CLAUSE 8 OPERATION

The bulk of the management system requirements lies within this single clause. Clause 8
addresses both in-house and outsourced processes, while the overall process management
includes adequate criteria to control these processes, as well as ways to manage planned and
unintended change.Whatever the organisation is in business to achieve, clause 8 is it. The
overall process management includes having process criteria, controlling the processes within the
criteria, controlling planned change and addressing unintended change as necessary. The
organization shall plan, implement and control the processes needed to meet their discipline-
specific requirements. This also relates to implementing the actions determined in 6.1 (actions to
address risks and opportunities) and 6.2 (objectives and plans to achieve them). The organization
is required to:

 Establish criteria for the processes (possibly in work instructions)

 Implement control of the processes, in accordance with the criteria (possibly
through training and awareness)
 Keep documented information to the extent necessary to have confidence that
the processes have been carried out as planned (possibly within its QMS, or integrated
MS)
 Control planned changes and review the consequences of unintended changes,
taking action to mitigate any adverse effects (possibly through a management of
change process)
 Ensuring outsourced processes are controlled. This would include control and/or
influence (depending on its ability to do so — size of order, importance to external
organization etc.).

Typical audit evidence would relate to: the type and extent of control/influence to be applied is
defined within its QMS, processes for assessing the importance/risk of the outsourced activity
and deriving suitable controls, and monitoring the effectiveness of the controls etc. This
could involve the purchasing, risk/compliance, and operations/production functions within
the organization. The context of the organization, and the relevant needs and expectations
of interested parties, will clearly have a bearing on the extent of control/Influence expected of its
outsourced processes.

Clause 8, Operation, has seven sub-clauses:

8.1 Operational Planning and Control

8.2 Determination of Requirements for Products and Services
8.3 Design and Development of Products and Services
8.4 Control of Externally Provided Products and Services
8.5 Production and Service Provision
8.6 Release of Products and Services
8.7 Control of Nonconforming Process Outputs, Products, and Services
8.1 Operational Planning and Control

The Organization should plan, implement, and control the processes, as outlined in 4.4,
needed to meet requirements for the provision of products and services and to implement the
actions determined in 6.1 by determining product and services requirements; establishing
criteria for the processes and for the acceptance of products and services; determining the
resources needed to achieve conformity to product and service requirements; implement
control of the processes in accordance with the criteria; determining, maintaining and retain
documented information to the extent necessary to have confidence that the processes have
been carried out as planned and to demonstrate conformity of products and services to
requirements. The output of this planning should be suitable for the organization’s
operations. The organization should control planned changes and review consequences of
unintended changes, taking action to mitigate any adverse effects, as necessary. The
organization should ensure outsourced processes are controlled in accordance with 8.4.

Clause 8.1 requires that operations be conducted through processes that are planned and
controlled regardless of whether the organization or an outside party performs the process.
Requirements for products and services are required to be determined and criteria established for
acceptance. Identification of resources needed to achieve conformity is required. Planned
changes are required to be controlled and action taken to mitigate the effects of unintended
consequences of changes. Documented information is required to be kept (retained) to
demonstrate conformity of product and service to requirements and that processes have been
carried out as planned. The individual planning step in the 2008 version focuses on determining
how to verify conformity, the 2015 version is oriented around the notion of managing
and adequately resourcing a set of processes so that a state of control is achieved even when
intended or unintended changes occur. It also indicates a requirement to review consequences
and mitigate adverse effects as necessary. The clause also requires that the organization keep
documented information to have confidence that these processes have been carried out
as required. Note that the requirement for processes to accomplish all the operational activities is
not repeated in each clause. A lack of repetitious requirements in each clause does not mean
processes and documented information are not required. The first sentence of clause 8.1 makes
the point that the organization “shall plan, implement and control the processes needed to meet
the requirements for the provision of products and services.” It also reinforces the relationship
between clauses 4.4 and 6. Therefore, even though ISO 9001:2015 may appear to some to have
reduced the requirements for processes and controls, we believe clause 8.1, coupled with clauses
4 and 6, requires an organization to define, document, control, and keep records at least at the
same level as previously required, and perhaps to an even greater level of comprehension.

Many organizations long ago adopted the process approach to managing operations, and thus
may already be close to conforming. They may review of the language in the new standard and
tweaking processes and documented information, as appropriate. The organization needs
to incorporate any additions, deletions, or modifications that are perceived as necessary or
desirable to conform with these more process—oriented requirements and possibly to improve
process effectiveness. Subtle “new” requirements related to control of changes and mitigating
adverse effects should also be considered. On the other hand, some organizations may not have
embraced the process approach to operational controls. Less documentation may be required,
but ISO 9001:2015 requires that the organization understand the processes needed to deliver
conforming products to customers. These processes must be understood not only with respect to
the products themselves but also in the broader context of the objectives of the organization and
any other requirements of the QMS (including interested parties and risks and opportunities). It
may be advisable to:

 Create a quality plan for a product or service to describe how the QMS will be modified
and applied to all operations. Such a plan could include or reference procedures and
records to be maintained and analyzed.
 Consider using the product design and development process approach for designing
processes. This is a requirement in the automotive industry. It has become a best practice
demonstrated in many organizations even though ISO 9001 does not explicitly require
adherence to the design and development requirements for internal process designs.
This enhances both the effectiveness and the efficiency of processes.
 Identify key performance measures for both products and processes and align them with
your quality and business objectives.

The only requirement in clause 8.1 for documented information is to retain or maintain
documented information as necessary to provide confidence that the processes have been carried
out as required. Organizations should also consider maintaining documented information
describing the operational processes and how they are to be carried out. The requirement to plan,
implement, and control the processes needed to meet the requirements for the provision of
products and services would be very difficult to achieve if documented information is not created
and maintained for all processes of the QMS

The focus of clause 8.1 is on controls governing the making of product to meet customer
requirements and all the QMS processes that, directly or indirectly, make this happen. Operation
processes may include customer related processes (sales and marketing), design and
development, production, shipping, receiving, packaging, measurement and monitoring of
product and processes, etc., whether performed onsite or off-site. Some of the support processes
that come to bear on Operations include document control, record control, human resources,
infrastructure provision and maintenance, IT, purchasing and materials management, laboratory
services and control of monitoring and measuring devices, business planning etc. The output of
Operation planning may be implemented in many different ways. It does not necessarily have to
be all in one document, but may sometimes include several documents such drawings, machine
set-up, inspection criteria, process sheets etc. These must be readily available to those
performing these processes.
You may also consider using specific product, contract or project quality plans to accomplish
this. Your quality plans should include the processes needed, process sequence and control
parameters, specific resources needed to make, verify and deliver product, product acceptance
criteria and quality objectives, product and process monitoring and measurement controls, plans
to control and correct any product or process nonconformities, reference to support processes,
documents needed such as work instructions or engineering specifications, etc. and details of
records to be kept. Focus on defect prevention in planning the controls for product realization.
Quality objectives may include defect rates, scrap rates, etc. Requirements or criteria for the
product may include physical properties, dimensional , functional, etc, and their related
measurements, tolerances and acceptance levels. In many instances, depending on the nature of
the product, the customer may specify objectives and requirements and criteria for the product
realization processes as well. You must identify and document all processes addressing this
clause as part of your QMS . For these processes, you must also identify what specific
documents are needed for effective planning, operation and control of production
processes. These documents may include contracts, specifications, orders, product quality plans,
work instructions, a documented procedure etc., combined with unwritten practices, procedures
and methods. Look at the risks related to your product, processes and resources in determining
the nature and extent of documented controls you need to have. Where any of the product
realization processes are done off-site (e.g. at head-office), your QMS must include the off-site
processes within your QMS and ensure that such processes comply with ISO 9001
requirements. The expectation is to flow down to the off-site facility, the relevant ISO 9001
requirements that you would have to implement, had you carried out the process at your own
facility. Performance indicators to measure the effectiveness of product realization in meeting
requirements and achieving quality objectives will be specific to each realization process and
focus on reducing variation and waste in realization processes and related use of
resources. Objectives may be used to monitor and improve process productivity, reduction of
cycle time, errors, omissions and failures etc. You must also consider indicators to measure
product performance such as – reduction in defect rates, PPM’s (defective parts per million),
scrap rates, waste and rework, improvement in on time delivery, product returns from customers
etc.
8.2 Determination of Requirements for Products and Services

