AgentSkillsCN

Change Control

变更控制

SKILL.md
--- frontmatter
skill_id: DOC-CHANGE-CONTROL
version: 1.0.0
last_updated: 2026-01-04
applies_to: [Class A, Class B, Class C]
jurisdiction: [FDA, EU MDR, Global]
prerequisites: [REG-IEC62304, REG-ISO14971, DOC-INLINE]

Change Control Process

Purpose

Define controlled process for software changes: requests, impact analysis, approvals, verification, and configuration management in regulated contexts.

When to Apply

  • Any change to safety-relevant software, requirements, design, tests, or configuration items.
  • Defect fixes, updates, refactors, and dependency/SOUP updates.

Requirements (testable)

  1. Change Request: Document change description, rationale, items affected, and trace links (requirements, hazards, tests). Rationale: clarity.
  2. Impact Analysis: Assess safety, cybersecurity, interoperability, documentation, and submission impact (FDA/MDR). Rationale: risk-aware decisions.
  3. Approval: Obtain appropriate approvals (engineering + QA/RA) before implementation for safety-relevant changes. Rationale: governance.
  4. Verification: Define and execute verification/validation scope for the change; include regression tests. Rationale: assurance.
  5. Configuration Management: Update baselines, versions, and release notes; ensure traceability of change to artifacts. Rationale: auditability.
  6. Submission Considerations: Flag changes that may trigger regulatory submission/update; record decision. Rationale: compliance.

Recommended Practices

  • Use templates for change requests with required fields.
  • Include SBOM updates when dependencies change.
  • Capture change risk level (minor/major) and tailor verification accordingly.
  • Link commits/PRs to change request IDs.

Patterns

Change request (YAML):

yaml
CR-145:
  description: Fix over-infusion timing edge case
  rationale: observed jitter at low battery
  affects: [REQ-62304-102, RISK-CTRL-19, TEST-410]
  risk: major
  submission_impact: no (reviewed QA/RA)

Verification entry:

markdown
Tests: TEST-410, TEST-411 rerun; new TEST-415 added for low-batt timing
Result: PASS

Anti-Patterns (risks)

  • Implementing changes without impact analysis -> risk: missed verification, submission gaps.
  • Skipping approvals for safety changes -> risk: noncompliance.
  • No linkage to tests/requirements -> risk: lost traceability.
  • Not updating SBOM after dependency changes -> risk: unmanaged vulnerabilities.

Verification Checklist

  • Change request recorded with rationale and affected artifacts.
  • Impact analysis completed (safety, cyber, interoperability, submission).
  • Approvals obtained per policy for safety-relevant changes.
  • Verification/regression defined and executed; results recorded.
  • Baselines/versioning/release notes updated; traceability maintained.
  • Submission impact decision documented.

Traceability

  • Change IDs (CR-###) linked to requirements, risks, commits/PRs, and test evidence.
  • Store decisions and approvals with release artifacts.

References

  • IEC 62304 (configuration management and change control).
  • FDA/MDR expectations for software change impact and documentation.

Changelog

  • 1.0.0 (2026-01-04): Initial change control skill with impact analysis and approval process.

Audit History

  • 2026-01-04: Audit performed. Verified:
    • IEC 62304 configuration management and change control references accurate
    • FDA/MDR change impact documentation expectations correctly noted