| DATA INTEGRITY MATURITY LEVEL CHARACTERIZATION | ||||||
| Maturity Area | Maturity Factors | Maturity Level Characterization | ||||
|
|
|
Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
| Cluture |
|
|
|
|
|
|
|
• DI Understanding and awareness • 对数据完整性的理解和认识 |
Awareness of the importance of data integrity, and understanding of data integrity principles 对数据完整性的重要性的认识,以及对数据完整性原则的理解 |
Low awareness, limited to SMEs and specialists 认识不足,仅来自于SMEs和专家 |
General awareness of the topic, but not fully reflected in working practices 对主题有一定的认识,但没有充分反映在工作中 |
Principles reflected in working practices, but not consistently applied 对原则的理解反映在工作中,但是不能持续的应用 |
Data integrity principles fully incorporated and applied in established processes and practices 数据完整性原则在既定的过程和实践中充分纳入和应用 |
Formal ongoing awareness programme, proactively keeping abreast of industry developments 制定正式的持续改进计划,积极跟进行业发展 |
|
• Corporate culture and working environment • 企业文化与工作环境 |
A culture of willing and open reporting for errors, omissions and abnormal results, and willing collaboration to achieve data integrity objectives 一种愿意和公开报告错误、遗漏和异常结果的文化,并愿意协作以实现数据完整性目标 |
Unwillingness or no motivation to report errors and abnormal results. 不愿意或没有动机报告错误和异常结果 |
DI problems may be reported but mitigation is either inadequate or ignored 可能会报告数据完整性问题,但 缓解 要么不够充分,要么被忽略 |
Policies and procedures encourage openness, but not implemented in all cases. Mitigation generally limited to the specific instance 政策和程序鼓励暴露问题,但不适用于所有情形。 缓解 通常局限于具体的实例 |
Full openness and collaboration achieved through such behaviour being motivated by management behaviour. Mitigation considers wider implication 通过管理行为激励实现了充分的开放和协作。 缓解 考虑更广泛的影响 |
Anticipating potential future DI weaknesses and applying appropriate controls 预测未来潜在的数据完整性弱点并应用合适的控制 |
|
• Quality Culture • 质量文化 |
An environment in which employees habitually follow quality standards, take taking quality-focused actions, and consistently see others doing so. 员工习惯遵循质量标准的环境,采取以质量为中心的行动,并且周围人也在这样做 |
Low awareness and application of quality principles and standards. A culture of not reporting what management would rather not hear 对质量原则和标准的认识和应用不足。管理层不愿听到的就不报告的文化 |
Ad-hoc quality. Activities performed, but relying on individual efforts 仅为这次的质量文化。开展活动,但是仅依赖于个人的努力 |
General application of some quality principles, but not fully ingrained or consistent. 普遍应用一些质量原则,但不完全彻底和一致 |
Quality considerations incorporated in normal working practice 质量因素纳入日常工作实践 |
Quality and continuous improvement incorporated in normal working practice 质量和持续改进纳入日常工作实践 |
|
Governance and Organization 治理与组织 |
|
|
|
|
|
|
|
• Leadership • 领导力 |
Objectives defined and communicated by executive management. 目标界定和行政管理沟通 |
Leadership silent or inconsistent on the need for data integrity. Other business priorities typically override. 领导对数据完整性的需求保持沉默或不一致。其他业务优先级通常高于数据完整性 |
Leadership state need for DI, but do not lead by example. 领导强调需要数据完整性,但不以身作则 |
Objectives defined in policies and high level statements, but not always fully reflected in management priorities. 政策和高级别声明中定义了数据完整性的目标,但并非总是充分反映在管理优先事项中 |
Management actions and priorities fully reflect stated objectives 管理行为和优先级充分反映所规定的数据完整性目标 |
DI aspects routinely addressed and improved as part of management review 数据完整性的常规处理和改进作为管理评审的一部分 |
|
• Sponsorship • 资源支持 |
Executive management providing appropriate resources and support. 行政管理提供合适的资源支持 |
Appropriate resources only made available in emergencies (e.g. critical citation). 仅在紧急情况下提供资源(如 关键引文 ) |
