ISO 9001-2015 Note For area 8: Operation

8 Operation
ISO 9001:2015 Requirement
Table of contents:

 8.1 Operational planning and control

 8.2 Requirements for products and services
o 8.2.1 Customer communication
o 8.2.2 Determining the requirements related to products and services
o 8.2.3 Review of requirements related to products and services
o 8.2.4 Changes to requirements for products and services
 8.3 Design and development of product and services
o 8.3.1 General
o 8.3.2 Design and development planning
o 8.3.3 Design and development inputs
o 8.3.4 Design and development controls
o 8.3.5 Design and development outputs
o 8.3.6 Design and development changes
 8.4 Control of externally provided resources, products and services
o 8.4.1 General
o 8.4.2 Types and extent of control
o 8.4.3 Information for external providers
 8.5 Product and service provision
o 8.5.1 Control of production and service provision
o 8.5.2 Indentification and traceability
o 8.5.3 Property belonging to customers or external providers
o 8.5.4 Preservation
o 8.5.5 Post-delivery activities
o 8.5.6 Control of changes
 8.6 Release of products and services
 8.7 Control of nonconforming outputs

8.1 Operational planning and control

ISO 9001:2015 Requirement
The organization shall plan, implement, and control the processes (See 4.4) needed to meet
requirements for the provision of products and services and to implement the actions determined in
clause 6 by:

a) determine product and services requirements

b) establish criteria for

 the processes and

 for the acceptance of products and services

c) determine the resources needed to achieve conformity to product and service requirements
d) implement control of the processes in accordance with the criteria;

e) determining, maintaining and retaining documented information to the extent necessary

1. to have confidence that the processes have been carried out as planned and
2. to demonstrate conformity of products and services to requirements

The output of planning shall be suitable for the organization’s operations.

The organization shall control planned changes and review consequences of unintended changes,
taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled in accordance with 8.4.

8.2 Requirements for products and services

ISO 9001:2015 Requirement
Table of contents:

 8.2.1 Customer communication

 8.2.2 Determining the requirements related to products and services
 8.2.3 Review of requirements related to products and services
 8.2.4 Changes to requirements for products and services

8.2.1 Customer communication

ISO 9001:2015 Requirement
Communicating with customers shall include:
a) providing information relating to products and services
b) inquiries handling, contracts, or order handling, including changes
c) obtaining customer feedback relating to product and service, including customer complaints
d) the handling or controlling of customer property
e) establish specific requirements for contingency actions, when relevant

What has changed from ISO 9001:2008

Earlier these requirements were addressed in clause 7.2.3 of ISO 9001:2008.
Communication related to handling of customer property has been added.
Establishing requirements for contingency actions has been added.

Notes
What is Contingency actions?

Wikipedia defines contingency plan as:

A contingency plan is a plan devised for an outcome other than in the usual (expected) plan. It is
often used for risk management when an exceptional risk that, though unlikely, would have
catastrophic consequences.

So "establishing specific requirements for contingency action" means having a communication with
customer on the actions when things are not going per plan.

8.2.2 Determining the requirements related to

products and services
ISO 9001:2015 Requirement
When determining the requirements for the products and services to be offered to customer, the
organization shall ensure that:
a)the requirements for the product and services are defined, including

 applicable legal requirements

 those considered necessary by the organization

b) the organization can meet the claims for the products and services it offers.

What has changed from ISO 9001:2008

This clause replaces clause 7.2.1 (Determination of requirements related to product) of ISO
9001:2008. The organization's "ability to meet the defined requirements" was earlier covered in the
clause 7.2.2 (c) of ISO 9001:2008. That requirement has now been moved to this clause to confirm if
the organization "can meet the claims".

8.2.3 Review of requirements related to products and

services
ISO 9001:2015 Requirement
8.2.3.1
The organization shall ensure that it has the ability to meet the requirements for product and service
to be offered to customers. The organization shall conduct a review before committing to supply
product and service to a customer. This review to include:
a) requirements specified by customer including the requirements for delivery and post-delivery
activities;
b)requirements not stated by the customer, but necessary for the specified or intended use, when
known;
c)requirements specified by the organization;
d)statutory and regulatory requirements applicable to the products and services;
e)contract or order requirements differing from those previously expressed

The organization shall ensure that the contract or order requirements differing from those previously
defined are resolved.

