- Environmental Services (ISO 14001:2015 Certification)
- OpEx Process Improvements
- Quality Systems (ISO 9001:2015 Certification)
- Support Services
- Case studies
- Get in touch
Clause 8.1 operational planning and control.
ISO 9001:2015 requires organisations to plan, implement and control their processes as required for the provision of products and services, and to implement the actions determined in planning activities. (See Planning articles 6.1, 6.2 and 6.3)
To achieve this, organisations must first determine the requirements for the products and services to be provided and establish criteria for both the processes, and the acceptance of the products and services.
In addition, organisations must:
- Establish the resources required to achieve conformity to the product and service requirements,
- Control the processes in accordance with the established criteria,
- Determine, maintain, and retain documented information appropriately, in order to have confidence that the processes have been executed as planned and to demonstrate the conformity of products and services to identified requirements.
The output of this planning must be appropriate to the organisations specific operations and any changes must be planned and controlled. In addition, reviews must be conducted into the consequences of unintended changes, including the taking of any necessary action to mitigate any adverse consequences.
Note: Outsourced processes must also be controlled. (See article 8.4.1, 8.4.2 and 8.4.3)
Section 8.0 of ISO 9001:2015 is primarily concerned with the operational "Do" part of the Plan, Do, Check, Act cycle.
To summarise clause 8.1, organisations must:
Establish their product and service requirements, and then look at the relevant processes to determine how they will be controlled and measured. IE: Specifications, tolerances, targets, values, Key Performance Indicators. In addition, resources necessary to ensure conformity to product / service requirements need to be established.
Consideration should be given to all processes (direct and indirect,) required to deliver products and services that meet customer requirements. At an operational level, the automotive industry (and increasingly, other sectors also) has pushed product and operational planning with its suppliers for many years through the Advanced Product Quality Planning process (APQP) and other similar methodologies. The output of the APQP process includes requirements for a risk identification and mitigation step (Failure Mode Effects Analysis) for both products and processes which feeds into the process planning stage (Process Flow Diagrams) and monitoring and control methods (Control Plans.) Such tools are outside the scope of these articles, but there are many sources available which explain these methodologies in depth if they are appropriate to your organisations (or your customers) specific requirements.
Auditors may seek to verify that organisations have planned their processes – certainly for any processes recently introduced. IE documented evidence that inputs and outputs, process controls and criteria have been established. That process monitors and performance indicators have been identified and that appropriate resources have been included in the planning process.
As the identification and mitigation of risk now permeates the standard, organisations should also expect also to be asked to demonstrate how their process planning has identified and addressed risk.
This article is the property of David Barker Consulting © and is free for you to use. If you wish to reproduce elsewhere, please be so kind as to ask permission first and credit me as your source. If you need any further assistance, feel free to use my contacts page to get in touch and let me know how I can help!
David Barker CQP MCQI
Arrange an obligation-free consultation.
Invalid email address
Mango can be used to control and maintain all aspects of an organisation's QHSE compliance requirements. So whatever your needs - be they Health & Safety, Quality, Environmental Management, Food Safety - or all four - Mango is the answer.
- Quality Management - ISO 9001
- Health & Safety - ISO 45001
- Environmental - ISO 14001
- Integrated QHSE
- Food Safety - ISO 22000
- Information Security - ISO 27001
- Business Continuity - ISO 22301
- Accidents & Incidents
- Audits & Inspections
- Document Management
- Environmental Management
- Event Management
- Food Safety/Incident
- Human Resources
- Management of Change
- Plant & Equipment
- Risk Management
- Security Incident
Broaden your QHSE knowledge with resources for all skill levels. Whether you need the latest advanced tactics, a refresher on the basics, or to start from scratch, this is your home for QHSE knowledge.
- Quality Management
- Health and Safety
- Food Safety
- Information Security
Watch and listen to some Mango clients. They are just like you. Wrestling with QHSE compliance. They tell stories of before and after using Mango. They tell it like it is.
- Agriculture and fishing
- Health Care
- Transport And Logistics
Clause 8.1 of ISO 9001: Operational Planning and Control
So far in this blog series I’ve mostly talked about very high-level processes. They’re what’s covered in clauses 4, 5, 6, and 7, and are the “Plan” part of the Plan-Do-Check-Act (PDCA) cycle . It’s the big picture stuff, the laying of critical foundations.
But of course, in every certification process there comes a point at which you have to deal with the detail – the “Do” part of the PDCA cycle. Capturing exactly how your company controls the internal processes that it uses to provide products and/or services to customers is key to running a successful Quality Health and Safety and Environmental System (QHSE).
So, in clause 4.4 you determined what your Quality Management System will look like. Now, for clause 8.1, you’ll be getting specific and adding lots of detail.
1. Decide What You Want to Capture
In other words, what criteria are you going to use for determining the processes. There aren’t any particular criteria listed in ISO 9001 for you to adopt, but some criteria that are commonly used are appearance, dimensions, completeness, performance or customer satisfaction. Depending on the needs of your particular business there may be more.
Whichever criteria you choose, there are two important things to consider when making your decision...
- Remember to keep the customer firmly at the forefront of your mind. Everything you record, measure and analyse should be for the betterment of the customer in the long run, and the criteria you choose are critical to this.
- The more information about processes that you capture, the better and more robust your system will ultimately be. Make sure that the criteria that you choose allow you to capture enough information to be useful.
2. Look at Resources
Once you’ve decided on criteria, the next step is to look at the resources that are required and spell that out. Who does what? What equipment do they use? What training is required? And so on.
3. Decide what kind documented information you need
Finally, look at what kind of documented information you will need to confidently show that the processes have occurred and that also prove conformity of the product or service to your requirements. Again, you decide this, as well as the amount of documentation that’s required. Don’t go overboard with this though. A tsunami of documentation will be counterproductive.
It’s at this point of the certification process that many companies come unstuck. A common mistake is that companies capture what they wish they were doing, not what they actually do. Many end up documenting what the process would look like in a perfect world, as opposed to what actually happens in reality.
How your company actually does things is what clause 8.1 is all about. If you’re honest about documenting the processes as they really are, you have done your team and your customers a great service. Big gains can be made when you are dealing with facts, and not fantasy. Be honest and rigorous about recording the reality of your processes.
Documented Information at Mango
Here at Mango, the team fleshed out the processes listed in clause 4.4. We debated each process and looked at the criteria and resources for each. As an example, let’s talk about marketing processes.
One of the goals for our marketing team is to successfully deliver leads to the sales team, so the first thing we did was to identify the processes that are used to deliver leads and the resources needed to do this.
One marketing process we use to generate leads is to run monthly webinars. We debated the criteria around running those webinars, and nailed down what actually happens each month regarding the webinar process:
- Appearance : Marketing webinars are run by Chief Marketing Officer. The webinars focus on QHSE and feature a guest with specialist knowledge.
- Dimensions : Once a month for 60 minutes, using a product called “ Go-to-webinar ”. Promotion of the webinar is using our email, blog and newsletter. A registration email is sent one week before broadcast, with a follow-up reminder email 1 days before broadcast. Distribution of webinar recording is via email and the blog the next day after broadcast.
- Completeness : Webinar completed within the first week of every month.
- Number of registrations.
- Feedback received via email/LinkedIn/comments.
- Number of leads generated for the sales team by each webinar.
- Resources: Go-to-webinar subscription, Chief Marketing Officer, Marketing Assistant, expert guest.
- Documentation: blog, email, leads.
By documenting the process and the criteria we formalised what we’d been doing. We gained clarity as well as creating a starting point for making improvements.
Here is a list of takeaways that will help you meet the 8.1 clauses:
- Take the high-level processes identified in clause 4.4 and flesh them out with your teams.
- Determine the criteria for what success looks like for each process.
- Determine the resources required for each process.
- We recommend documenting these processes so that the employees are clear in what the processes are.
View previous blogs in this series "How to Implement a QMS and Achieve ISO 9001 Certification":
How to Implement a QMS and Achieve ISO 9001 Certification - Part 1: Introduction
How to Implement a QMS and Achieve ISO 9001 Certification - Part 2: Customer Focus
How to Implement a QMS and Achieve ISO 9001 Certification - Part 3: Leadership
How to Implement a QMS and Achieve ISO 9001 Certification - Part 4: Engagement of People
How to Implement a QMS and Achieve ISO 9001 Certification - Part 5: Process Approach
How to Implement a QMS and Achieve ISO 9001 Certification - Part 6: Improvement
How to Impleme nt a QMS and Achieve ISO 9001 Certification - Part 7: Evidence Based Decision Maki ng
How to Implement a QMS and Achieve ISO 9001 Certification - Part 8: Relationship Management
How to Implement a QMS and Achieve ISO 9001 Certification - Part 9: Clauses 0.1, 0.2, 0.3, 1, 2 and 3 of ISO 9001:2015
How to Implement a QMS and Achieve ISO 9001 Certification - Part 10: Clauses 4.1, 4.2, 4.3 and 4.4 – Context, Interested Parties, Scope, QMS
How to Implement a QMS and Achieve ISO 9001 Certification - Part 11: Clauses 5.1 Leadership and Commitment
How to Implement a QMS and Achieve ISO 9001 Certification - Part 12: Clause 5.2 Policy
How to Implement a QMS and Achieve ISO 9001 Certification - Part 13: Clause 5.3 Roles, Responsibilities and Authorities
How to Implement a QMS and Achieve ISO 9001 Certification - Part 14: Clause 6.1 Actions to Address Risks and opportunities
How to Implement a QMS and Achieve ISO 9001 Certification - Part 15: Clause 6.2 Objectives
How to Implement a QMS and Achieve ISO 9001 Certification - Part 16: Clause 7.1 Resources
How to Implement a QMS and Achieve ISO 9001 Certification - Part 17: Clause 7.2 and 7.3 - Competence and Awareness
How to Implement a QMS and Achieve ISO 9001 Certification - Part 18: Clauses 7.5 - Documented Information
Tags: Quality Management , ISO 9001 , ISO 9001 certification , ISO 9001 accreditation
Subscribe to Email Updates
Posts by tag.
- Compliance (50)
- ISO 27001 Certification (46)
- information security (45)
- ISO 27001 (43)
- Quality Management (43)
- ISO 9001 certification (34)
- ISO 9001 (33)
- Health & Safety (31)
- Cybersecurity (30)
- ISO 9001 accreditation (28)
- Integrated QHSE (25)
- Compliance Management (20)
- 26 Ideas for Working from Home (18)
- QHSE Management (18)
- videos (15)
- Internal Audit (13)
- Workplace Health and Safety (11)
- Hazardous Substances (9)
- ISO Certification (8)
- 10 Compliance Things After Lockdown (7)
- Integrated Management System (7)
- Certification Body (6)
- External Audit (6)
- Management System (6)
- Training (6)
- Audits & Inspections (5)
- Food Safety (5)
- Risk Management (5)
- process approach (5)
- Continuous improvement (4)
- ISO 45001 (4)
- QHSE Compliance System (4)
- ISO 14001 (3)
- Management Review (3)
- Safety Management (3)
- Cloud Computing (2)
- Environmental (2)
- Food Act 2014 (2)
- Key Performance Indicators (2)
- non-conformances (2)
- Accidents & Incidents (1)
- Competency Records (1)
- Construction Safety (1)
- Cost-Benefit Analysis (1)
- Security Policy
Your one-stop shop for all your ATOL and Industry News
What is Clause 8 Operation in ISO 9001:2015?
