Change Control for Computerised Systems

Change Control for computerised systems is not a trivial issue. Although the internal requirements for change control are usually in place, the devil is often in the details.

Regulatory Requirements

The regulatory requirements are sparse and especially EU GMP Annex 11 "Computerised Systems" is rather modest regarding the requirements. The only requirement here is as follows:

Annex 11 - 10. Change and Configuration Management: Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.

In addition, the requirements stated in EU GMP Annex 15 "Qualification and Validation" must also be taken into account. A first essential reference can be found under the section "Principles": Any planned changes to the facilities, equipment, utilities and processes, which may affect the quality of the product, should be formally documented and the impact on the validated status or control strategy assessed.

Furthermore, Annex 15 also addresses the following points, among others:

  • Quality risk management should be used in conjunction with change control.
  • Changes should be approved by responsible persons.
  • Evaluating the impact of the change prior to final approval. 
  • After the change has been implemented, it should be evaluated whether the change was successful.

In Chapter 18T of the PIC/S Guidance PI 011, change control is addressed in detail. It starts by stating basic requirements for documentation. What should be documented?

  • There should be a change review and approval procedure (SOP).
  • Detailed records of proposed changes with justification. 
  • Determination of impact prior to implementation of changes. 
  • Records of review and evaluation of the change (approval or rejection). 
  • Implementation of a method to indicate the status of the change. 
  • Method for assessing the overall impact of the change, including testing. 
  • Interface between change control procedures and configuration management system.

Inspection Practice

What kind of deficiencies were found during GMP inspections? Here are some examples of the most frequent ones:

Example 1
An evaluation regarding the criticality of the change could not be provided.

It makes sense to classify changes into different classes. Also the AiM 07121202 (Aide mémoire - catalog of specifications, questions and recommendations; serves for harmonization in the preparation, execution and follow-up of an inspection) of the EFG 11* describes a classification. From the class results then the expenditure in connection with the change. For classification, different classifications can be made in practice. Here are some variants that can be found in practice:

  • Class 1, 2, 3, etc.
  • Major, Minor 
  • Critical, Significant, Insignificant, ... 
  • Critical, less critical, very critical, ...

Example 2
The company had established a change control system. However, it was unclear which changes were to be processed via this procedure. There were only instructions on how to handle software updates. The following points were not regulated in the handling of

  • Hardware defects
  • Security patches
  • Changes to user accounts
  • Necessary changes due to detected software errors
  • Changes to the test system

About the security patches please find a note from PIC/S PI 041-1:

PIC/S PI 041-1
Security patches for operating systems and network components should be applied in a controlled and timely manner according to vendor recommendations in order to maintain data security. The application of security patches should be performed in accordance with change management principles.

Example 3
Concrete specifications for time intervals until a change must be completed are not documented. There should be a documented concept here for the time intervals within which a change is to be completed (scheduling). It is advisable to introduce a graduated procedure for this purpose. Specifications such as one year after application are extremely long and not acceptable for a hot-fix. This example, by the way, is a deficiency that is encountered again and again in connection with change control and computerised systems.

Sources:

EU GMP Guide Annex 11
EU GMP Guide Annex 15
PIC/S PI 011-3
PIC/S PI 041-1
AiM 07121202

Go back

x