
ISPE: Data Integrity Risk Assessment Guide

Source: 华佗小知识


ISPE provides an assessment model for its data integrity maturity levels (Data Integrity Maturity Level Characterization). The model is given below for reference. Each item is characterized at Level 1 through Level 5.

DATA INTEGRITY MATURITY LEVEL CHARACTERIZATION

Culture

• DI understanding and awareness
Awareness of the importance of data integrity, and understanding of data integrity principles.
Level 1: Low awareness, limited to SMEs and specialists
Level 2: General awareness of the topic, but not fully reflected in working practices
Level 3: Principles reflected in working practices, but not consistently applied
Level 4: Data integrity principles fully incorporated and applied in established processes and practices
Level 5: Formal ongoing awareness programme, proactively keeping abreast of industry developments

• Corporate culture and working environment
A culture of willing and open reporting for errors, omissions and abnormal results, and willing collaboration to achieve data integrity objectives.
Level 1: Unwillingness or no motivation to report errors and abnormal results.
Level 2: DI problems may be reported but mitigation is either inadequate or ignored
Level 3: Policies and procedures encourage openness, but not implemented in all cases. Mitigation generally limited to the specific instance
Level 4: Full openness and collaboration achieved through such behaviour being motivated by management behaviour. Mitigation considers wider implication
Level 5: Anticipating potential future DI weaknesses and applying appropriate controls

• Quality Culture
An environment in which employees habitually follow quality standards, take quality-focused actions, and consistently see others doing so.
Level 1: Low awareness and application of quality principles and standards. A culture of not reporting what management would rather not hear
Level 2: Ad-hoc quality. Activities performed, but relying on individual efforts
Level 3: General application of some quality principles, but not fully ingrained or consistent.
Level 4: Quality considerations incorporated in normal working practice
Level 5: Quality and continuous improvement incorporated in normal working practice

Governance and Organization

• Leadership
Objectives defined and communicated by executive management.
Level 1: Leadership silent or inconsistent on the need for data integrity. Other business priorities typically override.
Level 2: Leadership state need for DI, but do not lead by example.
Level 3: Objectives defined in policies and high level statements, but not always fully reflected in management priorities.
Level 4: Management actions and priorities fully reflect stated objectives
Level 5: DI aspects routinely addressed and improved as part of management review

• Sponsorship
Executive management providing appropriate resources and support.
Level 1: Appropriate resources only made available in emergencies (e.g. critical citation).
Level 2: Appropriate resources available in principle, but often not available in practice due to other pressures.
Level 3: Appropriate resources available, but may be diverted or diluted due to other pressures.
Level 4: Required and planned resources are available and safeguarded due to ongoing commitment to data integrity
Level 5: Management looking ahead to identify future resource needs, based on experience

• Structure
Appropriate roles and reporting structures.
Level 1: No consideration of specific data governance in roles and responsibilities.
Level 2: Data governance roles only recently established, or in flux.
Level 3: Data governance roles are well established, but not always effective.
Level 4: Data Governance roles integrated into the management structures and systems
Level 5: Management reviewing and adapting organizational structures based on experience

• Stakeholder Engagement
Engagement of business Process Owners, Quality Assurance, and key supporting technical groups (e.g. IT).
Level 1: Data integrity and governance seen as either an IT issue or a Quality Issue. No real Process Owner involvement
Level 2: Ad-hoc involvement of Process Owners, and Quality Assurance. High person dependence.
Level 3: Process Owners and Quality Assurance typically involved, but not consistently
Level 4: Process Owners, Quality Assurance, and IT work together through the data and system life cycles
Level 5: All stakeholders consistently work together to identify further co-operation opportunities, based on experience.

• Data Ownership
Clear ownership of data and data-related responsibilities.
Level 1: Process, system, and data owners not defined
Level 2: Process, system, and data owners identified in few areas.
Level 3: Process, system, and data owners typically defined in many, but not all cases, and responsibilities not always clear
Level 4: Process, system, and data owners are well defined and documented.
Level 5: Process, system, and data owner responsibilities considered and clarified during management review.

