算机化系统性能通过检查和提供客观的证据来满足用户的
需要和预期的使用，并且可以一贯地满足特定的需求。

第 7 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

The extent of validation will depend on the complexity and intended use of the
computerised system being validated. The validation effort can be scaled and
adapted to the type of system justified by documented risk assessment. The
categories mentioned in this guideline (see table I in Section 3) can be used in
OMCLs for risk assessment。
验证的程度将取决于被验证的计算机化系统的复杂性和预期用途。可以对验证
工作进行扩展，并根据文档化的风险评估来调整系统的类型。本准则中提到的
类别（见第 3 节表 1）可用于 OMCLs 进行风险评估。

URS, validation plans, test and release can also be performed on a rolling basis,
if an iterative process (agile software development) is used.
如果使用迭代过程（敏捷软件开发），则可以在滚动的基础上执行验证计划、
测试和发布。

Use of the supplier activities 使用供应商活动

Validation documents and results of tests performed by the supplier of the software
can be incorporated into the OMCL's validation file and does not need to be repeated
again by the OMCL. The supplier must be subject to supplier evaluation (e.g. by a
questionnaire or an audit).
验证文件和由软件供应商执行的测试结果可以被合并到 OMCL 的验证文件中，
并且不需要由 OMCL 再次重复。供应商必须接受供应商评估（例如，通过问卷
调查或审计）。

Validation documents shall verify the computerized system performance, confirming

that the system is performing correctly and to standard specifications. Using a
supplier´s validation documents, validation in the OMCLs can be reduced to the
performance qualification (PQ) phase and ongoing controls indicating the system is
working properly.
验证文件应验证计算机化系统的性能，确认系统的性能正确，并符合标准规范。
使用供应商的验证文档，OMCLs 中的验证可以简化为性能确认（PQ）阶段和不
间断的控制，表明系统正在正常工作。

Validation plan 验证计划

To ensure the correct implementation of a validation, a plan is needed. The validation

plan describes all activities such as review of the URS, review of the development
plan (design), test strategy, verification of the data migration (if applicable), review
of the validation documents and the acceptance testing of the whole system.
为了确保验证的正确实施，需要制定一个计划。验证计划描述了所有活动，如
对 URS 的审查、对开发计划(设计)的审查、测试策略、数据迁移的验证(如果适
用)、验证文件的审查和整个系统的验收测试。

The plan includes the date, the responsible person and the acceptance criteria for
each review or test, or at least a reference to these tests.
该计划包括日期，负责人和验收标准，每一次审查或测试，或至少是对这些测
试的参考。

第 8 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

The validation plan is to be authorised by a responsible person before starting the

validation. The test cases and descriptions can be described later, if an iterative
process is used.
验证计划在开始验证之前必须得到负责人的授权。如果使用迭代过程，测试用
例和描述可以在以后描述。

Black-Box Validation is an approach to establish by adequate testing that the

computerised system meets user needs and intended use, and can involve:
“黑匣子验证”是一种通过适当测试确定计算机化系统满足用户需要和预期用
途的方法，可以包括：

(1) Checking correctness of calculations and formulas and/or analytical

results for dedicated samples, references and calibrators;
(1)检查专用样品、参考文献和校准器的计算公式和/或分析结果的正确性；
and/or 和/或

(2) Manual calculation of computerised system calculation data (see Annex 1);
and/or
计算机化系统计算数据的手工计算(见附件 1)；和/或
(3) Using a second, independent computerised system tool to review correctness
of calculations and/or analytical results;
使用第二个独立的计算机化系统工具审查计算和/或分析结果的正确性；

and/or 和/或

(4) Documentation of simulations of invalid or OOS data input and

flagging/mistake signals.
模拟无效或 OOS 数据输入和标记/错误信号的文档。

For the validation of a computerised system that does not belong to the OMCL (e.g. a
computerised system from the Agency/Authority), a simplified validation (e.g.: a
Function Control Test) can be performed by the OMCL, taking into consideration
the specific functionalities for the OMCL, to check compliance with the ISO 17025
requirements and the OMCL guidelines.
为了验证不属于 OMCL 的计算机化系统(例如机构/管理局的计算机化系统)，
OMCL 可以执行简化的验证(例如：控制功能测试)，同时考虑到 OMCL 的具体功
能，以检查符合 ISO 17025 要求和 OMCL 指南的情况。

