Change Control - Compliance with FDA 21 CFR Part 820

#1
Hello Everybody,

I have been working in QA for 7 months now and have been tasked with updating our change control procedure. We are ISO13485 certified and also need to comply with FDA 21 CFR Part 820. We don't currently have enough controls in place with change - we are able to amend specifications, process and product without any input from QA/RA as these can be handled at departmental level so long as they don't impact on other areas.

As part of this procedure I am incorporating the following:

- Amended change classification system (minor, moderate, major/significant)
- QA review and approval of all changes
- Change control board approval for major changes
- Streamlining multiple change control procedures into one systematic procedure so we are taking a consistent approach.

However, with no previous experience I have no knowledge of how this would work out in practise. Ideally, I would like to escalate the larger changes to the change board for review and approval. This will be held on a weekly basis however I am now wondering whether this needs to be a physical meeting at all (Obviously for some it would be where resource, coordination, regulatory issues are more questionable).

As an alternative (where actions are straight forward), would it be appropriate to document the action plan within the change request form, which can then be approved electronically by QA and appropriate reviewers/impacted areas (CCB reps)? The change request form also includes reason, impact assessment, documentation, etc. and is currently already 4 pages long without the action plan. Is it standard practise to ask change initiators to document action plans with change requests? This seems like a quicker way of getting these approved.

Also, we don't currently inform our notified body of any changes we make to product/process. I have looked online but I am really struggling to distinguish between changes that require notification and those that do not. Does anybody know of any solid guidance on this, or an example decision tree/flow depicting how this decision is made in their own organisation? I'm also unsure as to "how" this communication should be provided to them, i.e. is email sufficient or should we have a controlled template for notifications to notified bodies?

I have to have this in place within 4 weeks as part of a NC so am slightly panicking now. I have come across this forum today so thought it would be worth a shot. I have tried to ask management for guidance on this but I can't seem to get a straight answer except for "it's up to you" :(

Thank you in advance for any help or guidance anyone can offer!
 

yodon

Staff member
Super Moderator
#2
I'm confused as to how you can be compliant with 13485 and say you don't have change controls in place.

The QSR very much parallels the 13485:2016 standard . The QSR states procedural requirements for:
* identification of change - same as 13485
* documentation of change - same as 13485
* validation or verification - same as 13485
* review - same as 13485
* approval -same as 13485

(13485 goes on to talk about change impact assessment to constituent parts, product in process, product delivered, risk management, and product realization.)

Don't make it too complicated. A change is a change. They ALL need to be done in compliance with the standard / regulations.
 
#3
Hello neanybean, welcome to the forum! :bigwave:

First, if you are strictly concerned about 21 CFR 820 compliance, the change-control requirements are pretty straight forward. The suggestions you've proposed, while good practice, aren't really required by the regulations.

Did you get a NC sited by the FDA? If so, I'd be curious to know exactly what they identified as non-conforming. Otherwise, I'd suggest looking over the regulations - do a search for "Change", and just ensure that your system handles each one of the requirements.

It's difficult to give any specific advice without knowing details/needs/challenges of the organization, but I'm happy to give some general feedback...

...we are able to amend specifications, process and product without any input from QA/RA as these can be handled at departmental level so long as they don't impact on other areas.
This is definitely cause for concern! Unless there are people qualified to make quality and regulatory assessments of changes in each department, QA/RA should always be at the very least notified of changes.


As part of this procedure I am incorporating the following:

- Amended change classification system (minor, moderate, major/significant)
- QA review and approval of all changes
- Change control board approval for major changes
- Streamlining multiple change control procedures into one systematic procedure so we are taking a consistent approach.
All good improvements, I'd say. Especially the last - will simplify things tremendously.

...Ideally, I would like to escalate the larger changes to the change board for review and approval. This will be held on a weekly basis however I am now wondering whether this needs to be a physical meeting at all (Obviously for some it would be where resource, coordination, regulatory issues are more questionable).
What is the purpose of your "change board", if not to review and approve? Are they always the same people, or just parties that are impacted?