8.2.1 Customer Communication

The organization must establish the processes for communicating with customers to
provide information relating to products and services; inquiries, contracts, or order handling,
including changes; obtaining customer feedback relating to product and services including
customer complaints; handling or controlling customer property, and establishing specific
requirements for contingency actions, when relevant.

8.2.2 Determination of Requirements related to Products and Services

The organization must ensure, while determining the requirements for the products and
services to be offered to customers that the product and service requirements (including those
considered necessary by the organization), and applicable legal requirements, are defined. The
organization must also ensure that it has the ability to meet the defined requirements and
substantiate the claims for the products and services it offers.

8.2.3 Review of Requirements for Product and services

8.2.3.1 The organization must ensure that it has the ability to meet the requirements for
products and services to be offered to customers. The organization shall conduct a review
before committing to supply products and services to a customer; The review should include
the requirements specified by the customer, including the requirements for delivery and post-
delivery activities; requirements not stated by the customer, but necessary for the specified or
intended use, when known; requirements specified by the organization; statutory and
regulatory requirements applicable to the products and services; contract or order
requirements differing from those previously expressed. The organization must ensure that
contract or order requirements differing from those previously defined are resolved.
When the customer does not provide a documented statement of their requirements, the
organization must confirm them before accepting them. In some situations, such as internet
sales, when a formal review is impractical for each order, the review can cover relevant
product information, such as catalogues.

8.2.3.2 The organization should retain documented information on the results of the review
and on any new requirements for the products and services.

8.2.4 Changes to requirements for products and services

The organization should ensure that relevant documented information is amended, and that
relevant persons are made aware of the changed requirements. when the requirements for
products and services are changed.

Clause 8.2.1 requires the organization to conduct communications with customers. The detail
requirements for communications with customers include:
  Providing product- and service-related information
 Handling customer orders of all types and changes thereto
 Getting customer feedback including complaints
 Exercising appropriate controls for any customer-owned property
 Establishing requirements for contingency actions

Clause 8.2.1 requires processes to accomplish specific types of information exchange. It require
five specific types of communication with customers to be included in the organization’s
processes:

 Product and service information, including customer requirements

 Documented agreements with the customer, such as contracts, orders, changes, and other
information needed to meet customer requirements
 Customer feedback including complaints
 The handling and treatment of customer-owned items was covered in great detail in
clause 7.5.4 in ISO 9001:2008. The specific requirements of the 2008 version have been
significantly simplified.
 Any contingency actions that are relevant.

Clause 8.2.1 is similar to clause 7.2.3 of ISO 9001:2008. The point of

grouping these items under customer communications is to emphasize that these communications
need to be systematically planned like all other processes. In doing so, consider the information
in clause 7.4 on communication and the requirements related to process management in clause
4.4. If the customer is the organization’s most import contact, shouldn’t we concentrate some
key planning effort on the processes used to communicate with them? It is generally necessary
that a careful record be maintained of the requirements. Often the process involves
multiple discussions, reviews (clause 8.2.2), and even early design and development work
(clause 8.3). Carefully thought-out methods are needed to efficiently retain this input information
for later use in the design process and as input to resolution of disputes that may arise.

Clause 8.2.2 requires the organization to determine the requirements related to its products and
services. This includes:

 Establishing a process for determining the requirements for the products offered to
potential customers
 Determining requirements of the customer
 Determining requirements for the organization
 Determining requirements from applicable statutes and regulations
 Determining that the organization has the ability to meet the requirements and
substantiate claims related to its products and services

One of the key things that the communication with customers needs to ensure is that customer
requirements and other requirements for the product or service are clearly understood. But
communication and understanding of customer requirements is only one piece of the
requirements puzzle. Many products are regulated and customers may have no knowledge of
the regulatory or statutory details. Often the organization has learned key things that must be
done a certain way for the product or service to meet customer requirements. Customers cannot
be expected to know about many of these things. It is the organization’s responsibility to
understand all these requirements and their specific application. It is also the
organization’s responsibility to determine whether it can successfully deliver conforming product
or service to the customer.
Conformity is not difficult for organizations providing off-the-shelf catalog products
manufactured to published specifications or standardized services with normal delivery
requirements. However, if customers are purchasing complex systems with custom engineering
and software according to a complex set of commercial terms, it is essential to obtain a
clear understanding of customer requirements by whatever means possible, including activities
such as holding face-to-face meetings and attending pre- bid meetings. Full determination of
customer requirements can be an iterative process. Often there are known issues that may evolve
into real requirements at a later stage. In such cases, documentation of the open issues and
providing for the attendant business risk may prove to be an acceptable approach to meeting the
requirements of this clause. The determination of customer requirements is a critical activity
and generally involves several functions and levels in an organization. It is recommended that
you maintain documented information to describe the process for determination of all aspects of
product and service requirements. The documented information should include both product
requirements specified by the customer and product requirements not specified by the customer
but necessary for intended or specified use. Also, unique regulatory and statutory requirements
should be considered as well as commercial terms and conditions.

Clause 8.2.2b requires that the organization have the ability to meet
requirements. Often with advanced products there is a need to advance the state of the art as
product development progresses. Such situations should be clearly identified and the business
risks understood. In such cases, the defined requirements could be the development of the needed
technological advance. To avoid customer complaints or dissatisfaction, even for
“requirements” that are not clearly stated (e.g., regulatory requirements or marketplace norms),
the organization should consider a comprehensive understanding of customer requirements,
perhaps even performing a failure modes and effects analysis (FMEA) on the processes as a form
of risk assessment. Since the review process required in clause 8.2.2 is often iterative, retention
of documented information of review results (eg, who reviewed what, when, and using what
method) can be a practical necessity. While clause 8.22 does not require retention of
any documented information on these determinations, it is recommended to have such records.