Strap yourself in as we take a deep dive into Clause 8 Operation and how to meet the requirements for your ISO 9001 :2015 management system.
In this article, Auditor Training Online's director and triple certified real-world auditor, Jackie Stapleton sits down and explains the importance of Clause 8 to your ISO 9001 :2015 Management Systems .
No more guessing or confusion!
What is Clause 8 Operation talking about in ISO 9001 in general? This article is more about the broad intent or context of Clause 8 in an ISO 9001L2015 management system.
Clause 8 refers to Operation, so when I see this, it helps me to understand that “Right – now we’re at the stage of implementing stuff”. We’ve done all the planning, set some objectives, understand what resources we need, now let’s do it!
Clause 8 in ISO 9001 has a lot of content broken down into 7 subclauses with even more break down under that. I’m going to briefly explain the intent of each of these subclauses, I’m not going to get into the detail of the how and what it looks like for each. If you need this detail keep an eye out for the specific content and articles for each of these subclauses where I go into specifics.
Ok, let’s get moving through these subclauses then.
First up we have clause 8.1 Operational planning and control , and as it states it is all about planning and control at an operational level. This clause wants you to plan, implement and control the processes needed to manage the risks and opportunities as a result of what you discovered in clause 4 Context and clause 6 Planning . Now it’s time to plan how you will implement these actions and really get down to the product and service level of the business and system.
This then leads into clause 8.2 Requirements for products and services . Now you can establish your processes for how and what you will communicate to and from your customers, really define the requirements for your products and services so that you can clearly communicate to your customers what you can provide and ensure that what you say you can provide actually meets what the customer has requested.
If you are responsible for the design and development of your product or service, then clause 8.3 Design and development of products and services will be relevant to your business. For example, here at Auditor Training Online, we design and develop our own course content – we don’t buy it off-the-shelf, so we would need to conform to this clause. Some businesses may find that this clause is not applicable to what they do and therefore can state this as part of their scope. Clause 8.3 then walks you through the requirements of planning, inputs, controls, outputs, and management of change – the complete cycle of design and development.
Clause 8.4 Control of externally provided processes, products, and services is very detailed in its requirements for the control of any processes, products, and services that are being delivered by external parties – so anything that you outsource or have contractors provide. This clause talks about the criteria you need to determine when selecting and evaluating external providers, the type and extent of control needed as well as the information to provide to these external providers. I love this clause and if you do have an integrated management system, you would benefit from applying these requirements across all systems.
Ok, moving right along to clause 8.5 Production and service provision . Now, I know I’ve said that all of clause 8 is about implementation but this clause is REALLY about implementation. You can see it in the language that is used. They say things like:
> The implementation of monitoring and measurement activities
> The use of suitable infrastructure
> The appointment of competent persons
And so on … this is all stated in the first section of 8.5.1, then this is broken down into 5 more subclauses – I told you there was a LOT of content here! You may also find that some of these subclauses may not be applicable to what your activities, products, and services are. These do tend to be very product-focused.
These 5 subclauses are:
> 8.5.2 Identification and traceability – so when traceability is a requirement it’s important to note unique identification of any outputs of your product, service, or activities. For us here at ATOL this would be student id numbers as well as certificate numbers.
> Then clause 8.5.3 Property belonging to customers or external providers is all about if you do collect customer property to conduct your work, then this needs to be looked after – not lost or damaged. While in your care it is to be maintained, which might mean ensuring it is stored correctly and even safely to prevent access from unauthorised users.
> This is then followed by clause 8.5.4 Preservation – preservation during production and service provision can mean anything to do with identification (which is already in clause 8.5.2), handling, contamination control, packaging, storage, transportation and general protection.
> Clause 8.5.5 Post-delivery activities is what you need to consider once you have delivered or finalised your product – it is now handed over into your customers' possession. Is there anything that you also need to consider for post-delivery? This could be training, legal requirements, or storage and handling requirements of the product. Is there anything you need to pass on to the customer to ensure this is managed and controlled?
> Then finally clause 8.5.6 Control of changes – this pretty much means that if any of the above changes, does your product still conform with requirements? Do you have to go back to the beginning again to ensure identification, preservation, and post-delivery activities are maintained?
Then we can move on to clause 8.6 Release of products and services . There does need to be a process in place to authorise the release of a finished product or service. This should be documented with evidence showing conformity of the product to requirements and who authorised the release. Much like we do here at ATOL when releasing new course content – this is always reviewed and approved (or not) by myself prior to release and we have evidence of this in our project management program.
The final clause in all of clause 8, is 8.7 Control of nonconforming outputs . This means that even after all of our hard work to put in place processes to prevent things from going wrong, sometimes they still do occur. These are referred to as nonconformances.
This clause gives us options on how to deal with nonconformances such as fixing it, quarantining the product if it shouldn’t be used, letting the customer know where required and even being able to still provide the product if the customer says it’s ok.
Of course, what option you take all depends on the type of product or service you deliver. We wouldn’t still provide a product to a customer if it doesn’t meet their requirements, or it could cause harm.
This concludes clause 8 for ISO 9001, so I do hope that this gives you a high-level idea of what clause 8’s intent is in ISO 9001 without too many nitty-gritty details.
Hello, I Am an Auditor...
Being an auditor can be ‘fun’ in social situations during the ‘first-impressions-count-dear’ stage...
Consultant or Auditor
You might see on our website that we tend to use two, maybe three, words to describe the roles in...
Internal Audit Plan and Timetable
Learn all about an audit plan and timetable and what it looks like for you as an internal auditor?
Download ISO Power Pack: Get Everything In One Bundle
- Project Management
- ITIL Templates
- ISO 9001 QMS
- ISO 27001 ISMS
- ISO 20000 IT Service Management
- ISO 14001 Environmental Management System
- ISO Concepts
- ISO 13485 Medical Devices QMS
- AS 9100 Aerospace Quality Management System
- IATF 16949 Automotive Quality Management
- ISO 20000 Food Safety Management
- ISO 28000 Supply Chain Security Management System
- ISO 39001 Road Traffic Safety Management
- Free Templates
Sign up today and we'll send you a 10% discount code towards your first purchase.
Clause 8.1 of ISO 9001: Operational Planning and Control
What is operational planning and control in the iso management standards 9001.
Operational planning and control are the activities that an organisation undertakes to ensure that its resources are used effectively and efficiently to achieve its objectives.
Operational planning and control are a key part of the ISO 9001 quality management standard. They are concerned with the day-to-day running of the organization and ensuring that its resources are used effectively and efficiently to achieve its objectives. Operational planning and control involve the following activities:
- Setting objectives and targets
- Planning and implementing activities
- Monitoring and controlling activities
- Continuous improvement
At its core, operational planning and control are about ensuring that an organisation's resources are best used to achieve its objectives. To do this, an organisation needs to have a clear understanding of its processes, products, and services. It also needs to have a clear understanding of the market and the customer needs. With this information, an organisation can create a plan for how to best use its resources to achieve its objectives. Once the plan is in place, the organisation needs to monitor and control its operations to ensure that it is achieving its objectives. The operational planning and control process is an ongoing cycle that helps organisations to continuously improve their performance.
Why is Operational Planning and Control important?
OPC is a dynamic process that is constantly evolving in response to changes in the external environment and the needs of the organisation. It is an essential part of any organisation's overall strategy and helps to ensure that the organisation can respond effectively to opportunities and challenges. Operational Planning and Control is important because it provides a framework for making decisions about the allocation of resources and the implementation of activities. It helps managers to ensure that an organisation can achieve its objectives by identifying and responding to opportunities and threats in the environment.
OPC also helps managers to monitor progress towards objectives and take corrective action if necessary. This can help to avoid or minimise disruptions to operations and keep projects on track. In addition, OPC helps to improve communication between different departments and levels within an organisation. It can also help to create a sense of ownership and responsibility among employees for the achievement of organisational goals.
Comparison of operational planning and control requirements
Operational planning and control are two important aspects of quality management systems (QMS). Operational planning deals with the overall planning of activities and resources within an organization, while control focuses on the ongoing monitoring and execution of these plans. There are several similarities between operational planning and control, as well as some important differences. Both involve the identification and assessment of risks, the establishment of objectives and targets, and the development of plans to achieve these goals.
Operational planning is typically more static and long-term in nature, while control is more dynamic and short-term. Additionally, operational planning generally focuses on organisational resources and processes, while control pays more attention to the actual outputs of these processes. Operational planning is the process of planning the overall activities and resources of an organisation. It includes the identification and assessment of risks, the establishment of objectives and targets, and the development of plans to achieve these goals. Operational planning is typically more static and long-term in nature.
Control is the process of monitoring and executing the plans developed through operational planning. Control is more dynamic and short-term in nature, focusing on the actual outputs of organisational processes rather than just the resources and processes themselves. The key differences between operational planning and control are:
- Operational planning focuses on the future and control focuses on the present.
- Operational planning is about setting goals and control is about tracking progress.
- Operational planning is top-down, and control is bottom-up.
- Operational planning is done by management and control is done by employees.
- Operational planning is proactive, and control is reactive.
Determining the Requirements for Products & Services
The requirements for products and services provided by an organisation shall be determined and managed. Determination of the requirements for products and services is a key activity of the organisation that needs to be understood, controlled, and improved.
The requirements for products and services are determined by many factors including:
•The needs and expectations of customers, clients, users, patients, etc. •The regulatory and statutory requirements applicable to the products and services •The market requirements for the products and services •The organisational objectives for the products and services •The organisational size, structure, processes, etc. Organisations shall establish and maintain a process for the determination of the requirements for products and services. The process shall ensure that the requirements are determined and documented. The process shall be planned and carried out in a controlled manner. The outputs of the process shall include: •The requirements for products and services •The documentation of the requirements •The approved change requests for the requirements.
Implement Your Controls
The quality management system (QMS) is a set of policies, procedures and processes used by an organisation to ensure that its products and services meet the needs of its customers. QMS is also a way to monitor and improve the quality of an organisation's products and services. One of the main requirements of the QMS is the implementation of controls. Controls help an organisation to plan and control its operations in a way that ensures the quality of its products and services. There are two types of controls that an organisation can implement: • Preventive controls – these controls help to prevent problems from occurring. • Corrective controls – these controls help to fix problems that have already occurred.
What are preventive controls?