• Policies and Standards
Defined policies and standards on data integrity.
Level 1: No established policies and standards for data integrity
Level 2: Ad-hoc policies and standards for data integrity in some cases
Level 3: Policies and standards exist, but not fully integrated into the QMS and business process.
Level 4: Policies and standards fully integrated into the QMS and fully reflected in business processes and practices
Level 5: Policies and standards regularly reviewed and improved based on experience

• Procedures
Established procedures defining key activities and processes.
Level 1: No established procedures for key data integrity related activities
Level 2: Ad-hoc procedures for data integrity established in some cases
Level 3: Some procedures and standards exist, but not covering all data integrity related activities.
Level 4: Procedures for all key areas fully integrated into the QMS and reflecting established policies and standards.
Level 5: Procedures regularly reviewed and improved based on experience

• Awareness and Training
Awareness and training on regulatory requirements and organizational policies and standards.
Level 1: No real awareness of regulatory requirements and company policy in this area
Level 2: Some awareness of regulatory requirements and company policy, in pockets.
Level 3: General awareness of well-known regulations, and the existence of company policies
Level 4: Comprehensive training program ensures an appropriate level of knowledge of specific regulatory and company requirements
Level 5: Formal training needs analysis, taking into account regulatory developments. Training effectiveness assessment for ongoing improvement

Quality Management System
Established and effective Quality Management System, focused on patient safety, product quality and data integrity.
Level 1: Few procedures in place focused on patient safety, product quality and data integrity.
Level 2: Some procedures and quality control processes, but not consistently achieving quality goals.
Level 3: Established Quality Management System, but compliance and data integrity activities are not fully effective
Level 4: Established and effective Quality Management System, consistently achieving data integrity goals in support of patient safety and product quality
Level 5: QMS subject to regular management review and continuous improvement

Business process definition
Clear and accurate definitions of regulated business processes, covering all key GxP areas.
Level 1: Few business processes formally defined and documented
Level 2: Some business processes formally defined and documented on an ad-hoc basis, either by project or operational groups
Level 3: Most business processes defined, but not consistently following conventions or standards, and not always complete and up-to-date.
Level 4: Business processes defined following established conventions and standards.
Level 5: Business processes defined and supported by appropriate tools, and consistently maintained.

Supplier and service provider management
Assessment of suppliers and service providers against agreed standards, and setting up and monitoring of contracts and agreements to deliver those standards.
Level 1: Many suppliers and providers with a potential impact on data integrity not assessed or managed
Level 2: Some suppliers and providers with a potential impact on data integrity informally assessed
Level 3: Established process for supplier management, but not applied consistently. Data integrity implications not always fully covered by assessments or agreements
Level 4: Established process for supplier management, consistently applied, and including a data integrity risk review.
Level 5: Effectiveness of supplier management subject to regular management review based on metrics.

Strategic Planning and Data Integrity Program

• Planning
Executive level strategic planning and programs for improving and/or maintaining data governance and data integrity.
Level 1: No planning for data integrity or data governance at executive level
Level 2: Limited planning for data integrity or data governance, typically driven by emergencies
Level 3: Specific Data Integrity program or equivalent underway.
Level 4: Successful Data Integrity programs achieving stated objectives
Level 5: Data integrity integral to ongoing organizational strategic planning

• Communication
Communication and change management processes, supported by a suitable repository of information and resources.
Level 1: No communication and change management process for DI
Level 2: Some informal and person dependent communication and change management.
Level 3: Formal communication and change management for DI in place, but on a per-project or per-site basis, with ad hoc repositories.
Level 4: Communication and change management for DI integral to QMS, supported by tools and central repository.
Level 5: Communication and change management for DI subject to review and improvement, supported by defined metrics.

Regulatory

• Awareness
Awareness of applicable regulatory requirements.
Level 1: No awareness of key regulatory requirements.
Level 2: Some awareness of detailed regulatory requirements, based on individual experience and effort.
Level 3: Formal regulatory awareness-raising underway, including training on regulations and guidance.
Level 4: All staff aware of regulatory requirements affecting their work.
Level 5: Formal training needs analysis and action, taking into account regulatory and industry developments.

• Traceability
Traceability to applicable regulatory requirements from, e.g., Quality Manual, policies or procedures.
Level 1: No traceability to regulations
Level 2: Little traceability of policies and procedures to specific regulations.
Level 3: Traceability in place, but limited to key regulatory requirements.
Level 4: Full traceability, e.g. from Quality Manual or policies, to specific regulatory requirements.
Level 5: Traceability effectively maintained and updated taking into account regulatory developments

• Inspection readiness
Preparation for inspection, including responsibilities, and inspection readiness documentation.
Level 1: No inspection readiness preparation
Level 2: Limited inspection readiness preparation - ad-hoc and dependent on individual Process and System Owners
Level 3: Inspection readiness activities in place, but inconsistent in level, content, and approach
Level 4: Established process for inspection readiness covering all systems maintaining regulated data and records.
Level 5: Inspection readiness processes regularly reviewed and refined based on regulatory and industry developments.