Clause 8.2.3 states the obligation of the organization to review the requirements of products and
services, which includes:

 Customer-specified requirements for the product or service, including any requirements

for delivery or post-delivery actions
 Requirements known to be needed by the organization even though not specified by the
customer
 Applicable statutory and regulatory requirements applying to the product or service
 Requirements of the final contract or order differing from those previously provided by
or discussed with the customer
The review is required to:

 Be performed prior to the organization’s commitment to produce

the product or service
 Ensure resolution of all order requirements that may differ from those previously defined
 Include confirmation of the requirements in cases where the customer does not provide
documented requirements o Retain documented information on the results of the review

The acceptance of an order or the submission of a quote or tender by an organization obliges the
organization to meet the conditions stated in the order or to provide the goods and services
included in the scope of the quotation or tender. The obligation assumed by the organization
includes not only the products defined but also ancillary items such as conformance to stated
delivery dates, adherence to referenced external standards, and compliance with the commercial
terms and conditions applicable to the order, contract, quote, or tender as well as applicable
statutory and regulatory requirements. The complexity of the order/quote review process depends
on the products and services of the organization. A process for reviewing oral orders for off-the-
shelf products with 24 hour delivery (e.g., software packages) will differ considerably from a
process for reviewing a large order for a one-of-a-kind product with a two-year delivery (e.g., an
order for a control system for an electric power-generating station). The review process must
also accommodate, as applicable, electronic orders, blanket orders with periodic releases,
unsolicited orders, orders through distributors or representatives, faxed orders, and an almost
infinite combination of these and other possibilities. If the organization is involved in internet
sales, creative thinking will be required to efficiently review customer requirements. With such a
spectrum of possibilities, what is an organization expected to do to conform to the requirements?
The first step should be to develop a clear understanding of the nature of the various kinds of
customer requirements and fully understand each communication channel involved. If, for
example, an organization publishes a catalog and accepts only written orders for catalog—listed
items to standard delivery times, then the order or contract- review procedure can be simple. The
process could be a designated individual (e.g., a manager, a clerk) reviewing, initiating, and
dating the written order. This simple process can be used as valid evidence that requirements can
be met. If an organization must address possibilities that occur only rarely, the organization
could simply note in documented information (i.e., a procedure) that any circumstances different
from standard terms and conditions will be addressed by a specific quality plan. Such a plan can
be generated as the unique occasion arises. Thus, a simple order-entry process can have a very
simple, brief, and effective contract-review process. For the large, complex contracts
or quotations, the review process may involve many organizational entities such as engineering,
manufacturing, legal, finance, and quality assurance. Accordingly, the procedures governing
such reviews can be complex and lengthy. A good guideline to keep in mind when developing a
process to address the specific requirements of clause 8.2.3 is to balance the risks to
the organization with the effort expended in a review of customer requirements, keeping in mind
that the purpose of the review is to add value and not to create a bureaucratic morass. A formal
process should be deployed that indicates who will do what and how often.

Clause 8.2.4 states that changes are required to be controlled and documented information
updated to ensure that changes are properly included in documented information. When changes
to product requirements, orders, contracts, or quotations occur, the organization is required to
ensure that relevant documented information is amended and communicated, as appropriate,
within the organization. This simple and fundamental requirements are often much harder to
meet. Changes tend to come from all sorts of sources. Customer floor-level workers in today’s
environment often talk directly to factory workers in customers’ plants. Cell phones are used to
relate the latest changes to schedules and requirements. The situation can turn into chaos. Thus,
control rules are needed so that decisions related to changes are made by the appropriate people
with the relevant and up-to-date information. These considerations should be a key part of
considering process interactions. Often rapid response is critical for the customer, so design the
system in such a way that you can deliver just that. Considerations for Documented Information
to Be Maintained and/or Retained, Keeping good records of changes is both a challenge and a
practical necessity.

Customer related processes must include controls for determining customer and regulatory
requirements, a review of such requirements, and communication with the customer. Customer
requirements extend beyond product specifications and may include on-time delivery,
packaging, labeling, mode of delivery, documentation, communications, QMS requirements,
after sales servicing, etc. Many of these requirements may also come from regulatory, industry or
from within your own organization. Depending on the product or service, you must determine if
any industry or regulatory requirement is applicable on product characteristics or process
parameters that affect the product’s safety or compliance with regulatory requirements. You
must consider all laws and regulatory requirements that may affect your product, materials,
labor, production processes, your facility and work environment, etc. Where some or all of the
processes – for determining customer requirements; for contract review and customer
communication; etc., are done offsite, then you must show the linkages and interaction of these
offsite activities with your on-site QMS processes. The nature of requirements review may be
different for different types of product or services. Your review records must show the basis of
review. Make sure you do your due diligence and risk analysis before you commit to contractual
arrangements. I have seen many companies get into serious financial trouble, for taking on
products transferred from another supplier, because they did not assess all the
risks. Manufacturing risk analysis is an assessment of your organization’s capacity and capability
to effectively and efficiently provide the customer specified deliverables. Risk analysis should
include timing, resources, development costs and investments, potential for, and effects of,
possible failures in processes, including suppliers. You should also consider financial and
profitability risk. Sometimes it may take a few months to receive an order or contract from the
customer, after you have sent them your quotation. Your review process must ensure that you
compare the customer’s order or contract with your latest quotation, and resolve any differences
(accept or re-negotiate), before you accept the order or contract. Your customer relations
management process must include a sub-process for change control and must include – a review
of the change either from customer or internal from organization and its impact on fit, form,
functionality, other processes, financial, delivery, etc. Have a process for change control. For
significant issues or changes, obtain customer approval in writing for any waivers or changes of
contractual or QMS requirements. Customer communications may take many forms such as
software and interfaces for design and development, logistics, customer satisfaction feedback,
etc. You must ensure that personnel at all levels have the competency and training to use these
communications media and tools. You must identify and document all processes addressing this
clause as part of your QMS . For these processes, you must also identify what specific
documents are needed for effective planning, operation and control of production
activities. These documents may include – contracts, specifications, orders, product quality
plans, work instruction, a documented procedure etc., combined with unwritten practices,
procedures and methods. Look at the risks related to your product, processes and resources in
determining the nature and extent of documented controls you need to have. Performance
indicators to measure the effectiveness of customer-related processes in meeting requirements
and achieving quality objectives should focus on reducing variation in and improving these
processes and related use of resources. Indicators may include reduction in quote cycle time, pre
and post-award review cycle time, order-entry errors and omissions etc., and improvement in
conversion ratio (i.e. ratio of contracts/orders awarded to quotes).

8.3 Design and Development of Products and Services

Clause 8.3, on design and development controls, has six subclauses:

 8.3.1 General
 8.3.2 Design and development planning
 8.3.3 Design and development inputs
 8.3.4 Design and development controls
 8.3.5 Design and development outputs
 8.3.6 Design and development changes

8.3.1 General

The organization should establish, implement, and maintain a design and development
process. such that they are adequate for subsequent production or service provision.

8.3.2 Design and Development Planning

While planning for design and development, the organization must consider the following in
determining the stages and controls for design and development:

1. the nature, duration and complexity of the design and development activities;
2. the required process stages, including applicable design and development reviews;
3. the required design and development verification and validation activities;
4. the responsibilities and authorities involved in the design and development process;
5. the internal and external resource needs for the design and development of products
and services;
6. the need to control interfaces between persons involved in the design and development
process;
7. the need for involvement of customers and users in the design and development
process;
8. the requirements for subsequent provision of products and services;
9. the level of control expected for the design and development process by customers and
other relevant interested parties;
 10. the documented information needed to demonstrate that design and development
requirements have been met

8.3.3 Design and Development Inputs

The organization must determine the requirements essential for the specific type of products
and services being designed and developed, including, as applicable, functional and
performance requirements; applicable legal requirements; information derived from previous
similar design and development activities; standards or codes of practice the organization has
committed to implement; potential consequences of failure due to the nature of products and
services; Ensure inputs are adequate for design and development purpose, complete, and
unambiguous. Resolve conflicts among Design and Development inputs.

