WI-RI-001 - System Change Control
Purpose
- Explain and provide instruction for initiating, reviewing, approving, and denying change requests for Research Informatics systems.
Responsibilities
- Personnel that submit a change request are responsible for managing it within the change control logs.
- System administrators or their designees are responsible for approval or denial of change requests for their system.
Instructions
Change Request Initiation
When a change to a system is being made a change request should be entered such that the change, its effects, and its risks are documented.
-
- Go to the Sharepoint Change Control page.
- Select ‘New’ at the top.
- Below is a list of all fields and a description of what each field should contain. Fields marked with an asterisk (*) are required before the request may be posted. Fields marked with a caret (^) are automatically filled, updated, or appended with the completion of the review/approval via Microsoft Teams.
- Request Date*: The date the request was officially made, or work began on staging the change.
- Status*^: Used to determine what the status of the change is. New, In Progress, Approved, Denied, or Deployed are the available statuses.
- System*: What system the change applies to. Currently allows for selection of OnCore, eReg, and REDCap.
- Request Type: Defines if the log entry is for a change/update to a system or caused by an incident.
- Requested by*: Who initially requested the change and is in charge of the details of the change request.
- Short Description*: A brief description of the changes being made to the system.
- Change Reason and Summary*: The reason for the change to be made, including a summarization of the changes and any details about them.
- Risk Analysis^: Denotes the need for a risk analysis, who performed it, and the results of such.
- Impact Assessment: An observation of the change being made to identify potential hazards as well as the impact on users or the system itself. 21 CFR Part 11 compliant systems or environments are required to complete a Risk Analysis document that should be attached to the change request.
- Testing^: A description of the testing required to ensure the system change is functional and has not adversely affected the system.
- Notification Plan: A plan to identify users, support team members, or other personnel that may require a notification of the change.
- Approver^: The designated approver for a change request. Typically the approver is a supervisor for that system.
- Approval Date^: Date that the approval was given for the change to enter a production environment.
- Reviewer^: Name of the person who reviewed the change in a testing environment. This should be performed by a member of the system support team.
- Deployment Date: Date that the change was deployed to a production environment.
- Deployed by (person): Who deployed the change to a production environment.
- Sign-off status^: A designation that the change request was approved or denied.
- Emergency Change: A designation of whether the change being made was an emergency change or not.
- Review Date^: Date that the change/change request was reviewed.
- Approval/Denial Reason: Reason for approving or denying a change request. If the change is approved, comments may be added here. If the change is deemed too risky or unnecessary, it may be denied and the reason for such documented here.
- Related References: Lists any additional references necessary for understanding context around the request, including ticket numbers, links, and other text-related methods of accessing information.
- Attachments: Any pertinent documents to the change request may be attached, including any Risk Analysis documents that were created.
- After filling in the required fields and any supplementary information that may be available, the change request can be saved.
- All change requests are given a unique identification number for easy tracking.
- Additional information should be added as identified if need be.
Impact Assessment
An analysis of the impact that the change would have upon the system and any related risks.
-
- The impact assessment should detail what is affected by the change including fields, consoles or other functionality.
- May additionally include, but is not limited to:
- Expected down time
- Customer or user impact
- Security risks
- May additionally include, but is not limited to:
- A Risk Analysis is required to be performed for 21 CFR Part 11 validated systems using SOP-RI-002 - Risk Analysis as a guide.
- The Risk Analysis Template should be used for this purpose, and attached to the change request upon completion.
- A Risk Analysis requires that a QA Specialist or IT Manager is contacted for review and guidance.
- The impact assessment should detail what is affected by the change including fields, consoles or other functionality.
Testing and Documentation
A change to a system should be tested and have the relevant documentation updated to reflect the change.
- The request should outline what testing is required to verify the integrity of the system after the change.
- The environment that the testing is conducted in should be included here.
- The version of the software being tested should be included in the request if applicable.
- Results of the testing should be included in the change request before deployment to a production environment.
