The bulk of the management system requirements lies within this single clause. Clause 8 addresses both in-house and outsourced processes, while the overall process management includes adequate criteria to control these processes, as well as ways to manage planned and unintended change. Whatever the organization is in business to achieve, clause 8 is it. The overall process management includes having process criteria, controlling the processes within the criteria, controlling planned change and addressing unintended change as necessary. The organization shall plan, implement and control the processes needed to meet its discipline-speciﬁc requirements. This also relates to implementing the actions determined in 6.1 (actions to address risks and opportunities) and 6.2 (objectives and plans to achieve them). The organization is required to:
- Establish criteria for the processes (possibly in work instructions)
- Implement control of the processes, in accordance with the criteria (possibly through training and awareness)
- Keep documented information to the extent necessary to have conﬁdence that the processes have been carried out as planned (possibly within its QMS, or integrated MS)
- Control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects (possibly through the management of change process)
- Ensuring outsourced processes are controlled. This would include control and/or inﬂuence (depending on its ability to do so — the size of the order, importance to an external organization, etc.).
Typical audit evidence would relate to: the type and extent of control/inﬂuence to be applied are deﬁned within its QMS, processes for assessing the importance/risk of the outsourced activity and deriving suitable controls, and monitoring the effectiveness of the controls, etc. This could involve purchasing, risk/compliance, and operations/production functions within the organization. The context of the organization and the relevant needs and expectations of interested parties will clearly have a bearing on the extent of control/Inﬂuence expected of its outsourced processes.
Clause 8, Operation, has seven sub-clauses:
8.1 Operational Planning and Control
8.2 Determination of Requirements for Products and Services
8.3 Design and Development of Products and Services
8.4 Control of Externally Provided Products and Services
8.5 Production and Service Provision
8.6 Release of Products and Services
8.7 Control of Nonconforming Process Outputs, Products, and Services
8.1 Operational Planning and Control
The Organization should plan, implement, and control the processes, as outlined in 4.4, needed to meet requirements for the provision of products and services and to implement the actions determined in 6.1 by determining product and services requirements; establishing criteria for the processes and for the acceptance of products and services; determining the resources needed to achieve conformity to product and service requirements; implement control of the processes in accordance with the criteria; determining, maintaining and retain documented information to the extent necessary to have confidence that the processes have been carried out as planned and to demonstrate the conformity of products and services to requirements. The output of this planning should be suitable for the organization’s operations. The organization should control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization should ensure outsourced processes are controlled in accordance with 8.4.
Clause 8.1 requires that operations be conducted through processes that are planned and controlled regardless of whether the organization or an outside party performs the process. Requirements for products and services are required to be determined and criteria established for acceptance. Identification of resources needed to achieve conformity is required. Planned changes are required to be controlled and action is taken to mitigate the effects of unintended consequences of changes. Documented information is required to be kept (retained) to demonstrate the conformity of product and service to requirements and that processes have been carried out as planned. The individual planning step in the 2008 version focuses on determining how to verify conformity, the 2015 version is oriented around the notion of managing and adequately resourcing a set of processes so that a state of control is achieved even when intended or unintended changes occur. It also indicates a requirement to review consequences and mitigate adverse effects as necessary. The clause also requires that the organization keep documented information to have confidence that these processes have been carried out as required. Note that the requirement for processes to accomplish all the operational activities is not repeated in each clause. A lack of repetitious requirements in each clause does not mean processes and documented information are not required. The first sentence of clause 8.1 makes the point that the organization “shall plan, implement and control the processes needed to meet the requirements for the provision of products and services.” It also reinforces the relationship between clauses 4.4 and 6. Therefore, even though ISO 9001:2015 may appear to some to have reduced the requirements for processes and controls, we believe clause 8.1, coupled with clauses 4 and 6, requires an organization to define, document, control, and keep records at least at the same level as previously required, and perhaps to an even greater level of comprehension.
Many organizations long ago adopted the process approach to managing operations, and thus may already be close to conforming. They may review the language in the new standard and tweaking processes and documented information, as appropriate. The organization needs to incorporate any additions, deletions, or modifications that are perceived as necessary or desirable to conform with these more process-oriented requirements and possibly to improve process effectiveness. Subtle “new” requirements related to control of changes and mitigating adverse effects should also be considered. On the other hand, some organizations may not have embraced the process approach to operational controls. Less documentation may be required, but ISO 9001:2015 requires that the organization understand the processes needed to deliver conforming products to customers. These processes must be understood not only with respect to the products themselves but also in the broader context of the objectives of the organization and any other requirements of the QMS (including interested parties and risks and opportunities). It may be advisable to:
- Create a quality plan for a product or service to describe how the QMS will be modified and applied to all operations. Such a plan could include or reference procedures and records to be maintained and analyzed.
- Consider using the product design and development process approach for designing processes. This is a requirement in the automotive industry. It has become a best practice demonstrated in many organizations even though ISO 9001 does not explicitly require adherence to the design and development requirements for internal process designs. This enhances both the effectiveness and efficiency of processes.
- Identify key performance measures for both products and processes and align them with your quality and business objectives.
The only requirement in clause 8.1 for documented information is to retain or maintain documented information as necessary to provide confidence that the processes have been carried out as required. Organizations should also consider maintaining documented information describing the operational processes and how they are to be carried out. The requirement to plan, implement, and control the processes needed to meet the requirements for the provision of products and services would be very difficult to achieve if documented information is not created and maintained for all processes of the QMS
The focus of clause 8.1 is on controls governing the making of product to meet customer requirements and all the QMS processes that, directly or indirectly, make this happen. Operation processes may include customer-related processes (sales and marketing), design and development, production, shipping, receiving, packaging, measurement, and monitoring of product and processes, etc., whether performed onsite or off-site. Some of the support processes that come to bear on Operations include document control, record control, human resources, infrastructure provision and maintenance, IT, purchasing and materials management, laboratory services and control of monitoring and measuring devices, business planning, etc. The output of Operation planning may be implemented in many different ways. It does not necessarily have to be all in one document, but may sometimes include several documents such drawings, machine set-up, inspection criteria, process sheets, etc. These must be readily available to those performing these processes.
