ISO 9001:2015 Requirements
The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements. The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.
1) The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.
reviewing and controlling changes to ensure continuing conformity with requirements is a critical aspect of quality management and compliance with standards like ISO 9001:2015. Here’s a comprehensive approach for organizations to follow:
- Change Identification:Establish a clear and formal process for identifying proposed changes. Anyone within the organization should be able to initiate a change request. Ensure that change requests include detailed information about the change, its purpose, and its potential impact.
- Change Request Submission:Create a system for submitting change requests. Standardize the format and content of change requests to ensure that they contain essential information, such as the rationale for the change and expected outcomes.
- Change Review Team:Form a cross-functional change review team comprising relevant stakeholders, including representatives from affected departments, subject matter experts, and quality assurance personnel.
- Impact Assessment:Conduct a comprehensive impact assessment to evaluate how the proposed change will affect conformity with requirements. Assess its impact on quality, compliance, safety, customer satisfaction, and any legal or regulatory obligations.
- Risk Analysis:Perform a risk analysis to identify potential risks associated with the change. Assess the likelihood and severity of these risks and develop mitigation plans where necessary.
- Change Approval Process:Establish a structured change approval process with clear criteria for approving or rejecting changes. Define roles and responsibilities, decision-making authority, and specific timelines for evaluation.
- Documentation and Records:Document all aspects of the change process, including assessments, risk analyses, approval decisions, and actions taken. Maintain a record of these activities for future reference and audits.
- Testing and Validation:If applicable, conduct testing or validation of the change to ensure that it does not negatively impact conformity with requirements. This may involve pilot testing, validation trials, or quality control checks.
- Communication:Communicate the approved changes and their implications to all relevant stakeholders, including employees, customers, suppliers, and regulatory bodies (if necessary). Ensure that everyone is informed of the change.
- Training and Education: Provide training and education to employees who will be affected by the change. Ensure they understand the new requirements and processes.
- Implementation Planning: Develop a detailed implementation plan, including timelines, resource allocation, and contingency plans, to ensure a smooth transition to the new state.
- Monitoring and Measurement: Establish Key Performance Indicators (KPIs) to monitor the effectiveness of the change and its impact on conformity with requirements. Regularly measure and report on these KPIs.
- Feedback Mechanism: Implement a feedback mechanism that allows employees, customers, and other stakeholders to report any issues or concerns related to the change.
- Periodic Review: Schedule periodic reviews of the change to ensure that it continues to meet conformity requirements and to identify opportunities for improvement.
- Continuous Improvement: Use the feedback and monitoring data to drive continuous improvement efforts. If issues or non-conformities are identified, take corrective actions promptly.
- Documentation and Record Keeping: -Maintain records of all change-related activities, including approvals, testing results, training records, and performance measurements.
- Management Review: Include the results of change control activities in management review meetings to ensure top-level awareness and commitment to maintaining conformity with requirements.
By following this comprehensive approach, organizations can effectively review and control changes to ensure continuing conformity with requirements. This systematic and structured approach helps mitigate risks, maintain quality, and enhance customer satisfaction while promoting compliance with relevant standards and regulations.
2) The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.
maintaining records of the results of change reviews, authorizations, and any necessary actions is a crucial aspect of change control and compliance with quality management standards such as ISO 9001:2015. These records provide documented evidence of the change management process and ensure transparency, accountability, and traceability. Here’s how an organization can maintain such records effectively:
- Record of Change Request:Create a standardized form or digital template for recording change requests. This record should include details like the date of the request, the person initiating the change, the description of the change, its purpose, and its potential impact.
- Change Review Records:Maintain records of the change review process. These records should capture the results of the impact assessment, risk analysis, and any discussions or decisions made by the change review team. Include details about how the change may affect conformity with requirements.
- Authorization Records:Document the authorization of the change, including the name of the person(s) authorizing the change, their roles or positions, and the date of authorization. This provides clear accountability for the decision to proceed with the change.
- Change Implementation Records:Track the implementation of approved changes, documenting the steps taken to put the change into practice. This can include details about testing, training, and communication efforts related to the change.
- Action Records:Maintain records of any actions taken as a result of the change review. This should include corrective actions, preventive actions, or any adjustments made to ensure continuing conformity with requirements.
- Communication Records:Keep records of all communications related to the change, including notifications to stakeholders, employees, customers, and suppliers. This ensures that everyone is informed about the change and its implications.
- Monitoring and Measurement Records:Document the results of monitoring and measurement activities related to the change. This includes any Key Performance Indicators (KPIs) or metrics used to assess the effectiveness of the change.
- Feedback and Improvement Records:Maintain records of feedback received from stakeholders, including employees and customers, regarding the change. Document any suggestions or concerns raised and actions taken to address them.
- Periodic Review Records:Keep records of periodic reviews of the change to assess its ongoing conformity with requirements and identify opportunities for improvement.
