Changes, Changes Everywhere

It is sometimes unfortunate that ICHQ10 defines Change Management as “A systematic approach to proposing, evaluating, approving, implementing and reviewing changes.” This lifecycle approach can sometimes confuse people as they are used to the definition popular elsewhere that change management is “the discipline that guides how we prepare, equip and support individuals to successfully adopt change in order to drive organizational success and outcomes.”

I tend to think this is an issue of focus and lack of coherence in the organization that stems from:

  • Not understanding that all changes are to a system that involves people, organization, technology and process
  • Balkanized change processes leads to changes being atomized or channeled though discrete processes that do not drive system thinking

Both of these can lead to a change going to a default change control process and not appropriately dealing with all aspects of the change. Teams tend to have their default (IT puts everything in as a computer change, facilities always uses a an equipment change) but those defaults are not built to deal with a change holistically.

Change is a movement out of a current state (how things are today), through a transition state, and to a future state (how things will be done). Change management needs to be about how we manage that change from the entire system – people, organization, technology and process. Only by approaching change from a full system perspective do we ensure the full benefit and avoid unintended consequences.

Change Identification

Changes come from everywhere. They are driven by other quality processes, by business needs, by innovation. To quickly address change it is important to have a good funnel system that will get the change to evaluation.

Change Evaluation

All changes should be evaluated for risk and impact. This evaluation is iterative and determines the level and form of evaluation.

Change Control

Right sized change control based on risk and impact. Some changes are one-and-done. But many are multi-faceted, and it is important to structure it appropriately.

I’ve written a lot on change management that covers this in more detail. Explore them here

2020 FDA 483s around change

The yearly database of 483s has been updated by the FDA. Lots will be written on themes as we end the year, so I decided to give a few of my immediate observations.

I find that over time what I focus in on changes, as my jobs evolve and change, and the interests I have shift. However, some things never change, so let us talk change.

Reference NumberShort DescriptionLong Description2020 Frequency2019 Frequency2018 Frequency
21 CFR 211.100(a)Changes to Procedures Not Reviewed, ApprovedChanges to written procedures are  not [drafted, reviewed and approved by the appropriate organizational unit] [reviewed and approved by the quality control unit].  Specifically, ***8139
21 CFR 211.160(a)Lab controls established, including changesThe establishment of [specifications] [standards] [sampling plans] [test procedures] [laboratory control mechanisms] including any changes thereto, are not [drafted by the appropriate organizational unit] [reviewed and approved by the quality control unit].  Specifically, ***41817
21 CFR 212.20(c)Adverse effects of changes madeYou did not demonstrate that any change does not adversely affect the [identity] [strength] [quality] [purity] of your PET drug. Specifically,***111
483s related to changes

I think its fair to say the decreases as a result of the pandemic and the reduced inspections.

Over on the device side of things we see:

Reference NumberShort DescriptionLong DescriptionFrequency
21 CFR 820.30(i)Design changes – Lack of or Inadequate ProceduresProcedures for design change have not been [adequately] established.  Specifically,***26
21 CFR 820.40(b)Document change records, maintained.Records of changes to documents were not [adequately] maintained.  Specifically, ***6
21 CFR 820.70(b)Production and Process Change Procedures, lack of or Inad.Procedures for changes to a [specification] [method] [process] [procedure] have not been [adequately] established.  Specifically, *** 5
21 CFR 820.75(c)Process changes – review, evaluation and revalidationA validated process was not [reviewed and evaluated] [revalidated] when changes or process deviations occurred. Specifically, ***5
21 CFR 820.40(b)Change records, contentRecords of changes did not include [a description of the change] [identification of the affected documents] [the signature of the approving official(s)] [the approval date] [when the change became effective].  Specifically, ***



3
21 CFR 820.50(b)Supplier notification of changesThere is no agreement with [suppliers] [contractors] [consultants] to notify you of changes in the product or service.  Specifically, ***3
21 CFR 820.75(c)Documentation – review in response to changes or deviationsThere is no documentation of the [review and evaluation of a process] [revalidation of a process] performed in response to changes or process deviations.  Specifically, ***1
Device 473s around change

I’m a firm believer that pharma should always pay attention to the medical device side for 483s. A lot of us are combination products now (or will be) and there is always good trends to be aware of.

My key takeaways:

  1. Think change management and not just change control and document control
  2. Computer change controls need to be holistic and system orientated
  3. Have a process that ensures changes are appropriately reviewed and approved
  4. Risk based and evaluate validation
  5. A robust supplier management program is critical, plan for change

Here’s a more detailed checklist to help you evaluate your change system.

PIC/S on Change Review and Effectiveness

Starting from the end, let’s review some of the requirements in the new draft PIC/S guidance.

Prior to change closure

RequirementImportant Points
Changes meet their intended objectives and pre-defined effectiveness criteria. Any deviations from those criteria are adequately assessed, accepted and managed/justified. Whenever possible, quantitative data are leveraged to objectively determine change effectiveness (e.g. statistical confidence and coverage).Clearly delineating what effective means as a date is critical to generate data.