If there is an interface between computerised systems, for example, exchange

of information between an analytical system and LIMS, validation of the interface
should be considered.
如果计算机化系统之间存在接口，例如分析系统与 LIMS 之间的信息交换，则应
考虑接口的验证。

i. Validation of simple systems

简单系统的验证

第 9 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

Validation of simple computerised systems, e.g. systems with no or limited

customisation, will usually rely on instrument calibration and/or a system
function test, depending on the type of system.
简单的计算机化系统的验证，例如
没有或有限定制的系统通常依赖于仪器校准和/或系统功能测试，这取决于系统
的类型。

For analytical instruments where the raw data cannot be modified by the user
(e.g. stand-alone balance, pH meter) instrument calibration is considered as sufficient
to demonstrate the system is fit for purpose.
对于用户无法修改原始数据的分析仪器(例如，独立天平、pH 计)，仪器校准被
认为足以证明该系统适合于使用。

For off-the-shelf applications, commercial or supplied by a public agency/authority, a

function test shall be performed by the user in order to demonstrate that the
application performs properly in the OMCL environment. An example of this
approach is given below for CombiStats.
对于商用或由公共机构/当局提供的现成应用程序，用户应进行功能测试，以证
明该应用程序在 OMCL 环境中运行正常。下面给出了 CombiStats 软件的这种方
法的一个例子。

The appropriateness and correctness of the calculations performed by CombiStats is

pre- checked and demonstrated by the provider (mainly by the comparison with
data published in the book by D.J. Finney [7], a standard reference for statistics in
bioassays) so that the computerised system can be considered as fit for purpose (i.e.,
it fulfils the user requirements). However, an OMCL shall verify that CombiStats
works properly in its hardware configuration, once downloaded from the EDQM
website. This can be done by comparing the output of the same example reported
both in the User Manual (in .pdf format, that will be the “Reference”) and in the
“example” Directory (in .epa format) automatically downloaded in each user PC
Hard Disk. The conclusion regarding the validation status based on this comparison
shall be documented.
CombiStats 所作计算的适当性和正确性是由供应商预先检查和证明的(主要是通
过与 D.J.Finney[7]出版的数据进行比较，这是生物分析中统计数据的一个标准参
考)，这样计算机化系统就可以被认为符合目的(即它满足了用户的要求)。但是，
OMCL 一旦从 EDQM 网站下载，就应该验证 CombiStats 在其硬件配置中是否正
常工作。这可以通过比较“用户手册”(.pdf 格式，即“参考”)和“示例”目录
(.epa 格式)中自动下载到每个用户 PC 硬盘中的相同示例的输出来实现。基于这
一比较的验证状态的结论应记录在案。

CombiStats templates and data sheets shall be protected from accidental mistakes and
editing. Four different levels of protection are available (each one with or without
the use of a password). The User Manual can be used by the OMCL for further
details, and to choose the strategy, depending on the internal policy and decision.
CombiStats 模板和数据表应防止意外错误和编辑。有四种不同级别的保护(每个
级别都有或不使用密码)。OMCL 可以使用“用户手册”获得更多细节，并根据
内部政策和决定选择策略。