• Regulatory Relationship and communications
Effectiveness of communication with regulatory authorities, and effectiveness of dealing with concerns and citations.
Level 1: No communication except during inspections, when specific citations are addressed.
Level 2: Ad-hoc, informal communication as-and-when required, not following a defined procedure.
Level 3: Communication as-and-when required, following a defined procedure.
Level 4: Effective, consistent communication with regulatory bodies following a defined procedure.
Level 5: Clear communication lines to key regulatory bodies, with internal specialists following an established process. Concerns and citations are proactively managed.

Data Life Cycle

• Data life cycle definition
Data life cycle(s) defined in standards and/or procedures.
Level 1: Data life cycles not defined.
Level 2: Some data life cycles defined on an ad-hoc basis.
Level 3: Data life cycles generally defined following procedures. Not consistently applied.
Level 4: Data life cycle defined in procedures, and applied consistently to all key regulated data and records.
Level 5: Data life cycles defined and maintained, supported by effective automated tools

• Quality Risk Management
Application of risk management (including justified and documented risk assessments) through the data life cycle.
Level 1: No documented and justified assessment of risks to data integrity
Level 2: Limited data integrity risk assessments performed on an ad-hoc basis.
Level 3: Data integrity considered in risk assessment procedures, but not performed to a consistent level.
Level 4: Data integrity risk management established as an integral part of the data life cycle and system life cycle.
Level 5: Quality Risk Management activities subject to continuous improvement

• Data Management processes and tools
Established data management processes, supported by appropriate tools.
Level 1: No data management processes
Level 2: Some data management processes defined by individual Process Owners
Level 3: Data management procedures defined, but not always effectively implemented
Level 4: Well established and effective data management processes.
Level 5: Well established common data management processes, maintained, updated, supported by appropriate automated tools

• Master and reference data management
Established processes to ensure the accuracy, consistency, and control of master and reference data.
Level 1: No master/reference data management processes
Level 2: Some master/reference data management processes defined by individual Process Owners
Level 3: Master/reference data management procedures defined, but not always effectively implemented
Level 4: Well established and effective master/reference data management processes.
Level 5: Well established common master/reference data management processes, maintained, updated, supported by appropriate automated tools

• Data Incident and Problem Management
Established processes to deal with data incidents and problems, linked with change management and deviation management as appropriate.
Level 1: No formal data incident and data problem management process
Level 2: Some data incident and data problem management processes defined by individual Process/System Owners
Level 3: Data incidents and problems typically effectively dealt with as a part of normal system or operational incident management, but with limited consideration of wider DI implications.
Level 4: Established data incident and problem management process linked to CAPA and deviation management where necessary.
Level 5: Established data incident and problem management process, supported by tools and appropriate metrics, leading to process improvement.

• Access and Security management
Establishing technical and procedural controls for access management and to ensure the security of regulated data and records.
Level 1: Lack of basic access control and security measures allowing unauthorized changes
Level 2: Some controls, but group logins and shared accounts widespread. Password policies weak or not enforced
Level 3: Established standards and procedures for security and access control, but not consistently applied
Level 4: Established system for consistent access control and security management, including regular review of security breaches and incidents
Level 5: Established integrated system for consistent access control and security management, supported by appropriate tools and metrics for continuous improvement.

• Archival and retention
Establishing processes for ensuring accessibility, readability and integrity of regulated data in compliance with regulatory requirements including retention periods.
Level 1: No consideration of long term archival and retention periods
Level 2: No effective process for identifying and meeting regulatory retention requirements. Few archival arrangements in place.
Level 3: Retention policy and schedule defined covering some, but not all regulated records. Some systems with no formal archival process.
Level 4: Retention Schedule includes all regulated records, and those policies supported by appropriate archival processes and tools.
Level 5: Archival and data retention policies and processes regularly reviewed against regulatory and technical developments

• Electronic Signatures
Effective application of electronic signatures to electronic records, where approval, verification, or other signing is required by applicable regulations.
Level 1: No control of electronic signatures.
Level 2: Lack of clear policy on signature application, and lack of consistent technical support for e-signatures.
Level 3: Policies in place. Compliant e-signatures in place for some, but not all relevant systems.
Level 4: Compliant e-signatures in place for all relevant systems, supported by consistent technology where possible
Level 5: Electronic signature policies and processes regularly reviewed against current best practice and technical developments