CQV activities can tell you if the intended objective is met. Effectiveness reviews must be made up of:

Sufficient data points, as described in the implementation plan, gathered to a described timeline, before an assessment of the change is made.

The success criteria should be achieved. If not, reasons why they have not been achieved should be assessed along with the mitigation steps to address the reasons why, including reverting to the previous operating state where appropriate. This may require the proposal of a subsequent change or amendment of the implementation plan to ensure success.

Data and knowledge gathered from implementation of the change should be shared with the development function and other locations, as appropriate, to ensure that learning can be applied in products under development or to similar products manufactured at the same or other locations
As part of the quality risk management activities, residual risks are assessed and managed to acceptable levels, and appropriate adaptations of procedures and controls are implemented.These are action items in the change control.

As part of the closure activities, revise the risk assessment, clearly delineating risk assessment in two phases.
Any unintended consequences or risks introduced as a result of changes are evaluated, documented, accepted and handled adequately, and are subject to a pre-defined monitoring timeframe.Leverage the deviation system.

Prior to or after change closure

RequirementImportant Points
Any post-implementation actions needed (including those for deviations from pre-defined acceptance criteria and/or CAPAs) are identified and adequately completed.If you waterfall into a CAPA system, it is important to include effectiveness reviews that are to the change, and not just to the root cause.
Relevant risk assessments are updated post-effectiveness assessments. New product/process knowledge resulting from those risk assessments are captured in the appropriate Quality and Operations documents (e.g. SOPs, Reports, Product Control Strategy documents, etc.)Risk management is not a once and done for change management.
Changes are monitored via ongoing monitoring systems to ensure maintenance of a state of control, and lessons learned are captured and shared/communicated.Knowledge management is critical as part of the product management lifecycle.

Lessons learned are critical.

Regulatory Focus on Change Management

November was an exciting month for change management!

ICH Q12 “Technical and Regulatory Considerations for Pharmaceutical Product Lifecycle Management” was adopted by the ICH in Singapore, which means Q12 is now in Stage 5, Implementation. Implementation should be interesting as concepts like “established conditions” and “product lifecycle management” which sit at the core of Q12 are still open for interpretation as Q12 is implemented in specific regulatory markets.

And then, to end the month, PIC/S published draft 1 of PI 054-1 “Recommendation on How to Evaluate / Demonstrate the Effectiveness of a Pharmaceutical Quality System in relation to Risk-based Change Management.”

This draft guidance is now in a review period by regulatory agencies. Which means no public comments, but it will be applied on a 6-month trial basis by PIC/S participating authorities, which include the US Food and Drug Administration and other regulators across Europe, Australia, Canada, South Africa, Turkey, Iran, Argentina and more.

This document is aligned to ICH Q10, and there should be few surprised in this. Given PIC/S concern that “ongoing continual improvement has probably not been realised to a meaningful extent. The PIC/S QRM Expert Circle, being well-placed to focus on the QRM concepts of the GMPs and of ICH Q10, is seeking to train GMP inspectors on what a good risk-based change management system can look like within the PQS, and how to assess the level of effectiveness of the PQS in this area” it is a good idea to start aligning to be ahead of the curve.

“Changes typically have an impact assessment performed within the change control system. However, an impact assessment is often not as comprehensive as a risk assessment for the proposed change.”

This is a critical thing that agencies have been discussing for years. There are a few key takeaways.

  1. The difference between impact and risk is critical. Impact is best thought of as “What do I need to do to make the change.” Risk is “What could go wrong in making this change?” Impact focuses on assessing the impact of the proposed change on various things such as on current documentation, equipment cleaning processes, equipment qualification, process validation, training, etc. While these things are very important to assess, asking the question about what might go wrong is also important as it is an opportunity for companies to try to prevent problems that might be associated with the proposed change after its implementation.
  2. This 8 page document is really focusing on the absence of clear links between risk assessments, proposed control strategies and the design of validation protocols.
  3. The guidance is very concerned about appropriately classifying changes and using product data to drive decisions. While not specifying it in so many words, one of the first things that popped to my mind was around how we designate changes as like-for-like in the absence of supporting data. Changes that are assigned a like-for-like classification are often not risk-assessed, and are awarded limited oversight from a GMP perspective. These can sometimes result in major problems for companies, and one that I think people are way to quick to rush to.

Much of my thoughts on implementing this can be found in my presentation on change management and change control.

It is fascinating to look at appendix 1, which really lays out some critical goals of this draft guidance: better risk management, real time release, and innovative approaches to process validation. This is sort of the journey we are all on.

ASQ Audit Conference – Day 1 Afternoon

I presented on change management and then I spent the afternoon focusing more on ASQ member leader stuff. So not much to report on sessions.

My session, Lessons on Change Management went well. I probably should have cut the slides way back instead of re-purposing slides from a longer presentation, but I think I hit a lot of key points and hopefully it was valuable for folks.

I ended up working the FDC Division table after that, so I skipped the final session of the day. Probably best, after presenting its always hard for me to focus for a little while.

Tomorrow is a full day, and I present on data integrity.