Classification of Changes for GMP/GDP

Classification of change controls within change management is a common and widely accepted best practice. It stems from the requirement that change proposals as assessed from a risk perspective, where:

the level of rigor, effort and documentation is commensurate with the level of risk,
the risk assessments adequately evaluate the potential risks and benefits of changes to product quality, safety and efficacy, and
those risk assessments consider the potential risks and benefits to other products, processes and systems.

Classification for GMP/GDP changes itself is not a requirement, it is a guidance, best found in the PIC/S Recommendation “How to Evaluate and Demonstrate the Effectiveness of a Pharmaceutical Quality System in relation to Risk-based Change Management” (PI 054-1) which states in section 5.2 “Change Management procedures often require a risk-based classification (e.g. critical, major, minor) to be assigned to proposed changes as well as an impact assessment to be performed. The latter routinely determines the potential impacts of the proposed change on various items, such as product quality, documentation, cleaning, maintenance, regulatory compliance, etc. In some cases, especially for simple and minor/low risk changes, an impact assessment is sufficient to document the risk-based rationale for a change without the use of more formal risk assessment tools or approaches.”

The PIC/S tells us that these categories drive the amount of rigor a change control requires, which is a great reason to have them. We spend time creating and confirming our categories, and then we only need to perform more rigorous risk assessments on the big changes.

How should we build this risk-based classification system? There are four criteria that drive this:

Potential regulatory impact
Potential impact on the qualified and validated state
Potential impact on the ability to disposition and ship product
Complexity

I tend to use only two categories, defined like this:

Major has Significant Impact: Changes that have a considerable potential impact on the process, product quality, safety, or regulatory status.

Minor has Limited Impact: Changes that have minimal or no significant impact on the process, product quality, safety, or regulatory status.

Change Management is Bigger than Change Control So Think Beyond Individual Changes

For regulatory impact, it really is as easy as dividing things into the four categories. “Do, Report, and Do and Record are minors. “Do and Tell” are majors, and “Tell and Do are either majors or critical based on how you slice it.

When considering potential validation impact you’ll leverage your process risk assessments and your validated state to determine what is in that bucket. This is why I like a document like an operational control strategy because this tells me exactly what impacts my validated state and I can just it to form this category.

The potential impact on the ability to disposition and ship the product has me looking at what can impact the ability to release and get the product out the door, which is an important aspect of what we do. Remember, a shortage of products is a quality issue.

Complexity looks at how many processes and systems are impacted and how many functions and areas are involved. The more complex, the more formal risk assessment is required. For example, you might use groupings like this:

Low level of complexity

Requires actions from the change owner and the system owner’s department(s) only
Impacts 1 system
<10 document revisions (approximate)
<2 potential training audiences (approximate)

Higher complexity:

Requires actions from more than change owner and system owner
Impacts more than one system
>10 document revisions
>2 potential training audiences (approximate)

The where of making the classification also makes a difference. I recommend up front, agreed to by the change owner and quality and it then drives everything. Doing it just before approval really just decides who gets to approve the change control and whether it goes to CCRB or not.

These classifications can be loose guidelines; for example, a table that looks at the first three categories and then by complexity. Your rating depends on whichever Impact or Complexity is higher.

Impact of Change (regulatory, validation, product)		Complexity of Change
Minor	No risk to patient as assessed by SISPQ, product, or validated equipment or process AND No regulatory impact.	Limited impact to only one system/functional area AND Has defined process for implementation of change. (e.g. all action items are per defined procedures)
Major	Potential impact to patient or product SISPQ or validated equipment or process or compliance	Impacts multiple systems / functional areas OR Has defined process for implementation of change
Critical	High likelihood of impact to patient, product SISPQ or validated equipment or process or compliance	Impacts multiple systems / functional areas OR Implementation activities are not pre-defined or governed by formal internal system

Or we could try for something much more specific. The advantage of specific is any change owner can start making the determination. Something like this:

Change Category	Change Description
Manufacturing Processes	In-process labeling
	Changes to Process Control and Operating Parameters (tightening/shifting) within current batch record (does not impact established conditions)
	The addition of in-process or final product samples
	Changes to sample volume for in-process or finished product samples
	Addition of new ancillary equipment (e.g. no product contact, does not control process steps) to the process
Analytical Methods	Changes to the qualification of a critical reagent (i.e., in-house produced assay standards and controls)
	Use of an additional new instrument of the identical model and vendor
	Change in compendial method to comply with formal updates to compendia, provided it does not involve the widening of system suitability or acceptance criteria
	Equipment/instruments calibration, maintenance, and cleaning
	Changes to software or validated analytical spreadsheets that do not impact the current validated state of the method
	Movement of instruments from one location to another in the same room/lab
	Initial validation of analytical spreadsheets for use in calculation of data and results defined by a specific analytical method, provided it does not replace a worksheet in an SOP (if so, this change may be reportable)
	Changes to non-critical equipment or materials that allow “or equivalent” in current method, provided method re-validation is not required
Drug Substance or Drug Product Specifications/ Limits	Changes to the sampling plan involving changes to the number of extra samples or amount of sample provided to QC or CMO as appropriate.
Drug Substance or Drug Product Specifications/ Limits	Changes to the storage and/or shipping conditions of samples (except for stability vials)
Raw Materials/Com ponents	Compendial Specification Changes to meet Compendial updates
	Non-product contact filters
	Vendor increase or decrease in the number of items per shipping container, or the size of the shipping or outer container
	Changes to the vendor Certificate of Analysis (format change only)
	Changes in recommended expiration date and/or storage conditions of raw material
Finished Goods	Catalog Number changes to components
	Creation of label at contract manufacturing site for existing presentation (assuming ‘No’ other change to already approved label)
	Changing position of pharmacode on leaflet
Computer	When there is no validation impact
Facility, Utilities, Systems and Equipment (including Automation)	Equipment/instrument maintenance
	Decommissioning of equipment not classified as critical equipment
	Computer programming that affects non-production equipment
	Alarms (i.e., notification system for out of tolerances)
	Cleaning and Sanitization of Manufacturing facilities and non-product Contact equipment
	Upgrade of Application Software or operating system
	Alarm set point changes
	Creating user groups and modifying user group privileges
	Tuning parameter, adjustment to the gain, reset and rate of a PID controller
	Phase or sequence change that does not affect the function and performance
	Modifying a phase prompt or message (technical change)
	Addition of a graphic, adding or changing a non-static device to a graphic (technical change)
	Addition or changing to an interlock/permissive trigger
	Changes to alarm paging/notification functionality

Spend the time on your classification structure. You will use it to:

Determine level of risk assessment (major yes, minor no)
Determine approvals (minors can be as simple as change owner and quality)
Does this change require a CCRB? Only send majors.

Interim Controls within a Change Control

The PIC/S recommendation on change control section 5.3 “Change Planning & Implementation” recognizes that changes often address issues that need to be remediated:

Potential risks with the current state (until changes are implemented) and any risks that might be temporarily introduced during the change process are adequately assessed.
Interim controls (short-term measures), as needed, are identified and implemented in a timely manner to monitor/mitigate risks associated with the current situation (until change implementation).

This section also recognizes that changes introduce an interim set of conditions that lead to implementation – from opening a machine through massive construction activities, and just about anything else.

A good change control does not just address what is necessary to implement the desired future state. It also contains interim controls for managing the current state until the future is implemented, and addresses all of the potential risks during the process of implementation.

Change plans address current, interim, and future states

Often the change control stems from an action plan in a CAPA record, where the interim controls are specifically called out and detailed. These may be adequate for a relatively brief period but are not realistically sustainable. Remember that these interim controls must also go through the appropriate change control process. Which may have been a separate change control or be part of this change control. In all cases, the change control should either determine that the CAPA plan is adequate or identify additional risks that were identified during change planning.

Risk assessments for change control should really have three basic risk questions:

What are the risks of the current state as we implement the change?
What are the risks of the implementation process?
What are the risks of the future state?

As discussed elsewhere, these questions are really branching trees.

Interim controls in a change are usually little temporary changes in the change plan that either mitigate occurrence or impact.

Interim Control Type	Mitigate Occurrence	Mitigate Impact
Examples	Every record processed will be reviewed for the event error before completion. Revised preventive maintenance procedure to require vibration test at next preventive maintenance. Increase cleaning frequency of incubator.	Add emergency response steps to address a valve that is malfunctioning. Add engineering check for pump prior to each use. Perform cleaning log review prior to use.

As temporary changes, it is important to determine how they will be implemented, if they require monitoring, and how they will go away. Often the process of implementation of the change removes the temporary changes, but that is not always the case.

Changes that impact multiple product

Dear all, regarding question 20 “Is the effective date of the change (completion date) recorded and when appropriate the first batch manufactured recorded?” we are not sure how to handle it for multi-product changes. At our site we manufacture products of different customers. Sometimes we have changes, where f.e. documents of several products need to be adapted. How are the requirements defined in such cases? Do we need to report the first batch only once or for each product
Correspondent

This request comes from my post “29 questions to ask about your change management/change control system.”