You may also consider using a specific product, contract or project quality plans to accomplish this. Your quality plans should include the processes needed, process sequence and control parameters, specific resources needed to make, verify and deliver the product, product acceptance criteria and quality objectives, product, and process monitoring and measurement control plans to control and correct any product or process nonconformities, reference to support processes, documents needed such as work instructions or engineering specifications, etc. and details of records to be kept. Focus on defect prevention in planning the controls for product realization. Quality objectives may include defect rates, scrap rates, etc. Requirements or criteria for the product may include physical properties, dimensional, functional, etc, and their related measurements, tolerances and acceptance levels. In many instances, depending on the nature of the product, the customer may specify objectives and requirements and criteria for the product realization processes as well. You must identify and document all processes addressing this clause as part of your QMS. For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production processes. These documents may include contracts, specifications, orders, product quality plans, work instructions, a documented procedure, etc., combined with unwritten practices, procedures and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Where any of the product realization processes are done off-site (e.g. at head-office), your QMS must include the off-site processes within your QMS and ensure that such processes comply with ISO 9001 requirements. The expectation is to flow down to the off-site facility, the relevant ISO 9001 requirements that you would have to implement, had you carried out the process at your own facility. Performance indicators to measure the effectiveness of product realization in meeting requirements and achieving quality objectives will be specific to each realization process and focus on reducing variation and waste in realization processes and related use of resources. Objectives may be used to monitor and improve process productivity, reduction of cycle time, errors, omissions, and failures, etc. You must also consider indicators to measure product performance such as – reduction in defect rates, PPM’s (defective parts per million), scrap rates, waste and rework, improvement in on-time delivery, product returns from customers, etc.
8.2 Determination of Requirements for Products and Services
8.2.1 Customer Communication
The organization must establish the processes for communicating with customers to provide information relating to products and services; inquiries, contracts, or order handling, including changes; obtaining customer feedback relating to product and services including customer complaints; handling or controlling customer property, and establishing specific requirements for contingency actions, when relevant.
8.2.2 Determination of Requirements related to Products and Services
The organization must ensure while determining the requirements for the products and services to be offered to customers that the product and service requirements (including those considered necessary by the organization), and applicable legal requirements, are defined. The organization must also ensure that it has the ability to meet the defined requirements and substantiate the claims for the products and services it offers.
8.2.3 Review of Requirements for Product and services
18.104.22.168 The organization must ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer; The review should include the requirements specified by the customer, including the requirements for delivery and post-delivery activities; requirements not stated by the customer, but necessary for the specified or intended use, when known; requirements specified by the organization; statutory and regulatory requirements applicable to the products and services; contract or order requirements differing from those previously expressed. The organization must ensure that contract or order requirements differing from those previously defined are resolved. When the customer does not provide a documented statement of their requirements, the organization must confirm them before accepting them. In some situations, such as internet sales, when a formal review is impractical for each order, the review can cover relevant product information, such as catalogues.
22.214.171.124 The organization should retain documented information on the results of the review and on any new requirements for the products and services.
8.2.4 Changes to requirements for products and services
The organization should ensure that relevant documented information is amended, and relevant persons are made aware of the changed requirements. when the requirements for products and services are changed.
Clause 8.2.1 requires the organization to conduct communications with customers. The detail requirements for communications with customers include:
- Providing product- and service-related information
- Handling customer orders of all types and changes thereto
- Getting customer feedback including complaints
- Exercising appropriate controls for any customer-owned property
- Establishing requirements for contingency actions
Clause 8.2.1 requires processes to accomplish specific types of information exchange. It requires five specific types of communication with customers to be included in the organization’s processes:
- Product and service information, including customer requirements
- Documented agreements with the customer, such as contracts, orders, changes, and other information needed to meet customer requirements
- Customer feedback including complaints
- The handling and treatment of customer-owned items were covered in great detail in clause 7.5.4 in ISO 9001:2008. The specific requirements of the 2008 version have been significantly simplified.
- Any contingency actions that are relevant.
Clause 8.2.1 is similar to clause 7.2.3 of ISO 9001:2008. The point of grouping these items under customer communications is to emphasize that these communications need to be systematically planned like all other processes. In doing so, consider the information in clause 7.4 on communication and the requirements related to process management in clause 4.4. If the customer is the organization’s most import contact, shouldn’t we concentrate some key planning effort on the processes used to communicate with them? It is generally necessary that a careful record is maintained of the requirements. Often the process involves multiple discussions, reviews (clause 8.2.2), and even early design and development work (clause 8.3). Carefully thought-out methods are needed to efficiently retain this input information for later use in the design process and as input to the resolution of disputes that may arise.
Clause 8.2.2 requires the organization to determine the requirements related to its products and services. This includes:
Establishing a process for determining the requirements for the products offered to potential customers
- Determining the requirements of the customer
- Determining requirements for the organization
- Determining requirements from applicable statutes and regulations
- Determining that the organization has the ability to meet the requirements and substantiate claims related to its products and services
One of the key things that communication with customers needs to ensure is that customer requirements and other requirements for the product or service are clearly understood. But communication and understanding of customer requirements is only one piece of the requirements puzzle. Many products are regulated and customers may have no knowledge of the regulatory or statutory details. Often the organization has learned key things that must be done a certain way for the product or service to meet customer requirements. Customers cannot be expected to know about many of these things. It is the organization’s responsibility to understand all these requirements and their specific application. It is also the organization’s responsibility to determine whether it can successfully deliver conforming product or service to the customer. Conformity is not difficult for organizations providing off-the-shelf catalogue products manufactured to published specifications or standardized services with normal delivery requirements. However, if customers are purchasing complex systems with custom engineering and software according to a complex set of commercial terms, it is essential to obtain a clear understanding of customer requirements by whatever means possible, including activities such as holding face-to-face meetings and attending pre-bid meetings. Full determination of customer requirements can be an iterative process. Often there are known issues that may evolve into real requirements at a later stage. In such cases, documentation of the open issues and providing for the attendant business risk may prove to be an acceptable approach to meeting the requirements of this clause. The determination of customer requirements is a critical activity and generally involves several functions and levels in an organization. It is recommended that you maintain documented information to describe the process for determination of all aspects of product and service requirements. The documented information should include both product requirements specified by the customer and product requirements not specified by the customer but necessary for intended or specified use. Also, unique regulatory and statutory requirements should be considered as well as commercial terms and conditions.
Clause 8.2.2b requires that the organization have the ability to meet requirements. Often with advanced products, there is a need to advance the state of the art as product development progresses. Such situations should be clearly identified and the business risks understood. In such cases, the deﬁned requirements could be the development of the needed technological advance. To avoid customer complaints or dissatisfaction, even for “requirements” that are not clearly stated (e.g., regulatory requirements or marketplace norms), the organization should consider a comprehensive understanding of customer requirements, perhaps even performing a failure modes and effects analysis (FMEA) on the processes as a form of risk assessment. Since the review process required in clause 8.2.2 is often iterative, retention of documented information of review results (eg, who reviewed what, when, and using what method) can be a practical necessity. While clause 8.22 does not require retention of any documented information on these determinations, it is recommended to have such records.