Preventive controls are actions that are taken to prevent problems from occurring. They are proactive measures that are taken to avoid defects or nonconformities in products and services. Preventive controls can be used in all stages of the product life cycle, from design to delivery. And they can be applied to all aspects of an organisation's operations, from manufacturing to marketing. Preventive controls help organisations to avoid problems by:
- Identifying potential problems before they occur
- Implementing measures to prevent problems from occurring
- Monitoring the effectiveness of preventive controls
There are many different types of preventive controls that an organisation can implement. Some common examples include: 1. Quality planning – this involves creating plans that detail how quality will be achieved throughout the product life cycle. 2. Process control – this involves implementing procedures and methods that ensure processes are carried out correctly. This may include using inspections, testing and audits. 3. Use of technology – this involves using automation and other technological tools to help prevent errors and improve quality. 4. Employee training – this ensures that employees are aware of the importance of quality and how to achieve it. Corrective controls are implemented to detect, identify, and correct any non-conformities that may occur during the operation of a process. They are an essential part of an organisation's quality management system (QMS) and are used to prevent, reduce, or eliminate the occurrence of non-conformities in products or services.
The design and implementation of corrective controls should consider the following factors: • The type of product or service being produced • The nature of the process • The materials, equipment and human resources involved • The environment in which the process is carried out • The customer's requirements
Your Partner in ISO Standard compliance
ISO 9001:2015 CLAUSE 8 OPERATION
by Pretesh Biswas
Audio version of the article
The bulk of the management system requirements lies within this single clause. Clause 8 addresses both in-house and outsourced processes, while the overall process management includes adequate criteria to control these processes, as well as ways to manage planned and unintended change. Whatever the organization is in business to achieve, clause 8 is it. The overall process management includes having process criteria, controlling the processes within the criteria, controlling planned change and addressing unintended change as necessary. The organization shall plan, implement and control the processes needed to meet its discipline-speciﬁc requirements. This also relates to implementing the actions determined in 6.1 (actions to address risks and opportunities) and 6.2 (objectives and plans to achieve them). The organization is required to:
- Establish criteria for the processes (possibly in work instructions)
- Implement control of the processes, in accordance with the criteria (possibly through training and awareness)
- Keep documented information to the extent necessary to have conﬁdence that the processes have been carried out as planned (possibly within its QMS, or integrated MS)
- Control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects (possibly through the management of change process)
- Ensuring outsourced processes are controlled. This would include control and/or inﬂuence (depending on its ability to do so — the size of the order, importance to an external organization, etc.).
Typical audit evidence would relate to: the type and extent of control/inﬂuence to be applied are deﬁned within its QMS, processes for assessing the importance/risk of the outsourced activity and deriving suitable controls, and monitoring the effectiveness of the controls, etc. This could involve purchasing, risk/compliance, and operations/production functions within the organization. The context of the organization and the relevant needs and expectations of interested parties will clearly have a bearing on the extent of control/Inﬂuence expected of its outsourced processes.
Clause 8, Operation, has seven sub-clauses:
8.1 Operational Planning and Control 8.2 Determination of Requirements for Products and Services 8.3 Design and Development of Products and Services 8.4 Control of Externally Provided Products and Services 8.5 Production and Service Provision 8.6 Release of Products and Services 8.7 Control of Nonconforming Process Outputs, Products, and Services
8.1 Operational Planning and Control
The Organization should plan, implement, and control the processes, as outlined in 4.4, needed to meet requirements for the provision of products and services and to implement the actions determined in 6.1 by determining product and services requirements; establishing criteria for the processes and for the acceptance of products and services; determining the resources needed to achieve conformity to product and service requirements; implement control of the processes in accordance with the criteria; determining, maintaining and retain documented information to the extent necessary to have confidence that the processes have been carried out as planned and to demonstrate the conformity of products and services to requirements. The output of this planning should be suitable for the organization’s operations. The organization should control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization should ensure outsourced processes are controlled in accordance with 8.4.
Clause 8.1 requires that operations be conducted through processes that are planned and controlled regardless of whether the organization or an outside party performs the process. Requirements for products and services are required to be determined and criteria established for acceptance. Identification of resources needed to achieve conformity is required. Planned changes are required to be controlled and action is taken to mitigate the effects of unintended consequences of changes. Documented information is required to be kept (retained) to demonstrate the conformity of product and service to requirements and that processes have been carried out as planned. The individual planning step in the 2008 version focuses on determining how to verify conformity, the 2015 version is oriented around the notion of managing and adequately resourcing a set of processes so that a state of control is achieved even when intended or unintended changes occur. It also indicates a requirement to review consequences and mitigate adverse effects as necessary. The clause also requires that the organization keep documented information to have confidence that these processes have been carried out as required. Note that the requirement for processes to accomplish all the operational activities is not repeated in each clause. A lack of repetitious requirements in each clause does not mean processes and documented information are not required. The first sentence of clause 8.1 makes the point that the organization “shall plan, implement and control the processes needed to meet the requirements for the provision of products and services.” It also reinforces the relationship between clauses 4.4 and 6. Therefore, even though ISO 9001:2015 may appear to some to have reduced the requirements for processes and controls, we believe clause 8.1, coupled with clauses 4 and 6, requires an organization to define, document, control, and keep records at least at the same level as previously required, and perhaps to an even greater level of comprehension.
Many organizations long ago adopted the process approach to managing operations, and thus may already be close to conforming. They may review the language in the new standard and tweaking processes and documented information, as appropriate. The organization needs to incorporate any additions, deletions, or modifications that are perceived as necessary or desirable to conform with these more process-oriented requirements and possibly to improve process effectiveness. Subtle “new” requirements related to control of changes and mitigating adverse effects should also be considered. On the other hand, some organizations may not have embraced the process approach to operational controls. Less documentation may be required, but ISO 9001:2015 requires that the organization understand the processes needed to deliver conforming products to customers. These processes must be understood not only with respect to the products themselves but also in the broader context of the objectives of the organization and any other requirements of the QMS (including interested parties and risks and opportunities). It may be advisable to:
- Create a quality plan for a product or service to describe how the QMS will be modified and applied to all operations. Such a plan could include or reference procedures and records to be maintained and analyzed.
- Consider using the product design and development process approach for designing processes. This is a requirement in the automotive industry. It has become a best practice demonstrated in many organizations even though ISO 9001 does not explicitly require adherence to the design and development requirements for internal process designs. This enhances both the effectiveness and efficiency of processes.
- Identify key performance measures for both products and processes and align them with your quality and business objectives.
The only requirement in clause 8.1 for documented information is to retain or maintain documented information as necessary to provide confidence that the processes have been carried out as required. Organizations should also consider maintaining documented information describing the operational processes and how they are to be carried out. The requirement to plan, implement, and control the processes needed to meet the requirements for the provision of products and services would be very difficult to achieve if documented information is not created and maintained for all processes of the QMS
The focus of clause 8.1 is on controls governing the making of product to meet customer requirements and all the QMS processes that, directly or indirectly, make this happen. Operation processes may include customer-related processes (sales and marketing), design and development, production, shipping, receiving, packaging, measurement, and monitoring of product and processes, etc., whether performed onsite or off-site. Some of the support processes that come to bear on Operations include document control, record control, human resources, infrastructure provision and maintenance, IT, purchasing and materials management, laboratory services and control of monitoring and measuring devices, business planning, etc. The output of Operation planning may be implemented in many different ways. It does not necessarily have to be all in one document, but may sometimes include several documents such drawings, machine set-up, inspection criteria, process sheets, etc. These must be readily available to those performing these processes. You may also consider using a specific product, contract or project quality plans to accomplish this. Your quality plans should include the processes needed, process sequence and control parameters, specific resources needed to make, verify and deliver the product, product acceptance criteria and quality objectives, product, and process monitoring and measurement control plans to control and correct any product or process nonconformities, reference to support processes, documents needed such as work instructions or engineering specifications, etc. and details of records to be kept. Focus on defect prevention in planning the controls for product realization. Quality objectives may include defect rates, scrap rates, etc. Requirements or criteria for the product may include physical properties, dimensional, functional, etc, and their related measurements, tolerances, and acceptance levels. In many instances, depending on the nature of the product, the customer may specify objectives and requirements, and criteria for the product realization processes as well. You must identify and document all processes addressing this clause as part of your QMS. For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production processes. These documents may include contracts, specifications, orders, product quality plans, work instructions, a documented procedure, etc., combined with unwritten practices, procedures, and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Where any of the product realization processes are done off-site (e.g. at head-office), your QMS must include the off-site processes within your QMS and ensure that such processes comply with ISO 9001 requirements. The expectation is to flow down to the off-site facility, the relevant ISO 9001 requirements that you would have to implement, had you carried out the process at your own facility. Performance indicators to measure the effectiveness of product realization in meeting requirements and achieving quality objectives will be specific to each realization process and focus on reducing variation and waste in realization processes and related use of resources. Objectives may be used to monitor and improve process productivity, reduction of cycle time, errors, omissions, and failures, etc. You must also consider indicators to measure product performance such as – reduction in defect rates, PPM’s (defective parts per million), scrap rates, waste and rework, improvement in on-time delivery, product returns from customers, etc.
8.2 Determination of Requirements for Products and Services
8.2.1 customer communication.
The organization must establish the processes for communicating with customers to provide information relating to products and services; inquiries, contracts, or order handling, including changes; obtaining customer feedback relating to product and services including customer complaints; handling or controlling customer property, and establishing specific requirements for contingency actions, when relevant.
8.2.2 Determination of Requirements related to Products and Services
The organization must ensure while determining the requirements for the products and services to be offered to customers that the product and service requirements (including those considered necessary by the organization), and applicable legal requirements, are defined. The organization must also ensure that it has the ability to meet the defined requirements and substantiate the claims for the products and services it offers.
8.2.3 Review of Requirements for Product and services
184.108.40.206 The organization must ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer; The review should include the requirements specified by the customer, including the requirements for delivery and post-delivery activities; requirements not stated by the customer, but necessary for the specified or intended use, when known; requirements specified by the organization; statutory and regulatory requirements applicable to the products and services; contract or order requirements differing from those previously expressed. The organization must ensure that contract or order requirements differing from those previously defined are resolved. When the customer does not provide a documented statement of their requirements, the organization must confirm them before accepting them. In some situations, such as internet sales, when a formal review is impractical for each order, the review can cover relevant product information, such as catalogs.
220.127.116.11 The organization should retain documented information on the results of the review and on any new requirements for the products and services.
8.2.4 Changes to requirements for products and services
The organization should ensure that relevant documented information is amended, and relevant persons are made aware of the changed requirements. when the requirements for products and services are changed.
Clause 8.2.1 requires the organization to conduct communications with customers. The detailed requirements for communications with customers include:
- Providing product- and service-related information
- Handling customer orders of all types and changes thereto
- Getting customer feedback including complaints
- Exercising appropriate controls for any customer-owned property
- Establishing requirements for contingency actions
Clause 8.2.1 requires processes to accomplish specific types of information exchange. It requires five specific types of communication with customers to be included in the organization’s processes:
- Product and service information, including customer requirements
- Documented agreements with the customer, such as contracts, orders, changes, and other information needed to meet customer requirements
- Customer feedback including complaints
- The handling and treatment of customer-owned items were covered in great detail in clause 7.5.4 in ISO 9001:2008. The specific requirements of the 2008 version have been significantly simplified.
