Change Control: Fundamentals for the Life Sciences

Why is Change Control Necessary for Compliance? 

The purpose of change control is to assure that a validated state is maintained despite any changes to the client software systems. Essential goals in change control are managing changes, ensuring the absence of unnecessary changes, documenting completed changes, assuring  services are not disrupted unnecessarily, and ensuring resources are used efficiently. Sample activities necessitating change control may include upgrades or new releases of the application, corrections to fix an issue, modifications to the software application, parameter changes, and changes within the database or underlying data structure. Change control is not required for system and data backups, user security administration, applying security definition updates, load balancing, or system monitoring. 

Change Control Process

Key elements of a change control process template include capturing the known state of the system. GxP validation following a defined validation plan captures a picture of the system state before production. It captures specific components of the system, the compatibility of components and their support, the proper functions of the system, the qualifications of authorized system operators, and the ability to maintain and recover the system state.  

In a change control plan, the foundation is the defined concepts for change control established in industry guidelines and regulations. Concepts that influence change control are the Information Technology Information Library (ITIL), International Standards Organization (ISO), Good Automated Manufacturing Practice (GAMP), Control Objectives for Information Technology (COBIT), Committee of Sponsoring Organizations (COSO), and Sarbanes-Oxley (SOX).  

Configuration management is a foundational requirement of the change control process. Configuration identification defines the baseline of the system, defines key components, defines boundaries, and defines and tests functions against a set of standards. Configuration control defines standard operating procedures (SOP) specifying change control, requires assessment and approvals for changes, documents maintenance, and “change” is clearly defined within training. Enforcement is the periodic internal audit of changes by Quality Assurance that includes corrective and preventative action (CAPA) and consequences for deviations. It also includes training employees on change control SOPs to recognize changes to the existing process.  

Change Control Policy

Change control policy it defines criteria for the definition of change, as well as the criteria for risk consideration.  

Change control standard operating procedure (SOP) defines the process used to request a change, assess a change, test a change, approve a tested change for production, and review a change post-production. A change control form captures data for review and approval as a GMP record. It defines the cause for change, suggests a solution, and is approved by the appropriate department. An assessment of IT change is based on assessed risks to system integrity, key variables to document, and the functions to demonstrate. The change control board is defined as a group of applicable Information Technology (IT), Business, and Quality Assurance (QA) representatives who determine the impact of proposed testing and review infrastructure and software changes.  

During the change control test, a test coordinator monitors as changes are selected to be processed. The new process and expectations are reviewed in advance for affected groups. Test scripts are developed and executed with regression testing while the process is monitored to provide clarification and expedite when necessary. A change control rollout plan is based on risk, size, and impact of change. The ongoing monitoring of critical systems and business processes is essential. The review in change control includes assembling test documentation, reviewing with the change control board or project sponsor, and obtaining approval from the change control board to proceed.  

Change control violations are the most common grounds for suspension and dismissal in GMP organizations. Prevent regulatory issues with a proven enforcement system to manage compliance across the end-to-end supply chain. 

To further discuss how The Arbour Advantage can answer questions about the change control process for pharmaceutical, medical device, and biotechnology organizations, contact us today to learn more.