Clause 8.2.3 states the obligation of the organization to review the requirements of products and services, which includes:
- Customer-specified requirements for the product or service, including any requirements for delivery or post-delivery actions
- Requirements are known to be needed by the organization even though not specified by the customer
- Applicable statutory and regulatory requirements applying to the product or service
- Requirements of the final contract or order differing from those previously provided by or discussed with the customer
The review is required to:
- Be performed prior to the organization’s commitment to producing the product or service
- Ensure resolution of all order requirements that may differ from those previously defined
- Include confirmation of the requirements in cases where the customer does not provide documented requirements o Retain documented information on the results of the review
The acceptance of an order or the submission of a quote or tender by an organization obliges the organization to meet the conditions stated in the order or to provide the goods and services included in the scope of the quotation or tender. The obligation assumed by the organization includes not only the products defined but also ancillary items such as conformance to stated delivery dates, adherence to referenced external standards, and compliance with the commercial terms and conditions applicable to the order, contract, quote, or tender as well as applicable statutory and regulatory requirements. The complexity of the order/quote review process depends on the products and services of the organization. A process for reviewing oral orders for off-the-shelf products with 24 hour delivery (e.g., software packages) will differ considerably from a process for reviewing a large order for a one-of-a-kind product with a two-year delivery (e.g., an order for a control system for an electric power-generating station). The review process must also accommodate, as applicable, electronic orders, blanket orders with periodic releases, unsolicited orders, orders through distributors or representatives, faxed orders, and an almost infinite combination of these and other possibilities. If the organization is involved in internet sales, creative thinking will be required to efficiently review customer requirements. With such a spectrum of possibilities, what is an organization expected to do to conform to the requirements? The first step should be to develop a clear understanding of the nature of the various kinds of customer requirements and fully understand each communication channel involved. If, for example, an organization publishes a catalogue and accepts only written orders for catalogue—listed items to standard delivery times, then the order or contract- review procedure can be simple. The process could be a designated individual (e.g., a manager, a clerk) reviewing, initiating, and dating the written order. This simple process can be used as valid evidence that requirements can be met. If an organization must address possibilities that occur only rarely, the organization could simply note in documented information (i.e., a procedure) that any circumstances different from standard terms and conditions will be addressed by a specific quality plan. Such a plan can be generated as a unique occasion arises. Thus, a simple order-entry process can have a very simple, brief, and effective contract-review process. For the large, complex contracts or quotations, the review process may involve many organizational entities such as engineering, manufacturing, legal, finance, and quality assurance. Accordingly, the procedures governing such reviews can be complex and lengthy. A good guideline to keep in mind when developing a process to address the specific requirements of clause 8.2.3 is to balance the risks to the organization with the effort expended in a review of customer requirements, keeping in mind that the purpose of the review is to add value and not to create a bureaucratic morass. A formal process should be deployed that indicates who will do what and how often.
Clause 8.2.4 states that changes are required to be controlled and documented information updated to ensure that changes are properly included in documented information. When changes to product requirements, orders, contracts, or quotations occur, the organization is required to ensure that relevant documented information is amended and communicated, as appropriate, within the organization. These simple and fundamental requirements are often much harder to meet. Changes tend to come from all sorts of sources. Customer ﬂoor-level workers in today’s environment often talk directly to factory workers in customers’ plants. Cell phones are used to relate the latest changes to schedules and requirements. The situation can turn into chaos. Thus, control rules are needed so that decisions related to changes are made by the appropriate people with relevant and up-to-date information. These considerations should be a key part of considering process interactions. Often the rapid response is critical for the customer, so design the system in such a way that you can deliver just that. Considerations for Documented Information to Be Maintained and/or Retained, Keeping good records of changes is both a challenge and a practical necessity.
Customer-related processes must include controls for determining customer and regulatory requirements, a review of such requirements, and communication with the customer. Customer requirements extend beyond product specifications and may include on-time delivery, packaging, labelling, mode of delivery, documentation, communications, QMS requirements, after-sales servicing, etc. Many of these requirements may also come from regulatory, industry or from within your own organization. Depending on the product or service, you must determine if any industry or regulatory requirement is applicable to product characteristics or process parameters that affect the product’s safety or compliance with regulatory requirements. You must consider all laws and regulatory requirements that may affect your product, materials, labour, production processes, your facility and work environment, etc. Where some or all of the processes – for determining customer requirements; for contract review and customer communication; etc., are done offsite, then you must show the linkages and interaction of these offsite activities with your on-site QMS processes. The nature of the requirements review may be different for different types of product or services. Your review records must show the basis of the review. Make sure you do your due diligence and risk analysis before you commit to contractual arrangements. I have seen many companies get into serious financial trouble, for taking on products transferred from another supplier because they did not assess all the risks. Manufacturing risk analysis is an assessment of your organization’s capacity and capability to effectively and efficiently provide the customer specified deliverables. Risk analysis should include timing, resources, development costs and investments, the potential for, and effects of, possible failures in processes, including suppliers. You should also consider financial and profitability risk. Sometimes it may take a few months to receive an order or contract from the customer after you have sent them your quotation. Your review process must ensure that you compare the customer’s order or contract with your latest quotation, and resolve any differences (accept or re-negotiate) before you accept the order or contract. Your customer relations management process must include a sub-process for change control and must include – a review of the change either from the customer or internal from the organization and its impact on fit, form, functionality, other processes, financial, delivery, etc. Have a process for change control. For significant issues or changes, obtain customer approval in writing for any waivers or changes of contractual or QMS requirements. Customer communications may take many forms such as software and interfaces for design and development, logistics, customer satisfaction feedback, etc. You must ensure that personnel at all levels have the competency and training to use these communications media and tools. You must identify and document all processes addressing this clause as part of your QMS. For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production activities. These documents may include – contracts, specifications, orders, product quality plans, work instruction, a documented procedure, etc., combined with unwritten practices, procedures, and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Performance indicators to measure the effectiveness of customer-related processes in meeting requirements and achieving quality objectives should focus on reducing variation in and improving these processes and related use of resources. Indicators may include a reduction in quote cycle time, pre and post-award review cycle time, order-entry errors and omissions, etc., and improvement in conversion ratio (i.e. ratio of contracts/orders awarded to quotes).
8.3 Design and Development of Products and Services
Clause 8.3, on design and development controls, has six subclauses:
- 8.3.1 General
- 8.3.2 Design and development planning
- 8.3.3 Design and development inputs
- 8.3.4 Design and development controls
- 8.3.5 Design and development outputs
- 8.3.6 Design and development changes
The organization should establish, implement, and maintain a design and development process. such that they are adequate for subsequent production or service provision.
8.3.2 Design and Development Planning
While planning for design and development, the organization must consider the following in determining the stages and controls for design and development:
- nature, duration, and complexity of the design and development activities;
- the required process stages, including applicable design and development reviews;
- the required design and development verification and validation activities;
- the responsibilities and authorities involved in the design and development process;
- the internal and external resource needs for the design and development of products and services;
- the need to control interfaces between persons involved in the design and development process;
- the need for involvement of customers and users in the design and development process;
- the requirements for the subsequent provision of products and services;
- the level of control expected for the design and development process by customers and other relevant interested parties;
- the documented information needed to demonstrate that design and development requirements have been met
8.3.3 Design and Development Inputs
The organization must determine the requirements essential for the specific type of products and services being designed and developed, including, as applicable, functional and performance requirements; applicable legal requirements; information derived from previous similar design and development activities; standards or codes of practice the organization has committed to implement; potential consequences of failure due to the nature of products and services; Ensure inputs are adequate for design and development purpose, complete, and unambiguous. Resolve conflicts among Design and Development inputs.