• Audit trails
Usable and secure audit trails recording the creation, modification, or deletion of GxP data and records, allowing effective review either as part of normal business process or during investigations.
Level 1: Lack of effective and compliant audit trails
Level 2: Some limited use of audit trails. Often incomplete or not fit for purpose (e.g. in content and reviewability). Not typically reviewed as part of normal business process.
Level 3: Audit trail in place for most regulated systems, but with undefined and inconsistent use within business processes in some cases.
Level 4: Effective audit trail in place for all regulated systems, and use and review of audit trail included in established business processes.
Level 5: Audit trail policies and use regularly reviewed against regulatory and technical developments

Data Life Cycle Supporting Processes

• Auditing
Auditing against defined data quality standards, including appropriate techniques to identify data integrity failures.
Level 1: No data quality or integrity audits performed
Level 2: Some audits performed on an ad-hoc and reactive basis, but no established process for data quality and integrity auditing.
Level 3: Data quality and integrity process defined, but audits not always effective and the level of follow-up inconsistent.
Level 4: Effective data auditing fully integrated into wider audit process and schedule.
Level 5: Auditing process and schedule subject to review and improvement, based on audit results and trends.

• Metrics
Measuring the effectiveness of data governance and data integrity activities.
Level 1: No data related metrics captured.
Level 2: Limited metrics captured, on an ad-hoc basis
Level 3: Metrics captured for most key systems and datasets. Level, purpose, and use inconsistent.
Level 4: Metrics captured consistently, according to an established process.
Level 5: Metrics captured consistently, and fed into a continuous improvement process for data governance and integrity

• Classification and assessment
Data and system classification and compliance assessment activities.
Level 1: No data classification.
Level 2: Limited data classification, on an ad-hoc basis. No formal process
Level 3: Data classification performed (e.g. as a part of system compliance assessment), but limited in detail and scope.
Level 4: Established process for data classification, based on business process definitions and regulatory requirements.
Level 5: Classification process subject to review and improvement, based on outcomes and trends.

• CS Validation and compliance
Established framework for achieving and maintaining validated and compliant computerized systems.
Level 1: Systems supporting or maintaining regulated records and data are not validated
Level 2: No formal process for CS validation. The extent of validation and evidence dependent on local individuals.
Level 3: Most systems supporting or maintaining regulated records and data are validated according to a defined process, but approach is not always consistent between systems and does not fully cover data integrity risks
Level 4: Established process in place for ensuring that all systems supporting and maintaining regulated records and data are validated according to industry good practice, and fully compliant with regulations, including effective and documented management of data integrity risks.
Level 5: CS Validation policies and processes regularly reviewed against regulatory and industry developments

• Control strategy
Proactive design and selection of controls aimed at avoiding failures and incidents, rather than depending on procedural controls aimed at detecting failure.
Level 1: No consideration of potential causes of data integrity failures and relevant controls
Level 2: Some application of controls, typically procedural approaches aimed at detecting failures
Level 3: Technical and procedural controls applied, but dependent on individual project or system
Level 4: Technical and procedural controls are applied in most cases, based on an established risk-based decision process
Level 5: Integrity fully designed into processes before purchase of systems and technology, including appropriate controls

IT Architecture
Appropriate IT architecture to support regulated business processes and data integrity.
Level 1: No consideration of IT architecture strategy
Level 2: IT architecture strategy and decisions not documented, and dependent on local SMEs.
Level 3: IT architecture considered, and generally supports data integrity and compliance, but is typically defined on a system by system basis.
Level 4: Established IT architecture policy and strategy, with full consideration on how this supports data integrity.
Level 5: IT architecture strategy regularly reviewed against industry and technical developments.

IT Infrastructure
Qualified and controlled IT infrastructure to support regulated computerized systems.
Level 1: No infrastructure qualification performed
Level 2: No established process for infrastructure qualification. Some performed, dependent on local SMEs.
Level 3: Infrastructure generally qualified, according to an established process, but is often a document driven approach, sometimes applied inconsistently
Level 4: Established risk-based infrastructure qualification process, ensuring that current good IT practice is applied, supported by tools and technology
Level 5: Infrastructure approach regularly reviewed against industry and technical developments.