Appropriate resources available in principle, but often not be available in practice due to other pressures. 原则上有适当的资源,但由于其他方面的压力,通常不可用在实践中 |
Appropriate resources available, but may be diverted or diluted due to other pressures. 适当的可用资源,但由于其他压力,可能被转移或稀释 |
Required and planned resources are available and safeguarded due to ongoing commitment to data integrity 由于持续致力于数据完整性,所需和计划的资源得到保障。 |
Management looking ahead to identify future resource needs, based on experience 管理层展望未来,根据经验确定未来的资源需求 |
|
• Structure • 结构 |
Appropriate roles and reporting structures. 适当的角色和报告结构 |
No consideration of specific data governance in roles and responsibilities. 不在角色和职责制定中考虑数据管理 |
Data governance roles only recently established, or in flux. 最近才建立数据管理角色,或一直在变化 |
Data governance roles established, but not always effective. 建立数据管理角色,但是不是一直有效 |
Data Governance roles are well integrated into the management structures and systems 数据管理的角色很好地融入管理结构和系统 |
Management reviewing and adapting organizational structures based on experience 基于经验的管理评审与组织结构调整 |
|
• Stakeholder Engagement • 相关人员参与 |
Engagement of business Process Owners, Quality Assurance, and key supporting technical groups (e.g. IT) 参与业务流程所有者、质量保证和关键支持技术组织(例如:IT) |
Data integrity and governance seen as either an IT issue or a Quality Issue. No real Process Owner involvement 数据完整性和治理视为IT问题或质量问题。没有真正的过程所有者参与 |
Ad-hoc involvement of Process Owners, and Quality Assurance. High person dependence. 过程所有者和QA “仅仅这次”参与。高度依赖于人 |
Process Owners, and Quality Assurance typically involved, but not consistently 过程所有者和QA通常涉及,但不是一贯的 |
Process Owners, Quality Assurance, and IT work together through the data and system life cycles 过程所有者、QA和IT在数据和系统生命周期中一起协作 |
All stakeholders consistently work together to identify further co-operation opportunities, based on experience. 所有利益相关者不断合作,根据经验确定进一步的合作机会 |
|
• Data Ownership • 数据所有权 |
Clear ownership of data and data-related responsibilities 明确数据所有权和数据相关的责任 |
Process, system, and data owners not defined 没有定义过程、系统和数据的所有者 |
Process, system, and data owners identified in few areas. 在小范围内定义过程、系统和数据的所有者 |
Process, system, and data owners typically defined in many, but not all cases, and responsibilities not always clear 过程、系统和数据所有者在大范围内定义,但是并非所有情况下,而且职责也不是一直都清晰, |
Process, system, and data owners are well defined and documented. 流程、系统和数据所有者都被很好的定义并且文档化 |
Process, system, and data owner responsibilities considered and clarified during management review. 在管理评审中对过程、系统和数据所有者的职责进行考虑和阐述 |
|
• Policies and Standards • 政策和标准 |
Defined polices and standards on data integrity 定义关于数据完整性的政策和标准 |
No established policies and standards for data integrity 没有建立政策和标准用于数据完整性 |
Ad-hoc policies and standards for data integrity in some cases 在某些情况下有用于数据完整性的政策和标准 |
Polices and standards exist, but not fully integrated into the QMS and business process. 政策和标准存在,但没有完全纳入质量管理体系和业务流程 |
Policies and standards fully integrated into the QMS and fully reflected in business processes and practices 政策和标准完全纳入质量管理体系并且充分反映在业务流程和实践中 |
Policies and standards regularly reviewed and improved based on experience 基于经验。定期评审和改进政策和标准 |
|
• Procedures • 规程 |
Established procedures defining key activities and processes 建立规程描述关键活动和流程 |
No established procedures for key data integrity related activities 没有建立管理数据完整想相关活动的规程 |
Ad-hoc procedures for data integrity in some cases 针对数据完整性的某些情况制定了有限的规程 |
Some procedures and standards exist, but not covering all data integrity related activities. 有一些规程,但是没有覆盖所有的数据完整性相关活动 |