8.3.4 Design and Development Controls
The organization should apply controls to the design and development process to ensure that results to be achieved by the design and development activities are clearly defined; Design and development reviews are conducted as planned; Verification activities are conducted to ensure that the design and development outputs have met the design and development input requirements; Validation activities are conducted to ensure that the resulting products and services are capable of meeting the requirements for the specified application or intended use (when known). The organization must take any necessary actions on the problems determined during the reviews, or verification and validation activities. The organization must maintain any documented information about these activities. Design and development reviews, verification and validation have distinct purposes. They can be conducted separately or in any combination. as is suitable for the products and services of the organization.
8.3.5 Design and Development Outputs
The organization must ensure that design and development outputs meet the input requirements for design and development. They should be adequate for the subsequent processes for the provision of products and services. They must include or have a reference of monitoring and measuring requirements, and acceptance criteria, as applicable. They must ensure products to be produced, or services to be provided, are fit for the intended purpose and their safe and proper use. The organization must retain the documented information resulting from the design and development process.
8.3.6 Design and Development Changes
The organization should identify, review and control changes made (during the design and development of products and services, or subsequently) to design inputs and design outputs to the extent that there is no adverse impact on conformity to requirements. The organization must retain documented information on design and development changes, the result of the review, the authorization of changes and action taken to prevent adverse impact.
Design and development activities needed for products and services are required to be planned and controlled through an established, implemented, and maintained process. This process may be used for both products and services and for associated processes. It is required to include the following:
- Planning to determine design stages considering activities such as verification and validation, control of design interfaces, design review, resources needed for design and development, customer involvement, and the documented information needed to confirm that input requirements are met.
- Determination of the design and development inputs required, including such things as functional requirements, regulatory and statutory requirements, applicable standards or codes, information from earlier projects, and potential consequences of failure. Conflicting requirements are required to be resolved.
- Design and development controls, including clear delineation of the results to be achieved, planning and conducting design and development reviews and verification activities to ensure design outputs meet input requirements, and validation to ensure the products and services meet the requirement for the application intended.
- Design and development outputs are required to meet input requirements, to be adequate for subsequent processes in the provision of the product or service, and to ensure the products and services are fit for their intended purpose.
- Design and development changes are required to be identified, reviewed, and controlled. This includes changes to design inputs or outputs. Controls are required to ensure that changes do not have an impact on the products and service conformity.
- The organization is required to retain documented information resulting from the design and development process, including design and development changes.
The intent is to ensure that the organization plans and controls design and development projects. The key reason for this emphasis on planning is to maximize the probability that the project will meet the defined requirements. If the design and development processes are well planned and controlled, an additional benefit should be that projects are completed on time and within budget, Planning is required at the level of detail needed to achieve the design and development objectives—not to generate an excessive amount of paperwork. Stages of the project need to be determined, and responsibilities, authority, and interfaces need to be defined. Requirements need to be established for the incorporation of review, verification, and validation into the design and development project. The organization needs to determine how communications will be structured (e.g., weekly meetings, periodic reports, or other methods). In many cases, a number of organizations are involved in this process, and the success of the design and development project often rests heavily on proper identification, understanding, and control of design interfaces.
You must include product design and development in your QMS scope if you contract or convey the perception that you design product, regardless whether you buy, outsource or actually do design and development. The scope of your design and development activity must consider all aspects of the product and product realization processes to ensure its conformity to requirements. This includes product identification, handling, packaging, storage and protection during internal processing and delivery to the customer. Product design and development sometimes result in new manufacturing processes or changes to existing manufacturing processes. This clause is equally applicable for designing and developing manufacturing processes. Product design and development planning must focus on error prevention rather than detection in product quality as well as product realization processes. You must have an overall plan for your design project. Your plan must specify the design and development stages, activities and tasks, responsibilities, timeline and resources, specific tests, validations, and reviews, and outcomes. There are many tools available for planning ranging from a simple checklist to complex software. The degree and details of planning may vary according to size and length of contract or project, complexity, risk, product life, customer and regulatory requirements, past experience with a similar product, etc. You have flexibility in determining the scope of the stages, review, verification, and validation required for your product design and development projects. Your plan must be dynamic and updated as requirements and circumstances change. You must track progress against your plan at regular intervals or project milestones and update the plan as the activity progresses. Your design and development plan must include methods to communicate information, responsibilities, results, discussions, reviews, and resources. You must take a multi-disciplinary approach that includes as needed, other functions (besides design) such as quality, engineering, purchasing, sales, tooling, production, etc. Your plan must clearly identify these other functions and their specific role and responsibilities regarding the project. Consider including customer and supplier personnel at appropriate stages to do work and review results or progress. A multi-disciplinary approach applies collective and relevant knowledge and skills of these different functions to carry out or review design and development activities. The design and development project plan serves as both a document and a record as it is updated for completion for various activities. Where some or all of clause 8.3 design and development activities are done off-site, then you must show the linkages and interaction of these offsite activities with your on-site QMS processes. You must identify and document all processes addressing this clause as part of yours. For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production activities These documents may include contracts, technical drawings, and specifications, a documented plan for design and development, work instructions, a documented procedure, etc., combined with unwritten practices, procedures and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Many organizations use various software tools to document their product or process design and development plans. If the nature of your business does not require you to design and develop the product (e.g. you manufacture strictly from customer provided engineering drawings and specifications), then you must clearly state this exclusion to your QMS scope, in your quality manual. Performance indicators (to measure the effectiveness of design and development processes in meeting requirements and achieving quality objectives) should focus on reducing variation in and improving these processes and related use of resources. Indicators may include a reduction in design cycle time, development cycle time, specification errors, omissions, changes, design and development costs, etc., as well as measurable improvements in products developed.
You must identify, document and review design inputs requirements for function, performance, safety, regulatory, quality, reliability, durability, life, timing, maintainability, cost, identification, traceability, packaging, special or safety characteristics from the customer or regulatory body, and other requirements essential to the product. You must have a process that should be part of your design and development plan to identify, document, review, deploy and use design input information such as documents coming from various sources such as customer contracts, drawings and specifications, your own organization’s database of previous design and development projects, competitor analysis, industry standards, feedback from suppliers, field data. Design and Development usually require the input and involvement of many other functions and processes such as contract review, product realization, purchasing, top management etc. within the organization and your process must manage this interaction by defining responsibilities and means of communications. Inclusion of these controls in your design and development plan is one of many effective ways to achieve this. Such a multi-disciplinary approach has the benefit of applying the collective and relevant knowledge and skills of these different functions to carry out or review design and development activities.
