8.5.6 Control of changes
This clause is critical and essential and, excluding the clear definition of requirements in the first place, the biggest risk, in my opinion to the stability of the QMS. Changes which are not clearly communicated create confusion. Changes which have not been adequately reviewed and vetted may be implemented and result in an undesired outcome. Changes, in general, create instability and a robust change management process is critical to ensure changes are fully reviewed, approved, communicated, understood and validated when they are implemented.
ISO9001:2015 describes the following requirements:
“The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.” The organization is required to review and control changes for all of the previously discussed “production and service provision” topics including 8.5.1 Control of production and service provision (all of the controls established in the first place), 8.5.2 Identification and traceability, 8.5.3 Property belonging to customers or external providers, 8.5.4 Preservation and 8.5.5 Post-delivery activities. So, just as the QMS must have defined each of these items, any changes to them must be controlled.
“The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.” The interesting point here is that while this clause requires the above listed components of the QMS be protected during changes, and the changes be documented, only 8.5.2 and 8.5.3 have the requirement to have been documented in the first place. Therefore, the organization must determine the most effective way to retain documented information of changes, whether the issue was initially documented or not.
THIS WEEK’S HOMEWORK
Review your QMS and determine where each of the bullets in this clause is determined. Then, follow the trail to determine whether you have “documented information” regarding changes to any of those areas. Review your change management process to ensure it includes the requirements of ” results of the review of changes”, “the person(s) authorizing the change” and “any necessary actions arising from the review”.