第 10 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

ii. Validation of complex systems

复杂系统的验证

Validation of complex computerised systems begins with the definition of the User
Requirements Specification (URS), which will serve as a basis for the validation
requirements. A validation plan is needed, based on risk assessment, describing the
different validation activities planned for the system, and the responsibilities of the
different persons involved in the validation process. Then test protocols for IQ, OQ
and PQ shall be prepared taking into consideration the user requirements and the
acceptance criteria. Test protocols or checklists provided by the supplier can be used
for IQ and OQ, when available. The process is finalised after the issuing of the
various test reports and a final validation report with the statement that the
computerised system is suitable for the intended use. If deviations are identified
during validation, they must be addressed and the impact on the adequate
functioning of the system shall be evaluated.
复杂的计算机化系统的验证始于用户需求规范(URS)的定义，它将作为验证要求
的基础。需要在风险评估的基础上制定一项验证计划，说明为系统规划的不同
验证活动，以及参与验证过程的不同人员的责任。然后，应考虑到用户要求和
验收标准，制定 IQ、OQ 和 PQ 确认方案。供应商提供的测试方案或清单可以用
于 IQ 和 OQ(当可用时)。在发出各种测试报告和最后确认报告后，该程序即告
完成，并说明该计算机化系统适合于预期用途。如果在验证过程中发现了偏差，
则必须处理这些偏差，并评估对系统充分运作的影响。

In the case of a computerised system for analytical procedures such as an assay, the
software is an integrated part of the test procedure. The respective SOP should
include or make reference to the sample, the reference standard, reagent preparations,
use of apparatus and its computerised system as a unit, generation of calibration
curve by means of a computerised system tool, use of calculation formulas, etc.
在分析程序的计算机化系统中，如分析程序，软件是测试过程的一个完整的部
分。相应的 SOP 应包括或参考样品、参考标准、试剂配制、仪器及其计算机化
系统作为一个单元的使用、利用计算机化系统工具生成校准曲线、使用计算公
式等。

Examples of validation of complex systems are given for Excel spreadsheets (see
Annex 1) and LIMS/ELN/ERP/CDS (see Annex 2).
Excel 电子表格(见附件 1)和 LIMS/ELN/ERP/CDS(见附件 2)给出了复杂系统的验
证实例。

c) Logging of issues 记录问题

A record of the issues identified by the users and the actions taken should be kept.
应保存用户查明的问题和采取的行动的记录。

d) Change control 变更控制

In the event of changes in the computerised system, including version updates, these
should ideally be done first in a test environment after which the validation status

第 11 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

needs to be re-established. If a revalidation is needed, it should be conducted not

just for validation of the individual change, but also to determine the extent and
impact of that change on the entire computerised system.
如果计算机化系统发生变化，包括版本更新，最好首先在测试环境中完成，然
后需要重新建立验证状态。如果需要重新确认，则不仅要对个别更改进行验证，
而且还要确定这种变化对整个计算机化系统的影响和范围。

The extent of the revalidation will depend on assessment of the change(s), which
shall be documented. One possible approach could be the use of logbooks as it is done
for equipment, and/or using a documented change control procedure.
重新确认的范围将取决于对变更的评估，并应记录在案。一种可能的方法可以
是使用日志，就像对设备使用日志一样，和/或使用记录在案的更改控制程序。

Automatic system updates should ideally be controlled by IT or a system administrator

and installed at pre-defined dates to minimise both disruption and unexpected
behaviour of the system. It can be necessary to check the operation of the
computerised system following any system updates.
理想情况下，自动系统更新应由 IT 或系统管理员控制，并在预定义的日期安装，
以最大限度地减少系统的中断和意外行为。在任何系统更新后，可能需要检查
计算机化系统的运行情况。

e) Periodic review 定期检查

The OMCL should endorse a policy to check the computerised system periodically,
to avoid any error and guarantee the maintained validated status of the system.
The frequency of the reviews should be defined on a risk-based approach.
OMCL 应批准一项定期检查计算机化系统的政策，以避免任何错误，并保证系
统保持有效状态。应根据基于风险的方法确定审查的频率。

Computerised systems shall be covered by the internal audit strategy.

