Apparently, it is not following proper change management practices
The US Navy has recently been forced to restrict the operations
of its three newest fast-attack nuclear submarines – including one that was
commissioned less than a week before – over "unauthorized and undocumented
weld repairs having been performed."
With a price tag of $2.6 billion for each submarine, one must consider the
impact that implementation of uncontrolled changes will have on the Navy’s
finances, operational readiness, reputation, and the performance of individuals
involved. Someone, at some point, had
made a decision that the required repairs were minor enough to bypass the
mandated change management procedures, or that, perhaps, they didn’t have the
time to deal with the required paperwork.
That erroneous decision had apparently resulted in great costs to
We see the same situations in the world of regulated
computerized systems, where lack of proper change management procedures, or
individuals choosing not to follow such procedures, force the systems as a
whole to be declared non-compliant and unreliable, with all the expected
consequences of such decisions.
I recently led a team tasked with assessing the state of
compliance of a large product Quality and Compliance Management system used to
support QA areas such as CAPA, non-conformances, product change control, audit
management, etc. The team had discovered
a number of serious issues, but the one that stood out was the fact that the
system was updated 29 times in the previous 12 months, without a single system
change following the applicable change control procedures. There were probably more changes performed
that could no longer be tracked.
Although an in-depth investigation included reviews of relevant
emails and meeting notes, as well as interviews with various personnel involved
in the changes, the necessary information about the performed changes, such as
what was done, when, why and by whom, could never be recovered. We interviewed the individuals responsible
for implementing the changes, and the primary reasons given for bypassing the
required process were “we didn’t have the time for documentation”, “it was just
a minor change”, “it was just a collection of bug fixes”, and, perhaps my
‘favorite’, “we couldn’t have the system users agree on the change, so we
decided to implement it in production to see if they like it”. Although the process was in place, the
individuals involved felt they were placed under circumstances that forced
them not to follow it.
The system stakeholders acknowledged that the changes were
implemented without due risk and impact assessments, and were not formally
authorized, adequately tested or approved for implementation. Technical analysis revealed that the system
documentation such as User Requirements and Design Specifications may only be 60-70%
accurate, and the system no longer behaved as described in the system test
scripts. When executive management
was informed, they had to decide whether the system must be taken offline, thus
forcing the business to revert to costly paper-based processes and erasing
millions of dollars spent on the initial system implementation and validation,
or whether the organization would choose to operate a non-compliant system “at risk”,
while rushing to fully revalidate the system.
Although the above case is extreme, we must never forget that
inadequately controlled system changes erode the validated and compliant
state of the system, one change at a time.
Regardless of how much funding and attention are invested in the initial
system purchase, implementation and validation, it is the uncontrolled system changes
that may ultimately obliterate all of these efforts, rendering the system non-compliant.
It is important to remember that although major system releases
normally receive the attention and funds required to follow the applicable
procedures, it is ‘minor’ system changes that are often made by smaller teams,
if not individual players, who may not follow the required procedures, be that
through a conscious decision or through the lack of training and understanding
of the required processes.
Organizations must proactively establish, communicate and
enforce appropriate change management processes and procedures, as well as stay
mindful of high-pressure environments that may force individual players to
circumvent the due process for the sake of saving time and effort. Although the individual ‘minor’ changes may
seem harmless, their cumulative effect may eventually be devastating.