Change control

Change control is the documented, risk-assessed workflow a regulated organisation must run whenever it modifies anything that could affect product quality, patient safety or the validated state of a process. The scope is wider than newcomers expect: it covers a formula or recipe, a piece of equipment, a supplier or contract manufacturer, an SOP or work instruction, a computerised system, a facility utility (HVAC, water, compressed gas), a method, a label, a packaging configuration and even a key piece of personnel (a Qualified Person leaving and being replaced is a change-control event).

If a process has been validated, qualified or approved by a regulator — directly or by reference — then changing it without going through change control is, by definition, an uncontrolled deviation. Most FDA Warning Letters that cite 'failure to follow procedures' boil down to a change that was made on the floor without ever entering the change-control system.

An auditor's first question, after asking to see the quality manual, is almost always 'show me the change-control log for the last twelve months'. The log tells them, in one place, what your factory is doing differently than the last time anyone inspected it. From there they pull a sample of changes and audit the file end-to-end — risk assessment, approvals, training delivered, validation re-executed, effectiveness verified. A weak file in that sample is the fastest route from a routine inspection to a Form 483 observation.

There is a second, more strategic reason. Lifecycle management — the discipline of running a product or process over years and decades without quality drift — depends almost entirely on change control. ICH Q12 (lifecycle management) explicitly says so: 'an effective pharmaceutical quality system…with robust change management is the foundation for the management of post-approval CMC changes'. Without disciplined change control, every approved validation slowly decays as small modifications creep in unrecorded.

Change control is not a single clause in a single regulation; it is a pattern that recurs across every regime that governs regulated manufacturing. The wording differs, the expectation is identical.

Note that 21 CFR 820 does not have a stand-alone 'change control' section: the requirement is spread across document control (820.40), design changes (820.30(i)), purchasing controls (820.50) and process changes (820.70(b)). The QMSR transition due February 2026 aligns with ISO 13485 wording but does not reduce the substance — every documented procedure still needs a documented mechanism for changing it.

Inexperienced quality teams scope change control too narrowly — usually to formula edits and SOP revisions — and miss the events that most often trigger inspection findings. A defensible scope includes:

• Formula, recipe or bill-of-materials changes (including raw-material grade, supplier, particle size or moisture spec).
• Process changes (mixing time or speed, drying temperature, hold time, in-process control limits, sampling plan).
• Equipment changes (replacement, relocation, software upgrade, addition of a sensor, change of CIP / SIP cycle).
• Facility and utility changes (HEPA filter type, water-system component, compressed-air filter, lighting in an aseptic zone).
• Computerised system changes — firmware, OS patch, application upgrade, integration endpoint, data field added or removed (see Annex 11 §10).
• Supplier changes (new vendor, new manufacturing site of an existing vendor, change of distributor).
• Specification changes (raw material, in-process, finished product, stability).
• Method changes (analytical method, in-process test method, cleaning verification method).
• Document changes (SOP, work instruction, form, training material, label artwork).
• Organisational changes that affect quality (QP replacement, designated Person Responsible for Regulatory Compliance under MDR, PCQI under FSMA).
• Container, closure or packaging changes — including secondary and tertiary packaging when they affect protection or labelling.
• Storage and transport conditions (temperature range, humidity, light exposure).

A useful screening rule: if the change touches anything written into a regulatory submission, a validation protocol, a master batch record, an MMR/MBR/DMR, a label, a specification, a contract, or an approved supplier list, it is a change-control event. When in doubt, log it — closing a low-risk change quickly is cheaper than defending an unlogged one at audit.

Every mature change-control SOP classifies proposed changes before any other work happens, because the classification drives the depth of risk assessment, the level of approval, and the amount of re-validation required. The most common three-tier scheme:

The classification is itself a quality decision and should be made by people with QMS literacy — not by the change initiator alone. Mis-classifying a critical change as minor is one of the highest-severity Form 483 themes.

An audit-defensible change-control file walks an inspector through eight discrete, dated, electronically-signed steps. The headings below are what every Notified Body, FDA QSIT-trained investigator and GFSI auditor expects to see.