- Any contingency actions that are relevant.
Clause 8.2.1 is similar to clause 7.2.3 of ISO 9001:2008. The point of grouping these items under customer communications is to emphasize that these communications need to be systematically planned like all other processes. In doing so, consider the information in clause 7.4 on communication and the requirements related to process management in clause 4.4. If the customer is the organization’s most important contact, shouldn’t we concentrate some key planning effort on the processes used to communicate with them? It is generally necessary that a careful record is maintained of the requirements. Often the process involves multiple discussions, reviews (clause 8.2.2), and even early design and development work (clause 8.3). Carefully thought-out methods are needed to efficiently retain this input information for later use in the design process and as input to the resolution of disputes that may arise.
Clause 8.2.2 requires the organization to determine the requirements related to its products and services. This includes:
- Establishing a process for determining the requirements for the products offered to potential customers
- Determining the requirements of the customer
- Determining requirements for the organization
- Determining requirements from applicable statutes and regulations
- Determining that the organization has the ability to meet the requirements and substantiate claims related to its products and services
One of the key things that communication with customers needs to ensure is that customer requirements and other requirements for the product or service are clearly understood. But communication and understanding of customer requirements is only one piece of the requirements puzzle. Many products are regulated and customers may have no knowledge of the regulatory or statutory details. Often the organization has learned key things that must be done a certain way for the product or service to meet customer requirements. Customers cannot be expected to know about many of these things. It is the organization’s responsibility to understand all these requirements and their specific application. It is also the organization’s responsibility to determine whether it can successfully deliver a conforming product or service to the customer. Conformity is not difficult for organizations providing off-the-shelf catalog products manufactured to published specifications or standardized services with normal delivery requirements. However, if customers are purchasing complex systems with custom engineering and software according to a complex set of commercial terms, it is essential to obtain a clear understanding of customer requirements by whatever means possible, including activities such as holding face-to-face meetings and attending pre-bid meetings. Full determination of customer requirements can be an iterative process. Often there are known issues that may evolve into real requirements at a later stage. In such cases, documentation of the open issues and providing for the attendant business risk may prove to be an acceptable approach to meeting the requirements of this clause. The determination of customer requirements is a critical activity and generally involves several functions and levels in an organization. It is recommended that you maintain documented information to describe the process for the determination of all aspects of product and service requirements. The documented information should include both product requirements specified by the customer and product requirements not specified by the customer but necessary for intended or specified use. Also, unique regulatory and statutory requirements should be considered as well as commercial terms and conditions.
Clause 8.2.2b requires that the organization have the ability to meet requirements. Often with advanced products, there is a need to advance the state of the art as product development progresses. Such situations should be clearly identified and the business risks understood. In such cases, the deﬁned requirements could be the development of the needed technological advance. To avoid customer complaints or dissatisfaction, even for “requirements” that are not clearly stated (e.g., regulatory requirements or marketplace norms), the organization should consider a comprehensive understanding of customer requirements, perhaps even performing a failure modes and effects analysis (FMEA) on the processes as a form of risk assessment. Since the review process required in clause 8.2.2 is often iterative, retention of documented information of review results (eg, who reviewed what, when, and using what method) can be a practical necessity. While clause 8.22 does not require retention of any documented information on these determinations, it is recommended to have such records.
Clause 8.2.3 states the obligation of the organization to review the requirements of products and services, which includes:
- Customer-specified requirements for the product or service, including any requirements for delivery or post-delivery actions
- Requirements are known to be needed by the organization even though not specified by the customer
- Applicable statutory and regulatory requirements applying to the product or service
- Requirements of the final contract or order differing from those previously provided by or discussed with the customer
The review is required to:
- Be performed prior to the organization’s commitment to producing the product or service
- Ensure resolution of all order requirements that may differ from those previously defined
- Include confirmation of the requirements in cases where the customer does not provide documented requirements o Retain documented information on the results of the review
The acceptance of an order or the submission of a quote or tender by an organization obliges the organization to meet the conditions stated in the order or to provide the goods and services included in the scope of the quotation or tender. The obligation assumed by the organization includes not only the products defined but also ancillary items such as conformance to stated delivery dates, adherence to referenced external standards, and compliance with the commercial terms and conditions applicable to the order, contract, quote, or tender as well as applicable statutory and regulatory requirements. The complexity of the order/quote review process depends on the products and services of the organization. A process for reviewing oral orders for off-the-shelf products with 24 hour delivery (e.g., software packages) will differ considerably from a process for reviewing a large order for a one-of-a-kind product with a two-year delivery (e.g., an order for a control system for an electric power-generating station). The review process must also accommodate, as applicable, electronic orders, blanket orders with periodic releases, unsolicited orders, orders through distributors or representatives, faxed orders, and an almost infinite combination of these and other possibilities. If the organization is involved in internet sales, creative thinking will be required to efficiently review customer requirements. With such a spectrum of possibilities, what is an organization expected to do to conform to the requirements? The first step should be to develop a clear understanding of the nature of the various kinds of customer requirements and fully understand each communication channel involved. If, for example, an organization publishes a catalog and accepts only written orders for catalogue—listed items to standard delivery times, then the order or contract- review procedure can be simple. The process could be a designated individual (e.g., a manager, a clerk) reviewing, initiating, and dating the written order. This simple process can be used as valid evidence that requirements can be met. If an organization must address possibilities that occur only rarely, the organization could simply note in documented information (i.e., a procedure) that any circumstances different from standard terms and conditions will be addressed by a specific quality plan. Such a plan can be generated as a unique occasion arises. Thus, a simple order-entry process can have a very simple, brief, and effective contract-review process. For the large, complex contracts or quotations, the review process may involve many organizational entities such as engineering, manufacturing, legal, finance, and quality assurance. Accordingly, the procedures governing such reviews can be complex and lengthy. A good guideline to keep in mind when developing a process to address the specific requirements of clause 8.2.3 is to balance the risks to the organization with the effort expended in a review of customer requirements, keeping in mind that the purpose of the review is to add value and not to create a bureaucratic morass. A formal process should be deployed that indicates who will do what and how often.
Clause 8.2.4 states that changes are required to be controlled and documented information updated to ensure that changes are properly included in documented information. When changes to product requirements, orders, contracts, or quotations occur, the organization is required to ensure that relevant documented information is amended and communicated, as appropriate, within the organization. These simple and fundamental requirements are often much harder to meet. Changes tend to come from all sorts of sources. Customer ﬂoor-level workers in today’s environment often talk directly to factory workers in customers’ plants. Cell phones are used to relate the latest changes to schedules and requirements. The situation can turn into chaos. Thus, control rules are needed so that decisions related to changes are made by the appropriate people with relevant and up-to-date information. These considerations should be a key part of considering process interactions. Often the rapid response is critical for the customer, so design the system in such a way that you can deliver just that. Considerations for Documented Information to Be Maintained and/or Retained, Keeping good records of changes is both a challenge and a practical necessity.
Customer-related processes must include controls for determining customer and regulatory requirements, a review of such requirements, and communication with the customer. Customer requirements extend beyond product specifications and may include on-time delivery, packaging, labelling, mode of delivery, documentation, communications, QMS requirements, after-sales servicing, etc. Many of these requirements may also come from regulatory, industry or from within your own organization. Depending on the product or service, you must determine if any industry or regulatory requirement is applicable to product characteristics or process parameters that affect the product’s safety or compliance with regulatory requirements. You must consider all laws and regulatory requirements that may affect your product, materials, labour, production processes, your facility and work environment, etc. Where some or all of the processes – for determining customer requirements; for contract review and customer communication; etc., are done offsite, then you must show the linkages and interaction of these offsite activities with your on-site QMS processes. The nature of the requirements review may be different for different types of product or services. Your review records must show the basis of the review. Make sure you do your due diligence and risk analysis before you commit to contractual arrangements. I have seen many companies get into serious financial trouble, for taking on products transferred from another supplier because they did not assess all the risks. Manufacturing risk analysis is an assessment of your organization’s capacity and capability to effectively and efficiently provide the customer-specified deliverables. Risk analysis should include timing, resources, development costs and investments, the potential for, and effects of, possible failures in processes, including suppliers. You should also consider financial and profitability risks. Sometimes it may take a few months to receive an order or contract from the customer after you have sent them your quotation. Your review process must ensure that you compare the customer’s order or contract with your latest quotation, and resolve any differences (accept or re-negotiate) before you accept the order or contract. Your customer relations management process must include a sub-process for change control and must include – a review of the change either from the customer or internal from the organization and its impact on fit, form, functionality, other processes, financial, delivery, etc. Have a process for change control. For significant issues or changes, obtain customer approval in writing for any waivers or changes of contractual or QMS requirements. Customer communications may take many forms such as software and interfaces for design and development, logistics, customer satisfaction feedback, etc. You must ensure that personnel at all levels have the competency and training to use these communications media and tools. You must identify and document all processes addressing this clause as part of your QMS. For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production activities. These documents may include – contracts, specifications, orders, product quality plans, work instruction, a documented procedure, etc., combined with unwritten practices, procedures, and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Performance indicators to measure the effectiveness of customer-related processes in meeting requirements and achieving quality objectives should focus on reducing variation in and improving these processes and related use of resources. Indicators may include a reduction in quote cycle time, pre and post-award review cycle time, order-entry errors and omissions, etc., and improvement in conversion ratio (i.e. ratio of contracts/orders awarded to quotes).
8.3 Design and Development of Products and Services
Clause 8.3, on design and development controls, has six subclauses:
- 8.3.2 Design and development planning
- 8.3.3 Design and development inputs
- 8.3.4 Design and development controls
- 8.3.5 Design and development outputs
- 8.3.6 Design and development changes
The organization should establish, implement, and maintain a design and development process. such that they are adequate for subsequent production or service provision.
8.3.2 Design and Development Planning
While planning for design and development, the organization must consider the following in determining the stages and controls for design and development:
- nature, duration, and complexity of the design and development activities;
- the required process stages, including applicable design and development reviews;
- the required design and development verification and validation activities;
- the responsibilities and authorities involved in the design and development process;
- the internal and external resource needs for the design and development of products and services;
- the need to control interfaces between persons involved in the design and development process;
- the need for involvement of customers and users in the design and development process;
- the requirements for the subsequent provision of products and services;
- the level of control expected for the design and development process by customers and other relevant interested parties;
- the documented information needed to demonstrate that design and development requirements have been met
8.3.3 Design and Development Inputs
The organization must determine the requirements essential for the specific type of products and services being designed and developed, including, as applicable, functional and performance requirements; applicable legal requirements; information derived from previous similar design and development activities; standards or codes of practice the organization has committed to implement; potential consequences of failure due to the nature of products and services; Ensure inputs are adequate for design and development purpose, complete, and unambiguous. Resolve conflicts among Design and Development inputs.