计算机化系统应包括在内部审计战略中。

f) Security and environmental conditions 安全和环境条件

Computerised systems must be protected against any intrusion that could change the
data and affect the final results.
计算机化的系统必须受到保护，以防任何的入侵，这可能改变数据并影响最终
结果。

Server rooms should have restricted access and have the conditions necessary to
ensure the correct functioning of equipment (control of temperature, firefighting
measures, Uninterruptible Power Supply - UPS, etc.).
服务器机房应受到限制进入，并具备确保设备正确运行所必需的条件(温度控制、
消防措施、不间断电源-UPS 等)。

Systems should be accessed only by authorised personnel, using personalised

accounts and password or equivalent identification method. The use of shared and

第 12 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

generic accounts should be avoided to ensure that actions documented in

computerised systems can be attributed to a unique individual. Where personal
accounts are not available or feasible, combinations of paper and electronic
records should be used to trace actions to the personnel responsible.
系统应仅由授权人员使用，使用个人账户和密码或等效身份识别方法。应该避
免使用共享和通用帐户，以确保计算机化系统中记录的行为可以归因于一个独
特的个体。如果个人帐户不可用或不可行，则应使用纸张和电子记录的组合来
追踪对责任人的行动。

Only the responsible person(s) or designated IT personnel should have

administrative rights to implement any computerised system updates and/or
installations, change critical system settings(e.g. audit trail, time/date) and manage
permissions for other users. All routine tasks, such as for analysis, should be based
on a user account and password which does not have administrative rights.
只有负责人或指定的 IT 人员应该拥有执行任何计算机化的系统更新和/或安装
的管理权限，更改关键的系统设置（例如审计跟踪、时间/日期）和管理其他用
户的权限。所有的常规任务，例如分析，都应该基于没有管理权限的用户帐号
和密码。

Administrative rights should be documented and only be granted to personnel with

system maintenance roles (e.g. IT) that are fully independent of the personnel
responsible for the content of the records (e.g. laboratory analysts, laboratory
management). Where these independent security role assignments are not feasible,
other control strategies should be used to reduce data integrity risks.
行政权利应该被记录在案，并且只授予那些完全独立于负责记录内容的人员
（例如，实验室分析人员，实验室管理）的系统维护人员（例如，IT）。当这
些独立的安全角色分配不可行时，应该使用其他控制策略来降低数据完整性风
险。

Computers should be locked after use and the users should not be allowed to change
date and time settings.
计算机应该在使用后被锁定，用户不应该被允许更改日期和时间设置。

The hardware used must fulfil the technical requirements so that the work to be
completed can be carried out. Such requirements include e.g. minimum system
requirements indicated by the manufacturer of the equipment. These requirements
should be predefined in accordance with the intended use.
所使用的硬件必须满足技术要求，以便完成工作。这些要求包括设备制造商所
指出的最低系统要求。这些需求应该按照预期的使用进行预定义。

The hardware components must be installed by skilled personnel (e.g. staff from
the Information Technology (IT) Unit, a technician from the manufacturer of the
equipment, or other trained personnel), and must be checked for their functionality
and compared with the requirements.
硬件组件必须由技术人员（如信息技术（IT）部门的工作人员、设备制造商的
技术人员或其他受过培训的人员）安装，并且必须检查其功能，并与需求进行
比较。

第 13 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

Computerised systems that are part of test equipment must be labelled

unambiguously and records must be kept on relevant hardware configuration,
installation and changes. These records can be entered in the logbook/equipment
record of the test equipment.
作为测试设备一部分的计算机化系统必须被明确标注，并且必须将记录保存在
相关的硬件设置、安装和变更上。这些记录应被录入测试设备的日志/设备记录。

g) Audit trail 审计追踪

The computerised system should keep a record of any critical actions that occur, for
example who has accessed it and when, any deletion or change of data, etc. If a
computerised system does not automatically record an audit trail, an alternative
record shall be kept by the OMCL.
计算机化系统应该记录任何发生的关键动作，例如谁访问过它，什么时候，任
何删除或更改数据等等。如果一个计算机化的系统不能自动记录审计跟踪，那
么另一个可供替代的记录将由 OMCL 保持。

Users shall not be allowed to amend or switch off the audit trails or alternative
means of providing traceability of user actions.
不允许用户修改或关闭审计跟踪或提供用户行为可跟踪性的替代方法。

