OQOTECH→ Consultoría GxP/CSV
Back to blog
CSV/CSAcontrol de cambiosmantenimiento del estado de controlvalidación de sistemas GxP relevantes

Change Control in Computerized Systems: A Lifecycle Management Approach

Mayte Garrote5 min read

Introduction

Computerized systems in GxP environments require rigorous change control to maintain their validated status throughout their lifecycle. The GAMP 5 guidance states that any modification must be evaluated to determine its impact on functionality, security and data integrity. The FDA’s 21 CFR Part 11 and EU GMP Annex 11 require documented procedures to ensure that changes do not compromise the validity of the system. Inadequate management may result in loss of controlled status and require full revalidation.

Regulatory framework for change control

Change control in GxP computerised systems is based on several regulatory frameworks that set out specific requirements to maintain the integrity of the validated system.

Requirements according to GAMP 5

The GAMP 5 guidance defines change control as a systematic process for evaluating, approving, implementing and verifying modifications to computerised systems. It stipulates that all changes must be classified according to their impact:

  • Minor changes: corrections that do not affect critical functionality
  • Major changes: modifications that impact GxP-related functions
  • Critical changes: significant alterations that may require partial or full revalidation

Compliance with 21 CFR Part 11 and EU GMP Annex 11

Both regulations stipulate that systems must maintain appropriate controls throughout their operational life. This includes documenting all changes, assessing their impact on existing validation, and implementing corrective measures where necessary.

Change management methodology

Initial assessment of the change

The first step involves formally documenting the change request, including:

  • Detailed description of the proposed modification
  • Technical and business justification
  • Identification of affected systems and processes
  • Preliminary risk assessment

Impact analysis on validation

Each change must be assessed against existing validation documentation to determine:

  • Impact on user requirements specifications (URS): Does the change alter functional or performance requirements?
  • Impact on functional specifications (FS): Are functions critical to GxP being modified?
  • Impact on qualification: Does it require re-execution of IQ, OQ or PQ protocols?
  • Effect on operating procedures: Does it require SOP updates or training?

Classification and approval

Based on the impact analysis, changes are classified according to their criticality:

Level 1 – No GxP impact: Administrative changes or minor corrections that do not affect validated functionality. Require approval from the system administrator.

Level 2 – Low GxP impact: Modifications affecting non-critical functions. Require approval from the quality manager and limited testing.

Level 3 – High GxP impact: Changes modifying critical or safety functions. Require approval from the change committee and revalidation activities.

Controlled implementation

Implementation must follow a structured protocol:

  1. Environment preparation: Full system and data backup
  2. Development implementation: Application of the change in the test environment
  3. Functional testing: Verification that the change works according to specification
  4. Regression testing: Confirmation that existing functions have not been affected
  5. Migration to production: Controlled implementation with a rollback plan

Verification and documentation

Post-implementation, the following must be done:

  • Verify that the change meets the specified requirements
  • Confirm that there are no unforeseen impacts
  • Update the affected validation documentation
  • Record the change in the system configuration log
  • Notify affected users

Practical application in GxP environments

Security patch management

A common example is the application of security patches to LIMS systems. The process includes:

  1. Evaluation of the patch against the validated configuration
  2. Testing in a test environment to identify potential conflicts
  3. Documentation of the impact on interfaces and integrations
  4. Deployment during a scheduled maintenance window
  5. Post-deployment verification of critical functions

Third-party software updates

For updates to applications such as ERP or MES systems:

  • Review of the supplier’s release notes
  • Mapping of new functionalities against URS
  • Assessment of the impact on interface validations
  • Planning of necessary revalidation activities
  • Coordination with multiple internal stakeholders

Infrastructure changes

Hardware or operating system modifications require:

  • Compatibility analysis with validated applications
  • Verification that security controls are maintained
  • Disaster recovery testing
  • Updating of infrastructure qualification documentation

Conclusion

A robust change control methodology is essential for maintaining the validated status of GxP computerised systems. The systematic classification of changes according to their impact, together with documented assessment and implementation processes, ensures ongoing regulatory compliance. The key to success lies in proactive risk assessment, comprehensive documentation and post-implementation verification to confirm that the system maintains its integrity, functionality and regulatory compliance.

Related services

We can help you directly with this

System ValidationComplete validation of computerized systems: ERP, LIMS, MES, mobile applications, medical devices and AI systems under GxP regulations and 21 CFR Part 11.View serviceSAP ValidationSAP validation in GxP environments under 21 CFR Part 11 and GAMP 5: QM, PP, MM, SD, HR and S/4HANA modules. Full coverage of upgrades, patches and regulatory updates.View serviceProcess AutomationDigitalization of quality and compliance processes: paper elimination, electronic workflows and electronic signatures compliant with 21 CFR Part 11.View service

Was this useful?

If you have a validation project or need regulatory support, we can help.

Talk to an expert