At heart, this requirement is to help meet the regulatory requirement that “After implementation, an evaluation of the change should be undertaken to confirm the change objectives were achieved and that there was no deleterious impact on product quality.” (ICH Q9 part IV.B.3.d)

In order to perform an evaluation, you must be able to know when to start. This evaluation must be able to be performed on each and every product. It is from here we can settle on 1st batch. There are lots of ways to do this. The requirement is, for each and every product, to be able to state definitively when the change was first applied to the product.

We can drill down to the most definitive guidance on GMP Change Control, the PIC/S Recommendation “How to Evaluate and Demonstrate the Effectiveness of a Pharmaceutical Quality System in relation to Risk-based Change Management” which further strengthens the requirement:

Section	Requirement	Means
5.4. Change Review and Effectiveness	Changes are monitored via ongoing monitoring systems to ensure maintenance of a state of control, and lessons learned are captured and shared/communicated. (Note: Activities such as Management Review, Annual Product Quality Review, Continuous Process Verification, Deviation Management and Complaint Monitoring can be useful in this regard.)	Having that definitive point allow all these activities to be effective.

The requirement is clear. We need to be able for any given change identify when it started impacting product.

All of the various Annual Product Review/Product Quality Review requirements also require the ability to evaluate all changes to the product in a given time frame.

There is also the need, for release purposes, to determine if a batch is impacted by a change.

Like many such requirements, there are multiple ways to do this. I think the requirement to capture first batch in a change control really stems from it, in many ways, being the easiest to do as you only have to manage it in the change control workflow. Though, in all honesty, it is also darn annoying with changes potentially being open more than a year to capture all possible products.

Based on our core requirement, there are several factors to consider:

There must be a way for a user to easily determine when a given change impacted a given product and to determine if a given batch was impacted by the changes
The user must be able to link any batch to all the changes that impacted it
The user must be able to run a report of all changes that impacted a product in a time frame

There are multiple ways of solving for this from the put a field in the change control to set of interfaces between the ERP and eQMS (and maybe MES).

Change Management is Bigger than Change Control So Think Beyond Individual Changes

As a pharmaceutical GXP professional with one foot in the GXP Quality camp and another in the organizational change management camp, I have a few pet peeves. And one of my biggest is whenever someone uses a phrase like “Change management may be known by different terminologies (e.g., change control, change requests, change orders).” That’s a reductionist statement that can really lead to a lot of confusion in an organization.

Change management is the how of change – assess, handle and release. Change control is the what, the execution steps. Change management is a big picture system that looks systematically at people, technology, process, and organization. Change control is the set of mechanisms for controlling the introduction of that change to the organization.

A lot of different systems and processes have change control elements. As many of these processes are supported with specific technologies, it can be very important to think about how they fit together like a puzzle.

This puzzle is usually made up of core requirements. Based on how much the change impacts them decides the rigor of the change control process.

Take for example a pharmaceutical manufacturing site. It is fairly typical to have one process for maintenance, another for IT, another for documents, etc. And then you have a change control system for things that impact established conditions, including validated state and regulatory submissions. Maybe you work at some technological utopia with a single system that manages all changes with all the deliverables, but at most places, you are trying to balance efficiency with effectiveness, and have a real need to avoid unnecessary duplication.

ICH Q12 helps by giving a nice breakdown of the major families of changes.

This helps somewhat, but for the average user it is not very specific. We need to translate it. First, we establish that only one system will be used for regulatory impact (“Tell and Do”, “Do and Tell” “Do and Report” and some of “Do and Record”), then we put the major activities that go into it. This breakdown might look like:

We are utilizing a few major criteria:

Impact of regulated state
Impact of validated state
Risk level of change
Scale of change to the organization

Using these criteria we can even drill down further, for example:

It is usually a good idea to go down to an even deeper level to help the end-user.