8.3.4 Design and Development Controls
The organization should apply controls to the design and development process to ensure that results to be achieved by the design and development activities are clearly defined; Design and development reviews are conducted as planned; Verification activities are conducted to ensure that the design and development outputs have met the design and development input requirements; Validation activities are conducted to ensure that the resulting products and services are capable of meeting the requirements for the specified application or intended use (when known). The organization must take any necessary actions on the problems determined during the reviews, or verification and validation activities. The organization must maintain any documented information about these activities. Design and development reviews, verification, and validation have distinct purposes. They can be conducted separately or in any combination. as is suitable for the products and services of the organization.
8.3.5 Design and Development Outputs
The organization must ensure that design and development outputs meet the input requirements for design and development. They should be adequate for the subsequent processes for the provision of products and services. They must include or have a reference of monitoring and measuring requirements, and acceptance criteria, as applicable. They must ensure products to be produced, or services to be provided, are fit for the intended purpose and their safe and proper use. The organization must retain the documented information resulting from the design and development process.
8.3.6 Design and Development Changes
The organization should identify, review and control changes made (during the design and development of products and services, or subsequently) to design inputs and design outputs to the extent that there is no adverse impact on conformity to requirements. The organization must retain documented information on design and development changes, the result of the review, the authorization of changes, and action is taken to prevent adverse impact.
Design and development activities needed for products and services are required to be planned and controlled through an established, implemented, and maintained process. This process may be used for both products and services and for associated processes. It is required to include the following:
- Planning to determine design stages considering activities such as verification and validation, control of design interfaces, design review, resources needed for design and development, customer involvement, and the documented information needed to confirm that input requirements are met.
- Determination of the design and development inputs required, including such things as functional requirements, regulatory and statutory requirements, applicable standards or codes, information from earlier projects, and potential consequences of failure. Conflicting requirements are required to be resolved.
- Design and development controls, including clear delineation of the results to be achieved, planning and conducting design and development reviews and verification activities to ensure design outputs meet input requirements, and validation to ensure the products and services meet the requirement for the application intended.
- Design and development outputs are required to meet input requirements, to be adequate for subsequent processes in the provision of the product or service, and to ensure the products and services are fit for their intended purpose.
- Design and development changes are required to be identified, reviewed, and controlled. This includes changes to design inputs or outputs. Controls are required to ensure that changes do not have an impact on the products and service conformity.
- The organization is required to retain documented information resulting from the design and development process, including design and development changes.
The intent is to ensure that the organization plans and controls design and development projects. The key reason for this emphasis on planning is to maximize the probability that the project will meet the defined requirements. If the design and development processes are well planned and controlled, an additional benefit should be that projects are completed on time and within budget, Planning is required at the level of detail needed to achieve the design and development objectives—not to generate an excessive amount of paperwork. Stages of the project need to be determined, and responsibilities, authority, and interfaces need to be defined. Requirements need to be established for the incorporation of review, verification, and validation into the design and development project. The organization needs to determine how communications will be structured (e.g., weekly meetings, periodic reports, or other methods). In many cases, a number of organizations are involved in this process, and the success of the design and development project often rests heavily on proper identification, understanding, and control of design interfaces.
You must include product design and development in your QMS scope if you contract or convey the perception that you design a product, regardless of whether you buy, outsource, or actually do design and development. The scope of your design and development activity must consider all aspects of the product and product realization processes to ensure its conformity to requirements. This includes product identification, handling, packaging, storage, and protection during internal processing and delivery to the customer. Product design and development sometimes result in new manufacturing processes or changes to existing manufacturing processes. This clause is equally applicable for designing and developing manufacturing processes. Product design and development planning must focus on error prevention rather than detection in product quality as well as product realization processes. You must have an overall plan for your design project. Your plan must specify the design and development stages, activities and tasks, responsibilities, timeline and resources, specific tests, validations, and reviews, and outcomes. There are many tools available for planning ranging from a simple checklist to complex software. The degree and details of planning may vary according to size and length of contract or project, complexity, risk, product life, customer and regulatory requirements, past experience with a similar product, etc. You have flexibility in determining the scope of the stages, review, verification, and validation required for your product design and development projects. Your plan must be dynamic and updated as requirements and circumstances change. You must track progress against your plan at regular intervals or project milestones and update the plan as the activity progresses. Your design and development plan must include methods to communicate information, responsibilities, results, discussions, reviews, and resources. You must take a multi-disciplinary approach that includes as needed, other functions (besides design) such as quality, engineering, purchasing, sales, tooling, production, etc. Your plan must clearly identify these other functions and their specific role and responsibilities regarding the project. Consider including customer and supplier personnel at appropriate stages to do work and review results or progress. A multi-disciplinary approach applies collective and relevant knowledge and skills of these different functions to carry out or review design and development activities. The design and development project plan serves as both a document and a record as it is updated for completion for various activities. Where some or all of clause 8.3 design and development activities are done off-site, then you must show the linkages and interaction of these offsite activities with your on-site QMS processes. You must identify and document all processes addressing this clause as part of yours. For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production activities These documents may include contracts, technical drawings, and specifications, a documented plan for design and development, work instructions, a documented procedure, etc., combined with unwritten practices, procedures and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Many organizations use various software tools to document their product or process design and development plans. If the nature of your business does not require you to design and develop the product (e.g. you manufacture strictly from customer-provided engineering drawings and specifications), then you must clearly state this exclusion to your QMS scope, in your quality manual. Performance indicators (to measure the effectiveness of design and development processes in meeting requirements and achieving quality objectives) should focus on reducing variation in and improving these processes and related use of resources. Indicators may include a reduction in design cycle time, development cycle time, specification errors, omissions, changes, design and development costs, etc., as well as measurable improvements in products developed.
You must identify, document, and review design inputs requirements for function, performance, safety, regulatory, quality, reliability, durability, life, timing, maintainability, cost, identification, traceability, packaging, special or safety characteristics from the customer or regulatory body, and other requirements essential to the product. You must have a process that should be part of your design and development plan to identify, document, review, deploy and use design input information such as documents coming from various sources such as customer contracts, drawings, and specifications, your own organization’s database of previous design and development projects, competitor analysis, industry standards, feedback from suppliers, field data. Design and Development usually require the input and involvement of many other functions and processes such as contract review, product realization, purchasing, top management, etc. within the organization and your process must manage this interaction by defining responsibilities and means of communications. The inclusion of these controls in your design and development plan is one of many effective ways to achieve this. Such a multi-disciplinary approach has the benefit of applying the collective and relevant knowledge and skills of these different functions to carry out or review design and development activities. You must identify and include any special and safety characteristics in your process control documents such as quality plans, product drawings, operator instructions, and other documents used to make or verify the product. Note that special requirements can also include process parameters such as temperature, timing, concentrations, etc. You must review all input requirements, review design and development progress, verify product design and validate developed products at various stages of your design and development process. The nature, frequency, and scope of these controls must be defined in your design and development plan or other documents. You must carry out these controls according to your plan and keep appropriate records.
Do design reviews at one or more milestones of the design and development project, depending on customer requirements, the size, complexity, and risks involved. The purpose of these reviews is to evaluate results to requirements, check project progress and costs to plan and take actions on any problems encountered. You must take a multi-disciplinary approach for doing these reviews and keep appropriate records of issues discussed, actions to be taken, responsibilities and timeline for completion. All design and development reviews must be included in your design and development plan. Product design Verification includes design reviews, comparing the new design to a similar proven design if available, performing alternate calculations, performing tests and simulations, reviewing the design documents before release, etc. Verification is checking product or process to input requirements, whereas validation is checking product or process is suitable for its intended use does it perform/function in the way intended by your customer or your organization. Manufacturing process design verification includes design review, process capability studies, testing various process parameters, performing tests and trials, reviewing the manufacturing process design documents before release, etc. If you outsource any part of your design and development activity, then you must exercise the same controls required by clause 8.3 on the outsourced work and the organization doing the work, had it been done internally. Product and manufacturing process validation includes – design reviews, comparison between customer requirements and internal development plans, design and development validation against customer requirements and design and development input requirements, corrective action, and lessons learned from documented process failures and product nonconformities. If you outsource any part of your design and development activity, then you must exercise the same controls required by clause 8.3 on the outsourced work and the organization doing the work, had it been done internally. Any problem you have encountered during the verification and validation or identified during review must be resolved.
Design and development output may be product or documentation or both. Product may be a prototype or finished product and documentation could be a computerized or hard copy drawing or specification. Check design and development output against the input requirements specified in 8.3.3, before you use it any further. Provide appropriate design and development output information to:
- Purchasing material or service specifications
- Production output such as product specifications, special characteristics, drawings, diagnostics, etc.
- Service output such as product specifications; performance reliability and maintenance criteria.
Initially, this information may be used for trials and validation, before being firmed up. Many documents are created from the design and development output stage such as drawings, quality plans, work instructions, etc. These documents must be controlled as per clause 7.5.3 such as approval, revision control, distribution, etc. Where any sophisticated design and development tools such as AutoCAD are used requiring specific competency or training, ensure you provide and keep appropriate records of competency and training of personnel performing design and development activities and use of these tools.
Make sure your process for design and development changes follows the appropriate steps of clause 8.3 ie define the plan, have inputs and outputs, verify and validate to the extent necessary to meet customer requirements, and control product, quality, and business risks. Changes may come from the internal, customer, or regulatory sources. Get all requests for product or manufacturing process design changes in writing from your customer. The impact of the change must be evaluated on materials used, design process, manufacturing process, characteristics and use of the developed product, regulatory compliance, cost, etc. While planning for change the organization must follow all the requirements as given in clause 6.3 planning for change and must also determine all risk and opportunities as given in clause 6.1. Documented information on design and development changes, the result of the review, the authorization of changes, and action is taken to prevent adverse impact must be maintained.
8.4 Control of Externally Provided Products and Services
The organization must ensure that externally provided processes, products, and services conform to specified requirements. The organization must apply the specified requirements for control of externally provided products and services when products and services are provided by external providers for incorporation into the organization’s own products and services; products and services are provided directly to the customer by external providers on behalf of the organization; a process or part of a process is provided by an external provider as a result of a decision by the organization to outsource a process or function. The organization must determine and apply criteria for evaluation, selection, monitoring of performance, and re-evaluation of external providers based on their ability to provide processes or products and services in accordance with specified requirements. The organization must retain appropriate documented information of the above-mentioned activities and any necessary action arising out of the evaluation.
8.4.2 Type and Extent of Control
The organization should ensure that externally provided processes, products, and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers. The organization should ensure that externally provided processes remain within the control of its quality management system. It should define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output. In determining type and extent of controls to be applied to the external provision of processes, products, and services, the organization must consider the potential impact of the externally provided processes, products, and services on the organization’s ability to consistently meet customer and applicable legal requirements and effectiveness of the controls applied by the external provider. The organization must establish and implement verification or other activities necessary to ensure the externally provided processes, products, and services meet the requirements.
