In my last post, I described change control process in general and I mentioned that in the regulated industries, manufactures are required to use a change control procedure. I am going to describe this change control procedure in this post.

A change control procedure is usually one of standard operating procedures (SOP's). It usually includes a change control form. Some companies also use change request forms for suggested changes. This procedure usually includes the following components:

Identification

The identification of the changed device, assembly, component, labeling, packaging, software, process, procedure, manufacturing material, and any other related item or document. The change control form has blank spaces for recording this data.

Effective Date

The effective date of the change which is usually a completion date, or an action to be performed when a specific event occurs, such as "implement the change when the new part is installed, validated, and operational." The blank on the change control form for recording the effective date should not be left empty.

Responsibility

The change procedure should state which department or designee is responsible for each function to be performed.

Revision Number

The change procedure should describe the way the revision level is to be incremented. It is common practice to use sequential numbers for revisions.

Communication

The change procedure should describe the communication of changes to all affected parties such as production, purchasing, contractors, suppliers, etc. As appropriate, the document might include activities that apply to internal operations. Examples are employee training, rework, or disposition of in-process assemblies, use of revised drawings and/or procedures, and disposition of old documents.

Updating Documentation

The change procedure should cover updating of primary and secondary documentation such as instruction manuals. Usually there are no problems with updating or revising primary documentation -- in fact, that is a major reason the given change order is being processed. In contrast, it is rather easy to forget that related secondary documents such as component drawings, instruction manuals or packaging require revision if affected by a given change. The use of a good change control form can alleviate this problem.

Documentation Distribution

Revised documentation should be distributed to persons responsible for the operations affected by the change and old documents removed and filed or discarded, as appropriate. After updated documents have been approved, these documents have to be made available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents have to be promptly removed from all points of use or otherwise prevented from unintended use.

Remedial Actions

Certain changes may require remedial action. Changes of this nature should be addressed in the change control procedure.

Regulatory Submissions

There may be changes may that require a regulatory submission. The change control procedure should specify if regulatory submissions should be considered when making a change.

Business Factors

The change procedure should also cover other factors such as financial impact, modification of sales literature, update of products in commercial distribution, etc.

Quality Assurance Review

The change procedure should cover if the quality assurance review is required for the change.

This change control procedure is also used for document control.

Changes to documents have to be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval of these documents unless there is a specific designation that states otherwise. These approved changes have to be communicated to the appropriate personnel in a timely manner. A company has to maintain records of changes to documents.

Change control for documents should include:

• identification of the affected documents;
• a description of the change;
• revision number
• the signature of the approving individual(s);
• the approval date;
• the date when the change becomes effective.

In a case of the regulatory agencies inspection, the change control procedure is usually audited. 

Change control within quality management systems (QMS) and information technology (IT) systems is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without analysis, introducing faults into the system or undoing changes made by other users of software.

The goals of a change control procedure include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing a change.

Change control is used in a wide variety of products and systems. For Information Technology (IT), it is a major aspect of the broader discipline of change management. Typical examples from the computer and network environments are patches to software products, installation of new operating systems, upgrades to network routing tables, or changes to the electrical power systems supporting such infrastructure.

Change control process can be described as the sequence of of six steps: record/classify, assess, plan, build/test, implement, close/gain acceptance.

Record/classify

A user initiates a change by making a formal request for something to be changed. The change control team then records and categorizes that request. This categorization would include estimates of importance, impact, and complexity.

Assess

Change control team makes an assessment typically by answering a set of questions concerning risk, both to the business and to the process, and follow this by making a judgment on who should carry out the change. If the change requires more than one type of assessment, the head of the change control team will consolidate them. Everyone with a stake in the change then meet to determine whether there is a business or technical justification for the change. The change is then sent to the delivery team for planning.

Plan

Management will assign the change to a specific delivery team, usually one with the specific role of carrying out this particular type of change. The team's first job is to plan the change in detail as well as construct a regression plan in case the change needs to be backed out.

Build/test

If all stakeholders agree with the plan, the delivery team will build the solution, which will then be tested. They will then seek approval and request a time and date to carry out the implementation phase.