- Record Retention: Establish a record retention policy that defines how long records related to change management should be retained. Ensure that records are stored securely and are easily accessible for audits and reviews.
- Auditing and Documentation Validation:Regularly audit the documentation related to change control to ensure that it is complete, accurate, and up-to-date. Make necessary revisions and updates as needed.
- Management Review: Present records of change control activities in management review meetings to demonstrate compliance with standards and to gather insights for continuous improvement.
Maintaining these records not only helps ensure compliance but also facilitates transparency, accountability, and the ability to learn from past changes. It provides valuable documentation for audits, regulatory inspections, and management assessments.
Documented Information Required
In ISO 9001:2015, Clause 8.5.6 “Control of Changes” focuses on ensuring that changes to the organization’s processes, products, services, or the Quality Management System (QMS) itself are controlled and managed effectively. Here’s a list of documents and records required for compliance with Clause 8.5.6:
- Change Management Procedure: This is a documented procedure that outlines the organization’s process for managing changes. It should include the steps for initiating, reviewing, approving, implementing, and communicating changes.
- Change Request Form: A standardized form or digital template that individuals or departments use to submit change requests. It should capture essential information about the change, including its nature, purpose, potential impact, and rationale.
- Change Authorization Records: Documentation of the authorization process, including the names or positions of individuals responsible for approving changes, the date of authorization, and their signatures or electronic approvals.
- Change Review Records: Records of the review process for each change, including the results of impact assessments, risk analyses, and any discussions or decisions made by the change review team.
- Risk Analysis Documentation: Documentation related to risk assessments conducted for proposed changes. This should include information on identified risks, their potential impact, and mitigation plans.
- Change Implementation Records: Records of actions taken during the implementation of approved changes. This may include testing, training, and communication efforts related to the change.
- Action Records: Documentation of any corrective or preventive actions taken as a result of change reviews, including the rationale, actions, responsibilities, and deadlines for completion.
- Communication Records: Records of all communications related to the change, including notifications to stakeholders, employees, customers, and suppliers. This should include the method and date of communication.
- Monitoring and Measurement Records: Records of monitoring and measurement activities related to the change, including any Key Performance Indicators (KPIs) or metrics used to assess the effectiveness of the change.
- Feedback and Improvement Records: Records of feedback received from stakeholders, including employees and customers, regarding the change. Document any suggestions, concerns, or improvements made in response.
- Periodic Review Records: Records of periodic reviews of the change to assess its ongoing conformity with requirements and identify opportunities for further improvement.
- Record Retention Policy: A documented record retention policy that defines how long records related to change management should be retained and the criteria for disposal.
- Training and Competence Records: Documentation of training and competence records for employees involved in change management activities, demonstrating their qualifications and training related to the change control process.
- Documented Process Flowcharts: Flowcharts or process maps that visually depict the steps involved in the change control process, from initiation to implementation.
- Documented Process Responsibilities: A document outlining the responsibilities of individuals or departments involved in the change control process, including their roles and authorities.
- Management Review Records: Records of how change control activities are presented and discussed in management review meetings, demonstrating top-level awareness and commitment.
These documents and records are critical for effectively controlling changes within an organization while ensuring compliance with ISO 9001:2015 Clause 8.5.6. They provide a structured and documented approach to managing changes, maintaining quality, and promoting continual improvement.
Example of Change Management Procedure
- This procedure outlines the process for managing changes within [Organization Name]. It aims to ensure that all changes are systematically reviewed, authorized, implemented, and communicated while considering their potential impact on the Quality Management System (QMS), processes, products, and services.
- This procedure applies to all changes initiated within the organization, including changes to processes, products, services, and the QMS itself.
- Define any specific terms or acronyms used in the procedure.
4. Procedure Steps:
4.1. Change Initiation:
- Any employee or department may initiate a change by completing the “Change Request Form” (Appendix A).
- The change request should include details about the nature of the change, its purpose, potential benefits, and any risks or impacts.
4.2. Change Review:
- The Change Review Team, composed of relevant stakeholders, including representatives from affected departments and quality assurance, will review the change request.
- The team will assess the impact of the change on the QMS, processes, products, services, compliance, and other relevant factors.
- A risk analysis will be conducted to identify and evaluate potential risks associated with the change.
- The Change Review Team will decide whether to approve or reject the change based on the impact assessment and risk analysis.
- If approved, the team will designate an authorized person(s) to approve the change.
4.4. Change Implementation:
- The authorized person(s) will oversee the implementation of the approved change.
- Implementation may involve testing, training, and communication efforts to ensure a smooth transition.
- Communication plans will be developed to notify stakeholders, including employees, customers, suppliers, and regulatory bodies (if applicable), about the approved change.
- Effective communication will ensure that everyone is informed of the change and its implications.
4.6. Monitoring and Measurement:
- Key Performance Indicators (KPIs) or metrics related to the change will be established to monitor its effectiveness and impact.
- Regular measurement and reporting of these KPIs will occur.