Procedures for all key areas fully integrated into the QMS and reflecting established policies and standards. 将所有关键领域的规程充分纳入质量管理体系并反映既定的政策和标准 |
Procedures regularly reviewed and improved based on experience 基于经验。定期评审和改进规程 |
|
• Awareness and Training • 认识和培训 |
Awareness and training on regulatory requirements and organizational polices and standards. 对法规要求、组织政策、标准的认识和培训 |
No real awareness of regulatory requirements and company policy in this area 在这方面没有真正意识到法规要求和公司政策 |
Some awareness of regulatory requirements and company policy, in pockets. 对于法规要求和公司政策,有一些局限的认识 |
General awareness of well-known regulations, and the existence of company policies 普遍了解众所周知的法规,以及公司政策的存在 |
Comprehensive training program ensures an appropriate level of knowledge of specific regulatory and company requirements 综合培训计划确保对特定的规章制度和公司要求有适当的了解 |
Formal training needs analysis, taking into account regulatory developments. Training effectiveness assessment for ongoing improvement 考虑到法规的发展,进行正规培训需求分析。持续改进的培训效果评估 |
|
Quality Management System 质量管理体系 |
Established and effective Quality Management System, focused on patient safety, product quality and data integrity. 建立有效的质量管理体系,关注患者安全,产品质量和数据的完整性 |
Few procedures in place focused on patient safety, product quality and data integrity. 几乎没有规程关注患者安全,产品质量和数据的完整性 |
Some procedures and quality control processes, but not consistently achieving quality goals. 一些规程和质量控制过程,但不能始终如一地实现质量目标 |
Established Quality Management System, but compliance and data integrity activities are not fully effective 建立了质量管理体系,但合规性和数据完整性活动并不完全有效 |
Established and effective Quality Management System, consistently achieving data integrity goals in support of patient safety and product quality 建立有效的质量管理体系,始终如一地实现数据完整性目标,以保证病人安全和产品质量 |
QMS subject to regular management review and continuous improvement 定期管理评审和持续改进的质量管理体系 |
|
Business process definition 业务流程定义 |
Clear and accurate definitions of regulated business processes, covering all key GxP areas 规范业务流程的清晰和准确的定义,涵盖所有GxP关键领域 |
Few business processes formally defined and documented 几乎没有业务流程被正式定义和文档化 |
Some business processes formally defined and documented on an ad-hoc basis, either by project or operational groups 一些业务流程被定义和文档化 |
Most business processes defined, but not consistently following conventions or standards, and not always complete and up-to-date. 定义了大多数业务流程,但不是一贯遵循惯例或标准,并不总是完整的和最新的 |
Business processes defined following established conventions and standards. 业务流程定义遵循既定惯例和标准 |
Business processes defined and supported by appropriate tools, and consistently maintained. 业务流程通过适当工具定义和支持,并一直维护 |
|
Supplier and service provider management 供应商和服务提供商管理 |
Assessment of suppliers and service providers against agreed standards, and setting up and monitoring of contracts and agreements to deliver those standards. 根据商定的标准评估供应商和服务供应商,并建立和监测合同和协议,以交付这些标准 |
Many suppliers and providers with a potential impact on data integrity not assessed or managed 许多供应商和供应商对数据完整性的潜在影响没有评估或管理 |
Some suppliers and providers with a potential impact on data integrity informally assessed 一些供应商对数据完整性的潜在影响进行评估 |
Established process for supplier management, but not applied consistently. Data integrity implications not always fully covered by assessments or agreements 建立供应商管理流程,但不是一贯地应用。数据完整性的影响并不总是完全覆盖评估或协议 |
Established process for supplier management, consistently applied, and including a data integrity risk review. 建立供应商管理的过程,始终如一地应用,包括数据完整性风险审查 |