Requires CCR	Does Not Require CCR
Any change that impacts the integrity of controlled classified areas, including all room and equipment surfaces	Changes that do not impact integrity of controlled classified areas by meeting the following criteria: · Does not change airflow · Does not impact structural integrity and maintains a smooth cleanable surface · Does not change means of ingress/egress · Does not impact current sampling sites from the Environmental Monitoring Program · Materials used are resistant to cleaning agents used in the area as defined in the building specifications · Materials are included in disinfectant effectiveness study
Any change that impacts air balancing	Work that is part of routine or preventive maintenance or calibration
Changes to equipment or replacements with a functional equivalent or different component	Changes to equipment with an exact component
Changes to facility floor layout	Instrument calibration including adjustments to field instrumentation
Changes to equipment operating and control parameters	Removal/storage of portable equipment
Changes to equipment, material and personnel ingress, egress and flow procedures	Replacement of system instrument hardware with exact components (hardware)
Changes to room classifications	Engineering studies that do not change the validated state or change anything requiring a CCR per this procedure
Changes that impact the environmental integrity of a room	Alarm set point changes that return to the previous qualified/validated state
Replacement and/or decommissioning of equipment, utilities or facilities	Remediation work (such as mechanical polishing, weld repairs, electro-polishing, filling of pits, de-rouging and chemical cleaning with already approved material)
Alarm set point or classification changes	Addition, modification or deletion to Potable Water, Plant Steam, Chilled Water, Cogeneration System, or pre-treatment reverse-osmosis
Changes in intended use of a room or area	Modification to piping tied to Potable Water, Plant Steam, Chilled Water, Cogeneration System, or pre-treatment reverse-osmosis
Changes to Preventive Maintenance that includes: · Decreasing frequency of preventive maintenance (i.e. making less frequent) · Change in intent of a preventive maintenance task · Adding or removing tasks	Changes to Preventive Maintenance that include: · Increasing frequency of preventative maintenance (i.e. making more frequent) · Administrative changes · Adding clarity to a task (e.g. changing instructions on how to execute a task without altering the intent of the task) · Reordering task(s) without changing intent of the task(s) · Changes of tools needed to execute a task; room dedicated tools must remain in the designated area · Changes to quantity of materials
Changes that decrease the calibration frequency (i.e. make less frequent) for GMP Critical equipment (e.g. directly related to operational control of the product)	· Changes that increase calibration frequency (i.e. make more frequent) for GMP Non-Critical equipment (e.g. indirectly related to operational control of the product)
Tuning parameter, adjustment to the gain, reset and rate of a PID controller	New or replacement analytical equipment or instruments identified as Category A or Category B-Calibration Only with an exact component
Changes to the calibration frequency of GMP critical equipment (e.g. directly related to operational control of the product)	Changes to manufacturing report properties
Changes to the Environmental Monitoring Program, including addition, deletion or change to a sample location	Changes to alarm paging/notification recipients
Changes to the program for disinfection of a facility or equipment exterior	Creating/modifying individual user accounts
Change of materials of construction or class of polymeric materials (e.g. elastomers, tubing, gaskets and diaphragms)	Add an instrument to the calibration system during pre-commissioning
Changes to hardware or infrastructure associated with a validated system, equipment or utility	Changes to requalification frequency that do not change the intended use or validated state of the equipment or utility
Upgrade of application software or operating system for validated systems, equipment or utility	Corrective changes to an SOP to align it to the validated state
Changes to an SOP to align it to the validated state with impact to one or more regulatory filings	A corrective change to alarm set points to align with the validated state
Creating user groups and/or modifying user group privileges as part of a larger process change associated with validated systems, equipment, or utilities	Addition of a new calibration standard to be used with a new type of instrument at the Alachua site
Creating user groups and/or modifying user group privileges associated with validated systems, equipment, or utilities	Changes to alarm paging/notification recipients
Addition of a new calibration standard to be used with a new type of instrument at the Cambridge and Lexington sites
Modifying a phase prompt or message associated with validated systems, equipment, or utilities
Addition / change of a graphic associated with validated systems, equipment, or utilities
Addition or changing an interlock/permissive trigger
Addition/removal of I/O of validated systems
Changes to the Environmental Monitoring Program, including addition, deletion or change to a sample location
Changes to alarm paging/notification functionality
Historical data collection configuration
Change of equipment and spare parts storage site, including transfers between facilities and transfers to a contracted third party

All of this is change management. We utilize multiple change control mechanisms to manage the change.

Also, don’t forget that change controls can nest. For example a change to the EQMS has IT changes, document changes, training changes, and probably more.

Change Strategies for Accelerating Changes

The five change strategies that leaders can utilize:

Directive strategy – the manager uses his authority and imposes change with little or no involvement of other people.
Expert strategy – usually involves expertise to manage and solve technical problems that result from the change.
Negotiating strategy – manager shows willingness to negotiate and bargain in order to effect change with timely adjustments and concessions.
Educative strategy – when the manager plans to change peoples’ values and beliefs.
Participative strategy – when the manager stresses the full involvement of all of those involved and affected by the anticipated changes.

These are not mutually exclusive. It is not uncommon to use 2 or 3 or even all five on larger, more complicated changes.