22-24 February 2023
Change Control for computerised systems is not a trivial issue. Although the internal requirements for change control are usually in place, the devil is often in the details.
The regulatory requirements are sparse, and EU GMP Annex 11 "Computerised Systems" in particular says little on the subject. Its only requirement is as follows:
Annex 11 - 10. Change and Configuration Management: Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.
In addition, the requirements stated in EU GMP Annex 15 "Qualification and Validation" must also be taken into account. A first essential reference can be found under the section "Principles": Any planned changes to the facilities, equipment, utilities and processes, which may affect the quality of the product, should be formally documented and the impact on the validated status or control strategy assessed.
Furthermore, Annex 15 also addresses the following points, among others:
In Chapter 18T of the PIC/S Guidance PI 011, change control is addressed in detail. It starts by stating basic requirements for documentation. What should be documented?
What kind of deficiencies were found during GMP inspections? Here are some examples of the most frequent ones:
An evaluation regarding the criticality of the change could not be provided.
It makes sense to classify changes into different classes. The AiM 07121202 (Aide mémoire - catalog of specifications, questions and recommendations; serves for harmonization in the preparation, execution and follow-up of an inspection) of the EFG 11* also describes a classification. The class then determines the effort associated with the change. Different classification schemes are used in practice. Here are some variants:
The company had established a change control system. However, it was unclear which changes were to be processed via this procedure. There were only instructions on how to handle software updates. The following points were not regulated in the handling of
Regarding security patches, PIC/S PI 041-1 contains the following note:
Security patches for operating systems and network components should be applied in a controlled and timely manner according to vendor recommendations in order to maintain data security. The application of security patches should be performed in accordance with change management principles.
Concrete time limits within which a change must be completed are not documented. There should be a documented concept for the time intervals within which a change is to be completed (scheduling). It is advisable to introduce a graduated procedure for this purpose. A limit such as one year after application is extremely long and not acceptable for a hot-fix. Incidentally, this deficiency is encountered again and again in connection with change control and computerised systems.