You must identify and include any special and safety characteristics in your process control documents such as quality plans, product drawings, operator instructions and other documents used to make or verify the product. Note that special requirements can also include process parameters such as temperature, timing, concentrations, etc. You must review all input requirements, review design and development progress, verify product design and validate developed product at various stages of your design and development process. The nature, frequency, and scope of these controls must be defined in your design and development plan or other documents. You must carry out these controls according to your plan and keep appropriate records.
Do design reviews at one or more milestones of the design and development project, depending on customer requirements, the size, complexity, and risks involved. The purpose of these reviews is to evaluate results to requirements, check project progress and costs to plan and take actions on any problems encountered. You must take a multi-disciplinary approach for doing these reviews and keep appropriate records of issues discussed, actions to be taken, responsibilities and timeline for completion. All design and development reviews must be included in your design and development plan. Product design Verification includes design reviews, comparing the new design to a similar proven design if available, performing alternate calculations, performing tests and simulations, reviewing the design documents before release, etc. Verification is checking product or process to input requirements, whereas validation is checking product or process is suitable for its intended use does it perform/function in the way intended by your customer or your organization. Manufacturing process design verification include design review, process capability studies, testing various process parameters, performing tests and trials, reviewing the manufacturing process design documents before release, etc. If you outsource any part of your design and development activity, then you must exercise the same controls required by clause 8.3 on the outsourced work and the organization doing the work, had it been done internally. Product and manufacturing process validation includes – design reviews, comparison between customer requirements and internal development plans, design and development validation against customer requirements and design and development input requirements, corrective action and lessons learned from documented process failures and product nonconformities. If you outsource any part of your design and development activity, then you must exercise the same controls required by clause 8.3 on the outsourced work and the organization doing the work, had it been done internally. Any problem you have encountered during the verification and validation or identified during review must be resolved.
Design and development output may be product or documentation or both. Product may be a prototype or finished product and documentation could be a computerized or hard copy drawing or specification. Check design and development output against the input requirements specified in 8.3.3, before you use it any further. Provide appropriate design and development output information to:
- Purchasing material or service specifications
- Production output such as product specifications, special characteristics, drawings, diagnostics, etc.
- Service output such as product specifications; performance reliability and maintenance criteria.
Initially, this information may be used for trials and validation, before being firmed up. Many documents are created from the design and development output stage such as drawings, quality plans, work instructions, etc. These documents must be controlled as per clause 7.5.3 such as approval, revision control, distribution, etc. Where any sophisticated design and development tools such as AutoCAD are used requiring specific competency or training, ensure you provide and keep appropriate records of competency and training of personnel performing design and development activities and use of these tools.
Make sure your process for design and development changes follow appropriate steps of clause 8.3 ie define the plan, have inputs and outputs, verify and validate to the extent necessary to meet customer requirements and control product, quality and business risks. Changes may come from an internal, customer or regulatory sources. Get all requests for product or manufacturing process design changes in writing from your customer. Impact of the change must be evaluated on materials used, design process, manufacturing process, characteristics and use of the developed product, regulatory compliance, cost, etc. While planning for change the organization must follow all the requirements as given in clause 6.3 planning for change and must also determine all risk and opportunities as given in clause 6.1. Documented information on design and development changes, the result of the review, the authorization of changes and action taken to prevent adverse impact must be maintained.
8.4 Control of Externally Provided Products and Services
The organization must ensure that externally provided processes, products, and services conform to specified requirements. The organization must apply the specified requirements for control of externally provided products and services when products and services are provided by external providers for incorporation into the organization’s own products and services; products and services are provided directly to the customer by external providers on behalf of the organization; a process or part of a process is provided by an external provider as a result of a decision by the organization to outsource a process or function. The organization must determine and apply criteria for evaluation, selection, monitoring of performance, and re-evaluation of external providers based on their ability to provide processes or products and services in accordance with specified requirements. The organization must retain appropriate documented information of the above-mentioned activities and any necessary action arising out of the evaluation.
8.4.2 Type and Extent of Control
The organization should ensure that externally provided processes, products, and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers. The organization should ensure that externally provided processes remain within the control of its quality management system. It should define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output. In determining type and extent of controls to be applied to the external provision of processes, products, and services, the organization must consider the potential impact of the externally provided processes, products, and services on the organization’s ability to consistently meet customer and applicable legal requirements and effectiveness of the controls applied by the external provider. The organization must establish and implement verification or other activities necessary to ensure the externally provided processes, products, and services meet the requirements.
8.4.3 Information on External Providers
The organization must ensure the adequacy of specified requirements prior to their communication to external providers. The organization should communicate to external providers applicable requirements for the following:
- products and services to be provided or the processes to be performed on behalf of the organization;
- approval or release of products and services, methods, processes or equipment;
- competence of personnel, including necessary qualification;
- their interactions with the organization’s quality management system;
- control and monitoring of the external provider’s performance to be applied by the organization;
- verification activities that the organization, or its customer, intends to perform at the external provider’s premises.
Externally provided processes, products and services include
- purchasing from a supplier
- an arrangement with an associate company
- outsourcing processes to an external provider.
The controls required for external provision can vary widely depending on the nature of the processes, products, and services. The organization can apply risk-based thinking to determine the type and extent of controls appropriate to particular external providers and externally provided processes, products, and services;
Clause 8.4 covers the requirements to control purchased product including your outsourced process, control suppliers you buy from, and requirements to control your buying process. The purchased product includes raw materials, components, subassemblies, supplies, tooling, machinery and equipment, sequencing, sorting, rework, testing, calibration, maintenance, etc. Note that clause 8.4 requirements apply to items that go into the product, manufacture the product, check the product or deliver the product; whether paid for or customer provided. These may include materials, production equipment, tooling, measuring and test equipment, facilities, transport vehicles, returnable packaging, intellectual property (drawings, specifications or proprietary information), product returned for servicing under warranty, product sent for outsourced work, etc. You must have specifications/criteria for the purchased product. These specifications may come from your organization, customer, regulatory bodies, supplier or industry. As documents, these specifications must be controlled as per clause 7.5.3. Many times the customer may require the use of pre-approved purchased products and suppliers. The onus is still on you to ensure that purchased product from customer-designated sources meets all requirements. You must control both, the product you buy, as well as the supplier you buy from. Your controls must primarily be based on prevention of nonconformities in both product and supplier performance. Determine how important the purchased product is to design, manufacture, assemble and maintain your end product. Factors such as targets for product quality, life, reliability, durability, maintainability, and cost must be applied to the purchased product going into your end product. Categorize your purchased products and services accordingly. Then determine what controls you need to ensure consistent purchased product quality and consistent supplier performance. You can then apply different controls for different purchased products. There are several ways to evaluate your suppliers. Besides product quality, your criteria for supplier selection and evaluation may include the potential supplier’s financial capability, technical and manufacturing capability, and capacity, reliability, reputation, flexibility to handle changes, support, service, cost, etc. The importance of these criteria will vary according to the items materials or services you purchase, and so you can apply different criteria to different suppliers. You can categorize your suppliers accordingly based on these criteria. It might be useful to maintain a list of all qualified suppliers. In addition to the initial evaluation and approval of suppliers, you are required to carry out ongoing monitoring and measurement of their performance. Use supplier monitoring indicators to evaluate the consistency, capability, and reliability of their performance for quality, delivery, support, etc. On-time delivery is very important and disruptions (due to waiting for materials) at your customers or even your own facility must be avoided. Depending on the risks related to materials supplied and supplier performance, you might consider requiring some of your key suppliers to comply with some or all of ISO 9001 requirements and perhaps even certification. You must identify your purchasing processes whether on-site or off-site. For each process, you must document the controls for purchased product and suppliers. You must also show the linkage and interaction of purchasing processes with other processes such as design, manufacturing, tooling maintenance, calibration. Where any of your controlled suppliers have gone through a significant organizational change you must verify the continuity and effectiveness of their QMS. You must keep records of all supplier evaluations (whether initial or periodic), including any corrective actions placed on them for any nonconformities. You must identify and document all processes addressing this clause as part of your QMS. For these processes, you must also identify what specific documents, controls, and resources are needed.You could use a documented procedure or other combination of specific practices, procedures, documents, and methods. Look at the risks related to your product, processes, and resources in determining the extent of documented controls you need to have. Performance indicators to measure the effectiveness of purchasing processes in meeting requirements and achieving quality objectives should focus on measuring supplier performance and reducing variation in and improving purchasing processes and related use of resources. Indicators for supplier performance may include reduction of defects in supplied product, scrap, waste and rework, improvement in on-time delivery, service, cost, etc. Indicators for the purchasing process may include a reduction in supplier- quote review cycle time, contract award cycle time, purchase order-entry errors and omissions, receiving errors & omissions, etc.