Effectiveness of supplier management subject to regular management review based on metrics. 对供应商管理的有效性是基于度量的定期管理评审 |
|
Strategic Planning and Data Integrity Program 战略规划和数据完整性计划 |
|
|
|
|
|
|
|
• Planning • 计划 |
Executive level strategic planning and programs for improving and/ or maintaining data governance and data integrity. 领导层级别的战略规划,用于改进 和/或 维护数据管理和数据完整性 |
No planning for data integrity or data governance at executive level 没有领导层级的针对数据管理和数据完整性的计划 |
Limited planning for data integrity or data governance, typically driven by emergencies 有限的数据完整性和数据治理规划,通常由突发事件驱动的 |
Specific Data Integrity program or equivalent underway. 特定数据完整性程序或等效运行 |
Successful Data Integrity programs achieving stated objectives 成功的数据完整性程序达到既定目标 |
Data integrity integral to ongoing organizational strategic planning 数据完整性是正在进行的组织战略规划的组成部分 |
|
• Communication • 沟通 |
Communication and change management processes, supported by a suitable repository of information and resources. 沟通和变更管理过程,由适当的信息资源库支持 |
No communication and change management process for DI 没有针对数据完整性的沟通和变更管理过程 |
Some informal and person dependent communication and change management. 一些非正式和依赖个人的沟通和变更管理 |
Formal communication and change management for DI in place, but on a per-project or per-site basis, with ad hoc repositories. 对数据完整性进行正式的沟通和变更管理, 但在每一个项目或每一个站点基础上,使用临时资源库 |
Communication and change management for DI integral to QMS, supported by tools and central repository. 在工具和中央资源库的支持下,针对数据完整性的沟通和变更管理纳入质量管理体系 |
Communication and change management for DI subject to review and improvement, supported by defined metrics. 对数据完整性进行沟通和变更管理,在定义的指标支持下进行评审和改进 |
|
Regulatory 法规 |
|
|
|
|
|
|
|
• Awareness • 认识 |
Awareness of applicable regulatory requirements 对适用法规要求的认识 |
No awareness of key regulatory requirements. 没有关键法规要求的意识 |
Some awareness of detailed regulatory requirements, based on individual experience and effort. 基于个人的经验和努力,对监管要求的细节有一些认识 |
Formal regulatory awareness-raising underway, including training on regulations and guidance. 正在进行正式的监管意识提高,包括法规和指导方面的培训 |
All staff aware of regulatory requirements affecting their work. 全体员工意识到监管要求影响他们的工作 |
Formal training needs analysis and action, taking into account regulatory and industry developments. 考虑到法规和行业发展,正式培训需求分析和行动 |
|
• Traceability • 可追溯性 |
Traceability to applicable regulatory requirements from, e.g., Quality Manual, polices or procedures 可追溯到适用的法规要求,例如质量手册、政策或规程 |
No traceability to regulations 不可追溯到法规 |
Little traceability of policies and procedures to specific regulations. 政策和程序对具体法规的可追溯性很小 |
Traceability in place, but limited to key regulatory requirements. 可追溯,但限于关键监管要求 |
Full traceability, e.g. from Quality Manual or policies, to specific regulatory requirements. 完整的可追溯性,如从质量手册或政策到具体的监管要求 |
Traceability effectively maintained and updated taking into account regulatory developments 考虑到法规的发展,对可追溯性进行有效地维护和更新 |
|
• Inspection readiness • 检查准备 |
Preparation for inspection, including responsibilities, and inspection readiness documentation. 检查准备工作,包括责任,检查准备文档 |
No inspection readiness preparation 无检查准备 |
Limited inspection readiness preparation - ad-hoc and dependent on individual Process and System Owners 检查准备有限,是“仅仅这次”的和依赖过程和系统所有者个人的 |
Inspection readiness activities in place, but inconsistent in level, content, and approach 检查准备活动到位,但水平、内容和方法不一致 |
Established process for inspection readiness covering all systems maintaining regulated data and records. 建立了过程检验准备覆盖所有系统维护管理数据和记录 |
Inspection readiness processes regularly reviewed and refined based on regulatory and industry developments. 根据监管和产业发展情况,定期检查准备过程回顾和改进 |