8.3.4 Design and Development Controls

The organization should apply controls to the design and development process to ensure
that results to be achieved by the design and development activities are clearly defined;
Design and development reviews are conducted as planned; Verification activities are
conducted to ensure that the design and development outputs have met the design and
development input requirements; Validation activities are conducted to ensure that the
resulting products and services are capable of meeting the requirements for the specified
application or intended use (when known). The organization must take any necessary actions
on the problems determined during the reviews, or verification and validation activities. The
organization must maintain any documented information of these activities. Design and
development reviews, verification and validation have distinct purposes. They can
be conducted separately or in any combination. as is suitable for the products and services of
the organization.

8.3.5 Design and Development Outputs

The organization must ensure that design and development outputs meet the input
requirements for design and development. They should be adequate for the subsequent
processes for the provision of products and services. They must include or have a reference of
monitoring and measuring requirements, and acceptance criteria, as applicable. They
must ensure products to be produced, or services to be provided, are fit for intended purpose
and their safe and proper use. The organization must retain the documented information
resulting from the design and development process.

8.3.6 Design and Development Changes

The organization should identify, review and control changes made (during the design and
development of products and services, or subsequently) to design inputs and design outputs to
the extent that there is no adverse impact on conformity to requirements. The organization
must retain documented information on design and development changes, the result of review,
the authorization of changes and action taken to prevent adverse impact.
Design and development activities needed for products and services are required to be planned
and controlled through an established, implemented, and maintained process. This process may
be used for both products and services and for associated processes. It is required to include the
following:

 Planning to determine design stages considering activities such as verification and

validation, control of design interfaces, design review, resources needed for design and
development, customer involvement, and the documented information needed to
confirm that input requirements are met.
 Determination of the design and development inputs required, including such things as
functional requirements, regulatory and statutory requirements, applicable standards or
codes, information from earlier projects, and potential consequences of
failure. Conflicting requirements are required to be resolved.
 Design and development controls, including clear delineation of the results to be
achieved, planning and conducting design and development reviews and verification
activities to ensure design outputs meet input requirements, and validation to ensure
the products and services meet the requirement for the application intended.
 Design and development outputs are required to meet input requirements, to be adequate
for subsequent processes in the provision of the product or service, and to ensure the
products and services are fit for their intended purpose.
 Design and development changes are required to be identified, reviewed, and controlled.
This includes changes to design inputs or outputs. Controls are required to ensure that
changes do not have an impact on the products and service conformity.
 The organization is required to retain documented information resulting from the design
and development process, including design and development changes.

The intent is to ensure that the organization plans and controls design and development projects.
The key reason for this emphasis on planning is to maximize the probability that the project will
meet defined requirements. If the design and development processes are well planned and
controlled, an additional benefit should be that projects are completed on time and
within budget Planning is required at the level of detail needed to achieve the design and
development objectives—not to generate an excessive amount of paperwork. Stages of the
project need to be determined, and responsibilities, authority, and interfaces need to be defined.
Requirements need to be established for the incorporation of review, verification, and validation
into the design and development project. The organization needs to determine how
communications will be structured (e.g., weekly meetings, periodic reports, or other methods). In
many cases a number of organizations are involved in this process, and the success of the design
and development project often rests heavily on proper identification, understanding, and control
of design interfaces.

You must include product design and development in your QMS scope if you contract or convey
the perception that you design product, regardless whether you buy, outsource or actually do
design and development. The scope of your design and development activity must consider all
aspects of the product and product realization processes to ensure its conformity to requirements.
This includes product identification, handling, packaging, storage and protection during internal
processing and delivery to the customer. Product design and development sometimes results in
new manufacturing processes or changes to existing manufacturing processes. This clause is
equally applicable for designing and developing manufacturing processes. Product design and
development planning must focus on error prevention rather than detection in product quality as
well as product realization processes. You must have an overall plan for your design project.
Your plan must specify the design and development stages, activities and tasks, responsibilities,
timeline and resources, specific tests, validations, and reviews, and outcomes. There are many
tools available for planning ranging from a simple checklist to complex software. The degree and
details of planning may vary according to size and length of contract or project, complexity, risk,
product life, customer and regulatory requirements, past experience with similar product, etc.
You have flexibility in determining the scope of the stages, review, verification and validation
required for your product design and development projects. Your plan must be dynamic and
updated as requirements and circumstances change. You must track progress against your plan at
regular intervals or project milestones and update the plan as activity progresses. Your design
and development plan must include methods to communicate information, responsibilities,
results, discussions, reviews and resources. You must take a multi-disciplinary approach that
includes as needed, other functions (besides design) such as quality, engineering, purchasing,
sales, tooling, production, etc. Your plan must clearly identify these other functions and their
specific role and responsibilities regarding the project. Consider including customer and supplier
personnel at appropriate stages to do work and review results or progress. A multi-disciplinary
approach applies collective and relevant knowledge and skills of these different functions to
carry out or review design and development activities. The design and development project plan
serves as both a document and a record as it is updated for completion for various activities.
Where some or all of clause 8.3 design and development activities are done off site, then you
must show the linkages and interaction of these offsite activities with your on-site QMS
processes. You must identify and document all processes addressing this clause as part of your.
For these processes, you must also identify what specific documents are needed for effective
planning, operation and control of production activities These documents may include contracts,
technical drawings and specifications, a documented plan for design and development, work
instructions, a documented procedure etc., combined with unwritten practices, procedures and
methods. Look at the risks related to your product, processes and resources in determining the
nature and extent of documented controls you need to have . Many organizations use various
software tools to document their product or process design and development plans. If the nature
of your business does not require you to design and develop product (e.g. you manufacture
strictly from customer provided engineering drawings and specifications), then you must clearly
state this exclusion to your QMS scope, in your quality manual. Performance indicators (to
measure the effectiveness of design and development processes in meeting requirements and
achieving quality objectives) should focus on reducing variation in and improving these
processes and related use of resources. Indicators may include reduction in design cycle time,
development cycle time, specification errors, omissions, changes, design and development costs
etc., as well as measurable improvements in products developed.

You must identify, document and review design inputs requirements for function, performance,
safety, regulatory, quality, reliability, durability, life, timing, maintainability, cost,
identification, traceability, packaging, special or safety characteristics from the customer or
regulatory body, and other requirements essential to the product. You must have a process that
should be part of your design and development plan to identify, document, review , deploy and
use design input information such as documents coming from various sources such as customer
contracts, drawings and specifications, your own organization’s database of previous design and
development projects, competitor analysis, industry standards, feedback from suppliers, field
data. Design and Development usually requires the input and involvement of many other
functions and processes such as contract review, product realization, purchasing, top
management etc. within the organization and your process must manage this interaction by
defining responsibilities and means of communications. Inclusion of these controls in your
design and development plan is one of many effective ways to achieve this. Such a multi-
disciplinary approach has the benefit of applying the collective and relevant knowledge and
skills of these different functions to carry out or review design and development activities.
You must identify and include any special and safety characteristics in your process control
documents such as quality plans, product drawings, operator instructions and other documents
used to make or verify product. Note that special requirements can also include process
parameters such as temperature, timing, concentrations, etc. You must review all input
requirements, review design and development progress, verify product design and validate
developed product at various stages of your design and development process. The nature,
frequency and scope of these controls must be defined in your design and development plan or
other document. You must carry out these controls according to your plan and keep appropriate
records .