Implement

All stakeholders must agree to a time, date and cost of the implementation of the change. Following the implementation, it is usual to carry out a post-implementation review which would take place at another stakeholders meeting.

Close/gain acceptance

When the user agrees that the change was implemented correctly, the change can be closed.

Change Control in a Regulatory Environment

In a Good Manufacturing Practice (GMP) or ISO 9001 regulated environment, change control activities and procedures apply to software, labeling and packaging, device manufacturing processes, production equipment, manufacturing materials, and all associated documentation such as quality system procedures, standard operating procedures, quality acceptance procedures, data forms, and product-specific documentation. Change control is also applied to any production aids such as photographs and models or samples of assemblies and finished devices.

Any regulated industry has a compilation of documents containing the procedures and specifications for a finished product. It includes specifications and all other documentation required to procure components and produce, label, test, package, install, and service a finished product. Manufacturers are to prepare, control changes to, and maintain these documents using change control procedure which is in fact the document control procedure.

In my next post, I will describe the change control procedure as it applies to documentation in a regulated industry. 

In my last post, I described the GMP requirements for document control. In this post, I am going to describe the GMP requirements for information technology used in a GMP company.

For a drug to be produced in a GxP compliant manner, some specific information technology practices must be followed. Computer systems involved in the development, manufacture, and sale of regulated product must meet certain requirements such as:

• secure logging: each system activity must be registered, in particular what users of the system do, that relate to research, development and manufacturing. The logged information has to be secured appropriately so that it cannot be changed once logged, not even by an administrative user of the system;
• auditing: an IT system must be able to provide conclusive evidence in litigation cases, to reconstruct the decisions and potential mistakes that were made in developing or manufacturing a medical device, drug or other regulated product;
• keeping archives: relevant audit information must be kept for a set period. In certain countries, archives must be kept for several decades. Archived information is still subject to the same requirements, but its only purpose is to provided trusted evidence in litigation cases;
• accountability: Every piece of audited information must have a known author who has signed into the system using an electronic signature. No actions are performed by anonymous individuals;
• non-repudiation: audit information must be logged in a way that no user could say that the information is invalid, e.g. saying that someone could have tampered with the information. One way of assuring this is the use of digital signatures.

GMP guidelines require that software programs must be validated by adequate and documented testing. Validation is defined as the documented act of demonstrating that a procedure, process, and activity will consistently lead to the expected results. The software validation guideline states: “The software development process should be sufficiently well planned, controlled, and documented to detect and correct unexpected results from software changes."

To validate software, it must be:

• structured, documented, and evaluated as it is developed;
• checked to make sure that it meets specifications;
• adequately tested with the assigned hardware systems;
• operated under varied conditions by the intended operators or persons of like training to assure that it will perform consistently and correctly.

It is important to notice these requirements since a document management system is required to control documents, so this document management system must meet these requirements for information technology. 

In the regulated environment, the document control is the cornerstone of the quality system. It is so important that if an external audit identifies deficiencies in the document control system, the entire organization can be shut down.

In my last post, I talked about the connection between ISO 9001 and document control. ISO 9001 is one example of the regulated environment. It is usually used in engineering types of companies. In food, drugs, medical devices, and cosmetics industries, GxP/GMP regulations are used. Today, I am going to talk about the connection between GxP/GMP and document control.

GxP is a general term for Good Practice quality guidelines and regulations. The titles of these good practice guidelines usually begin with "Good" and end in "Practice", with the specific practice descriptor in between. GxP represents the abbreviations of these titles, where x (a common symbol for a variable) represents the specific descriptor.

For example: Good Clinical Practice (GCP), Good Laboratory Practice (GLP), Good Manufacturing Practice (GMP), Good Safety Practice (GSP), and many others.

A "c" or "C" is sometimes added to the front of the acronym. The preceding "c" stands for "current." For example, cGMP is an acronym for "current Good Manufacturing Practice." The term GxP is only used in a casual manner, to refer in a general way to a collection of quality guidelines.

The purpose of the GxP quality guidelines is to ensure that a product is safe and meets its intended use. GxP guides quality manufacture in regulated industries such as food, drugs, medical devices, and cosmetics.

