The Foundation
The 4 Pillars of a Compliant GxP Change Control System
Target Audience:
- QA Managers, Compliance Leaders, QPs
In GxP, Change Control isn’t just a procedure—it’s the core mechanism for maintaining control and minimizing risk.
Regulators across the globe (FDA, EMA, WHO) fundamentally expect the same four pillars to protect product quality, identity, safety, strength, and purity.
Here are the 4 Non-Negotiables for Your Change Control System:
1. Risk Management (ICH Q9
- The effort must be commensurate with the risk.
- Your classification system (Minor, Moderate, Major) must directly map to the depth of your impact assessment and validation requirements.
Avoid “one-size-fits-all” reviews!
Detail:
- A Major/Critical change requires a formal, multi-disciplinary FMEA and potential regulatory notification.
- A Minor change can use a streamlined review checklist.
2. Formal Documentation & Traceability
- Every change requires a complete, auditable trail.
- This includes documenting the rejection of a proposed change and the rationale for approval.
Detail:
- Your Change Control record must serve as the master index.
It must clearly reference the version-controlled documents that were impacted and the objective evidence of completion.
This ensures traceability for any internal or external audit.
3. Quality Unit Oversight
- The independent Quality Unit (QU) must review and approve all GxP-relevant changes.
- This maintains the objectivity needed to protect the patient.
Detail:
- The QU’s role starts at initial assessment (classifying risk) and ends at final closure approval.
- The QU must verify that the implementation plan was followed, the required testing was completed, and the results confirmed the desired outcome before the change can go live or the record can be closed.
4. Maintenance of a Validated State (Annex 15)
- The primary goal is to confirm the process remains in a state of control post-change. If the change impacts critical parameters, revalidation is non-negotiable.
Detail:
- The impact assessment must specifically address the change’s effect on Design Qualification (DQ), Installation Qualification (IQ), Operational Qualification (OQ), Performance Qualification (PQ).
Changes should be evaluated against existing Validation Master Plans (VMPs) to determine the required scope of re-qualification.
Compliance Manager Takeaway:
- If your Change Control records don’t explicitly link the change’s risk rating to the scope of verification/validation, or if you cannot trace an updated SOP back to the Change Request, you are vulnerable to a 483/Warning Letter finding.
Reference Guidelines:
- EU GMP EudraLex Volume 4
- ICH Q9 (Quality Risk Management
Resource Person: BARBARA PIROLA