|
• Regulatory Relationship and communications • 监管关系和沟通 |
Effectiveness of communication with regulatory authorities, and effectiveness of dealing with concerns and citations. 与监管部门沟通的有效性,以及处理关注点和引用的有效性 |
No communication except during inspections, when specific citations are addressed. 没有沟通除非检查期间 |
Ad-hoc , informal communication as-and-when required, not following a defined procedure. 临阵磨枪式的沟通,而不是遵循规程 |
Communication as-and-when required, following a defined procedure. 按照既定的规程,在需要时进行沟通 |
Effective, consistent, communication with regulatory bodies following a defined procedure. 有效、一致、与监管机构按照既定程序进行沟通 |
Clear communication lines to key regulatory bodies, with internal specialists following an established process. Concerns and citations are proactively managed. 明确与关键监管机构的沟通渠道,内部专家遵循既定程序。主动管理关注和引用。 |
|
Data Life Cycle 数据生命周期 |
|
|
|
|
|
|
|
• Data life cycle definition • 数据生命周期定义 |
Data life cycle(s) defined in standards and/or procedures 在标准和/或规程中定义的数据生命周期 |
Data life cycles not defined. 数据生命周期没有定义 |
Some data life cycles defined on an ad-hoc basis. 一些数据生命周期被临时定义 |
Data life cycles generally defined following procedures. Not consistently applied. 数据生命周期通常 在规程中定义,不是一致的应用 |
Data life cycle defined in procedures, and applied consistently to all key regulated data and records. 在规程中定义数据生命周期,并始终适用于所有关键规范数据和记录 |
Data life cycles defined f and maintained, supported by effective automated tools 数据生命周期的定义和维护,由有效的自动化工具支持 |
|
• Quality Risk Management • 质量风险管理 |
Application of risk management (including justified and documented risk assessments) through the data life cycle. 通过数据生命周期应用风险管理(包括合理和有记录的风险评估) |
No documented and justified assessment of risks to data integrity 对数据完整性的风险没有记录和合理的评估 |
Limited data integrity risk assessments performed on an ad-hoc basis. 有限的数据完整性风险评估是在临时性的基础上进行的 |
Data integrity considered in risk assessment procedures, but not performed to a consistent level. 风险评估过程中考虑到的数据完整性,但没有达到一致的水平 |
Data integrity risk management established as an integral part of the data life cycle and system life cycle. 数据完整性风险管理是数据生命周期和系统生命周期的一个组成部分 |
Quality Risk Management activities subject to continuous improvement 持续改进的质量风险管理活动 |
|
• Data Management processes and tools • 数据管理流程和工具 |
Established data management processes, supported by appropriate tools. 建立适当的工具支持的数据管理流程 |
No data management processes 没有数据管理流程 |
Some data management processes defined by individual Process Owners 由个体流程所有者定义的一些数据管理过程 |
Data management procedures defined, but not always effectively implemented 定义了数据管理规程,但并不总是有效地执行 |
Well established and effective data management processes. 建立数据管理流程 ,并有效的执行 |
Well established common data management processes, maintained, updated, supported by appropriate automated tools 已建立的通用数据管理流程,通过适当的自动化工具维护、更新 |
|
• Master and reference data management • 主数据和引用数据管理 |
Established processes to ensure the accuracy, consistency, and control of master and reference data. 建立规程以确保主数据和引用数据的准确性、一致性和控制 |
No master/reference data management processes 没有主数据引用数据的管理规程 |
Some master/reference data management processes defined by individual Process Owners 由独立的进程所有者定义的一些主/引用数据管理规程 |
Master/reference Data management procedures defined, but not always effectively implemented 建立了主/引用数据管理规程,但并不总是有效地执行 |
Well established and effective master/reference data management processes. 建立了主/引用数据管理规程,并得到有效执行 |
Well established common master/reference data management processes, maintained, updated, supported by appropriate automated tools 已建立的通用主/引用数据管理规程,通过适当的自动化工具维护、更新 |