The need for the implementation of appropriate audit trail functionality should be
considered for all new computerised systems. Where an existing computerised system
lacks computer-generated audit trails, personnel shall use alternative means such as
procedurally controlled use of logbooks, change control, record version control or
other combinations of paper and electronic records to meet the requirement for
traceability to document the what, who, when and why of an action.
对于所有新的计算机化系统，应该考虑实现适当的审计跟踪功能。在现有的计
算机化系统缺乏计算机生成的审计跟踪,人员应当使用替代方法等过程控制使用
日志,变更控制,记录版本控制或其他组合的纸张和电子记录符合要求的可追溯性
记录，做了什么,谁,时间和为什么行动。

h) Electronic Signatures 电子签名

If electronic signatures are used, a statement about the equivalence of the electronic
signature to the handwritten signature or similar legal statement must be available.
如果使用电子签名，必须提供关于电子签名与手写签名或类似法律声明的等效
性的声明。

i) Backup 备份

Traceability must be ensured from raw data to test results. If all or part of the
traceability of parameters relevant for the quality of the results is available only
in electronic form, a backup process must be implemented to allow for recovery
of the system following any failure which compromises its integrity. Backup
frequency depends on data criticality, amount of stored data and frequency of data
generation.

第 14 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

可追溯性必须从原始数据到测试结果。如果所有或部分与结果质量相关的参数
的可追溯性仅以电子形式保存，则必须实现备份过程，以便在任何损害其完整
性的失败之后恢复系统。备份频率取决于数据的临界程度、存储的数据量和数
据生成的频率。

Based on risk assessment and considering the dependency on computerised systems,

the OMCLs should have a policy and procedure in place for ensuring the integrity
of backups (secure storage location, adequately separated from the primary storage
location, retention time, etc.) – this can be part of a more general „disaster recovery
plan‟.
基于风险评估和考虑依赖于计算机化系统,OMCLs 应该有一个政策和程序,以确
保备份的完整性(安全的存储位置,与主存储位置充分分离,保存时间,等等),这可
以作为一般的“灾难恢复计划”的一部分。

A procedure for regular testing of backup data (restore test), to verify the proper
integrity, readability of the electronic record and accuracy of data, should also be in
place. This restore test can be integrated into the periodic review of the system.
定期测试备份数据（恢复测试）、验证电子记录的完整性、易读性和数据准确
性的程序也应该到位。这个恢复测试可以集成到系统的定期检查中。

j) Archive of superseded computerised system versions 被取代的

计算机化系统版本的档案

Superseded versions of software should be archived in a retrievable form if required

for access to historical data, according to the OMCL Guideline “Management of
Documents and Records”. For commercial off-the shelf software, the obligation to
archive superseded software versions can be subject to the contract with the provider.
被替代的计算机化系统应该被存档，可以取回。如果需要访问历史数据，根据
OMCL 准则“文档和记录的管理”。
对于商业以外的软件，被取代的软件版本的存档义务可以与供应商签订合同确
定。

k) Training 培训

Correct use and validation of the computerised system shall be ensured. This can be
done either by appropriate and documented training or through detailed
information in the relevant SOPs or context related information in the software.
对计算机化系统的正确使用和验证应予以保证。这可以通过适当的和有记录的
培训，或者通过软件中相关的 SOPs 或上下文相关信息的详细信息来完成。

Training shall be performed before first use and after every major change in
the software(e.g. version upgrade). The persons responsible for the validation shall
have training on the validation process.
培训应在首次使用前进行，并在软件的每次重大更改之后进行（例如：版本升
级)。负责验证的人员应当对验证过程进行培训。