- Documentation (e.g. DFDs, User Guides, Work Instructions) should be updated to reflect the change if applicable.
- Changes to documentation should be listed in the change request for tracking purposes.
Notification Plan
A plan that is made to ensure all that are affected by a change are properly notified.
-
- Any personnel or users that should be notified of the change to the system should be listed.
- The list of people to be notified may include, but is not limited to:
- The change request reviewer
- The change request approver
- The support team for the system
- Impacted users
- The method of notification (e.g., email, Teams, Application UGM, center/institute meeting agendas) may be listed. Note: When using methods like Application UGM and center/institute meeting agendas, ensure the item is added directly on the resource as well.
Change Request Comments
- If there is further discussion required during review or approval, such may be done with comments.
- To add a comment, do the following:
- Go to the Sharepoint Change Control page.
- Select the desired change request.
- Select 'Edit'.
- On the right side, add the comment or question you have.
- Ensure to add an @Name for the person you intend to have answer the question or address the comment.
- This step is crucial so that the person is notified via email.
Requesting a Risk Analysis
- Select the change request.
- At the top select Automate > Risk Analysis Request.
- Add a message for them in the Request field. This messaging should clearly state they are analyzing risk, not reviewing or approving the change.
- Add them to the Approvers list.
- If listing more than one person, only one needs to sign off. The first to respond will be listed as the reviewer.
- Set reminder specifications if desired.
- Select Run Flow to send an email and Microsoft Teams request to the designated individual.
Risk Analysis Request
A Risk Analysis of the requested change may be required before a change to the system is approved for production deployment. This is not an impact assessment and is required for Part 11 compliant systems. Only request this for Part 11 compliant systems, and assign the request to an IT QA Specialist or IT Manager.
Microsoft Teams Review
- Within Microsoft Teams, move to the Approvals tab
- If the Approvals tab is not visible, you can select it from the triple dots menu at the bottom of the sidebar.
- Select the request (it will appear as an approval).
- Select the attachment link and observe the change being made.
- After analysis of the change is complete, enter a comment in teams explaining the extent and result of the risk analysis.
- The comment is automatically added to the change request in the Risk Analysis field when submitted.
- Select Approve or Reject.
- Selecting Approve will automatically update the Risk Analysis field.
- The Risk Analysis field is appended with the comment provided.
- Selecting Reject will automatically update the Risk Analysis field.
- The Risk Analysis field is appended with the comment provided.
- If a change is determined to not need a risk analysis, the request may be rejected with a comment stating such. Comments will still be appended to the Risk Analysis field.
- Selecting Approve will automatically update the Risk Analysis field.
- After completion of the risk analysis, the review and approval processes may proceed.
Requesting Review
- Select the change request.
- At the top select Automate > Change Request Review.
- Add a message for the reviewer in the Request field. This messaging should clearly state they are reviewing/testing the change, not approving it.
- Add the reviewer to the Approvers list.
- If listing more than one reviewer, only one needs to sign off. The first to review the change will be listed as the reviewer.
- Set reminder specifications if desired.
- Select Run Flow to send an email and Microsoft Teams approval request to the reviewer.
Review of a Change Request
A review of the requested change is required before a change to the system is approved for production deployment.
-
- All changes should be reviewed by a member of the support team for the system being changed.
- The reviewer is responsible for ensuring all changes to the system have been made correctly and did not cause extraneous variances.
- The extent of the review should include, but is not limited to:
- Testing and verifying test results in a non-production environment.
- Ensuring the impact assessment (and risk analysis, if applicable) encompasses the hazards that the change may cause.
- Verifying that any changes to documentation have been listed.
- Inspecting the notification plan for all who need to be informed.
- The following information should be added to the change request:
- Who reviewed the change request.
- Date the request was reviewed.
- The extent of testing and any issues encountered during such.
- The reviewer is responsible for providing feedback to the original requester if all requirements are not met.