1. Initiation — describe the change, the reason, the affected products / processes / documents / systems, and the proposed implementation date. Captured in a controlled form with a unique CC number.
2. Risk assessment — formal evaluation against ICH Q9 (quality risk management) or an equivalent framework. Identify hazards introduced, removed or modified. Produce a documented severity / probability / detectability score and a risk-control plan.
3. Technical and regulatory evaluation — does the change affect a regulatory filing? An established condition? A registered specification? A validated state? A signed Quality Agreement with a customer? Capture each evaluation as a record.
4. Action plan — list the deliverables: SOP revisions, re-validation protocols, training, supplier notifications, label re-prints, regulator submissions. Each deliverable has an owner, due date and acceptance criteria.
5. Review and approval — by everyone whose function is affected: production, engineering, QC, QA, regulatory, and where required commercial / supply-chain. Two-person e-signature for the QA approval is industry standard.
6. Implementation — execute the action plan. Every deliverable closes against its acceptance criteria with documented evidence. The cut-over date is recorded.
7. Verification — confirm that the change was implemented as planned. Re-qualification or re-validation results are attached. Training-completion records are attached.
8. Effectiveness review — a dated, structured check (typically 30, 60 or 90 days after implementation, depending on risk) that the change achieved its intended outcome and did not introduce new issues. Without this step the change is not closed.

The effectiveness review is the step organisations skip most often. ICH Q10 §3.2.3 explicitly requires it, and so does ISO 13485 by implication of §8.5. A change closed without an effectiveness check is, at audit, indistinguishable from an unverified deviation.

Every change-control risk assessment should be traceable to ICH Q9(R1) (Quality Risk Management, revised 2023). Q9 is method-agnostic — you can use FMEA, HACCP, fault-tree, fishbone or a simpler risk matrix — but it requires that the assessment is documented, that the team has the right competence, and that the output supports a defensible decision.

A pragmatic, audit-friendly approach for change control:

1. Define the change scope and the systems / processes / products it touches.
2. List potential failure modes introduced by the change (use prompt cards: 'what could be confused for the old way?', 'where could training gaps appear?', 'what cleaning effectiveness assumptions still hold?').
3. Score each failure mode for severity (patient or product impact), probability (frequency of opportunity) and detectability (likelihood of catching it before product reaches the patient).
4. Multiply to a Risk Priority Number (RPN). Compare against your SOP threshold for action — typically RPN ≥ 100 triggers explicit risk-control planning.
5. For each high-RPN failure mode, define a specific risk control (procedural change, engineering change, training delivery, monitoring KPI). Tie each control back to a deliverable in the action plan.
6. Re-score residual risk after controls are in place. Document any residual risk that is accepted, by whom and why.

A change that touches a validated process or qualified piece of equipment almost always re-opens part of the validation. EU GMP Annex 15 §11 spells out the principle: 'a documented review of the changes' that determines what re-qualification or re-validation is needed. ICH Q7 §13 (for APIs) and ISO 13485 §7.5.6 (for devices) say the same in different words.

The single most useful artefact for managing this in practice is a validation map: a matrix that lists every validated process, system and piece of equipment on one axis, and on the other axis the inputs that affect each one — formula, equipment, method, personnel, software, facility, supplier, material. When a change-control entry is opened, the map immediately tells the team which validations are potentially impacted. Without a validation map, teams forget cleaning validation, computer system re-validation and method re-validation almost every time.

Re-validation effort scales with the classification:

Computerised systems — LIMS, MES, ERP, QMS, EBR/EBMR/EDHR, label printers, lab instruments, building management systems, even spreadsheets — sit under EU GMP Annex 11 and 21 CFR Part 11. Annex 11 §10 is explicit: 'Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.'

A defensible computerised-system change-control record includes:

• Description of the change (functional and technical) and the version it moves from / to.
• Risk assessment with explicit consideration of GxP impact, data integrity (ALCOA+) and audit-trail continuity.
• Regression test plan covering at minimum the functions touched, the integrations consumed and the audit-trail / e-signature flows.
• Backout plan — what happens if the change has to be reversed.
• User-acceptance testing evidence with traceable test scripts and signed results.
• Production cut-over plan, including data migration approach and pre/post-migration data-integrity checks.
• Post-implementation monitoring window (typically 30 days) with explicit success criteria.

Failing to include audit-trail continuity in the assessment is one of the most common GAMP 5 findings. A system upgrade that loses or re-numbers historical audit-trail entries is, by Annex 11 standards, a data-integrity event in its own right.