第 15 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

l) Documentation 文件

Table II: Computerised system documentation

Information/documentation that shall be available Exempted Simple Complex
Inventory list, Name, version and unique identification X X X
of the
computerised system
Original files (CD-ROM…) or storage location to X X
install the
computerised system, and computerised system to manage the
computer environment
Date at which the computerised system was put into operation X X
Responsible person in charge of the computerised system X X
Manufacturer‟s name, licence number and serial number or X X
other unique
identification, where applicable
Conditions under which the computerised system runs, where X X
applicable
(hardware, operating system, …)
Manufacturer‟s validation certificate, if available X X
Manufacturer‟s instructions, if available, or reference to their X X
location
Documentation on validation of configurations/modifications X
performed
by the user that can impact the results
Name of the person who developed and validated the X
computerised
system, and the date of validation
Source code (if available) (X)
Operating instruction (SOP) X X
Documentation on computerised system periodic review and X
results of
audits
Documentation on computerised system validation X
Follow-up of failures encountered, maintenance of the process, X X
changes,
updated versions and , where appropriate, configuration
management
Training records (depending on the complexity of the system) (X) X
Records of the regular testing of backup data (restore test) X X

第 16 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

表2: 计算机化系统文件
可被使用的信息/文件 豁免系统 简单系统 复杂系统

清单，名称，版本，计算机化系统的唯一标识 X X X
原始文件 (CD-ROM…) 或 者 计 算 机 化 系 统 安 装 的 存 储 位 置 ， 计算
X X
机化系统的计算机环境管理
计算机化的系统投入运行的日期 X X

负责计算机化系统的负责人 X X

在适用的情况下，制造商的名称、许可证号码和序列号或其他唯一标识 X X
在适用的条件下，计算机化系统运行的条件
X X
(硬件、操作系统、…)
如果有的话，制造商的验证证书 X X

制造商的说明，如果有的话，或者参考他们的位置 X X

关于用户执行的配置/修改的验证文档，这些文档可以影响结果 X

开发和验证计算机化系统的人的名字，以及验证日期 X

源代码(如果可用) (X)

操作指导(SOP) X X

关于计算机化系统定期审查和审计结果的文件 X

关于计算机化系统验证的文档 X

对失败的跟踪、过程的维护、变更、更新的版本，以及适当的配置管理 X X

培训记录（取决于系统的复杂性） (X) X

备份数据的常规测试记录（恢复测试） X X

5. REFERENCES AND FURTHER READING 参考文件和延伸阅读

[1] EN ISO/IEC 17025.

[2] Good Practices for Computerized Systems in regulated “GXP” environments.

Pharmaceutical Inspection Convention/Pharmaceutical Inspections Co-operation Scheme (PIC/S).

[3] EU Guidelines to Good Manufacturing Practice (GMP). Annex 11. Computerized Systems.

[4] OECD Series on Principles of Good Laboratory Practices and Compliance Monitoring.
Number
17. The Application of the Principles of GLP to Computerized Systems. Environment
Monograph no. 13 (2016).

[5] U.S. Food and Drug Agency (FDA) General Principles of Computerized system
Validation; FDA Glossary of computerized system and computerized system development
terminology.

[6] AGIT - Validation of Computerised Systems, V 2.0 (2007).

第 17 页/共 18 页
 PA/PH/OMCL (08) 69 R7 – 计算机化系统验证 –核心文件

[7] D. J. Finney - “Statistical Method in Biological Assay”, 3rd Edition, Griffin, London (1978). [8]
WHO TRS 996 Annex 5 - Guidance on good data and record management practices (2016).

6. LIST OF ANNEXES 附件清单

The latest version applies:

最终版本应用：
- Annex 1: Validation of Excel Spreadsheets - PA/PH/OMCL (08) 87;
附件 1： Excel 电子表格的验证
- Annex 2: Validation of complex computerised systems - PA/PH/OMCL (08) 88.
附件 2：对复杂的计算机化系统的验证

译者注：
1、本文件适用于检验室的计算机化系统。例如对于计算机化系统的分类，有点
粗糙，不应扩大其适用范围。
2、本文件在计算机化系统验证的深度和广度方面，都比较简单，希望读者认清，
而不应当做验证的全部内容。

翻译：重庆求败
不足之处敬请谅解，如有意见和建议，请提交到：计算机化系统验证群二 QQ
群号 569962302。

第 18 页/共 18 页