Do design reviews at one or more milestones of the design and development project, depending
on customer requirements, the size, complexity and risks involved. The purpose of these reviews
is to evaluate results to requirements, check project progress and costs to plan and take actions
on any problems encountered. You must take a multi-disciplinary approach for doing these
reviews and keep appropriate records of issues discussed, actions to be taken, responsibilities and
timeline for completion. All design and development reviews must be included in your design
and development plan.Product design Verification includes design reviews, comparing the new
design to a similar proven design if available, performing alternate calculations, performing tests
and simulations, reviewing the design documents before release, etc. Verification is checking
product or process to input requirements, whereas validation is checking product or process is
suitable for its intended use does it perform/function in the way intended by your customer or
your organization. Manufacturing process design verification include design review , process
capability studies, testing various process parameters, performing tests and trials, reviewing the
manufacturing process design documents before release, etc.If you outsource any part of your
design and development activity, then you must exercise the same controls required by clause 8.3
on the outsourced work and the organization doing the work, had it been done internally.Product
and manufacturing process validation includes – design reviews, comparison between customer
requirements and internal development plans, design and development validation against
customer requirements and design and development input requirements, corrective action and
lessons learned from documented process failures and product nonconformities. If you outsource
any part of your design and development activity, then you must exercise the same controls
required by clause 8.3 on the outsourced work and the organization doing the work, had it been
done internally. Any problem you have encountered during the verification and validation or
identified during review must be resolved.
Design and development output may be product or documentation or both. Product may be
prototype or finished product and documentation could be a computerized or hard copy drawing
or specification. Check design and development output against the input requirements specified
in 8.3.3, before you use it any further. Provide appropriate design and development output
information to:

 Purchasing material or service specifications

 Production output such as product specifications, special characteristics, drawings,
diagnostics, etc.
 Service output such as product specifications; performance reliability and maintenance
criteria.

Initially, this information may be used for trials and validation, before being firmed up. Many
documents are created from the design and development output stage such as drawings, quality
plans, work instructions, etc. These documents must be controlled as per clause 7.5.3 such as
approval, revision control, distribution, etc. Where any sophisticated design and development
tools such as AutoCAD are used requiring specific competency or training, ensure you provide
and keep appropriate records of competency and training of personnel performing design and
development activities and use of these tools.

Make sure your process for design and development changes follow appropriate steps of clause
8.3 ie define plan, have inputs and outputs, verify and validate to the extent necessary to meet
customer requirements and control product, quality and business risks. Changes may come from
internal, customer or regulatory sources. Get all requests for product or manufacturing process
design changes in writing from your customer. Impact of the change must be evaluated on
materials used, design process, manufacturing process, characteristics and use of developed
product, regulatory compliance, cost etc. While planning for change the organization must
follow all the requirements as given in clause 6.3 planning for change and must also determine
all risk and opportunities as given in clause 6.1. Documented information on design and
development changes, the result of review, the authorization of changes and action taken to
prevent adverse impact must be maintained.

8.4 Control of Externally Provided Products and Services

8.4.1 General

The organization must ensure that externally provided processes, products, and services
conform to specified requirements. The organization must apply the specified requirements for
control of externally provided products and services when products and services are provided
by external providers for incorporation into organization’s own products and
services; products and services are provided directly to the customer by external providers on
behalf of the organization; a process or part of a process is provided by an external provider
as a result of a decision by organization to outsource a process or function. The organization
must determine and apply criteria for evaluation, selection, monitoring of performance, and
re-evaluation of external providers based on their ability to provide processes or products and
services in accordance with specified requirements. The organization must retain appropriate
documented information of the above mentioned activities and any necessary action arising
out of evaluation.

8.4.2 Type and Extent of Control

The organization should ensure that externally provided processes, products and services do
not adversely affect the organization’s ability to consistently deliver conforming products and
services to its customers. The organization should ensure that externally provided processes
remain within the control of its quality management system. It should define both the controls
that it intends to apply to an external provider and those it intends to apply to the resulting
output. In determining type and extent of controls to be applied to external provision of
processes, products and services, organization must consider the potential impact of the
externally provided processes, products, and services on the organization’s ability to
consistently meet customer and applicable legal requirements and effectiveness of the controls
applied by the external provider. The organization must establish and implement verification
or other activities necessary to ensure the externally provided processes, products, and
services meet the requirements.

8.4.3 Information on External Providers

The organization must ensure the adequacy of specified requirements prior to their
communication to external providers. The organization should communicate to external
providers applicable requirements for the following:

1. products and services to be provided or the processes to be performed on behalf of the

organization;
2. approval or release of products and services, methods, processes or equipment;
3. competence of personnel, including necessary qualification;
4. their interactions with the organization’s quality management system;
5. control and monitoring of the external provider’s performance to be applied by the
organization;
6. verification activities that the organization, or its customer, intends to perform at the
external provider’s premises.

Externally provided processes, products and services includes

1. purchasing from a supplier

2. an arrangement with an associate company
3. outsourcing processes to an external provider.