As indicated earlier, you can apply different controls for different suppliers and products depending on your initial supplier evaluation and their ongoing product quality and delivery performance. In any case, these controls must be included or referenced in your quality or inspection plans. To the extent that you decide to do verification of purchased product, you also have flexibility in when you do the verification. You can do it on receipt or at any time prior to use in production. Make sure you appropriately control un-inspected product. This may include identification and storage to prevent unintended use. Consider using supplier quality plans, inspection plans, etc., to verify that purchased product meets specified purchase (product and QMS) requirements. Verification of purchased product can range from doing no verification to 100% verification. You have flexibility in determining the scope of purchased product verification. Your inspection process must define and document the acceptance criteria and sampling plan for product conformity and what measurement tools needed and records needed to show effective control of purchased product quality and supplier performance.
Your purchase documents such as purchase order, contract, blanket order, your organization’s supplier quality manual, etc. must specify your requirements for the purchased product; the suppliers QMS and any other initial or on-going controls you deem necessary for ensuring consistent supplier performance. You must define how you ensure the adequacy of these documents before you communicate them to your supplier. A review of the adequacy of purchasing documents may include their completeness, accuracy, correctness, quantity, timing, cost, approval, etc., by one or more functions; computerized controls, etc. In larger organizations, this may be a separate process on-site or off-site. In either case, it must be identified and controlled. While clause 8.4.3 does not specify keeping of records, you must show evidence of carrying out (issue purchase documents) and review of these documents
An outsourced process is any value-adding or conversion activity related to your product or service, that is performed by an external organization such as a subcontractor, sister facility, etc. Note that the external organization may perform the outsourced activity at their facility or yours. A manufacturing company may outsource welding, heat treatment or painting of product. A software company may outsource software development. A bank may outsource check clearing services. You must be able to demonstrate sufficient controls over outsourced processes to ensure that such processes are performed according to the relevant requirements of ISO 9001:2008. The nature and scope of such control will depend on the nature of the outsourced or subcontracted process and the risk involved. Outsourced processes may be controlled in any number of ways, e.g., providing the vendor with product specifications; your supplier quality manual that they must meet; asking for inspection and test results or certificates of compliance; validation of outsourced process; conducting product and QMS audits of your vendor; etc. The expectation here is that you flow down to your vendor, the relevant ISO 9001 requirements that you would have to implement, had you performed the process at your own facility.
CLAUSE 8.5 Production and Service Provision
8.5.1 Control of Production and Service
The organization should implement production and service provision under controlled conditions. Include these controlled conditions, as applicable:
- availability of documented information that defines characteristics of products and services.
- availability of documented information that defines activities to be performed and results to be achieved.
- availability and use of suitable monitoring and measuring resources
- implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes and process outputs, and acceptance criteria for products and services, have been met.
- use and control of suitable infrastructure and process environment for the operation of the process.
- appointment of a competent person and, where applicable, required qualification of persons;
- validation, and periodic revalidation, of ability to achieve planned results of any process for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement.
- implementation of products and services release, delivery, and post-delivery activities.
This clause provides a list of control requirements that you may use, if applicable to your business. Identify and control all operation process. Show the interaction of these processes with other processes. Use your product, project or contract quality plan to control your operational activities. Schedule your operations taking into consideration customer delivery requirements, production capacity and capability, material availability and usage, personnel availability and usage; storage; etc. Carefully define and document the interaction of your operation scheduling process with your logistics processes such as inventory management, customer communication, traffic and shipping control, packaging and labelling, sales and billing. Use quality plans to control your operation processes. Quality plans address what has to be made, how much has to be made, when it has to be made, by whom, in what sequence, how it has to be made, what equipment to use, what measurement and monitoring tools to use, what to inspect, when to inspect, how much to inspect, what to do if problems arise, etc. Your quality plan must cover all operation process steps from receipt of materials, production, packaging, storage, delivery and even post-delivery activities such as installation or training. Your quality plans are dynamic and must be updated for the changes in product specifications or process parameters; resources used; monitoring or measurement requirements, etc. Your quality plans should reference any work instructions specified for the process steps. Work instructions may be viewed as a subset of your quality plan and may relate to a specific task or activity of your overall product realization process for e.g. setting up a machine, performing an inspection, packaging a product, If you determine that work instructions are needed at specific points in your process, then they must be readily available and relevant i.e. current or right version. Note that work instructions may exist in may form such as narrative, graphical, audio, video, physical display, etc. To improve your QMS, it will be very useful to draw a flow chart to link the flow and interaction of the activities and sub-processes covered by these clauses, e.g. many organizations overlook reviewing and updating their quality plans for corrective action taken to address a manufacturing process problem. Operational personnel must have timely access to all information relevant to their activities including specific work instructions if necessary. There may be a serious risk to production flow if such information is unavailable or untimely. You must identify and document all processes addressing this clause as part of your QMS For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production activities. These documents may include – a product quality plan; work instructions; documented procedure; etc., combined with unwritten practices, procedures and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Performance indicators to measure the effectiveness of operational processes in meeting requirements and achieving quality objectives should focus on reducing variation in and improving production processes and related use of resources.
