Health IT Basics:
Principles of IT Change Control
Discipline helps to prevent chaos...
Do you have a mature Change Control process? We must understand the definitions and processes of Change Control so that we can better determine the maturity of our healthcare IT structures and functions. We can learn much through a critical look at our Change Control process.
We will cover the basics to help you understand the opportunities and challenges of IT Change Control. Organizations are often at significant risk of poor outcomes when they lack a mature change control model.
In a nutshell, change control is the formal process through which we evaluate and document the changes to our systems and products. It is a specific subset of the larger field of IT Change Management. The latter discipline ("change management") deals with all aspects of change to our people, processes and technology. While project managers often refer to change control and change management interchangeably, I think it is most helpful to discriminate between the two terms. I often refer to the latter as "change leadership" to make the distinction clearer.
Let's define sound principles of change control and then discuss the consequences of non-adherence.
Four key principles define change control:
- Tracking (an audit trail of all changes)
- Vetting (assessing) impact to technology changes
- Alignment to vision
Let's review each of these individually.
Organizations with great change control have an "evergreen" (i.e. continuously up to date) audit trail of every change in their system/products. While some organizations manage tracking with spreadsheets, the best will use a software database that ensures that they record all pertinent information to each change and find it easy to research, report and retrieve change control information. Change control databases should be accessible and transparent to the organization.
It is critical that you log all changes to the system/product, even if routine maintenance or an emergency change. Likewise one must conduct regular audits against policy and procedures to ensure that everyone is following the change control process correctly.
In order to track, an organization should have a consistent process for logging requests for any proposed changes to the system/product. The diagram below demonstrates a typical change control process and the steps that we must track. Good change control software will have a standard intake form (including required fields) and track each step of the process. Tracking may also include a maintenance and review cycle of a system/product.
We expect our change control software to have tickets for logging change control (CR) requests. New requests should include:
- Business reason/justification for request
- Build steps, if known (i.e. the work effort)
- End-user impact analysis including
- System downtime during the change
- Impact to other systems
- Impact to workflow and job/role responsibilities
- Risks of the change (including risks of not doing change)
- Education/training plan(s)
- Timeline for the change
- Including testing, validation and impact to other affected systems/products
- Back-out plan (What we do if it all goes badly)
Vetting impact to technology changes
Before any changes are made in our system/product, we should assess the impact of those changes to workflow, functions and operations. A multidisciplinary team is very helpful; it is rare that one person can truly evaluate our changes and their impact. Successful health systems include many subject matter experts (SME) in the process.
The business analyst evaluates the request and assesses both the risk of making the change as well as NOT making the change. The analyst weighs both risks and benefits. The analyst considers what "unintended consequences" will occur with making a change. He/she then documents the analysis. When benefits appear to exceed risks, the changes might proceed in a testing environment at this point. Ultimately the Change Control Board reviews the request to make the final determination on the validity of the change.
Successful organizations convene a Change Control Board (CCB) on a regular basis to review change requests (CR) and audits. In healthcare, the CCB typically meets weekly. Change Control governance in healthcare often includes sub-committees that review change requests first, then present to a final Executive CCB. Typical sub-committees include:
- Clinical systems change control (Overseeing EHR, PACS, and other clinical systems)
- Financial systems change control (Overseeing financial and other enterprise non-clinical systems (supply chain, human resources, etc.)
- Technical change control (Overseeing technology infrastructure, such as network, data center, telephony)
They also hold regular forums with end-users to understand current needs and discuss proposed changes.
Change control committees flourish with a multidisciplinary mix of individuals/roles. The successful organization sees change control meetings and attendance as a high priority. Otherwise, blind spots and missteps occur. The CCB must listen to the voice of the "gut". When one member feels uncomfortable with a change, the group must invest enough time to understand the reluctance. Often, the experienced CCB member senses danger before he/she logically processes the source of his/her concern. The CCB must avoid "group think" as well as a culture that silences its members concerns.
Alignment to Vision
A wise man once said, "If you don't know where you are going, you may end up at the wrong place." I think the diagram speaks for itself. We are either aligned to our vision, or heading somewhere else.
When the CCB knows and adheres to the vision, everything becomes much easier to process and review. Every step an organization takes, can either move us toward our vision or somewhere else.
Of course, this reminds us that we must know and communicate our vision. Even today we find organizations that are more reactive than proactive if their day to day operations. If the vision is unclear or undefined, the CCB can step in and drive toward clarity before it approves too many reactive changes. Vision helps to establish priority. Otherwise we are adrift in change and "busy-ness".
Warning Signs of Poor Change Control
- CCB does not meet regularly
- CCB meetings poorly attended
- Frequent emergency changes
- High incidence of "routine maintenance" causing poor outcomes
- No audits of change control compliance
- Frequent downtimes
- Frequent unintended consequences
- Noncompliance to change control sequence
Learn more about Leadership and Change Management Resources.