The customer’s requirements shall be confirmed by the organization before acceptance, when the
customer does not provide a documented statement of their requirements.
Note: In some situation, such as internet sales, a formal review is impractical for each order. Instead,
the review can cover relevant product information, such as catalogues.

8.2.3.2
The organization shall retain documented information, as application:
a)on the review results
b)on any new requirements for the product and service

What has changed from ISO 9001:2008

This clause replaces the clause 7.2.2 (Review of requirements related to the product) of ISO
9001:2008.
Earlier this clause had a requirement for the organization to review if the organization has the ability
to meet requirements of not. That clause has now been removed and moved to 8.2.2 under
determination of requirements. Instead of asking whether the organization has the "ability to meet"
the new clause looks for whether the organization "can meet claims".

8.2.4 Changes to requirements for products and

services
ISO 9001:2015 Requirement
When product and services requirements are changed, the organization shall ensure that the
documented information is amended and relevant people are made aware of the changes.

What has changed from ISO 9001:2008

This requirement was earlier the last requirement under clause 7.2.2 (Review of requirements related
to product) of ISO 9001:2008. In this new standard the requirement has been placed under a
separate clause from the review of requirement clause.

8.3 Design and development of product and services

ISO 9001:2015 Requirement
Table of contents:

 8.3.1 General
 8.3.2 Design and development planning
 8.3.3 Design and development inputs
 8.3.4 Design and development controls
 8.3.5 Design and development outputs
 8.3.6 Design and development changes

What has changed from ISO 9001:2008

In the previous standard there were seven sub-clauses under Design and development (7.3 of ISO
9001:2008)

 7.3.1 Design and Development Planning

 7.3.2 Design and Development Inputs
 7.3.3 Design and Development Outputs
 7.3.4 Design and Development Review
 7.3.5 Design and Development Verification
 7.3.6 Design and Development Validation
 7.3.7 Control of Design and Development Changes

In this new standard Review, Verification and Validation has been combined as a single clause "Design
and development controls".

8.3.1 General
ISO 9001:2015 Requirement
The organization shall establish, implement, and maintain a design and development process that is
appropriate to ensure the subsequent provision of products and services.

What has changed from ISO 9001:2008

In earlier version of the standard clause 7.3 Design and development did not have a general
requirement. This new standard gives option to the organizations to have the design and development
process as appropriate.

8.3.2 Design and development planning

ISO 9001:2015 Requirement
In determining the stages and controls for design and development, the organization shall "consider"
the :

a) nature, duration, and complexity of the design and development activities

b) required process stages, including applicable design and development reviews

c) required design and development verification and validation activities

d) responsibilities and authorities involved in the design and development process

e) internal and external resources needed for the design and development of products and services

f) need to control interfaces between persons involved in the design and development process

g) need for involvement of customer and users in the design and development process

h) requirements for subsequent provisions of products and services

i) Level of control expected by customers and other relevant interested parties

j) necessary documented information to demonstrate that design and development requirements have
been met.
 What has changed from ISO 9001:2008
This clause expands the requirements of clause 7.3.1 (design and development planning) of ISO
9001:2008.
This new clause requires organizations to "consider" these factors when planning for the design and
development process.

8.3.3 Design and development inputs

ISO 9001:2015 Requirement
The organization shall determine the requirements essential for the specific types of products and
services to be designed and developed. The organization shall consider:

a) functional and performance requirements

b) information derived from previous similar design and development activities

c) statutory and regulatory requirements

d) standards or codes of practice that the organization has committed to implement

e) potential "consequences of failure" due to the nature of products and services

Inputs shall be adequate for design and development purpose, complete, and unambiguous. Resolve
conflicts among D &D inputs.

The organization shall retain documented information on D & D. (Mandatory documented information)

What has changed from ISO 9001:2008

This clause replaces clause 7.3.2 (Design and Development Inputs) of ISO 9001:2008.

By adding "consequences of failure" this new standard is looking for risk based thinking in design
process as well.