|
• Data Incident and Problem Management • 数据事件和问题管理 |
Established processes to deal with data incidents and problems, linked with change management and deviation management as appropriate. 建立处理数据事件和问题的规程,并与变更管理和偏差管理联系在一起 |
No formal data incident and data problem management process 没有正式的数据事件和数据问题管理规程. |
Some data incident and data problem management processes defined by individual Process/System Owners 由独立的进程/系统所有者定义的一些数据事件和数据问题管理规程 |
Data incidents and problems typically effectively dealt with as a part of normal system or operational incident management, but with limited consideration of wider DI implications. 数据事件和问题通常作为正常系统或操作事件管理的一部分有效地处理,但? |
Established data incident and problem management process linked to CAPA and deviation management where necessary. 建立数据的事件和问题管理规程,并在需要的地方和CAPA和偏差管理联系在一起 |
Established data incident and problem management process, supported by tools and appropriate metrics, leading to process improvement. 建立数据事件和问题管理流程,由工具和适当的度量支持,过程改进 |
|
• Access and Security management • 访问和安全管理 |
Establishing technical and procedural controls for access management and to ensure the security of regulated data and records. 为访问管理建立技术和程序控制,并确保受管制数据和记录的安全性 |
Lack of basic access control and security measures allowing unauthorized changes 缺乏基本的访问控制和安全措施,允许未经授权的更改 |
Some controls, but group logins and shared accounts widespread. Password polices weak or not enforced 有一些控制,但组登录和共享账户普遍。密码策略弱或不强制执行 |
Established standards and procedures for security and access control, but not consistently applied 建立安全和访问控制的标准和规程,但不总是应用 |
Established system for consistent access control and security management, including regular review of security breaches and incidents 建立一致的访问控制和安全管理体系,包括定期审查安全漏洞和事件 |
Established integrated system for consistent access control and security management, supported by appropriate tools and metrics for continuous improvement. 建立一致的访问控制和安全管理的集成系统,支持适当的工具和持续改进的指标 |
|
• Archival and retention • 档案和保留 |
Establishing processes for ensuring accessibility, readability and integrity of regulated data in compliance with regulatory requirements including retention periods. 根据法规要求,建立规程确保受管制数据的可访问性、可读性和完整性,包括档案的保存期。 |
No consideration of long term archival and retention periods 没有考虑长期归档和保留时间 |
No effective process for identifying and meeting regulatory retention requirements. Few archival arrangements in place. 没有识别和满足法规对于保留要求的有效规程。很少有档案安排到位 |
Retention policy and schedule defined covering some, but not all regulated records. Some systems with no formal archival process. 保留策略和计划定义覆盖一些,但不是所有的监管记录。有一些系统做了非正式的归档 |
Retention Schedule includes all regulated records, and those policies supported by appropriate archival processes and tools. 保留时间表包括所有受管制的记录,以及那些由适当的档案过程和工具支持的政策。 |
Archival and data retention policies and processes regularly reviewed against regulatory and technical developments 对归档和数据保留政策和规程相关的法规和技术发展进行定期的审查 |
|
• Electronic Signatures • 电子签名 |
Effective application of electronic signatures to electronic records, where approval, verification, or other signing is required by applicable regulations. 电子签字在电子记录中的有效应用,如适用条例所要求的批准、验证或其他签字 |
No control of electronic signatures. 无电子签名控制 |
Lack of clear policy on signature application, and lack of consistent technical support for e-signatures. 对签名应用的缺乏明确的政策,缺乏对电子签名的一致性技术支持 |
Policies in place. Compliant e-signatures in place for some, but not all relevant systems. 政策到位,电子签名在一些地方合规,但并不是所有相关系统 |