The controls required for external provision can vary widely depending on the nature of the
processes, products and services. The organization can apply risk-based thinking to determine
the type and extent of controls appropriate to particular external providers and externally
provided processes, products and services;
Clause 8.4 covers the requirements to control purchased product including your outsourced
process, control suppliers you buy from, and requirements to control your buying process.
Purchased product includes raw materials, components, subassemblies, supplies, tooling,
machinery and equipment, sequencing, sorting, rework, testing, calibration, maintenance, etc.
Note that clause 8.4 requirements apply to items that go into the product, manufacture the
product, check the product or deliver the product; whether paid for or customer provided. These
may include materials, production equipment, tooling, measuring and test equipment, facilities,
transport vehicles, returnable packaging, intellectual property (drawings, specifications or
proprietary information), product returned for servicing under warranty, product sent for
outsourced work etc. You must have specifications/criteria for purchased product. These
specifications may come from your organization, customer, regulatory bodies, supplier or
industry. As documents, these specifications must be controlled as per clause 7.5.3. Many times
the customer may require the use of pre-approved purchased products and suppliers. The onus is
still on you to ensure that purchased product from customer-designated sources meets all
requirements. You must control both, the product you buy, as well as the supplier you buy from.
Your controls must primarily be based on prevention of nonconformities in both product and
supplier performance. Determine how important the purchased product is to design, manufacture,
assemble and maintain your end product. Factors such as targets for product quality, life,
reliability, durability, maintainability, and cost must be applied to purchased product going into
your end product. Categorize your purchased products and services accordingly. Then determine
what controls you need to ensure consistent purchased product quality and consistent supplier
performance. You can then apply different controls for different purchased products. There are
several ways to evaluate your suppliers. Besides product quality, your criteria for supplier
selection and evaluation may include the potential supplier’s financial capability, technical and
manufacturing capability and capacity, reliability, reputation, flexibility to handle changes,
support, service, cost etc. The importance of these criteria will vary according to the items
materials or services you purchase, and so you can apply different criteria to different suppliers.
You can categorize your suppliers accordingly based on these criteria. It might be useful to
maintain a list of all qualified suppliers. In addition to the initial evaluation and approval of
suppliers, you are required to carry out ongoing monitoring and measurement of their
performance. Use supplier monitoring indicators to evaluate the consistency, capability and
reliability of their performance for quality, delivery, support, etc. On-time delivery is very
important and disruptions (due to waiting for materials) at your customers or even your own
facility must be avoided. Depending on the risks related to materials supplied and supplier
performance, you might consider requiring some of your key suppliers to comply with some or
all of ISO 9001 requirements and perhaps even certification. You must identify your purchasing
processes whether on site or off site. For each process, you must document the controls for
purchased product and suppliers. You must also show the linkage and interaction of purchasing
processes with other processes such as design, manufacturing, tooling maintenance, calibration.
Where any of your controlled suppliers have gone through a significant organizational change
you must verify the continuity and effectiveness of their QMS. You must keep records of all
supplier evaluations (whether initial or periodic), including any corrective actions placed on
them for any nonconformities. You must identify and document all processes addressing this
clause as part of your QMS. For these processes, you must also identify what specific
documents, controls and resources are needed .You could use a documented procedure or other
combination of specific practices, procedures, documents and methods. Look at the risks related
to your product, processes and resources in determining the extent of documented controls you
need to have. Performance indicators to measure the effectiveness of purchasing processes in
meeting requirements and achieving quality objectives should focus on measuring supplier
performance and reducing variation in and improving purchasing processes and related use of
resources. Indicators for supplier performance may include reduction of defects in supplied
product, scrap, waste and rework, improvement in on-time delivery, service, cost, etc. Indicators
for purchasing process may include reduction in supplier- quote review cycle time, contract
award cycle time, purchase order-entry errors and omissions, receiving errors & omissions etc.

As indicated earlier, you can apply different controls for different suppliers and products
depending on your initial supplier evaluation and their ongoing product quality and delivery
performance. In any case these controls must be included or referenced in your quality or
inspection plans. To the extent that you decide to do verification of purchased product, you also
have flexibility in when you do the verification. You can do it on receipt or at any time prior to
use in production. Make sure you appropriately control un-inspected product. This may include
identification and storage to prevent unintended use. Consider using supplier quality plans,
inspection plans, etc., to verify that purchased product meets specified purchase (product and
QMS) requirements. Verification of purchased product can range from doing no verification to
100% verification. You have flexibility in determining the scope of purchased product
verification. Your inspection process must define and document the acceptance criteria and
sampling plan for product conformity and what measurement tools needed and records needed to
show effective control of purchased product quality and supplier performance.

Your purchase documents such as purchase order, contract, blanket order, your organization’s
supplier quality manual, etc. must specify your requirements for the purchased product; the
suppliers QMS and any other initial or on-going controls you deem necessary for ensuring
consistent supplier performance. You must define how you ensure the adequacy of these
documents before you communicate them to your supplier. A review of adequacy of purchasing
documents may include their completeness, accuracy, correctness, quantity, timing, cost,
approval, etc., by one or more functions; computerized controls, etc. In larger organizations, this
may be a separate process on-site or off-site. In either case, it must be identified and controlled.
While clause 8.4.3 does not specify keeping of records, you must show evidence of carrying out
(issue purchase documents) and review of these documents

An outsourced process is any value-adding or conversion activity related to your product or

service, that is performed by an external organization such as a subcontractor, sister facility, etc.
Note that the external organization may perform the outsourced activity at their facility or yours.
A manufacturing company may outsource welding, heat treatment or painting of product. A
software company may outsource software development. A bank may outsource check clearing
services. You must be able to demonstrate sufficient controls over outsourced processes to
ensure that such processes are performed according to the relevant requirements of ISO
9001:2008. The nature and scope of such control will depend on the nature of the outsourced or
subcontracted process and the risk involved. Outsourced processes may be controlled in any
number of ways, e.g., providing the vendor with product specifications; your supplier quality
manual that they must meet; asking for inspection and test results or certificates of compliance;
validation of outsourced process; conducting product and QMS audits of your vendor; etc. The
expectation here is that you flow down to your vendor, the relevant ISO 9001 requirements that
you would have to implement, had you performed the process at your own facility.

CLAUSE 8.5 Production and Service Provision

8.5.1 Control of Production and Service

The organization should implement production and service provision under controlled
conditions. Include these controlled conditions, as applicable:

1. availability of documented information that defines characteristics of products and

services.
2. availability of documented information that defines activities to be performed and
results to be achieved.
3. availability and use of suitable monitoring and measuring resources
4. implementation of monitoring and measurement activities at appropriate stages to
verify that criteria for control of processes and process outputs, and acceptance criteria
for products and services, have been met.
5. use and control of suitable infrastructure and process environment for operation of
process.
6. appointment of competent person and, where applicable, required qualification of
persons;
7. validation, and periodic revalidation, of ability to achieve planned results of any
process for production and service provision where resulting output cannot be verified
by subsequent monitoring or measurement.
8. implementation of products and services release, delivery, and post-delivery activities.

This clause provides a list of control requirements that you may use, if applicable to your
business. Identify and control all operation process. Show the interaction of these processes with
other processes. Use your product, project or contract quality plan to control your operation
activities. Schedule your operations taking into consideration customer delivery requirements,
production capacity and capability, material availability and usage, personnel availability and
usage; storage; etc. Carefully define and document the interaction of your operation scheduling
process with your logistics processes such as inventory management, customer communication,
traffic and shipping control, packaging and labeling, sales and billing. Use quality plans to
control your operation processes. Quality plans address what has to be made, how much has to
be made, when it has to be made, by whom, in what sequence, how it has to be made, what
equipment to use, what measurement and monitoring tools to use, what to inspect, when to
inspect, how much to inspect, what to do if problems arise, etc.Your quality plan must cover all
operation process steps from receipt of materials, production, packaging, storage, delivery and
even post-delivery activities such as installation or training. Your quality plans are dynamic and
must be updated for the changes in product specifications or process parameters; resources used;
monitoring or measurement requirements, etc. Your quality plans should reference any work
instructions specified for the process steps. Work instructions may be viewed as a subset of your
quality plan and may relate to a specific task or activity of your overall product realization
process for e.g. setting up a machine, performing an inspection, packaging a product, If you
determine that work instructions are needed at specific points in your process, then they must be
readily available and relevant i.e. current or right version. Note that work instructions may exist
in may forms such as narrative, graphical, audio, video, physical display etc. To improve your
QMS, it will be very useful to draw a flow chart to link the flow and interaction of the activities
and sub-processes covered by these clauses, e.g. many organizations overlook reviewing and
updating their quality plans for corrective action taken to address a manufacturing process
problem. Operational personnel must have timely access to all information relevant to their
activities including specific work instructions if necessary. There may be serious risk to
production flow, if such information is unavailable or untimely. You must identify and document
all processes addressing this clause as part of your QMS For these processes, you must also
identify what specific documents are needed for effective planning, operation and control of
production activities. These documents may include – a product quality plan; work instructions;
documented procedure; etc., combined with unwritten practices, procedures and methods. Look
at the risks related to your product, processes and resources in determining the nature and extent
of documented controls you need to have. Performance indicators to measure the effectiveness of
operation processes in meeting requirements and achieving quality objectives should focus on
reducing variation in and improving production processes and related use of resources.