8.4.3 Information on External Providers
The organization must ensure the adequacy of specified requirements prior to their communication to external providers. The organization should communicate to external providers applicable requirements for the following:
- products and services to be provided or the processes to be performed on behalf of the organization;
- approval or release of products and services, methods, processes or equipment;
- competence of personnel, including necessary qualification;
- their interactions with the organization’s quality management system;
- control and monitoring of the external provider’s performance to be applied by the organization;
- verification activities that the organization, or its customer, intends to perform at the external provider’s premises.
Externally provided processes, products and services include
- purchasing from a supplier
- an arrangement with an associate company
- outsourcing processes to an external provider.
The controls required for external provision can vary widely depending on the nature of the processes, products, and services. The organization can apply risk-based thinking to determine the type and extent of controls appropriate to particular external providers and externally provided processes, products, and services;
Clause 8.4 covers the requirements to control purchased product including your outsourced process, control suppliers you buy from, and requirements to control your buying process. The purchased product includes raw materials, components, subassemblies, supplies, tooling, machinery and equipment, sequencing, sorting, rework, testing, calibration, maintenance, etc. Note that clause 8.4 requirements apply to items that go into the product, manufacture the product, check the product or deliver the product; whether paid for or customer provided. These may include materials, production equipment, tooling, measuring and test equipment, facilities, transport vehicles, returnable packaging, intellectual property (drawings, specifications or proprietary information), product returned for servicing under warranty, product sent for outsourced work, etc. You must have specifications/criteria for the purchased product. These specifications may come from your organization, customer, regulatory bodies, supplier or industry. As documents, these specifications must be controlled as per clause 7.5.3. Many times the customer may require the use of pre-approved purchased products and suppliers. The onus is still on you to ensure that purchased product from customer-designated sources meets all requirements. You must control both, the product you buy, as well as the supplier you buy from. Your controls must primarily be based on prevention of nonconformities in both product and supplier performance. Determine how important the purchased product is to design, manufacture, assemble and maintain your end product. Factors such as targets for product quality, life, reliability, durability, maintainability, and cost must be applied to the purchased product going into your end product. Categorize your purchased products and services accordingly. Then determine what controls you need to ensure consistent purchased product quality and consistent supplier performance. You can then apply different controls for different purchased products. There are several ways to evaluate your suppliers. Besides product quality, your criteria for supplier selection and evaluation may include the potential supplier’s financial capability, technical and manufacturing capability, and capacity, reliability, reputation, flexibility to handle changes, support, service, cost, etc. The importance of these criteria will vary according to the items materials or services you purchase, and so you can apply different criteria to different suppliers. You can categorize your suppliers accordingly based on these criteria. It might be useful to maintain a list of all qualified suppliers. In addition to the initial evaluation and approval of suppliers, you are required to carry out ongoing monitoring and measurement of their performance. Use supplier monitoring indicators to evaluate the consistency, capability, and reliability of their performance for quality, delivery, support, etc. On-time delivery is very important and disruptions (due to waiting for materials) at your customers or even your own facility must be avoided. Depending on the risks related to materials supplied and supplier performance, you might consider requiring some of your key suppliers to comply with some or all of ISO 9001 requirements and perhaps even certification. You must identify your purchasing processes whether on-site or off-site. For each process, you must document the controls for purchased products and suppliers. You must also show the linkage and interaction of purchasing processes with other processes such as design, manufacturing, tooling maintenance, calibration. Where any of your controlled suppliers have gone through a significant organizational change you must verify the continuity and effectiveness of their QMS. You must keep records of all supplier evaluations (whether initial or periodic), including any corrective actions placed on them for any nonconformities. You must identify and document all processes addressing this clause as part of your QMS. For these processes, you must also identify what specific documents, controls, and resources are needed.You could use a documented procedure or other combination of specific practices, procedures, documents, and methods. Look at the risks related to your product, processes, and resources in determining the extent of documented controls you need to have. Performance indicators to measure the effectiveness of purchasing processes in meeting requirements and achieving quality objectives should focus on measuring supplier performance and reducing variation in and improving purchasing processes and related use of resources. Indicators for supplier performance may include reduction of defects in supplied product, scrap, waste, and rework, improvement in on-time delivery, service, cost, etc. Indicators for the purchasing process may include a reduction in supplier- quote review cycle time, contract award cycle time, purchase order-entry errors and omissions, receiving errors & omissions, etc.
As indicated earlier, you can apply different controls for different suppliers and products depending on your initial supplier evaluation and their ongoing product quality and delivery performance. In any case, these controls must be included or referenced in your quality or inspection plans. To the extent that you decide to do verification of purchased product, you also have flexibility in when you do the verification. You can do it on receipt or at any time prior to use in production. Make sure you appropriately control un-inspected product. This may include identification and storage to prevent unintended use. Consider using supplier quality plans, inspection plans, etc., to verify that the purchased product meets specified purchase (product and QMS) requirements. Verification of purchased products can range from doing no verification to 100% verification. You have flexibility in determining the scope of purchased product verification. Your inspection process must define and document the acceptance criteria and sampling plan for product conformity and what measurement tools needed and records needed to show effective control of purchased product quality and supplier performance.
Your purchase documents such as purchase order, contract, blanket order, your organization’s supplier quality manual, etc. must specify your requirements for the purchased product; the supplier’s QMS and any other initial or on-going controls you deem necessary for ensuring consistent supplier performance. You must define how you ensure the adequacy of these documents before you communicate them to your supplier. A review of the adequacy of purchasing documents may include their completeness, accuracy, correctness, quantity, timing, cost, approval, etc., by one or more functions; computerized controls, etc. In larger organizations, this may be a separate process on-site or off-site. In either case, it must be identified and controlled. While clause 8.4.3 does not specify keeping of records, you must show evidence of carrying out (issue purchase documents) and review of these documents
An outsourced process is any value-adding or conversion activity related to your product or service, that is performed by an external organization such as a subcontractor, sister facility, etc. Note that the external organization may perform the outsourced activity at their facility or yours. A manufacturing company may outsource welding, heat treatment, or painting of product. A software company may outsource software development. A bank may outsource check clearing services. You must be able to demonstrate sufficient controls over outsourced processes to ensure that such processes are performed according to the relevant requirements of ISO 9001:2008. The nature and scope of such control will depend on the nature of the outsourced or subcontracted process and the risk involved. Outsourced processes may be controlled in any number of ways, e.g., providing the vendor with product specifications; your supplier quality manual that they must meet; asking for inspection and test results or certificates of compliance; validation of outsourced process; conducting product and QMS audits of your vendor; etc. The expectation here is that you flow down to your vendor, the relevant ISO 9001 requirements that you would have to implement, had you performed the process at your own facility.
CLAUSE 8.5 Production and Service Provision
8.5.1 control of production and service.
The organization should implement production and service provision under controlled conditions. Include these controlled conditions, as applicable:
- availability of documented information that defines characteristics of products and services.
- availability of documented information that defines activities to be performed and results to be achieved.
- availability and use of suitable monitoring and measuring resources
- implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes and process outputs, and acceptance criteria for products and services, have been met.
- use and control of suitable infrastructure and process environment for the operation of the process.
- appointment of a competent person and, where applicable, required qualification of persons;
- validation, and periodic revalidation, of ability to achieve planned results of any process for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement.
- implementation of products and services release, delivery, and post-delivery activities.
This clause provides a list of control requirements that you may use, if applicable to your business. Identify and control all operational processes. Show the interaction of these processes with other processes. Use your product, project, or contract quality plan to control your operational activities. Schedule your operations taking into consideration customer delivery requirements, production capacity and capability, material availability and usage, personnel availability and usage; storage; etc. Carefully define and document the interaction of your operation scheduling process with your logistics processes such as inventory management, customer communication, traffic and shipping control, packaging and labeling, sales, and billing. Use quality plans to control your operation processes. Quality plans address what has to be made, how much has to be made, when it has to be made, by whom, in what sequence, how it has to be made, what equipment to use, what measurement and monitoring tools to use, what to inspect, when to inspect, how much to inspect, what to do if problems arise, etc. Your quality plan must cover all operation process steps from receipt of materials, production, packaging, storage, delivery, and even post-delivery activities such as installation or training. Your quality plans are dynamic and must be updated for the changes in product specifications or process parameters; resources used; monitoring or measurement requirements, etc. Your quality plans should reference any work instructions specified for the process steps. Work instructions may be viewed as a subset of your quality plan and may relate to a specific task or activity of your overall product realization process for e.g. setting up a machine, performing an inspection, packaging a product, If you determine that work instructions are needed at specific points in your process, then they must be readily available and relevant i.e. current or right version. Note that work instructions may exist in many forms such as narrative, graphical, audio, video, physical display, etc. To improve your QMS, it will be very useful to draw a flow chart to link the flow and interaction of the activities and sub-processes covered by these clauses, e.g. many organizations overlook reviewing and updating their quality plans for corrective action taken to address a manufacturing process problem. Operational personnel must have timely access to all information relevant to their activities including specific work instructions if necessary. There may be a serious risk to production flow if such information is unavailable or untimely. You must identify and document all processes addressing this clause as part of your QMS For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production activities. These documents may include – a product quality plan; work instructions; documented procedure; etc., combined with unwritten practices, procedures, and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Performance indicators to measure the effectiveness of operational processes in meeting requirements and achieving quality objectives should focus on reducing variation in and improving production processes and related use of resources.
Validation is usually required where the product cannot be verified without damaging or destroying the product, e.g. some types of welding, heat treatment, painting, electroplating, rust-proofing, etc. In such instances, the quality of these activities may only be discovered after use. This would generally not be accepted due to safety (e.g. weld) or aesthetic (evidence of rust or dullness of chrome) reasons. In the case of a service such as pizza delivery within 30 minutes of order placement, if the timeliness of delivery is not verifiable, then validation would be required. However, most service-oriented businesses (e.g. delivery; call center) have some form of monitoring during service execution to ensure service quality. Validation involves conducting capability studies using a combination of resources technology, equipment, materials, environment, competent personnel, and production and testing methods that consistently result in a quality product or service. Validation may also require customer or regulatory approval of the process. You must keep appropriate records of process validation showing both the achievement of planned results as well as the ongoing maintenance of such capability. If you change any part of the proven process capability for e.g. materials, equipment or personnel, etc., you must revalidate i.e re-prove the changed process. It is up to each organization to determine what combination of resources and methods will provide the required consistent process capability and quality of product or service. Include as appropriate, these validation controls in your quality plans.
Product-related indicators may include a reduction in defect rates, PPM’s (defective parts per million), scrap rates, waste and rework; improvement in on-time delivery. Production process-related indicators may include a reduction in set-up time, run rates, process cycle time, production scheduling and operator errors and omissions, etc.
