Change Impact Assessment

What change impact assessment is

Inside change control, the impact assessment is where the actual quality thinking happens. Change Impact Assessment (sometimes called Change Impact Analysis) is the structured evaluation of a proposed change's potential effects on product quality, patient safety, validation status, regulatory commitments, training, supplier obligations, and operational risk. It happens before the change is approved, and it drives the classification, the approval routing, and the implementation plan.

The change itself is rarely the failure mode. The assessment that should have caught the change's scope is. Tick-box assessments fail at inspection more reliably than any other change-control gap.

Impact assessment applies Quality Risk Management principles from ICH Q9(R1) — typically severity × probability × detectability scoring, or a defined matrix appropriate to the change type. Depth scales with the change's potential reach: a minor procedural correction warrants a brief assessment; a validated-system configuration change warrants multi-disciplinary cross-functional review with documented rationale per scope area.

Why impact assessment is the most-inspected element of change control

When an inspector pulls a change request, the impact assessment is usually where they linger longest. The change description tells them what was done. The impact assessment tells them whether the firm actually understood what they were doing. A thoughtful assessment with cross-functional rationale gives confidence; a tick-box assessment with the same wording across multiple unrelated changes raises immediate concern.

The 2023 ICH Q9(R1) revision raised the bar specifically. R1 calls out subjectivity in risk scoring and emphasises that hazard identification should be deliberate and multi-source. The implication for impact assessment: pure-numerical scoring without documented reasoning, single-perspective assessment without cross-functional input, and copy-paste assessment language across distinct changes are all increasingly cited.

The downstream consequence is real. Changes implemented on the basis of incomplete impact analysis tend to produce deviations. The unintended effect the assessment missed surfaces operationally. Those deviations trace back to the change, the change traces back to the assessment, and the firm has a two-finding stack instead of one.

Inspector perspective: when reading an impact assessment, the test is whether actual thinking is evident. Did the assessor consider validated state, training impact, supplier notifications, regulatory commitments? Is there a narrative explaining the reasoning, or just a score? When a critical scope area is missing entirely — training-on-change not addressed, or supplier-notification not checked when the change clearly affects a supplier — the finding writes itself.

Where change impact assessment obligations come from

Impact assessment is embedded in change-control expectations across most GxP frameworks:

• ICH Q9(R1) (effective 2023): quality risk management principles applied to change impact. R1 strengthens expectations on subjectivity, hazard identification, formality, and decision-making — all directly relevant to impact assessment quality.
• ICH Q10 §3.2.3 — Change Management System: requires risk-based evaluation, expert review, and management of regulatory commitments arising from the change. The risk-based evaluation is the impact assessment.
• ICH Q12: post-approval changes use risk-based categories; impact assessment determines which category applies and which regulatory commitments come with it.
• 21 CFR §211.100: written procedures for production and process control including any changes — implicitly requires understanding the change before implementing it.
• 21 CFR §820.30(i) — Design changes: identification, documentation, validation or verification, review, and approval of design changes before their implementation. The review is the impact assessment.
• 21 CFR §820.40(b) — Document changes: changes shall be reviewed and approved; the review is the impact assessment for documentation changes.
• EU GMP Annex 15 §3 — Qualification and Validation: defines when re-validation is needed; the determination comes from impact assessment.
• EU GMP Chapter 1 §1.4(xvii): change management system as a quality system element; presupposes impact assessment.
• EU GMP Annex 11 §10: periodic evaluation of computerised systems; cumulative change impact reviewed.
• ISO 13485 §4.1.4: changes to the QMS shall be evaluated for their effect — the explicit impact assessment requirement for device QMS.
• ISO 13485 §7.3.9: design and development changes evaluation of effects.
• MHRA "GxP" Data Integrity Definitions and Guidance for Industry (March 2018, updated September 2021): change impact on data integrity is an explicit scope area.
• WHO TRS 1019, Annex 3: WHO guidance on change management for pharmaceutical products.