Validation is usually required where product cannot be verified without damaging or destroying
the product, e.g. some types of welding, heat-treatment, painting, electroplating, rust-proofing,
etc. In such instances, the quality of these activities may only be discovered after use. This would
generally not be acceptable due to safety (e.g. weld) or aesthetic (evidence of rust or dullness of
chrome) reasons. In the case of a service such as pizza delivery within 30 minutes of order
placement, if the timeliness of delivery is not verifiable, then validation would be required.
However, most service-oriented businesses (e.g. delivery; call center) have some form of
monitoring during service execution to ensure service quality. Validation involves conducting
capability studies using a combination of resources technology, equipment, materials,
environment, competent personnel, and production and testing methods that consistently result in
a quality product or service. Validation may also require customer or regulatory approval of the
process. You must keep appropriate records of process validation showing both the achievement
of planned results as well as the ongoing maintenance of such capability. If you change any part
of the proven process capability for e.g. materials, equipment or personnel, etc., you must
revalidate i.e re-prove the changed process. It is up to each organization to determine what
combination of resources and methods will provide the required consistent process capability and
quality of product or service. Include as appropriate, these validation controls in your quality
plans.

Product related indicators may include reduction in defect rates, PPM’s (defective parts per
million), scrap rates, waste and rework; improvement in on time delivery. Production process
related indicators may include reduction in set-up time, run rates, process cycle time, production
scheduling and operator errors and omissions etc.

8.5.2 Identification and Traceability

The organization should use suitable means to identify “process outputs” where necessary to
ensure conformity of products and services. THe organization should identify status of
“process outputs” with respect to monitoring and measurement requirements throughout
production and service provision. The organization should control unique identification of
“process outputs” where traceability is a requirement. It should retain any documented
information necessary to maintain traceability. “Process outputs” are results of any activities
which are ready for delivery to customer or to an internal customer (e.g., receiver of inputs to
next process). “Process outputs” can include products, services, intermediate parts,
components, etc.

There are three distinct control requirements specified here.

 Product identification: It means knowing the identity of yours or customer supplied

product from incoming receipt of materials, raw material storage, use in production,
work in progress, finished product storage, and delivery of product to the customer.
Product identification can be controlled using physical and electronic methods.
 Product status: It means knowing the quality status (good or bad) of materials and
product through each of the above stages. Product status can be controlled using physical
and electronic methods.
 Unique Product Identification: It is not a mandatory requirement under ISO 9001, unless
contractually required by customers or regulatory bodies. In certain industry sectors such
as the automotive or aerospace or pharmaceutical industry, unique product identification
is mandatory for safety, regulatory and risk management reasons. This usually involves
keeping detailed records of product manufacturer such as material, equipment, personnel,
processes, production, inspection and test details, etc., for individual products or
production batches. These records help to trouble-shoot product and process problems,
resolve customer complaints, and enables continual improvement of product and process.
In many instances, it also reduces cost, risk and use of resources by narrowing the
problem down to a specific cause or instance. Depending on the product, the OEM may
specify the degree of unique identification and traceability required.

While this clause does not call for a specific documented information, these controls may be
included in your Operation processes through your product quality plans, work instructions and
other specific documentation. Examples of product identification and test status include physical
tags, bar code labels linked to computer records; MRP systems tracking specific production
runs/lots, automated production transfer processes, etc. Performance indicators to measure the
effectiveness of processes that control identification and traceability may include reduction in
identification errors and omissions; product quality status errors and omissions; and traceability
errors and omissions.

8.5.3 Property Belonging to Customers or External Providers

The organization should exercise care with property belonging to customers or external
providers while under the organization’s control or being used by organization. The
organization should identify, verify, protect, and safeguard the customer’s or external
provider’s property provided for use or incorporation into products and services. It should
report to the customer or external provider when their property is incorrectly used, lost,
damaged, or otherwise found to be unsuitable for use. Customer property can include
material, components, tools and equipment, customer premises, intellectual property, and
personal data.

Customer or External provider property may include material, production equipment, tooling,
measuring and test equipment, facilities, transport vehicles, returnable packaging, intellectual
property such as drawings, specifications or proprietary information, product returned for
servicing under warranty, product sent for outsourced work, etc.
All customer property is exposed to the risk of being damaged, lost, misused, misplaced, stolen,
become unsuitable or obsolete for use. You must establish controls for each of these risks. Notify
the customer/ External provider in writing if their property is lost, damaged or otherwise found to
be unsuitable such as perishable past its shelf life for use. Control to minimize the risks to
customer/External provider property include inventory management, preservation and storage,
identification, status and traceability indicators, maintenance, notification, traffic flow,
authorized use, restricted access, etc. Marking customer/External provider property with a unique
identification number that can be traced to a record that provides details of ownership is one of
many acceptable controls. While this clause does not call for a specific documented information,
these controls may be included in your product realization processes through your product
quality plans, work instructions and other specific documentation. Many of the controls needed
for clause 8.5.2 Identification and traceability and clause 8.5.4 Preservation apply to customer
property. The processes, controls and documentation for these other clauses could be expanded
to include customer property. Performance indicators to measure the effectiveness of processes
that control customer property may include reduction in identification errors and omissions, loss
due to damage or unsuitability, scrap, rejects, etc., as well as increased customer property
turnover rates.

8.5.4 Preservation

The organization should ensure the preservation of “process outputs” during production and
service provision, to the extent necessary to maintain conformity to requirements. Preservation
can include identification, handling, packaging, storage, transmission or transportation, and
protection.

All raw materials, work in progress, finished product, supplies, customer provided materials or
product, product sent for outsourced work, etc., are subject to risk of being damaged, lost,
misused, misplaced, stolen, become unsuitable ,perishable or obsolete i.e. past shelf life for use.
This could occur during receipt, handling, storage, use in production, and transportation to the
customer, etc. These could be
Controlled using identification, status and traceability indicators, inventory cycle counts and
condition evaluation, stock rotation methods such as FIFO, just in time, tracking shelf life,
special, controls for restricted access, handling and storage of hazardous materials, climate and
environment, maintenance procedures, bar codes, training, use of special equipment for handling,
condition reports, etc. These controls may be included in your product realization processes
through your product quality plans, work instructions and other specific documentation. Many of
the controls needed for clause 7.5.3 Identification and traceability apply to preservation of
product.
Performance indicators to measure the effectiveness of processes that control preservation of
product may include reduction in obsolete and spoils materials an product (e.g., fresh produce,
fruits, or frozen foods), identification errors and omissions, rejects, waste, scrap, etc., and
increase in inventory turnover and material/product availability, and product safety.