Supplier changes are change-control events whether or not your own factory does anything differently. 21 CFR 820.50 (purchasing controls), ICH Q7 §17 (agents, brokers, traders, distributors, repackers and relabellers) and the FDA's 2016 Contract Manufacturing Quality Agreement guidance all require that supplier changes flow through change control with the same rigour as internal process changes.

Quality Agreements almost always list specific change types that the supplier must notify the customer about — change of manufacturing site, change of sub-supplier of a critical raw material, change of QC method, change of release specification. When such notifications arrive, they should open a change-control entry on the receiving side automatically. V5's supplier portal does exactly this: a supplier-initiated change notification creates a draft CC entry against the right product family, pre-populated with the supplier's evidence.

A change that has been approved on paper but where operators have not yet been trained is not really implemented — and operating to the new way before training is delivered is, regulatorily, a worse position than continuing on the old way. The effective date of a change must be the later of: the date the new document is released, the date training is delivered to every affected role, and the date any pre-requisite re-validation is signed off.

Document control and change control are joined at the hip here. The training matrix needs to know which roles are affected by which document, and the kiosk or shop-floor application needs to hard-block work against the new SOP until the operator has acknowledged the current effective version. See our companion page on [document control](/glossary/document-control) for the mechanics.

Reading three years of FDA Warning Letters and EU GMP inspection reports surfaces the same change-control failure modes over and over:

• No change-control record at all — the change was made informally on the floor, often with a verbal QA approval that no one wrote down.
• Mis-classification — a critical change recorded as minor to avoid the risk-assessment and re-validation overhead.
• Risk assessment that is conclusory rather than analytical — 'no impact' written without a documented reasoning step.
• Effectiveness review skipped — the change is closed at implementation, not at verified effectiveness.
• Training delivered after the effective date — operators were working to the new SOP before they had signed off on it.
• Re-validation scoped too narrowly — process re-validated, cleaning validation forgotten.
• Audit-trail discontinuity after a computerised-system upgrade.
• Supplier change accepted on the receiving side without opening an internal change-control entry.
• Document change pushed live without re-issuing the master batch record / device master record snapshot — the next batch runs against a stale snapshot.

Each of these is preventable with workflow discipline; each is a recurring root cause of expensive remediation programmes.

A management-review-grade change-control programme tracks at least five metrics, trended monthly and segmented by site, product family and change class:

• Number of change-control entries opened (by class) — early-warning indicator of process drift or new product introduction load.
• Cycle time from initiation to approval, and from approval to closure — a lengthening tail indicates resource constraints or unresolved risk assessments.
• Percentage of changes closed on time against original target — a lifecycle hygiene metric.
• Percentage of changes with an effectiveness review completed within the planned window — the single most diagnostic metric for quality-culture maturity.
• Repeat-issue rate — number of new change-control entries that address the same root cause as a previous one. High repeat rate indicates effectiveness reviews are rubber-stamped.

V5 treats change control as a first-class workflow that sits at the same level as deviation, NCR and CAPA — and is explicitly cross-linked to them. The relevant capabilities, end to end:

• Every change-control entry carries a class (minor / major / critical) and a risk-assessment record built directly against ICH Q9(R1). Individual scores are captured before consensus to expose subjectivity.
• Approved-formula edits and approved-MMR edits automatically open a major-class change-control entry. The formula version cannot become 'current' until the change is closed.
• Two-person e-signature on QA approval is enforced for major and critical changes — a preparer and an independent reviewer, both with documented training records on the affected procedure.
• Validation map: each equipment, computerised system, method and process record carries a 'last validated' state. The change-control screen surfaces every dependent validation that a proposed change touches, automatically generates re-qualification tasks, and blocks closure until they are signed off.
• Documents, training and the kiosk are wired together. A change that ships a new SOP revision opens a training task against the right roles. The kiosk hard-blocks any work under that SOP until the operator has acknowledged the new effective version.
• Supplier-initiated change notifications received through the supplier portal create a draft change-control entry on our side, pre-populated with the supplier's evidence, the affected products and the suggested classification.
• The change-control register is the homepage of the QMS module — every entry shows status, owner, due date, attached risk assessment, re-validation status, training status and effectiveness-review status, all in one row.
• Audit-trail continuity is preserved across V5 application upgrades. Historical audit-trail entries are immutable; upgrade-time data migrations are themselves change-controlled and produce pre/post integrity reports.