4.7. Feedback and Improvement:
- Feedback from stakeholders, including employees and customers, will be solicited and evaluated regarding the change.
- Any suggestions, concerns, or improvements will be documented and addressed.
4.8. Record Keeping:
- All records related to change management, including change requests, impact assessments, authorization records, communication records, and feedback, will be maintained as per the Record Retention Policy (Appendix B).
- Include any relevant appendices, such as the Change Request Form (Appendix A) and the Record Retention Policy (Appendix B).
6. Revision and Review:
- This procedure will be reviewed, updated, and revised as necessary to reflect changes in the organization’s processes, products, services, or regulatory requirements.
Example of Change Request Form
- Name: [Requester’s Name]
- Department: [Requester’s Department]
- Date: [Date of Request]
- Contact Information: [Requester’s Email/Phone]
- Change Title/Description: [Brief title or description of the change]
- Nature of Change: [Select one: Process Change, Product Change, Service Change, QMS Change, Other (Specify)]
- Purpose of Change: [Explain why this change is necessary]
- Expected Benefits: [Describe the expected benefits of this change]
- Affected Area(s): [Specify departments, processes, products, or services impacted by the change]
- Potential Risks: [Identify potential risks associated with the change]
Change Request Review:
- Change Review Team: [List members of the change review team]
- Review Date: [Date of review]
- Decision: [Select one: Approved, Rejected, Further Review Required]
- Authorized Approver: [Name of the person authorized to approve the change]
- Approval Date: [Date of approval]
- Implementation Plan: [Provide a brief plan outlining how the change will be implemented, including timelines and responsibilities]
- Stakeholders to Notify: [List stakeholders, including employees, customers, suppliers, and regulatory bodies, if applicable]
- Communication Method: [Specify how the change will be communicated]
- Communication Date: [Date of communication]
Monitoring and Measurement:
- Key Performance Indicators (KPIs): [List any KPIs or metrics related to the change]
- Measurement Plan: [Explain how and when KPIs will be measured and reported]
Feedback and Improvement:
- Feedback Mechanism: [Describe how feedback from stakeholders will be collected and addressed]
- Suggestions/Concerns: [Document any suggestions, concerns, or improvements related to the change]
- [Attach any supporting documents or files related to the change request]
- Requester’s Signature: ___________________________ Date: _______________
- Authorized Approver’s Signature: __________________ Date: _______________
Note: For office use only
- Change Request Number: [Assigned by the organization]
- Status: [Open, Approved, Rejected, Implemented, Closed]
- Record Keeping: [Date and location of record keeping]
Example of Record Retention Policy
- The purpose of this policy is to establish guidelines for the retention and disposal of records within [Organization Name]. It aims to ensure that records are retained for the appropriate duration to meet legal, regulatory, operational, and historical requirements while minimizing storage costs and risks.
- This policy applies to all records, regardless of format or medium, created or received by [Organization Name] in the course of its business activities. It covers records related to administration, finance, human resources, quality management, customer service, and any other functional areas.
3. Policy Statement:
3.1. Record Categories:
- Records are categorized into the following types:
- Vital Records: Records critical to the continued operation of the organization.
- Legal and Regulatory Records: Records required to meet legal and regulatory obligations.
- Operational Records: Records necessary for ongoing business operations.
- Historical Records: Records of historical value or significance.
3.2. Retention Periods:
- Records will be retained based on their category and in compliance with applicable legal and regulatory requirements. Specific retention periods are outlined in the Record Retention Schedule (Appendix A).
3.3. Record Custodianship:
- Each record will have a designated custodian responsible for its maintenance and disposal in accordance with this policy.
3.4. Secure Storage:
- Records will be stored securely to prevent unauthorized access, damage, or loss.
- Records will be disposed of at the end of their retention periods in a manner that ensures confidentiality and compliance with data protection laws.
3.6. Record Destruction Authorization:
- Destruction of records will require written authorization from the designated custodian and compliance with legal and regulatory requirements.
4. Record Retention Schedule:
- The Record Retention Schedule (Appendix A) provides specific retention periods for various types of records maintained by [Organization Name]. It is updated as needed to reflect changes in legal or regulatory requirements.
- All employees, contractors, and third parties are required to comply with this policy and related procedures.
- [Organization Name] will provide training and guidance to employees on the proper retention and disposal of records.
7. Monitoring and Review:
- The [Position/Department] is responsible for monitoring compliance with this policy and conducting periodic reviews to ensure its effectiveness.
8. Record Keeping:
- Records related to this policy, including the Record Retention Schedule, record disposal authorizations, and records of destruction, will be maintained as required by legal and regulatory obligations.
9. Document History:
- This policy will be reviewed and updated as necessary to ensure its relevance and effectiveness. Document revision history will be maintained.
This example change management procedure provides a structured framework for managing changes within an organization. Remember to customize it to align with your organization’s specific needs and requirements, and ensure that it complies with ISO 9001:2015 or any other applicable standards or regulations.