Let’s admit it, whether in our personal or working lives, change is hard! As a species, we like to stick with the known and what works for us. Do many of us switch between Apple and Android devices? Is there a brand of car, beer, or wine that we favor? Why don’t we try other varieties? How long do we agonize over changing roles or (indeed) companies? In order to evaluate the risks, we repeatedly run through the mental checklists of the pros and cons, which are themselves impacted by our appetite for risk. In quasi-legal terms, we are trying to remove or justify the reasonable doubt (aka risk) that we are perceiving based on the facts that we have available. Applying that same process to a large organization exponentially increases the risk of failed change implementation. Therefore, the implementation of a robust change management/control process is a prerequisite for a well-functioning quality management system. It’s not surprising that regulators have placed a heavy focus on the pharmaceutical change management system. We see references to change management sprinkled through guidance, regulations, and best practices issued by global regulators. Examples include:

  • EU GMPs Chapter 1, Sections 1.4, 1.8, and 1.10
  • EU GMPs Chapter 4, Section 4.29
  • EU GMPs Chapter 5, Section 5.25
  • EU GMPs Annex 15, Section 11
  • ICH Q10 Section 3.2.3
  • ICH Q12 Chapter 6, Appendix 2
  • PICS PI 054-1 Recommendation “How to Evaluate/Demonstrate the Effectiveness of a Pharmaceutical Quality System in relation to Risk-based Change Management”
  • U.S. FDA Guidance for Industry: Quality Systems Approach to Pharmaceutical CGMP Regulations
  • 21 CFR 211.22 Responsibilities of quality control unit
  • 21 CFR 211.100 Written procedures; deviations
  • 21 CFR 820.30 Design controls
  • 21 CFR 820.40 Document controls
  • 21 CFR 314.70 Supplements and other changes to an approved NDA
  • ISO 13485 Medical devices — Quality management systems — Requirements for regulatory purposes

Given this level of regulation and guidance from global regulators, it’s not surprising that change management is a focus of inspections and regulatory submission assessments given change management’s importance to product lifecycle management as defined in ICH Q12.

Creating a system that enables rapid changes that are properly scrutinized and approved is a fine balancing act. As ICH Q10 states, the complexity of the system should be commensurate with the risk (or as a former colleague at MHRA used to say, “as simple as you can and as complex as you must”). One of the challenges in developing the change management system is that it must be flexible enough to deal with changes of varying levels of complexity. Whether it’s as simple as purchasing a new pipette for the laboratory or as complex as building a new facility, often the exact same change management system is used.

In our experience in industry and as regulators, we have observed change management systems evolve into monsters! Instead of supporting key stakeholders, they can inhibit and frustrate them. Why does this happen? Like many other areas of the quality management system, the change control system “evolves” reactively to events (e.g., changes that have gone wrong or observations from regulators). This leads to processes and procedures that can be too large and unwieldy and often very difficult to follow. It is not uncommon for us to observe a “more is better”-type approach in an attempt to convince regulators that we know what we’re doing.

Creation of greater complexity almost inevitably leads to the development of unintended (or even deliberate) workarounds of the system. These workarounds can have many titles, such as “batch notes” that record a change in the batch record, temporary change controls, changes to equipment recorded within an equipment management system/equipment logbook (as is done with like-for-like changes, which generally do not require documentation within the change management system). Preventative risk management approaches that do not require documentation but facilitate changes on site only create more complexity and obviate the goal of the formal change management system.

One personal reflection of a change that was categorized as “like-for-like” was a case at a facility that had severe mold contamination in its cleanrooms. The investigation eventually identified that a roof had recently been replaced on the building that contained the cleanrooms, but that the construction was completed without a change control. This led to inadequate controls during the roof replacement and external contractors inadvertently damaged the roof during the installation. When asked why there was no change control opened to include this work, the site team said that the replacement of the old roof with a new roof was considered “functionally similar” or “like for like” and, thus, didn’t require a change control to be opened. Though this was an obvious error, there is also a need to carefully set the threshold for what actions require change controls to prevent minor changes from getting stuck and unduly delayed in a system that isn’t responsive or isn’t quick enough to be effective.

If your change control system is overly complex and not responsive enough to effectively manage all types of changes, you may be at increased risk of a regulatory citation during an inspection.

Stay tuned to this space to continue this discussion looking at ICH Q12 and Quality Culture.