Validation is usually required where the product cannot be verified without damaging or destroying the product, e.g. some types of welding, heat treatment, painting, electroplating, rust-proofing, etc. In such instances, the quality of these activities may only be discovered after use. This would generally not be accepted due to safety (e.g. weld) or aesthetic (evidence of rust or dullness of chrome) reasons. In the case of a service such as pizza delivery within 30 minutes of order placement, if the timeliness of delivery is not verifiable, then validation would be required. However, most service-oriented businesses (e.g. delivery; call centre) have some form of monitoring during service execution to ensure service quality. Validation involves conducting capability studies using a combination of resources technology, equipment, materials, environment, competent personnel, and production and testing methods that consistently result in a quality product or service. Validation may also require customer or regulatory approval of the process. You must keep appropriate records of process validation showing both the achievement of planned results as well as the ongoing maintenance of such capability. If you change any part of the proven process capability for e.g. materials, equipment or personnel, etc., you must revalidate i.e re-prove the changed process. It is up to each organization to determine what combination of resources and methods will provide the required consistent process capability and quality of product or service. Include as appropriate, these validation controls in your quality plans.
Product-related indicators may include a reduction in defect rates, PPM’s (defective parts per million), scrap rates, waste and rework; improvement in on-time delivery. Production process-related indicators may include a reduction in set-up time, run rates, process cycle time, production scheduling and operator errors and omissions, etc.
8.5.2 Identification and Traceability
The organization should use suitable means to identify “process outputs” where necessary to ensure conformity of products and services. The organization should identify the status of “process outputs” with respect to monitoring and measurement requirements throughout production and service provision. The organization should control the unique identification of “process outputs” where traceability is a requirement. It should retain any documented information necessary to maintain traceability. “Process outputs” are results of any activities which are ready for delivery to the customer or to an internal customer (e.g., the receiver of inputs to next process). “Process outputs” can include products, services, intermediate parts, components, etc.
There are three distinct control requirements specified here.
- Product identification: It means knowing the identity of yours or customer supplied product from incoming receipt of materials, raw material storage, use in production, work in progress, finished product storage, and delivery of the product to the customer. Product identification can be controlled using physical and electronic methods.
- Product status: It means knowing the quality status (good or bad) of materials and product through each of the above stages. Product status can be controlled using physical and electronic methods.
- Unique Product Identification: It is not a mandatory requirement under ISO 9001 unless contractually required by customers or regulatory bodies. In certain industry sectors such as the automotive or aerospace or pharmaceutical industry, unique product identification is mandatory for safety, regulatory and risk management reasons. This usually involves keeping detailed records of product manufacturer such as material, equipment, personnel, processes, production, inspection and test details, etc., for individual products or production batches. These records help to trouble-shoot product and process problems, resolve customer complaints, and enables continual improvement of product and process. In many instances, it also reduces cost, risk, and use of resources by narrowing the problem down to a specific cause or instance. Depending on the product, the OEM may specify the degree of unique identification and traceability required.
While this clause does not call for a specific documented information, these controls may be included in your Operation processes through your product quality plans, work instructions and other specific documentation. Examples of product identification and test status include physical tags, bar code labels linked to computer records; MRP systems tracking specific production runs/lots, automated production transfer processes, etc. Performance indicators to measure the effectiveness of processes that control identification and traceability may include reduction in identification errors and omissions; product quality status errors and omissions; and traceability errors and omissions.
8.5.3 Property Belonging to Customers or External Providers
The organization should exercise care with property belonging to customers or external providers while under the organization’s control or being used by the organization. The organization should identify, verify, protect, and safeguard the customer’s or external provider’s property provided for use or incorporation into products and services. It should report to the customer or external provider when their property is incorrectly used, lost, damaged, or otherwise found to be unsuitable for use. Customer property can include material, components, tools and equipment, customer premises, intellectual property, and personal data.
Customer or External provider property may include material, production equipment, tooling, measuring and test equipment, facilities, transport vehicles, returnable packaging, intellectual property such as drawings, specifications or proprietary information, product returned for servicing under warranty, product sent for outsourced work, etc.
All customer property is exposed to the risk of being damaged, lost, misused, misplaced, stolen, become unsuitable or obsolete for use. You must establish controls for each of these risks. Notify the customer/ External provider in writing if their property is lost, damaged or otherwise found to be unsuitable such as perishable past its shelf life for use. Control to minimize the risks to customer/External provider property include inventory management, preservation, and storage, identification, status and traceability indicators, maintenance, notification, traffic flow, authorized use, restricted access, etc. Marking customer/External provider property with a unique identification number that can be traced to a record that provides details of ownership is one of many acceptable controls. While this clause does not call for specific documented information, these controls may be included in your product realization processes through your product quality plans, work instructions, and other specific documentation. Many of the controls needed for clause 8.5.2 Identification and traceability and clause 8.5.4 Preservation apply to customer property. The processes, controls, and documentation for these other clauses could be expanded to include customer property. Performance indicators to measure the effectiveness of processes that control customer property may include a reduction in identification errors and omissions, loss due to damage or unsuitability, scrap, rejects, etc., as well as increased customer property turnover rates.
The organization should ensure the preservation of “process outputs” during production and service provision, to the extent necessary to maintain conformity to requirements. Preservation can include identification, handling, packaging, storage, transmission or transportation, and protection.
All raw materials, work in progress, finished product, supplies, customer provided materials or product, product sent for outsourced work, etc., are subject to the risk of being damaged, lost, misused, misplaced, stolen, become unsuitable, perishable or obsolete i.e. past shelf life for use. This could occur during receipt, handling, storage, use in production, and transportation to the customer, etc. These could be controlled using identification, status and traceability indicators, inventory cycle counts and condition evaluation, stock rotation methods such as FIFO, just in time, tracking shelf life, special, controls for restricted access, handling and storage of hazardous materials, climate and environment, maintenance procedures, bar codes, training, use of special equipment for handling, condition reports, etc. These controls may be included in your product realization processes through your product quality plans, work instructions and other specific documentation. Many of the controls needed for clause 7.5.3 Identification and traceability apply to the preservation of the product.
Performance indicators to measure the effectiveness of processes that control preservation of product may include a reduction in obsolete and spoils materials an product (e.g., fresh produce, fruits, or frozen foods), identification errors and omissions, rejects, waste, scrap, etc., and increase in inventory turnover and material/product availability, and product safety.
