Change control within quality management systems (QMS) and information technology (IT) systems is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without analysis, introducing faults into the system or undoing changes made by other users of software.
The goals of a change control procedure include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing a change.
Change control is used in a wide variety of products and systems. For Information Technology (IT), it is a major aspect of the broader discipline of change management. Typical examples from the computer and network environments are patches to software products, installation of new operating systems, upgrades to network routing tables, or changes to the electrical power systems supporting such infrastructure.
Change control process can be described as the sequence of of six steps: record/classify, assess, plan, build/test, implement, close/gain acceptance.
A user initiates a change by making a formal request for something to be changed. The change control team then records and categorizes that request. This categorization would include estimates of importance, impact, and complexity.
Change control team makes an assessment typically by answering a set of questions concerning risk, both to the business and to the process, and follow this by making a judgment on who should carry out the change. If the change requires more than one type of assessment, the head of the change control team will consolidate them. Everyone with a stake in the change then meet to determine whether there is a business or technical justification for the change. The change is then sent to the delivery team for planning.
Management will assign the change to a specific delivery team, usually one with the specific role of carrying out this particular type of change. The team's first job is to plan the change in detail as well as construct a regression plan in case the change needs to be backed out.
If all stakeholders agree with the plan, the delivery team will build the solution, which will then be tested. They will then seek approval and request a time and date to carry out the implementation phase.
All stakeholders must agree to a time, date and cost of the implementation of the change. Following the implementation, it is usual to carry out a post-implementation review which would take place at another stakeholders meeting.
When the user agrees that the change was implemented correctly, the change can be closed.
Change Control in a Regulatory Environment
In a Good Manufacturing Practice (GMP) or ISO 9001 regulated environment, change control activities and procedures apply to software, labeling and packaging, device manufacturing processes, production equipment, manufacturing materials, and all associated documentation such as quality system procedures, standard operating procedures, quality acceptance procedures, data forms, and product-specific documentation. Change control is also applied to any production aids such as photographs and models or samples of assemblies and finished devices.
Any regulated industry has a compilation of documents containing the procedures and specifications for a finished product. It includes specifications and all other documentation required to procure components and produce, label, test, package, install, and service a finished product. Manufacturers are to prepare, control changes to, and maintain these documents using change control procedure which is in fact the document control procedure.
In my next post, I will describe the change control procedure as it applies to documentation in a regulated industry.