8.5.5 Post-Delivery Activities

The organization should meet requirements, as applicable, for post-delivery activities

associated with products and services. In determining the extent of post-delivery activities that
are required the organization should consider risks associated with products and services;
Customer feedback; legal requirements; nature, use, and intended lifetime of products and
services; Post-delivery activities can include actions under warranty provisions, contractual
obligations (such as maintenance services) and supplementary services (such as recycling or
final disposal)

Post Delivery activities means based on customer agreement or other agreement, the
organization may be responsible for providing support for their product or services after delivery.
This could include technical support, routine maintenance or total recall, recycling, reusable
packaging, returnable containers, etc . The extent of post delivery activity will depend on:

 Statutory and regulatory requirements: If statutory or regulatory requirements dictate

post-delivery activities or warranties, they must be addressed
 the potential undesired consequences associated with its products and services: The
organization must consider potential consequences, and how they intend to respond, the
scope of their reaction plan, etc
 the nature, use and intended lifetime of its products and services: This is very
commonly stated in the organization’s return policy or statement of liability. Some
organizations clearly state that there are no warranties (or post-delivery activities)
offered, expressed or implied. If this is the case (and in the absence of any other
requirements in this list), this section can be addressed simply by acknowledging that
there are no post-delivery activities.
 customer requirements: If the customer requires post-delivery, support,
warranty, protection through delivery and receipt, etc, the post-delivery activities should
be clearly described.
 Customer feedback: Customer feedback should be considered when determining the
scope of post-delivery activities. This also implies that the scope of those post delivery
activities may change over time in response to customer feedback.

8.5.6 Control of Changes

The organization should review and control changes for production or service provision to
extent necessary to ensure continuing conformity with requirements. The organization should
retain documented information describing results of review of changes, personnel authorizing
change, and any necessary actions arising from review.

The organization is required to review and control changes for all of the previously discussed
“production and service provision” topics including 8.5.1 Control of production and service
provision (all of the controls established in the first place), 8.5.2 Identification and traceability,
8.5.3 Property belonging to customers or external providers, 8.5.4 Preservation and 8.5.5 Post-
delivery activities. So, just as the QMS must have defined each of these items, any changes to
them must be controlled. Changes which are not clearly communicated create confusion.
Changes which have not been adequately reviewed and vetted may be implemented and result in
an undesired outcome. Changes, in general, create instability and a robust change management
process is critical to ensure changes are fully reviewed, approved, communicated, understood
and validated when they are implemented. Records describing results of review of changes,
personnel authorizing change, and any necessary actions arising from review has to be
maintained.

8.6 Release of Products and Services

The organization should implement planned arrangements at appropriate stages to verify

product and service requirements have been met. Retain evidence of conformity with
acceptance criteria. The release products and services to the customer should not proceed
until the planned arrangements for verification of conformity have been satisfactorily
completed unless otherwise approved by a relevant authority and, as applicable, by customer.
The organization should retain documented information for traceability to the person(s)
authorizing release of products and services for delivery to the customer. The organization
should also retain documented information for evidence of conformity with the acceptance
criteria.

You must identify, monitor and measure product/service characteristics to verify conformity to
requirements. Product characteristics may be dimensional, functional, performance, reliability,
durability, maintainability, life, cost, etc. Requirements may come from your customer, your own
organization, regulatory and industry sources. You must plan what characteristic(s) to measure,
type of measurements, what measurement device to use, how often to measure, sample size,
acceptance criteria, and records needed for each product or product type. Use your quality plan
to document these controls.
Your product, project or contract quality plan must define the stages at which various monitoring
and measurement will be carried out at incoming receipt of materials from suppliers or
outsourced work, storage, internal production processes, finished product, packaging, at time of
shipping, and post installation. Monitoring and measurement may be done by your personnel,
subcontracted or outsourced labor or by the customer. You must ensure that all personnel
performing monitoring and measurement are trained and competent.
If you plan on releasing during any stage of production or shipping finished product, where all
planned inspections and measurements to that stage have not been completed, ensure that you
obtain prior written approval/waiver from a relevant internal authority or the customer. Where
practical, consider completing all missed planned inspections and measurements before product
delivery. You must identify and document all product realization processes that may address this
clause, as part of your QMS, e.g. receiving, production, shipping, etc. For such processes, you
must also identify what specific documents are needed for effective planning, operation and
control.
You could use a product quality plan, any documented information or other combination of
specific practices, procedures and methods. Look at the risks related to your product, processes
and resources in determining the extent of documented controls you need to have. Performance
indicators to measure product conformity may include reduction in defect rates, PPM’s
(defective parts per million), scrap rates, waste, rework, improvement in on time delivery,
product returns from customer, etc. Performance indicators to measure the effectiveness of
product realization processes in achieving product conformity include productivity, reduction of
cycle time, errors, omissions and failures, etc.

8.7 Control of Nonconforming Process Outputs, Products, and Service

8.7.1

The organization should ensure process outputs, products, and services that do not conform to
requirements are identified and controlled to prevent unintended use or delivery. The
organization should take appropriate action based on nature of nonconformity and its impact
on conformity of products and services. This is applicable also to nonconforming products and
services detected after delivery of products during or after provision of service.The
organization should deal with nonconforming outputs in one or more of these ways:

 correction;
 segregation, containment, return, or suspension of provision of products and services;
 informing the customer;
 obtaining authorization for acceptance under concession.

The organization should verify conformity to requirements when nonconforming process

outputs, products, and services are corrected.

8.7.2

The organization should retain documented information that describes the nonconformity,
action taken, concessions obtained, identifies the person or authority that made decision
regarding dealing with nonconformity.

ISO 9001:2015-Clause 8.7 applies to processes, products and services that does not conform to
customer requirements, applicable regulatory requirements or your own organization
requirements. Nonconformities may relate to suppliers and outsourced work, your own
organizational activities or product shipped to customers. Your organization must have controls
and responsibilities to identify, contain i.e. prevent further processing or use, keep records of the
nature and other details of the nonconformity, notify appropriate personnel and customer, where
appropriate, evaluate what disposition action needs to be taken, carry out timely disposition,
determine policies for release for further processing or shipment to the customer, obtain
customer concessions, rework and re-verification, establish performance indicators to measure
the effectiveness of the control of nonconformance process, etc.
Product or material found with no identification or its quality status is not known, should be
treated as nonconforming product and controlled as mentioned above. If you find that
nonconforming product has been shipped, without a customer concession, you must take
appropriate action to reduce the immediate and consequential effect of the nonconformity.
Depending upon the seriousness and scope of the nonconformity, you might consider taking
action to eliminate the nonconformity as well as corrective action to eliminate the root causes of
the nonconformity.It might be appropriate in specific circumstances to notify the customer and
resolve the situation to your customer’s satisfaction. A similar rationale may be applied where
product has been shipped that does not meet regulatory requirements. Depending upon the
seriousness and scope of the nonconformity, you might consider taking action to eliminate the
nonconformity as well as corrective action to eliminate the root causes of the nonconformity.
You need to be aware of any reporting requirements imposed by regulatory bodies and comply
with them.
A concession authorization allows you to ship nonconforming product, under controlled
conditions. A deviation authorization allows you to manufacture product different from the
original specification, under controlled conditions. In both these situations, make sure that you
obtain these authorizations in writing prior to shipping or manufacturing nonconforming product.
All product realization processes must show the interaction with your process for nonconforming
product. Performance indicators to measure the effectiveness of control of nonconforming
product may include reduction in cycle time to evaluate and dispose of nonconforming product,
reduced errors in preventing unintended use or delivery, improved alternate use of
nonconforming product and cost recovery, etc.