8.5.2 Identification and Traceability
The organization should use suitable means to identify “process outputs” where necessary to ensure conformity of products and services. The organization should identify the status of “process outputs” with respect to monitoring and measurement requirements throughout production and service provision. The organization should control the unique identification of “process outputs” where traceability is a requirement. It should retain any documented information necessary to maintain traceability. “Process outputs” are results of any activities which are ready for delivery to the customer or to an internal customer (e.g., the receiver of inputs to the next process). “Process outputs” can include products, services, intermediate parts, components, etc.
There are three distinct control requirements specified here.
- Product identification: It means knowing the identity of your or customer-supplied product from incoming receipt of materials, raw material storage, use in production, work in progress, finished product storage, and delivery of the product to the customer. Product identification can be controlled using physical and electronic methods.
- Product status: It means knowing the quality status (good or bad) of materials and products through each of the above stages. Product status can be controlled using physical and electronic methods.
- Unique Product Identification: It is not a mandatory requirement under ISO 9001 unless contractually required by customers or regulatory bodies. In certain industry sectors such as the automotive or aerospace or pharmaceutical industry, unique product identification is mandatory for safety, regulatory, and risk management reasons. This usually involves keeping detailed records of product manufacturer such as material, equipment, personnel, processes, production, inspection and test details, etc., for individual products or production batches. These records help to trouble-shoot product and process problems, resolve customer complaints, and enable continual improvement of product and process. In many instances, it also reduces cost, risk, and use of resources by narrowing the problem down to a specific cause or instance. Depending on the product, the OEM may specify the degree of unique identification and traceability required.
While this clause does not call for specific documented information, these controls may be included in your Operation processes through your product quality plans, work instructions, and other specific documentation. Examples of product identification and test status include physical tags, bar code labels linked to computer records; MRP systems tracking specific production runs/lots, automated production transfer processes, etc. Performance indicators to measure the effectiveness of processes that control identification and traceability may include a reduction in identification errors and omissions; product quality status errors and omissions; and traceability errors and omissions.
8.5.3 Property Belonging to Customers or External Providers
The organization should exercise care with property belonging to customers or external providers while under the organization’s control or being used by the organization. The organization should identify, verify, protect, and safeguard the customer’s or external provider’s property provided for use or incorporation into products and services. It should report to the customer or external provider when their property is incorrectly used, lost, damaged, or otherwise found to be unsuitable for use. Customer property can include material, components, tools and equipment, customer premises, intellectual property, and personal data.
Customer or External provider property may include material, production equipment, tooling, measuring and test equipment, facilities, transport vehicles, returnable packaging, intellectual property such as drawings, specifications or proprietary information, product returned for servicing under warranty, product sent for outsourced work, etc. All customer property is exposed to the risk of being damaged, lost, misused, misplaced, stolen, become unsuitable or obsolete for use. You must establish controls for each of these risks. Notify the customer/ External provider in writing if their property is lost, damaged, or otherwise found to be unsuitable such as perishable past its shelf life for use. Control to minimize the risks to customer/External provider property include inventory management, preservation, and storage, identification, status and traceability indicators, maintenance, notification, traffic flow, authorized use, restricted access, etc. Marking customer/External provider property with a unique identification number that can be traced to a record that provides details of ownership is one of many acceptable controls. While this clause does not call for specific documented information, these controls may be included in your product realization processes through your product quality plans, work instructions, and other specific documentation. Many of the controls needed for clause 8.5.2 Identification and traceability and clause 8.5.4 Preservation apply to customer property. The processes, controls, and documentation for these other clauses could be expanded to include customer property. Performance indicators to measure the effectiveness of processes that control customer property may include a reduction in identification errors and omissions, loss due to damage or unsuitability, scrap, rejects, etc., as well as increased customer property turnover rates.
The organization should ensure the preservation of “process outputs” during production and service provision, to the extent necessary to maintain conformity to requirements. Preservation can include identification, handling, packaging, storage, transmission or transportation, and protection.
All raw materials, work in progress, finished product, supplies, customer provided materials or product, product sent for outsourced work, etc., are subject to the risk of being damaged, lost, misused, misplaced, stolen, become unsuitable, perishable, or obsolete i.e. past shelf life for use. This could occur during receipt, handling, storage, use in production, and transportation to the customer, etc. These could be controlled using identification, status and traceability indicators, inventory cycle counts and condition evaluation, stock rotation methods such as FIFO, just in time, tracking shelf life, special, controls for restricted access, handling and storage of hazardous materials, climate and environment, maintenance procedures, bar codes, training, use of special equipment for handling, condition reports, etc. These controls may be included in your product realization processes through your product quality plans, work instructions, and other specific documentation. Many of the controls needed for clause 7.5.3 Identification and traceability apply to the preservation of the product. Performance indicators to measure the effectiveness of processes that control preservation of product may include a reduction in obsolete and spoils materials an product (e.g., fresh produce, fruits, or frozen foods), identification errors and omissions, rejects, waste, scrap, etc., and increase in inventory turnover and material/product availability, and product safety.
8.5.5 Post-Delivery Activities
The organization should meet requirements, as applicable, for post-delivery activities associated with products and services. In determining the extent of post-delivery activities that are required the organization should consider risks associated with products and services; Customer feedback; legal requirements; nature, use, and intended lifetime of products and services; Post-delivery activities can include actions under warranty provisions, contractual obligations (such as maintenance services) and supplementary services (such as recycling or final disposal)
Post Delivery activities mean based on customer agreement or other agreement, the organization may be responsible for providing support for their product or services after delivery. This could include technical support, routine maintenance or total recall, recycling, reusable packaging, returnable containers, etc. The extent of post-delivery activity will depend on:
- Statutory and regulatory requirements: If statutory or regulatory requirements dictate post-delivery activities or warranties, they must be addressed
- the potential undesired consequences associated with its products and services: The organization must consider potential consequences, and how they intend to respond, the scope of their reaction plan, etc
- nature, use and an intended lifetime of its products and services: This is very commonly stated in the organization’s return policy or statement of liability. Some organizations clearly state that there are no warranties (or post-delivery activities) offered, expressed, or implied. If this is the case (and in the absence of any other requirements in this list), this section can be addressed simply by acknowledging that there are no post-delivery activities.
- customer requirements: If the customer requires post-delivery, support, warranty, protection through delivery and receipt, etc, the post-delivery activities should be clearly described.
- Customer feedback: Customer feedback should be considered when determining the scope of post-delivery activities. This also implies that the scope of those post-delivery activities may change over time in response to customer feedback.
8.5.6 Control of Changes
The organization should review and control changes for production or service provision to the extent necessary to ensure continuing conformity with requirements. The organization should retain documented information describing the results of the review of changes, personnel authorizing the change, and any necessary actions arising from the review.
The organization is required to review and control changes for all of the previously discussed “production and service provision” topics including 8.5.1 Control of production and service provision (all of the controls established in the first place), 8.5.2 Identification and traceability, 8.5.3 Property belonging to customers or external providers, 8.5.4 Preservation and 8.5.5 Post-delivery activities. So, just as the QMS must have defined each of these items, any changes to them must be controlled. Changes that are not clearly communicated create confusion. Changes that have not been adequately reviewed and vetted may be implemented and result in an undesired outcome. Changes, in general, create instability, and a robust change management process is critical to ensure changes are fully reviewed, approved, communicated, understood, and validated when they are implemented. Records describing the results of the review of changes, personnel authorizing the change, and any necessary actions arising from the review have to be maintained.
8.6 Release of Products and Services
The organization should implement planned arrangements at appropriate stages to verify product and service requirements have been met. Retain evidence of conformity with acceptance criteria. The release of products and services to the customer should not proceed until the planned arrangements for verification of conformity have been satisfactorily completed unless otherwise approved by a relevant authority and, as applicable, by the customer. The organization should retain documented information for traceability to the person(s) authorizing the release of products and services for delivery to the customer. The organization should also retain documented information for evidence of conformity with the acceptance criteria.
You must identify, monitor, and measure product/service characteristics to verify conformity to requirements. Product characteristics may be dimensional, functional, performance, reliability, durability, maintainability, life, cost, etc. Requirements may come from your customer, your own organization, regulatory and industry sources. You must plan what characteristic(s) to measure, type of measurements, what measurement device to use, how often to measure, sample size, acceptance criteria, and records needed for each product or product type. Use your quality plan to document these controls. Your product, project, or contract quality plan must define the stages at which various monitoring and measurement will be carried out at incoming receipt of materials from suppliers or outsourced work, storage, internal production processes, finished product, packaging, at time of shipping and post-installation. Monitoring and measurement may be done by your personnel, subcontracted or outsourced labor, or by the customer. You must ensure that all personnel performing monitoring and measurement are trained and competent. If you plan on releasing during any stage of production or shipping finished product, where all planned inspections and measurements to that stage have not been completed, ensure that you obtain prior written approval/waiver from a relevant internal authority or the customer. Where practical, consider completing all missed planned inspections and measurements before product delivery. You must identify and document all product realization processes that may address this clause, as part of your QMS, e.g. receiving, production, shipping, etc. For such processes, you must also identify what specific documents are needed for effective planning, operation, and control. You could use a product quality plan, any documented information, or other combination of specific practices, procedures, and methods. Look at the risks related to your product, processes, and resources in determining the extent of documented controls you need to have. Performance indicators to measure product conformity may include a reduction in defect rates, PPM’s (defective parts per million), scrap rates, waste, rework, improvement in on-time delivery, product returns from the customer, etc. Performance indicators to measure the effectiveness of product realization processes in achieving product conformity include productivity, reduction of cycle time, errors, omissions, and failures, etc.
8.7 Control of Nonconforming Process Outputs, Products, and Service
The organization should ensure process outputs, products, and services that do not conform to requirements are identified and controlled to prevent unintended use or delivery. The organization should take appropriate action based on the nature of nonconformity and its impact on the conformity of products and services. This is applicable also to nonconforming products and services detected after delivery of products during or after the provision of service. The organization should deal with nonconforming outputs in one or more of these ways:
- segregation, containment, return, or suspension of the provision of products and services;
- informing the customer;
- obtaining authorization for acceptance under concession.
The organization should verify conformity to requirements when nonconforming process outputs, products, and services are corrected.
The organization should retain documented information that describes the nonconformity, action taken, concessions obtained, identifies the person or authority that made the decision regarding dealing with nonconformity.