- After alterations are made to the system the review process should be repeated until all requirements are satisfied.
- Problems encountered during testing should be documented with the change request.
There are two methods of documenting review of a change request. However, if you received a Microsoft Teams Review Request, you must use Microsoft Teams:
- Microsoft Teams Review (preferred method)
- Within Microsoft Teams, move to the Approvals tab
- If the Approvals tab is not visible, you can select it from the triple dots menu at the bottom of the sidebar.
- Select the review request (it will appear as an approval, but the action is still a review).
- Select the attachment link and observe the change being made.
- After testing of the change is complete, enter a comment in teams explaining the extent and result of testing.
- The comment is automatically added to the change request in the Testing field when submitted.
- Select Approve or Reject.
- Selecting Approve will automatically update the Reviewer, Review Date, and Testing fields.
- The Testing field is appended with the comment provided by the reviewer when approved.
- Selecting Reject will automatically update the Reviewer field.
- No other fields are recorded in this instance as the testing is deemed incomplete.
- Rejected reviews are typically caused by selection of the wrong reviewer, an inability to test, or cancellation of the change request.
- Selecting Approve will automatically update the Reviewer, Review Date, and Testing fields.
- Sharepoint Review (only as a backup)
- Go to the Sharepoint Change Control page.
- Select the desired change request.
- Select 'Edit'.
- Enter the name of the reviewer in the 'Reviewer' field.
- Enter the date the request was reviewed in the 'Review Date' field.
- Enter details of the extent and results of testing in the 'Testing' field if applicable.
- This should begin on a new line and preceded with 'Reviewer comments:'
- Save the change request.
Requesting Approval
- Select the change request.
- At the top select Automate > Change Request Approval.
- Add a message for the approver in the Request field. This messaging should clearly state they are approving the change request.
- Add the approver to the Approvers list.
- If listing more than one Approver, only one needs to sign off. The first to sign off will be recorded as the Approver.
- Set reminder specifications if desired.
- Select Run Flow to send an email and Microsoft Teams approval request to the Approver.
Approval of a Change Request
A request is required to be approved before a change to the system is allowed to be made.
- All change requests must be approved by an application manager for the system or an appropriate designee before the change may proceed.
- Following approval of the request, work on the change in production may proceed.
- The approver is responsible for ensuring all applicable fields in the change request have been filled.
There are two methods of approving a change request. However, if you received a Microsoft Teams Approval Request, you must use Microsoft Teams:
- Microsoft Teams Approval (preferred method)
- Within Microsoft Teams, move to the Approvals tab.
- If the Approvals tab is not visible, you can select it from the triple dots menu at the bottom of the sidebar.
- Select the pending approval.
- Select the attachment link.
- After viewing the Sharepoint change request, enter a comment in teams explaining the approval of the request (if needed).
- The comment is automatically added to the change request in the Approval/Denial Reason field when submitted.
- Select Approve.
- Selecting Approve will automatically update the Status, Sign-off Status, Approver, and Approval Date fields.
- Sharepoint Approval (only as a backup)
- Go to the Sharepoint Change Control page.
- Select the desired change request.
- Select 'Edit'.
- Change the 'Status' field to 'Approved'.
- Change the 'Sign-off Status' field to 'Approved'.
- Enter the name of the approver in the 'Approved by' field.
- Enter the date the request was approved in the 'Approval Date' field.
- Save the change request.
Denial of a Change Request
A request that has been denied should prevent the change from occurring in production environments.
-
- The approver is responsible for denying the change request if problems are found.
- The reason for denial should be documented
- If the approver denies the change request the change should be prevented from applying to the system in a production environment.
- If the change is deemed unwanted or unable to be applied and is subsequently denied, the change request is considered resolved.
- All work on the change should cease.
- Any existing work should be reverted to a version prior to the change.
- If the change is still requested to be implemented after denial by the approver, steps to remedy the identified issues should be taken.