I agree, this doesn't have to be in physical meetings, and mandating weekly scheduling (or scheduling at all) is ill-advised, as the queue of changes, and nature of changes will inevitably vary.

As an alternative (where actions are straight forward), would it be appropriate to document the action plan within the change request form, which can then be approved electronically by QA and appropriate reviewers/impacted areas (CCB reps)? The change request form also includes reason, impact assessment, documentation, etc. and is currently already 4 pages long without the action plan. Is it standard practise to ask change initiators to document action plans with change requests? This seems like a quicker way of getting these approved.
This is a good strategy, IMO, and more-or-less the way we handle. Person initiating change request documents:
- Reason for change
- What needs to be changed, and how

We also have a checklist of standard impact assessments, which allows an action plan to be formed (e.g. what verification/validation, risk management, training, etc. tasks are required?)
- Does the change require notification to regulatory bodies?
- Does the change impact sampling plans? Is validity of previous testing impacted?
- Does the change impact device DMR/technical file?
- Does the change impact risk files?
- Does the change impact production?
- Are there any disposition requirements? i.e. how does the change affect current equipment, inventory, and product (both in inventory, and in the field)?
-...

Once completed, the request is then passed on for review by all affected parties. At this point the request can be revised as necessary for completion and accuracy, and is approved. Upon approval tasks are delegated (action plan).

Also, we don't currently inform our notified body of any changes we make to product/process. I have looked online but I am really struggling to distinguish between changes that require notification and those that do not. Does anybody know of any solid guidance on this, or an example decision tree/flow depicting how this decision is made in their own organisation? I'm also unsure as to "how" this communication should be provided to them, i.e. is email sufficient or should we have a controlled template for notifications to notified bodies?
There is a MEDDEV guidance for this.
If uncertain, don't hesitate to contact your notified body.

I have to have this in place within 4 weeks as part of a NC so am slightly panicking now. I have come across this forum today so thought it would be worth a shot. I have tried to ask management for guidance on this but I can't seem to get a straight answer except for "it's up to you" :(
Been there. But embrace the responsibility. You are tasked with setting up a major process! Consider the company operations and needs, and make sure you're creating something of value that will work in the context of your organisation.

Best of luck!

MM.
 
#4
Hello,
Ive worked in change control a few years and just want to give a brief answer to your questions.
1) as far as a formal committee meeting, its up do you, all you are required to do is to make sure that each change is vetted by sme's that are relevant to the change such as validation, facilities, utilities, manufacturing or QC, and QA.we always had regulatory as it is important to know if a change has affect on the dossier or changes something submitted for certification. We had a formal meeting and then changed it to just a meeting with Quality and Operations management and whomever is leading the change. Then decide if its minor or major and assign smes (subject matter experts) which will read the proposed change (vetting part) and approval will come through the software and approval of plan, QA, management of the complete plan.
2) Risk assessments are an important component with all smes and quality.
3) Regulatory takes care of notified body
4) You will have to determine guidelines for what is minor or major and what needs regulatory or notification
5) you form sounds like it covers everything except for timelines for when the change will be implemented and closed and if an effectivess review is needed. You do not need a list of actions on the opening of the change just overall what is being done and how. The actions may not all be knownuntil the smes meet and do a risk assessment and then they MUST send a statement of what their department needs to do (this will be the actions of the change). In addition, any documents that will be changed should be listed as well as references to other documents, specs, manufacturers etc..as needed.

So, having said that there is a lot of leeway as to how you accomplish it, but the most important is quality and sme approval of the change plan, a formal meeting is not required unless you feel its beneficial as the smes, quality will meet for the risk assessment and also review and approve the final change plan online software (or you will need a signature page). You can not do notifications by email, there may be an online form but this is usually done by a regulatory or trained management person. Concentrate on defining minor and major, which sme's will be needed, when and who will approve, and how will it be documented when the actions are done and, the change implemented? meaning its back to ISO (GMP) standards. All smes's will need training as well as QA and change leaders.
Good Luck!
 

Top Bottom