Compliant e-signatures in place for all relevant systems, supported by consistent technology where possible 电子签名在所有相关系统中均合规,并得到一致性的技术支持 |
Electronic signature policies and processes regularly reviewed against current best practice and technical developments 针对现行最佳实践和技术发展定期审查电子签字政策和程序 |
|
• Audit trails • 审计追踪 |
Usable and secure audit trails recording the creation, modification, or deletion of GxP data and records, allowing effective review either as part of normal business process or during investigations. 使用和安全审计跟踪记录的创建,修改,或删除GXP的数据和记录,允许有效的审查作为正常业务过程的一部分或在调查期间 |
Lack of effective and compliant audit trails 缺乏有效的合规的审计追踪 |
Some limited use of audit trails. Often incomplete or not fit for purpose (e.g. in content and reviewability). Not typically reviewed as part of normal business process. 有限的使用审计追踪。往往不完整或不适用(例如在内容和审查)。通常不作为正常业务流程的一部分进行评审 |
Audit trail in place for most regulated systems, but with undefined and inconsistent use within business processes in some cases. 对大多数受监管系统进行审计跟踪,但在某些情况下业务流程未定义审计追踪或不一致使用 |
Effective audit trail in place for all regulated systems, and use and review of audit trail included in established business processes. 为所有受管制的系统进行有效的审计追踪,以及对既定业务流程中的审计追踪的使用和审核 |
Audit trail policies and use regularly reviewed against regulatory and technical developments 根据法规和技术发展,定期审查审计追踪政策和使用情况 |
|
Data Life Cycle Supporting Processes 数据生命周期支持过程 |
|
|
|
|
|
|
|
• Auditing • 审计 |
Auditing against defined data quality standards, including appropriate techniques to identify data integrity failures 对定义的数据质量标准进行审计,包括确定数据完整性故障的适当技术 |
No data quality or integrity audits performed 没有执行数据质量或完整性审计 |
Some audits performed on an ad-hoc and reactive basis, but no established process for data quality and integrity auditing. 有一些审计是在临时和被动基础上进行的,但没有建立数据质量和完整性审计的过程。 |
Data quality and integrity process defined, but audits not always effective and the level of follow-up inconsistent. 定义了数据质量和完整性过程,但审计并不总是有效的,后续的水平不一致 |
Effective data auditing fully integrated into wider audit process and schedule. 有效的数据审计完全集成到更广泛的审计过程和计划中 |
Auditing process and schedule for subject to review and improvement, based on audit results and trends. 根据审计结果和趋势进行审核,并改进审核过程和进度表 |
|
• Metrics • 度量 |
Measuring the effectiveness of data governance and data integrity activities 衡量数据治理和数据完整性活动的有效性 |
No data related metrics captured. 没有捕获与数据相关的指标 |
Limited metrics captured, on an ad-hoc basis 有限指标捕获,在一个特设的基础上 |
Metrics captured for most key systems and datasets. Level, purpose, and use inconsistent. 为大多数关键系统和数据集捕获的度量。水平、用途和使用不一致 |
Metrics captured consistently, according to an established process. 根据既定的过程,一致地度量指标 |
Metrics captured consistently, and fed into a continuous improvement process for data governance and integrity 度量一致地被捕获,并加入到数据治理和完整性的持续改进过程中。 |
|
• Classification and assessment • 分级和评估 |
Data and system classification and compliance assessment activities 数据和系统分类以及合规性评估活动 |
No data classification. 无分级 |
Limited data classification, on an ad-hoc basis. No formal process 有限的数据分级,临时的。非正式规程 |
Data classification performed (e.g. as a part of system compliance assessment), but limited in detail and scope. 执行的数据分类(如系统遵从性评估的一部分),但细节和范围有限 |
Established process for data classification, based on business process definitions and regulatory requirements. 基于业务流程定义和监管要求,建立数据分级规程 |
Classification process subject to review and improvement, based outcomes and trends. 根据结果和趋势,审查和改进分级规程 |
|
• CS Validation and compliance 计算机化系统验证和合规性 |