- After the issues have been addressed, the change request should proceed through the review and approval process, repeating this flow until the change is approved or cancelled.
- If the change is found to be unable to be approved, the request should be denied and considered cancelled.
- The approver is responsible for denying the change request if problems are found.
There are two methods of denying a change request. However, if you received a Microsoft Teams Request, you must use Microsoft Teams:
- Microsoft Teams Denial (preferred method)
- Within Microsoft Teams, move to the Approvals tab.
- If the Approvals tab is not visible, you can select it from the triple dots menu at the bottom of the sidebar.
- Select the pending approval.
- Select the attachment link.
- After viewing the Sharepoint change request, enter a comment in teams explaining the denial of the request (required).
- The comment is automatically added to the change request in the Approval/Denial Reason field when submitted.
- Select Reject.
- Selecting Reject will automatically update the Status, Sign-off Status, Approver, and Approval/Denial Reason fields.
- Sharepoint Denial (only as a backup)
- Go to the Sharepoint Change Control page.
- Select the desired change request.
- Select 'Edit'.
- Change the 'Sign-off Status' field to 'Denied'.
- Change the 'Status' field to 'Denied'.
- Enter the reason the request was denied in the 'Approval/Denial Reason' field.
- Save the change request.
Change Deployment
Approved requests may be deployed to a production environment.
- Approved requests may move forward with their deployment procedures.
- This process will vary based on system, and their specific procedures should be followed.
- After deployment the following fields need to be updated in the change request:
- Status should be set to Deployed.
- Deployed by (person) should be set to whoever lead the deployment of the change to production (if applicable, this not required for vendor lead updates).
- Deployment Date should be set to the date the change was made in production.
- An email reminder to set the deployment date and the status field one day after approval of the change control.
- Additional email reminders will be sent on a weekly basis until the deployment date field is filled.
- After a change is successfully deployed to production and the related fields are complete, the change request is considered complete.
Emergency Change Requests
An emergency change is defined as any update, disaster, or other immediate and/or unforeseen occurrence within a system that happens prior to the ability to create a change control entry (this includes vendor provided changes or updates that were applied without timely notification given to UW). Emergency changes to a system are required to be authorized and should be documented during or after the change has been made.
-
- An emergency change is required to be documented as a change request.
- The request should be filled in the same way as a normal change request, but it should be designated as an emergency change.
- Emergency changes are required to be authorized by the system manager or designee.
- The system manager or designee that authorizes the emergency change should also be the approver for the change request when it is added to the system.
- If there is adequate time before an emergency change is made the request may be added.
- In this scenario minimal information may be entered, but after deployment of the change any missing information should be placed in the change request.
- Emergency changes should be reviewed or tested before release to a production environment.
- Initial testing for an emergency change may be minimal to ensure a timely response to the emergency.
- Following the release of the change to a production environment, further testing may be done and documented in the change request.
- An emergency change is required to be documented as a change request.
Document History
Reviewed Date | Change Reason | Approver |
---|---|---|
08/04/2022 | Initial Document | Jacob Elfert |
10/6/2022 | Added Document History and Related Documents sections | Jacob Elfert |
01/19/2023 | Format update for deployment and emergency change headers | Jacob Elfert |
03/14/2023 | Added link to SOP-RI-010 - Change Management | Jacob Elfert |
04/13/2023 | Updated names of fields, added formatting, and adjusted links | Jacob Elfert |
09/14/2023 | Clarified Microsoft Teams flows and added info on deployment dates | Jacob Elfert |
07/03/2024 | Updated Document History date format, added caret to indicate automatic filling, updating, or appending of fields | Jill Kubiak |
07/10/2024 | Added additional definition for Emergency Change requests | Jacob Elfert |
08/06/2024 | Added Risk Analysis section. Added Reference, Request Type, and Risk Analysis fields | Jacob Elfert |
08/15/2024 | Updated Notification Plan method to include Application UGM and center/institute meeting agendas | Jill Kubiak |