8.5.5 Post-Delivery Activities
The organization should meet requirements, as applicable, for post-delivery activities associated with products and services. In determining the extent of post-delivery activities that are required the organization should consider risks associated with products and services; Customer feedback; legal requirements; nature, use, and intended lifetime of products and services; Post-delivery activities can include actions under warranty provisions, contractual obligations (such as maintenance services) and supplementary services (such as recycling or final disposal)
Post Delivery activities mean based on customer agreement or other agreement, the organization may be responsible for providing support for their product or services after delivery. This could include technical support, routine maintenance or total recall, recycling, reusable packaging, returnable containers, etc. The extent of post-delivery activity will depend on:
- Statutory and regulatory requirements: If statutory or regulatory requirements dictate post-delivery activities or warranties, they must be addressed
- the potential undesired consequences associated with its products and services: The organization must consider potential consequences, and how they intend to respond, the scope of their reaction plan, etc
- nature, use and an intended lifetime of its products and services: This is very commonly stated in the organization’s return policy or statement of liability. Some organizations clearly state that there are no warranties (or post-delivery activities) offered, expressed or implied. If this is the case (and in the absence of any other requirements in this list), this section can be addressed simply by acknowledging that there are no post-delivery activities.
- customer requirements: If the customer requires post-delivery, support, warranty, protection through delivery and receipt, etc, the post-delivery activities should be clearly described.
- Customer feedback: Customer feedback should be considered when determining the scope of post-delivery activities. This also implies that the scope of those post-delivery activities may change over time in response to customer feedback.
8.5.6 Control of Changes
The organization should review and control changes for production or service provision to the extent necessary to ensure continuing conformity with requirements. The organization should retain documented information describing the results of the review of changes, personnel authorizing the change, and any necessary actions arising from the review.
The organization is required to review and control changes for all of the previously discussed “production and service provision” topics including 8.5.1 Control of production and service provision (all of the controls established in the first place), 8.5.2 Identification and traceability, 8.5.3 Property belonging to customers or external providers, 8.5.4 Preservation and 8.5.5 Post-delivery activities. So, just as the QMS must have defined each of these items, any changes to them must be controlled. Changes which are not clearly communicated create confusion. Changes which have not been adequately reviewed and vetted may be implemented and result in an undesired outcome. Changes, in general, create instability and a robust change management process is critical to ensure changes are fully reviewed, approved, communicated, understood and validated when they are implemented. Records describing results of the review of changes, personnel authorizing the change, and any necessary actions arising from the review have to be maintained.
8.6 Release of Products and Services
The organization should implement planned arrangements at appropriate stages to verify product and service requirements have been met. Retain evidence of conformity with acceptance criteria. The release products and services to the customer should not proceed until the planned arrangements for verification of conformity have been satisfactorily completed unless otherwise approved by a relevant authority and, as applicable, by customer. The organization should retain documented information for traceability to the person(s) authorizing the release of products and services for delivery to the customer. The organization should also retain documented information for evidence of conformity with the acceptance criteria.
You must identify, monitor and measure product/service characteristics to verify conformity to requirements. Product characteristics may be dimensional, functional, performance, reliability, durability, maintainability, life, cost, etc. Requirements may come from your customer, your own organization, regulatory and industry sources. You must plan what characteristic(s) to measure, type of measurements, what measurement device to use, how often to measure, sample size, acceptance criteria, and records needed for each product or product type. Use your quality plan to document these controls. Your product, project or contract quality plan must define the stages at which various monitoring and measurement will be carried out at incoming receipt of materials from suppliers or outsourced work, storage, internal production processes, finished product, packaging, at time of shipping, and post-installation. Monitoring and measurement may be done by your personnel, subcontracted or outsourced labour or by the customer. You must ensure that all personnel performing monitoring and measurement are trained and competent.
If you plan on releasing during any stage of production or shipping finished product, where all planned inspections and measurements to that stage have not been completed, ensure that you obtain prior written approval/waiver from a relevant internal authority or the customer. Where practical, consider completing all missed planned inspections and measurements before product delivery. You must identify and document all product realization processes that may address this clause, as part of your QMS, e.g. receiving, production, shipping, etc. For such processes, you must also identify what specific documents are needed for effective planning, operation and control.
You could use a product quality plan, any documented information or other combination of specific practices, procedures and methods. Look at the risks related to your product, processes and resources in determining the extent of documented controls you need to have. Performance indicators to measure product conformity may include reduction in defect rates, PPM’s (defective parts per million), scrap rates, waste, rework, improvement in on-time delivery, product returns from the customer, etc. Performance indicators to measure the effectiveness of product realization processes in achieving product conformity include productivity, reduction of cycle time, errors, omissions and failures, etc.
8.7 Control of Nonconforming Process Outputs, Products, and Service
The organization should ensure process outputs, products, and services that do not conform to requirements are identified and controlled to prevent unintended use or delivery. The organization should take appropriate action based on the nature of nonconformity and its impact on the conformity of products and services. This is applicable also to nonconforming products and services detected after delivery of products during or after the provision of service. The organization should deal with nonconforming outputs in one or more of these ways:
- segregation, containment, return, or suspension of the provision of products and services;
- informing the customer;
- obtaining authorization for acceptance under concession.
The organization should verify conformity to requirements when nonconforming process outputs, products, and services are corrected.
The organization should retain documented information that describes the nonconformity, action taken, concessions obtained, identifies the person or authority that made the decision regarding dealing with nonconformity.
ISO 9001:2015-Clause 8.7 applies to processes, products and services that do not conform to customer requirements, applicable regulatory requirements or your own organization requirements. Nonconformities may relate to suppliers and outsourced work, your own organizational activities or product shipped to customers. Your organization must have controls and responsibilities to identify, contain i.e. prevent further processing or use, keep records of the nature and other details of the nonconformity, notify appropriate personnel and customer, where appropriate, evaluate what disposition action needs to be taken, carry out timely disposition, determine policies for release for further processing or shipment to the customer, obtain customer concessions, rework and re-verification, establish performance indicators to measure the effectiveness of the control of nonconformance process, etc.
Product or material found with no identification or its quality status is not known, should be treated as a nonconforming product and controlled as mentioned above. If you find that nonconforming product has been shipped, without a customer concession, you must take appropriate action to reduce the immediate and consequential effect of the nonconformity. Depending upon the seriousness and scope of the nonconformity, you might consider taking action to eliminate the nonconformity as well as a corrective action to eliminate the root causes of the nonconformity. It might be appropriate in specific circumstances to notify the customer and resolve the situation to your customer’s satisfaction. A similar rationale may be applied where the product has been shipped that does not meet regulatory requirements. Depending upon the seriousness and scope of the nonconformity, you might consider taking action to eliminate the nonconformity as well as a corrective action to eliminate the root causes of the nonconformity. You need to be aware of any reporting requirements imposed by regulatory bodies and comply with them.
A concession authorization allows you to ship nonconforming product, under controlled conditions. A deviation authorization allows you to manufacture product different from the original specification, under controlled conditions. In both these situations, make sure that you obtain these authorizations in writing prior to shipping or manufacturing the nonconforming product. All product realization processes must show the interaction with your process for nonconforming product. Performance indicators to measure the effectiveness of control of nonconforming product may include reduction in cycle time to evaluate and dispose of nonconforming product, reduced errors in preventing unintended use or delivery, improved alternate use of the nonconforming product and cost recovery, etc.