Impact Assessment

What impact assessment is — and how it differs from change impact assessment

Impact assessment is the cross-cutting discipline. Change impact assessment is one of its applications. They're related but not the same thing.

Impact assessment is the structured evaluation of any decision or event's potential effects on product quality, patient safety, validation status, regulatory commitments, and operations. It's the methodology that turns risk-based thinking from principle into specific judgment — applied wherever a decision could have consequences beyond the immediate context.

Impact assessment isn't a single workflow; it's a discipline that lives inside many workflows. Change impact assessment sits inside change control. Deviation impact lives inside investigation. CAPA impact lives inside action planning. Supplier-change impact lives inside supplier notification handling. Each application uses the same risk-based methodology, scoped to the specific decision at hand. When a colleague says "we need an impact assessment", the workflow context determines what the assessment actually covers.

The 2023 ICH Q9(R1) revision raised the bar across every application. R1 emphasises subjectivity awareness, deliberate hazard identification, appropriate formality, and risk-based decision-making. These principles affect how impact assessment should be conducted whether the trigger is a change, a deviation, a CAPA, or a supplier notification.

Why impact assessment surfaces across so many inspection findings

Impact assessment shows up as a finding in change control inspections, deviation inspections, CAPA inspections, supplier inspections, and validation inspections — because the same discipline runs through all of them. Programs with weak impact assessment in one area typically have it in others, and inspectors increasingly look at impact assessment as a cross-cutting discipline rather than evaluating it once per workflow.

The 2023 ICH Q9(R1) revision raised the bar specifically. R1 calls out subjectivity in scoring, single-perspective bias in assessment, and tick-box assessment that doesn't actually consider hazards deliberately. The implication: pure-numerical scoring without rationale, copy-paste assessment language across distinct decisions, and assessment-after-the-fact are all increasingly cited.

This is also where the change-specific entry and this one differ in emphasis. Change impact assessment focuses on getting one change right inside change control. Impact assessment as a discipline asks whether the firm applies the same rigour everywhere it's needed. A program where change impact assessments are excellent but deviation impact assessments are pro forma fails the consistency test.

Inspector perspective: sampling across workflows is the test that reveals whether impact assessment is systemic or contextual. A few change requests, a few CAPAs, a few significant deviations. If the same discipline appears across them — same scope coverage, same methodology, same depth scaled to severity — the program is operating. If it varies dramatically by workflow, the discipline is contextual, and that itself is a finding pattern.

Where impact assessment obligations come from across frameworks

Impact assessment is embedded across quality framework expectations because it's the operational layer that connects risk principles to decisions:

• ICH Q9(R1) (effective 2023): the quality risk management framework. Impact assessment is the operational application. R1 strengthens expectations on subjectivity, hazard ID, formality, and decision-making.
• ICH Q10 §3.2.3 — Change Management System: risk-based evaluation — the change impact assessment application.
• ICH Q10 §3.2.2 — CAPA: impact considerations in CAPA planning and effectiveness assessment.
• ICH Q12: post-approval changes use risk-based categories; impact assessment determines the category.
• 21 CFR §211.100: written procedures including any changes — implicit impact assessment.
• 21 CFR §211.192: investigation of unexplained discrepancies — impact assessment on batches and processes.
• 21 CFR §820.30(i) — Design changes: review before implementation = impact assessment for design changes.
• 21 CFR §820.40(b) — Document changes: review = impact assessment for documentation.
• 21 CFR §820.100: CAPA system; impact considerations in action planning.
• EU GMP Chapter 1 §1.4: PQS elements including assessment of impact for changes and deviations.
• EU GMP Annex 15 §3: validation impact; defines when re-validation is needed.
• EU GMP Annex 11 §10: cumulative change impact reviewed periodically.
• ISO 13485 §4.1.4: changes to QMS evaluated for effect — explicit impact assessment requirement.
• ISO 13485 §7.3.9: design changes evaluation of effects.
• MHRA "GxP" Data Integrity Definitions and Guidance for Industry (March 2018, updated September 2021): impact on data integrity an explicit scope area.
• WHO TRS 1019, Annex 3: change management impact guidance.