Established framework for achieving and maintaining validated and compliant computerized systems 建立框架持续归档和维护计算机化系统验证和合规性 |
Systems supporting or maintaining regulated records and data are not validated 支持或维护受管制记录和数据的系统未经验证 |
No formal process for CS validation, The extent of validation and evidence dependent on local individuals. 没有正式的计算机化系统验证过程,验证的程度和证据依赖于当地个人 |
Most systems supporting or maintaining regulated records and data are validated according to a defined process, but approach is not always consistent between systems and does not fully cover data integrity risks 多数支持或维护受管制的记录和数据的系统都是按照定义的过程进行验证的,但是系统之间的方法并不总是一致的,也不能完全覆盖数据完整性风险 |
Established process in place for ensuring that all systems supporting and maintaining regulated records and data are validated according to industry good practice, and fully compliant with regulations, including effective and documented management of data integrity risks. 建立适当的程序,以确保所有系统支持和维护受管制的记录和数据,根据行业惯例进行验证,并完全符合规章,包括有效和记录的数据完整性风险管理 |
CS Validation policies and processes regularly reviewed against regulatory and industry developments 针对法规和行业发展定期审查计算机化系统验证政策和流程 |
|
• Control strategy • 控制策略 |
Proactive design and selection of controls aimed at avoiding failures and incidents, rather than depending on procedural controls aimed at detecting failure 主动设计和选择控制,以避免故障和事件,而不是依赖于旨在检测故障的过程控制。 |
No consideration of potential causes of data integrity failures and relevant controls 不考虑数据完整性失效的潜在原因和相关控制 |
Some application of controls, typically procedural approaches aimed at detecting failures 有一些控制策略的应用,通常旨在检测故障的过程方法 |
Technical and procedural controls applied, but dependent on individual project or system 应用技术和程序控制,但依赖于单个项目或系统 |
Technical and procedural controls are applied in most cases, based on an established risk-based decision process 基于既定的以风险为基础的决策过程,应用技术和程序控制在大多数情况下被应用 |
Integrity fully designed into processes before purchase of systems and technology, including appropriate controls 在购买系统和技术之前,设计完整的过程,包括适当的控制 |
|
IT Architecture IT架构 |
Appropriate IT architecture to support regulated business processes and data integrity 合理的IT架构来支持业务流程的合规性和数据完整性 |
No consideration of IT architecture strategy 没有考虑IT架构策略 |
IT architecture strategy and decisions not documented, and dependent on local SMEs. IT架构策略和决策没有文档化,依赖于本地SMEs |
IT architecture considered, and generally supports data integrity and compliance, but is typically defined on a system by system basis. 考虑IT架构,并通常支持数据完整性和合规性,但是通常只是临时性的考虑 |
Established IT architecture policy and strategy, with full consideration on how this supports data integrity. 建立IT架构政策和策略,充分考虑了如何支持数据完整性 |
IT architecture strategy regularly reviewed against industry and technical developments. 根据行业和技术发展,定期审查IT架构 |
|
IT Infrastructure IT基础设施 |
Qualified and controlled IT infrastructure to support regulated computerized systems 经确认的和受控的IT基础设施以支持受监管的计算机化系统 |
No infrastructure qualification performed 无基础设施确认 |
No established process for infrastructure qualification. Some performed, dependent on local SMEs. 没有建立基础设施确认规程。有一些,依赖于当地SMEs |
Infrastructure generally qualified, according to an established process, but is often a document driven approach, sometimes applied inconsistently 基础设施一般经过确认的,按照一个既定的过程,但往往是文档驱动的方法,有时应用不一致 |
Established risk-based infrastructure qualification process, ensuring that current good it practice is applied, supported by tools and technology 建立了基于风险的的基础设施确认规程,确保目前良好的IT实践得到应用,并得到工具和技术的支持 |
Infrastructure approach regularly reviewed against industry and technical developments. 根据行业和技术发展,定期审查IT基础设施 |