Change Control is a general term describing the process of managing how changes are introduced into a controlled system. Change control demonstrates to regulatory authorities that validated systems remain under control during and after system changes. Change Control systems are a favorite target of regulatory auditors because they vividly demonstrate an organization’s capacity to control its systems.
Organizations need to explicitly define their processes for evaluating changes to validated systems. There should be a well-defined, multidisciplinary approach to considering the effects of proposed changes. Some changes, such as adding a data field to a form or report, may be very minor; other changes, such as altering how a program stores and organizes data, can be quite extensive. Before changes are implemented, organizations should document the expected outcomes of the changes and have an established plan to implement and test the change and update any existing validation documentation. Part of defining the change control process is setting out the requirements for implementing minor, major and critical changes. This allows the organization to devote proportionate validation resources to the change effort.
One useful tool for determining the extent of revalidation is Risk Assessment. By reviewing the original validation requirements and evaluating the new risks introduced through the changes to the system, the Risk Assessment process can help determine which sections of the system will need re-testing. If the risk assessment determines that the change is minor or does not affect the system requirements, only limited testing, focused on the affected system object, would be required to demonstrate that the system has maintained its validated state. Major changes will require additional revalidation, and critical changes could trigger an entire revalidation of a system.
Typical Steps in a Change Control project are:
Q: Do I need to revalidate a system every time I make a change?
A: It depends on the scope of the change, the structure of the system and any new risks introduced into the system. Changes to critical components of a system might require a complete revalidation, but smaller changes might only require testing of the changes.