Change Control for Computerised Systems

IT / OT Infrastructure Qualification and Operation in a GMP Environment

Recommendation

22-24 May 2024
Copenhagen, Denmark

IT / OT Infrastructure Qualification and Operation in a GMP Environment

Free of charge ECA GMP Newsletter

Register now for ECA's GMP Newsletter

Register for the ECA GMP Newsletter

Change Control for computerised systems is not a trivial issue. Although the internal requirements for change control are usually in place, the devil is often in the details.

Regulatory Requirements

The regulatory requirements are sparse and especially EU GMP Annex 11 "Computerised Systems" is rather modest regarding the requirements. The only requirement here is as follows:

Annex 11 - 10. Change and Configuration Management: Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.

In addition, the requirements stated in EU GMP Annex 15 "Qualification and Validation" must also be taken into account. A first essential reference can be found under the section "Principles": Any planned changes to the facilities, equipment, utilities and processes, which may affect the quality of the product, should be formally documented and the impact on the validated status or control strategy assessed.

Furthermore, Annex 15 also addresses the following points, among others:

  • Quality risk management should be used in conjunction with change control.
  • Changes should be approved by responsible persons.
  • Evaluating the impact of the change prior to final approval. 
  • After the change has been implemented, it should be evaluated whether the change was successful.

In Chapter 18T of the PIC/S Guidance PI 011, change control is addressed in detail. It starts by stating basic requirements for documentation. What should be documented?

  • There should be a change review and approval procedure (SOP).
  • Detailed records of proposed changes with justification. 
  • Determination of impact prior to implementation of changes. 
  • Records of review and evaluation of the change (approval or rejection). 
  • Implementation of a method to indicate the status of the change. 
  • Method for assessing the overall impact of the change, including testing. 
  • Interface between change control procedures and configuration management system.

Inspection Practice

What kind of deficiencies were found during GMP inspections? Here are some examples of the most frequent ones:

Example 1
An evaluation regarding the criticality of the change could not be provided.

It makes sense to classify changes into different classes. Also the AiM 07121202 (Aide mémoire - catalog of specifications, questions and recommendations; serves for harmonization in the preparation, execution and follow-up of an inspection) of the EFG 11* describes a classification. From the class results then the expenditure in connection with the change. For classification, different classifications can be made in practice. Here are some variants that can be found in practice:

  • Class 1, 2, 3, etc.
  • Major, Minor 
  • Critical, Significant, Insignificant, ... 
  • Critical, less critical, very critical, ...

Example 2
The company had established a change control system. However, it was unclear which changes were to be processed via this procedure. There were only instructions on how to handle software updates. The following points were not regulated in the handling of

  • Hardware defects
  • Security patches
  • Changes to user accounts
  • Necessary changes due to detected software errors
  • Changes to the test system

About the security patches please find a note from PIC/S PI 041-1:

PIC/S PI 041-1
Security patches for operating systems and network components should be applied in a controlled and timely manner according to vendor recommendations in order to maintain data security. The application of security patches should be performed in accordance with change management principles.

Example 3
Concrete specifications for time intervals until a change must be completed are not documented. There should be a documented concept here for the time intervals within which a change is to be completed (scheduling). It is advisable to introduce a graduated procedure for this purpose. Specifications such as one year after application are extremely long and not acceptable for a hot-fix. This example, by the way, is a deficiency that is encountered again and again in connection with change control and computerised systems.

Sources:

EU GMP Guide Annex 11
EU GMP Guide Annex 15
PIC/S PI 011-3
PIC/S PI 041-1
AiM 07121202

Conference Recommendations

IT / OT Infrastructure Qualification and Operation in a GMP Environment

Copenhagen, Denmark
22-24 May 2024

IT / OT Infrastructure Qualification and Operation in a GMP Environment

Computerised System Validation

Vienna, Austria
11-14 June 2024

Computerised System ValidationLeveraging Suppliers & CSV Master Class

Computerised System Validation: Leveraging Suppliers

Vienna, Austria
11 June 2024

Computerised System Validation: Leveraging SuppliersBook together with the course "Computerised System Validation Master Class" and save up to € 590,-

Related GMP News

14/02/2024
Cloud Computing: Workaround for non-compliant PaaS
07/02/2024
Cloud Computing: Validation performed by a CSP on its own - what is the Value?
24/01/2024
Cloud Computing: Can an automated Deployment Chain replace an IQ?
17/01/2024
Cloud Computing: Consequences of different service models for Qualification / Validation
10/01/2024
Cloud Computing: Validation of SaaS; who is accountable?
13/12/2023
Cloud Computing: Assessment of Cloud Suppliers from an authority's point of view

Go back

GMP Conferences by Topics