What a working impact assessment process contains

A defensible impact assessment process runs through these elements:

• Scope checklist defined. The template names the areas to evaluate — product quality, patient safety, validation status, regulatory commitments, training, supplier obligations, data integrity, EHS, business continuity. Whether each area applies to this change is a judgment captured in the assessment, but the prompt to consider it is built in.
• Risk methodology applied. Per ICH Q9(R1), severity × probability × detectability or an equivalent risk matrix. The methodology is consistent across changes in the same category so classifications are comparable.
• Multi-disciplinary input where the change warrants it. Cross-functional assessment for major and critical changes — quality, regulatory, validation, supply, EHS as applicable. Single-perspective is acceptable for minor changes; for major changes it's a finding.
• Narrative rationale per scope area. Not just a score. Why is this area rated this way? What evidence supports the rating? What did the assessor consider? Narrative is what distinguishes thoughtful assessment from tick-box.
• Linked documents and prior changes. Affected SOPs, specifications, batch records, validation protocols, and related historical changes referenced. Assessment that doesn't acknowledge related context tends to miss systemic impact.
• Validation-impact determination. Explicit conclusion on whether the change affects validated state and, if so, the depth of re-validation or verification required (full, partial, performance verification, or no change to validated state).
• Training-impact determination. Explicit list of personnel affected; training plan if needed; whether effective date depends on training completion.
• Regulatory-impact determination. Explicit conclusion on regulatory filing implications under ICH Q12 or the applicable regional framework. Where regulatory filing is required, the change classification escalates.
• Supplier-notification check. Where the change requires notifying suppliers (per quality agreements) or customers, the notification list and timing captured.
• Classification output. The assessment's primary output is the change classification (minor, major, or critical), which drives approval routing and validation depth.
• Post-implementation reassessment. After the change goes live, the assessment is reviewed: predictions vs reality, unintended effects, assumption validity. Feeds the effectiveness review.

What strong impact assessment programs do

The patterns that hold up at inspection:

• Template covers full scope. Quality, safety, validation, regulatory, training, supplier, data integrity, EHS, business continuity prompts built in.
• Risk methodology consistent. Per ICH Q9(R1) principles, documented, consistent across changes in the same category.
• Depth scales with classification. Minor: brief justified assessment. Major or critical: multi-disciplinary cross-functional with documented rationale per scope.
• Narrative present, not just scores. Each scope area has reasoning, not a number alone.
• Cross-functional input where warranted. Quality, regulatory, validation, supply, EHS as applicable for major or critical.
• Validation-impact explicit. Specific conclusion on whether re-validation is needed and at what depth.
• Training-impact explicit. Affected personnel identified; training plan defined; effective date gating where appropriate.
• Regulatory-impact explicit. Filing implications considered under the ICH Q12 framework.
• Supplier-notification checked. Quality-agreement obligations evaluated.
• Linked context referenced. Related SOPs, specs, prior changes, validation evidence cited.
• Pre-approval timing. Assessment completes before approval, not after.
• Post-implementation reassessment. Predictions vs reality reviewed; informs effectiveness review.
• Bias awareness per Q9(R1). Assessor independent enough to challenge the change sponsor's preferred classification.

How Complere supports change impact assessment

Change impact assessment is the thinking your team does before a change moves forward. Complere gives that thinking a structured home — not a separate form that gets disconnected from the change, but fields built into the change request itself, present from the moment it's created.

When your team opens a change request, the impact assessment prompts are already there: scope areas to consider, risk evaluation, validation impact, training impact, regulatory impact, supplier-notification check. The change can't move to approval until the relevant fields are filled in, so a thin or empty assessment isn't a path the workflow allows. Your assessment depth scales with how you've classified the change — a minor wording correction gets a streamlined view; a major or critical change opens the deeper template with cross-functional sign-offs you've configured.

The change request stays linked to everything it touches. Affected SOPs, related prior changes, the validation evidence the change reaches into, the training tasks it generates, the suppliers your quality agreements require you to notify — all visible from the request, all reciprocally referenced from the related records. When your auditor asks "what else did this change affect?", you don't reconstruct it; you open the record. Every contributor's input, with their name, what they said, and when, is preserved in the history.

Once the change is live, the post-implementation reassessment step is part of the same workflow. The original assessment is right there; your reviewer captures whether what you predicted matched what happened, and whether the assumptions held. If a pattern emerges that needs systemic correction, it routes into CAPA from the same record.

What stays with your team: deciding what scope areas matter for your operations, what risk methodology you trust, what counts as minor versus major versus critical, who signs off on what, and the depth standards you hold your assessors to. Complere supports the discipline; the quality thinking is your team's.

Related change-management and risk terms

Change impact assessment sits inside change control and uses risk management methods:

• Change Control — the workflow impact assessment lives inside
• Risk Management — provides the methodology (ICH Q9(R1))
• Validation — validation impact is a primary scope area; conclusion drives re-validation
• Training Management — training impact is a primary scope area
• Supplier Qualification — supplier-notification check is a scope area
• Data Integrity — DI impact is a scope area per MHRA Sep 2021
• CAPA — CAPAs may trigger changes that require impact assessment
• Change Control Module