ISO 9001:2015-Clause 8.7 applies to processes, products, and services that do not conform to customer requirements, applicable regulatory requirements, or your own organization requirements. Nonconformities may relate to suppliers and outsourced work, your own organizational activities, or product shipped to customers. Your organization must have controls and responsibilities to identify, contain i.e. prevent further processing or use, keep records of the nature and other details of the nonconformity, notify appropriate personnel and customer, where appropriate, evaluate what disposition action needs to be taken, carry out timely disposition, determine policies for release for further processing or shipment to the customer, obtain customer concessions, rework and re-verification, establish performance indicators to measure the effectiveness of the control of nonconformance process, etc. Product or material found with no identification or its quality status is not known, should be treated as a nonconforming product and controlled as mentioned above. If you find that a nonconforming product has been shipped, without a customer concession, you must take appropriate action to reduce the immediate and consequential effect of the nonconformity. Depending upon the seriousness and scope of the nonconformity, you might consider taking action to eliminate the nonconformity as well as a corrective action to eliminate the root causes of the nonconformity. It might be appropriate in specific circumstances to notify the customer and resolve the situation to your customer’s satisfaction. A similar rationale may be applied where the product has been shipped that does not meet regulatory requirements. Depending upon the seriousness and scope of the nonconformity, you might consider taking action to eliminate the nonconformity as well as a corrective action to eliminate the root causes of the nonconformity. You need to be aware of any reporting requirements imposed by regulatory bodies and comply with them. A concession authorization allows you to ship nonconforming products, under controlled conditions. A deviation authorization allows you to manufacture a product different from the original specification, under controlled conditions. In both these situations, make sure that you obtain these authorizations in writing prior to shipping or manufacturing the nonconforming product. All product realization processes must show the interaction with your process for a nonconforming product. Performance indicators to measure the effectiveness of control of nonconforming products may include a reduction in cycle time to evaluate and dispose of nonconforming products, reduced errors in preventing unintended use or delivery, improved alternate use of the nonconforming product, and cost recovery, etc.
Published by Pretesh Biswas
Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt . View all posts by Pretesh Biswas
One thought on “ ISO 9001:2015 CLAUSE 8 OPERATION ”
Thank you so much these helpful articles…thanks to you I am a good teacher of QMS!!
Leave a Reply Cancel reply
ALCUMUS ISOQAR LIMITED REGISTERED NUMBER 02637608 (“ALCUMUS”) TERMS AND CONDITIONS OF CONTRACT
Rules of registration to supply certification services, rules of registration between alcumus holdings limited (alcumus isoqar) and the client (organisations audited and certified by alcumus isoqar)..
- Feb 11, 2019
Understanding The Clauses Of ISO 9001:2015 (Clause 8.1 - 8.2 Operation)
There are six (6) implementable clauses within ISO 9001:2015 Quality Management System Standard.
Within this series of posts over the next six weeks we will discuss the requirements to all six clauses and the correct interpretation thereof.
8.1 Operational Planning and Control
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.1 – Product Realization Planning, but it has been extended to include implementation and control, as well planning. You should seek and record evidence that your organization has determined the design and its processes to meet the requirements of your customers and the requirements of your QMS. Evidence that the process, including all inputs, outputs, resources, controls, criteria, and process measurement and performance indicators being planned should be sought.
This is a new requirement. For those risks and opportunities that your organization has identified, you should seek evidence that these actions have been integrated into the management system; as such, these actions should be verifiable at process level – for example, evidence of controls, acceptance criteria and resources to address the risks and opportunities. Review the acceptability criteria; this may include targets, measures, values, KPIs, specifications and other criteria as relevant to the output.
You should ensure that the implemented processes are controlled as planned and that there is evidence that your organization has evaluated the effectiveness of actions taken when addressing risks and opportunities. Evaluate and record any evidence pertaining to planned and unintended changes.
Operational planning is about controlling the design and development process. The organization must ensure that all related activities take place under controlled conditions. The final product or service is the culmination of events that transfer customer requirements and expectations into a tangible product or effective service that conforms to specified requirements and expectations. Control product realization planning by:
Determining quality objectives for the product;
Determining requirements for the product;
Identifying processes required to achieve conformance;
Establishing processes required to achieve conformance;
Identifying documents to demonstrate conformance;
Identifying resources required to achieve conformance;
Maintaining and retaining documented information.
Your organization needs to plan in advance for how they will manufacture their product or deliver their service. The plans need to take into account the product requirements and any quality objectives that might be appropriate, resources and documents that may be necessary, what type of monitoring and/or inspection activities should be put in place to ensure the product or service will meet the requirements, and what types of records should be kept.
8.2 Requirements for Products and Services
8.2.1 Customer Communication
This requirement is directly comparable to the requirements of ISO 9001:2008 Clause 7.2.3 – Customer Communication. It has been expanded to include new requirements to obtain ‘customer views and perceptions’ instead of ‘customer feedback’. Some or all of the following specific customer communication should be observed and evidenced:
1. Marketing information;
2. Quotations and order forms;
3. Confirmation of authorized orders and amended orders;
4. Delivery notes and certificates of conformity;
5. Invoices and credit notes;
6. E-mail and general correspondence;
7. Site visit reports or notes to/from customer;
8. Customer feedback and complaints management process.
8.2.2 Determination of Requirements for Products & Services
This new requirement replaces ISO 9001:2008 Clause 7.2.1 - Determination of Requirements Related to Product Requirements. You should seek and record evidence that your organization has implemented a process to determine the requirements for the products and services that it intends to offer to customers.
This may also include the requirements from interested parties and also statutory and regulatory requirements relating to the product.
8.2.3 Review of the Requirements for Products & Services
This requirement is comparable to ISO 9001:2008 Clause 7.2.1 - Determination of Requirements Related to Product and Clause 7.2.2 - Review of Requirements Related to Product.
The requirement states that your organization should now include a review of the requirements arising from any relevant interested parties. You should seek and record evidence that these requirements are considered during product and service reviews.
8.2.4 Changes to Requirements for Products & Services
This is a new requirement. You should seek and record evidence that your organization has ensured that all relevant documented information; relating to changed product or service requirements, is amended and those relevant design personnel are made aware of the changed requirements.
Join our mailing list to receive upcoming posts : http://www.isoqar.co.za/
- The Auditor (Strip Gallery)
- The Auditor Wiki
- THE AUDITOR: YEAR ONE (E-Book)
- THE AUDITOR: YEAR TWO (E-Book)
- Patreon Donations
- Remote Services
- Remote QMS Maintenance
- ISO 17021-1
- AS Tri-System
- AS9100 Suspension Help
- NIST 800-171
- Internal Auditing
- Deep Dive Auditing
- Available Topics
- Upcoming Events
- Send Oxebridge to Congress
- Advocacy Services
- Q001 Standard & Support Docs
- Q001 Accreditation Standards
- Q001 Advisory Board
- Surviving ISO 9001 (Book)
- Surviving AS9100 (Book)
- ISO 9001 QMS Template Kit
- AS9100 QMS Template Kit
- Guidance Documents
- Benefits of ISO 9001 (Series)
- Latest News & Opinion
- The Auditor Comic Strip
- Slack Group / O-Forum
- Subscribe to Blog
- ISO Whistleblower Reports
- PPE Fraud Reports
- Legal Fund Donations
- Request Quote
- Contact Oxebridge
- Slack Channel
- About Oxebridge
About Christopher Paris
- Legal Defense Fund
- Subscribe to Stuff
- The Oxebridge Report
- Submit an Article
- Site Policies & Legal
Benefits of ISO 9001, Part 5: Clause 8.1 on Operational Planning
Posted by Christopher Paris | Dec 27, 2019 | Guidance Document
[This series of articles tries to emphasize the benefits of ISO 9001, and how to yield results from each major clause of the standard.]
Clauses 4, 5, 6 and 7 of ISO 9001:2015 dealt with higher-level planning and structure of the QMS, and assume that you are using the standard to devise it as well as structure key elements of your company. Clause 8 gets down into more of the day-to-day, nuts and bolts of operation of the QMS, now that it’s been planned and launched.
This section is the largest of the entire standard, so we need to delve into each sub-clause separately. The first is 8.1, called “Operational Planning and Control.”
I’ve written at length about how this clause is confusing to many, and often overlaps with clause 8.5.1, which we will discuss later. Suffice it to say, you may want to carefully read both clauses (8.1 and 8.5.1) and decide when and where to apply their lengthy bulleted lists of requirements. The thinking is that the list of 8.1 should happen at a higher level, with the list in 8.5.1 applying only after a given job is taken and underway, but I think this view is limiting. You’ll likely have to bite both of them at the same time.
Limiting our discussion to 8.1 for the purposes of this article, however, we see the list is prescribing some ideas on what you should be thinking about when developing the “operational” processes. In Clause 4.4, the standard asked you to develop your overall QMS processes; ISO is assuming, here, that you will have to take a second swing at this, but at the operational level. Many companies find that’s not necessary, and they’ve already considered and developed operational processes as part of 4.4. If that’s true for you, don’t worry, that’s great. If not, then 8.1 gives you a list of things to consider for the processes involving day-to-day activities.
There’s some leftover language from ancient ur-texts that predated ISO 9001, hinting at the use of “quality plans.” These had fallen out of favor in the 2000s and 2010s, but I do see a resurgence as companies see a need to tailor their QMS to suit specific customers. Quality plans are not a requirement here, but they do help satisfy this clause.
If we look ahead to the remaining sub-clauses in section 8, we get an idea of what “operational processes” are of interest to ISO 9001 here. They are asking you to consider any processes related to the intake of customer orders (covered later under 8.2.), the design of product (8.3.), purchasing (8.4.), production or service provision (8.5), inspection and testing (8.6) and nonconformity control (8.7.) That should help focus your thinking. So you can use the list in 8.1 to go back and review your process breakdown from 4.4, and check to see if you have properly defined processes related to the requirements of these clauses, and have put in the necessary controls for them.
When implemented properly, Clause 8.1 should result in the following tangible benefits for your company:
- The activities related to intake of customer orders, the design of product, purchasing, production or service provision, inspection and testing and nonconformity control will all be well thought out before you take on work. This will reduce surprises and nonconformities.
- You will have suitable means of measuring these “operational processes” in real time, so that if the processes start to deviate, you will know before a nonconformity is encountered.
- You may develop customer-specific or product-specific “quality plans” which help tailor the QMS for those cases.
Click here for the full series of articles on The Benefits of ISO 9001:2015 .
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100 . He reviews wines for the irreverent wine blog, Winepisser .
Operational planning is about controlling the design and development process. The organization must ensure that all related activities take place under
Section 8.0 of ISO 9001:2015 is primarily concerned with the operational "Do" part of the Plan, Do, Check, Act cycle. To summarise clause 8.1, organisations
Clause 8.1 of ISO 9001: Operational Planning and Control ... So far in this blog series I've mostly talked about very high-level processes. They're what's covered
The output of this planning shall be suitable for the organization's operations. The organization shall control planned changes and review the
This clause wants you to plan, implement and control the processes needed to manage the risks and opportunities as a result of what you
Operational planning and control are a key part of the ISO 9001 quality management standard. They are concerned with the day-to-day running
The output of this planning should be suitable for the organization's operations. The organization should control planned changes and review the
Operational planning is about controlling the design and development process. The organization must ensure that all related activities take
Clause 8 gets down into more of the day-to-day, nuts and bolts of operation of the QMS, now that it's been planned and launched. This section is
Tutorial on ISO 9001 clause 8.1 | QMS OPERATIONAL PLANNING AND CONTROL | ISO 9001 operations | QMS OperationsContact for detailed