Skip to content
CHANGEROUTE

Change Control Procedure for ISO 9001: A Practical Template for UK Manufacturers

What a Change Control Procedure Has to Do

A change control procedure is the documented method your organisation uses to review, approve, implement, and record changes to its products, processes, and supporting documentation. For UK manufacturers certified to ISO 9001:2015, it is the procedure that turns clause 8.5.6 ("control of changes") from a requirement into a repeatable, auditable practice.

The procedure does not have to be long. A two-page document that clearly defines what counts as a change, who reviews it, who approves it, and what records are kept will satisfy an auditor far better than a twenty-page document nobody follows. The test an auditor applies is simple: can you take a recent change and show the procedure was actually followed?

This guide sets out a practical structure for a change control procedure suited to a UK manufacturing SME, and explains exactly which records ISO 9001:2015 requires you to keep.

What ISO 9001:2015 Actually Requires

Two clauses govern change control, and it helps to be clear about which applies where.

Clause 8.5.6 — Control of changes is the operational one. It requires the organisation to review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements. The clause requires you to retain documented information that describes:

  • The results of the review of the change
  • The person(s) authorising the change
  • Any necessary actions arising from the review

Clause 8.3.6 — Design and development changes applies specifically to changes made during or after design and development. It requires changes to design inputs and outputs to be identified, reviewed, and controlled to prevent adverse impact on conformity, and the retention of documented information on the changes, the review results, the authorisation, and the actions taken.

Most SME manufacturers operate one change control procedure that covers both clauses, with the design-specific requirements of 8.3.6 handled as a stronger review path inside the same procedure. That is acceptable — the standard does not require separate procedures. What it requires is that both kinds of change are controlled and recorded.

Note that neither clause prescribes a form, a numbering scheme, or a software system. The standard describes the outcomes; the method is yours.

A Practical Change Control Procedure Structure

Here is a structure a UK manufacturing SME can adopt directly. Each section maps to something an auditor will look for.

1. Purpose and Scope

State what the procedure controls. For a manufacturing SME this is typically changes to:

  • Product designs, drawings, and specifications
  • Bills of materials (BOMs)
  • Manufacturing processes, work instructions, and routings
  • Inspection and test plans
  • Approved suppliers and materials
  • Controlled QMS documents

Define what is out of scope too — for example, routine document formatting updates that do not change technical content may be handled under a lighter document control process rather than full change control.

2. Definitions and Change Classification

Define your change types and classify them by risk. A common SME approach uses two or three tiers:

  • Minor change — no impact on form, fit, function, or compliance (e.g. a typographical correction on a drawing note). Reviewed and approved by one authorised person.
  • Major change — affects form, fit, function, customer requirements, or regulatory compliance. Requires full review through the Change Control Board (CCB).

Documenting the threshold between minor and major is important: auditors specifically check for changes that bypassed proper review by being mis-classified as minor.

3. Raising a Change Request

Define how a change is initiated. This is the Engineering Change Request (ECR) stage. The request should capture what is changing, why, who is requesting it, and any supporting evidence such as a linked non-conformance report or customer instruction.

4. Impact Assessment

Specify who assesses the change and what they assess. For a manufacturing change this normally means engineering, production, purchasing, and quality each evaluating the effect on their area. For a process change, a Process FMEA review is the standard way to assess what new failure modes the change might introduce. The assessment is the evidence that the change was reviewed before approval — the core of clause 8.5.6.

5. Review and Approval

Define who approves which class of change and at what authority level. State that approval must happen before implementation — retrospective approval is a common audit finding. Record the names of the authorising persons; clause 8.5.6 requires this explicitly.

6. Implementation

Describe how an approved change is rolled out: which documents are revised, who updates them, how staff are notified and trained, and how superseded documents are withdrawn. The approved change becomes an Engineering Change Order (ECO) — the formal instruction to implement.

7. Verification and Close-Out

State how you confirm the change achieved its intent without introducing new problems, and how the change record is closed. The closed record is the complete audit evidence.

8. Records and Retention

List the records the procedure produces and how long they are kept. At minimum, ISO 9001:2015 clause 8.5.6 requires you to retain the review results, the authorising person, and the necessary actions. Most UK SMEs keep change records for a defined period (commonly three years, longer for safety-critical or regulated products) and document the retention rule in this section.

The Records Auditors Check

During an ISO 9001 surveillance audit, the auditor typically selects two or three recent changes and traces each one through your procedure. They are checking that:

  1. The change was reviewed before implementation, with the review documented
  2. The impact assessment covered all affected areas
  3. The approval was given by a person with the correct authority, and that person is named in the record
  4. Affected documents were actually revised to reflect the change
  5. The change is traceable from its trigger (an NCR, a customer request, a design improvement) through to close-out
  6. The record is complete and retrievable

The most common findings are incomplete records — a missing impact assessment, an unnamed approver, or a document that was changed in practice but never formally revised.

Keeping It Proportionate

The biggest mistake SME manufacturers make with change control is over-engineering it. A procedure with seven approval signatures for a typo correction will be ignored, and an ignored procedure is worse than a simple one because the gap between the written procedure and actual practice is itself a non-conformance.

ISO 9001:2015 builds proportionality into the requirement: clause 8.5.6 controls changes "to the extent necessary." A minor change can be reviewed and approved by one person in five minutes, provided the record shows it was reviewed and who approved it. Reserve the full CCB process for changes that genuinely affect form, fit, function, or compliance.

How ChangeRoute Fits

A change control procedure is only as good as the discipline behind it — and discipline is hard to maintain across email chains, spreadsheets, and paper routing slips. ChangeRoute is built to run exactly this procedure: structured ECR submission, routed impact assessment, CCB approval with named authorisers and timestamps, ECO generation, and a complete, exportable audit evidence pack for each change.

If you run a UK manufacturing SME and want a change control procedure that runs itself instead of living in a Word document, join the waitlist for early access.

Sources

  • ISO 9001:2015 — Quality management systems — Requirements (clauses 8.5.6 Control of changes and 8.3.6 Design and development changes). Available from ISO and BSI (paywalled).
  • ISO/TC 176 — the ISO Technical Committee responsible for ISO 9001: iso.org/committee/53882
  • UKAS — United Kingdom Accreditation Service, the UK accreditation body for certification bodies issuing ISO 9001 certificates.

Ready to automate your change management workflow?

ChangeRoute replaces paper ECRs with a structured digital workflow. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy.

Related guides

How to Set Up a Change Control Board for SME Manufacturers

Practical guide to establishing a Change Control Board (CCB) for small and medium UK manufacturers. Roles, meeting structure, decision criteria, and ISO 9001 compliance tips.

Engineering Change Management: The Complete ISO 9001 Guide

A comprehensive guide to engineering change management for UK manufacturers. Covers ECR, ECO, ECN processes, ISO 9001 clauses 8.3.6 and 8.5.6, and practical implementation for SMEs.

Corrective Action and Preventive Action (CAPA): An ISO 9001 Guide for UK Manufacturers

What CAPA means under ISO 9001:2015, why 'preventive action' became risk-based thinking, and how UK manufacturing SMEs run an audit-ready corrective action process.