The most central aspects of GxP are traceability - the ability to reconstruct the development history of a drug or medical device and accountability - the ability to resolve who has contributed what to the development and when.

GMP is the most well known example of a GxP.

Good Manufacturing Practice (GMP) are practices and the systems required to be adapted in pharmaceutical and medical devices companies. GMP is the guidance that outlines the aspects of production and testing that can impact the quality of a product.

Many countries have legislated that pharmaceutical and medical device companies must follow GMP procedures, and have created their own GMP guidelines that correspond with their legislation. Basic concepts of all of these guidelines remain more or less similar to the ultimate goals of safeguarding the health of the patient as well as producing good quality medicine, medical devices, or active pharmaceutical products.

In the U.S. a drug may be deemed adulterated if it passes all of the specifications tests but is found to be manufactured in a condition which violates current good manufacturing guidelines. Therefore, complying with GMP is a mandatory aspect in pharmaceutical and medical devices manufacturing.

Documentation is a critical tool for ensuring GxP/GMP compliance.

This is what GMP states about document control:

Each manufacturer shall establish and maintain procedures to control all documents that are required. The procedures shall provide for the following:

1. Document approval and distribution. Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance all documents. The approval, including the date and signature of the individual(s) approving the document, shall be documented. Documents shall be available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents shall be promptly removed from all points of use or otherwise prevented from unintended use.

2. Document changes. Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the review and approval of original documents, unless specifically designated otherwise. Approved changes shall be communicated to the appropriate personnel in a timely manner. Each manufacturer shall maintain records of changes to documents. Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.

These requirements are consistent with document control requirements stated in ISO 9001 which I described in my previous post.

The role of QA, in regards to the document system, is one of management and overview. QA ensures that all documents are maintained in a controlled fashion and that all procedures are being used within a company are approved by the appropriate subject matter experts, are consistent with other documents, and are the most current version. One way that QA ensures this is by being the last signature on all approved documents. All documents; current, obsolete, superseded, as well as all the history on the creation and revision of the document are kept in Quality Assurance.

These are the steps of the document control procedure:

Creation

Any knowledgeable employee should be able to write or revise documents as needed. 

Revising

When revising a document the redline changes along with detailed justification of the changes should be routed.

Routing

The document control function of QA is responsible for routing documents for review and approval. It is suggested that a pre-route be done to ensure that all affected parties are in agreement with the document before it is submitted to QA. There should be a documented process detailing how documents are submitted for review and approval.

A controlled form listing all the changes made to the document, justification for the changes, and a list of personnel who need to review the document needs to be routed along with the document. At a minimum the author’s manager, all affected department heads, and QA need to review the document. Other Subject Matter Experts can be included.

Approval

Once all affected parties have agreed to the changes, document control will prepare the document for approval. All changes will be incorporated into the document. For new documents the version # will be 00. For each revision of a document the version number will increase (01, 02, 03, etc). A master document will be routed for approval signatures.

Typically the approval signatures are the Author, the Department Head, and QA. QA must be the last signature on all documents. Usually the approval signatures only appear on the first page of the document. Once the master document has been signed, and effective date is stamped onto each page of the document. The effective date must be far enough in advance to allow for the document to be trained on before it becomes effective (typically this is 5 days).

Distributing

On the effective day copies of the signed master document are routed to the affected departments. The departments will remove the old version and replace it the new version (for revised documents). If the document is new, there will be no replacement document to remove.

The old versions must be returned to document control. On a periodic basis document control personnel should audit the binders to determine if they contain the correct versions. Each document binder should contain a table of contents and only those documents that the department is responsible for. A full set of all approved documents should be in the QA department as well as in a central company location.

Archiving

Old revisions of documents will be stamped as superseded. No document revisions will be discarded or altered. A file will be maintained within QA that contains all the superseded documents and the signature approvals of personnel who agreed to the revisions.

Obsolete

If a document will no longer be used by any department in the company it can become obsolete. The document must be stamped as Obsolete and all copies removed from all document binders. It is a good idea to place a notice in the document stating that the document has been Obsolete.

Good manufacturing practice (GMP) regulations require that all documentation be issued, managed and controlled using a document management system.

In my future posts, I will further describe GMP regulations pertaining to documentation and documentation management systems.