How impact assessment runs across workflows

Impact assessment applies a consistent discipline across workflows, with context-specific scope adjustment:

• Defined methodology. Per ICH Q9(R1), the firm has a documented risk evaluation approach — severity × probability × detectability, FMEA-style, or an alternative matrix appropriate to the context. Applied consistently across workflows.
• Scope checklist per workflow type. Change impact: full scope (quality, safety, validation, regulatory, training, supplier, DI, EHS, business continuity). Deviation impact: focused (batch impact, validation state, regulatory commitments, related batches). CAPA impact: action-focused (validated state changes, training implications, supplier obligations). Each workflow has its own template.
• Multi-disciplinary input scaled to severity. Cross-functional assessment for high-severity items in any workflow. Single-perspective acceptable for low-severity, with documented rationale.
• Narrative rationale per scope area. Not just scores. Why is this area rated this way? What evidence supports the rating?
• Linked context referenced. Related changes, prior deviations, validation evidence, applicable SOPs all referenced from the assessment record.
• Pre-decision timing. Assessment completes before the decision is implemented. Post-decision assessment is a documentation finding.
• Update on new information. When new information emerges (additional batches affected, related event identified), the impact assessment is revisited and updated.
• Output drives decision. The assessment's conclusion determines the next step — change classification, batch disposition, CAPA depth, regulatory notification timing.
• Audit trail per assessment. Each record captured with identity, contribution, timestamp.
• Periodic methodology review. The risk methodology itself is reviewed periodically. Under ICH Q9(R1), assessors should be aware of subjectivity and the methodology should be updated to address known biases.

What strong impact assessment programs do across workflows

The patterns that hold up at inspection across workflows:

• Methodology consistent across workflows. Same risk principles applied; templates scoped to context.
• Scope checklist per workflow type. Built into the template; assessor prompted to consider each scope area.
• Depth scales with severity. High-severity items get multi-disciplinary input; low-severity get streamlined.
• Narrative rationale. Not just scores; reasoning visible.
• Linked context. Related records, prior assessments, applicable evidence referenced.
• Pre-decision timing. Always before implementation.
• Update on new information. Assessment revisited when context changes.
• Cross-functional input where warranted. Not single-perspective for major items.
• Output drives subsequent decisions. Classification, routing, depth all flow from the assessment.
• Audit trail per assessment. Identity, contribution, timestamp.
• Methodology review per Q9(R1). Periodic awareness of subjectivity, bias mitigation.
• Training on impact assessment principles. Personnel performing assessments trained on Q9(R1) principles, the methodology, and bias awareness.

How Complere supports impact assessment across workflows

Impact assessment is the discipline your quality team owns. Complere is built around the idea that the same discipline should look the same wherever it appears — so a reviewer comparing a change impact assessment, a deviation impact evaluation, and a CAPA impact analysis sees the same methodology applied with the same rigour.

Wherever an impact assessment belongs — inside a change request, inside a deviation investigation, inside a CAPA action plan, inside a risk record — the fields are right there in the record, not in a separate document somebody has to remember to attach. Your team configures the risk methodology once: the severity scale, the probability scale, the detectability scale, whatever decision rules you've built around them. That same methodology then flows into every workflow that asks for an impact assessment.

The consistency-check move your inspector likes — sampling across change, CAPA, and deviation records to see whether impact assessment quality varies by workflow — stops being a risk because the methodology can't drift from one workflow to another. It's the same configured matrix.

The assessment record carries the linked context with it: related changes, prior deviations, connected CAPAs, applicable validation evidence. The assessor sees the broader picture, and so does anyone reviewing later. Every contribution to the assessment — who added what, when, what they changed — lives on the record. Where the conclusion drives the next decision (a change classification, a batch disposition, a notification timing), the workflow routes from the conclusion rather than from someone's later interpretation of it.

What stays with your team: the risk methodology itself (the scales, the matrices, the decision rules), the scope checklists per workflow, the depth standards per severity, the cross-functional sign-off rules for major items, and the training that keeps your assessors current with Q9(R1). Complere makes the discipline easy to apply consistently and easy to evidence; the judgment and the methodology behind it are still your quality work.

Related quality discipline terms

Impact assessment is cross-cutting; it touches most quality workflows:

• Change Impact Assessment — the change-control-specific application
• Risk Management — provides the methodology (ICH Q9(R1))
• Change Control — the workflow where change impact assessment lives
• Deviation — deviation impact assessment is part of investigation
• CAPA — CAPA impact assessment is part of action planning
• Validation — validation impact is a scope area; conclusion drives re-validation
• Training Management — training impact is a scope area
• Supplier Qualification — supplier change impact is part of supplier governance