8.3.4 Design and development controls

ISO 9001:2015 Requirement
The organization shall apply controls to the design and development process to ensure that:

a) the results to be achieved are clearly defined

b) reviews are conducted to evaluate the ability of the results of design and development process to
meet requirements

c) verification activities are conducted to ensure that the design and development outputs have
meets the design and development input requirements;

d) validation is conducted to ensure that the resulting products and services are capable of meeting
the requirements for the specified application or intended use
e) any necessary actions are taken on problems identified during the design review, design verification
and design validation process

f) documented information is maintained (Mandatory documented information)

Note:

D&D reviews, verification and validation have distinct purpose. They can be conducted separately or in
any combination, as is suitable for the products and services of the organization.

What has changed from ISO 9001:2008

This clause combines together three clause of ISO 9001:2008.

 7.3.4 Design and development review

 7.3.5 Design and development verification
 7.3.6 Design and development validation

The need to complete (wherever practicable) design validation prior to delivery or implementation has
been dropped.

8.3.5 Design and development outputs

The organization shall ensure that design and development outputs:

a) meet the input requirements

b) are adequate for the subsequent processes for the provision of products and services

c) include or reference monitoring and measuring requirements, as appropriate and acceptance

criteria

d) specify characteristics of the products or services that are essential for their intended purpose and
their safe and proper use.

The organization shall retain the documented information on outputs. (Mandatory documented
information)

What has changed from ISO 9001:2008

These requirements replace the requirements of clause 7.3.3 (Design and development outputs) of
ISO 9001:2008.

Now there is no requirement to have the design and development output approved prior to release.
Since the design and development has already gone through review, verification and validation there
is no need to have it approved once again as an output.

The requirement to have design output contain monitoring and measuring requirements been added.

The need to keep the documented information has been added in this version of the standard.
 8.3.6 Design and development changes
ISO 9001:2015 Requirement
The organization shall identify, review and control changes made during, or subsequent to the design
and development of product and services, to the extent necessary to ensure that there is no adverse
impact on conformity to requirement. The organization shall retain documented information on:
(Mandatory documented information)

a) design and development changes

b) the result of reviews

c) the authorization of the changes

d) the actions taken to prevent adverse impacts

What has changed from ISO 9001:2008
This clause replace clause 7.3.7 (control of design and development changes) of ISO 9001:2008.

In the previous version there as a requirement related to "evaluating effect on constituent parts and
delivered product". That specific requirement has been dropped in the new standard. However the
new version requires to control changes to ensure that there is no adverse impact on conformity to
requirements.

8.4 Control of externally provided resources, products

and services
ISO 9001:2015 Requirement
Table of contents:

 8.4.1 General
 8.4.2 Types and extent of control
 8.4.3 Information for external providers

8.4.1 General
ISO 9001:2015 Requirement
The organization shall ensure that externally provided processes, products and services conform to
requirements.
The organization shall determine the controls to be applied to externally provided processes, products
and services when:
a) Products and services from external providers are intended for incorporation into the
organization’s own products and services;
b) Products and services are provided directly to the customer(s) by external providers on behalf of
the organization;
c) A process, or part of a process, is provided by an external provider as a result of a decision by the
organization.
The organization shall determine and apply criteria for the evaluation, selection, monitoring of
performance, and re-evaluation of external providers, based on their ability to provide process or
product and services in accordance with requirements. The organization shall retain documented
information of these activities and any necessary actions arising from the evaluations.

What has changed from ISO 9001:2008

This clause replace clause 7.4.1 (Purchasing Process) of ISO 9001:2008 with some additional
requirements.
“Purchasing” has changed to “externally provided processes, products and services “

8.4.2 Type and extent of control

The organization shall ensure that externally provided processes, product and services do not
adversely affect the organization’s ability to consistently deliver conforming products and services to
its customers.

The organization shall:

a) Ensure that externally provided processes remain within the control of its QMS;
b) Define both the control that it intends to apply to an external provider and those it
intends to apply to the resulting output;
c) Take into consideration:
1) The potential impact of the externally provided processes, product and
services on the organization’s ability to consistently meet customer and
applicable statutory and regulatory requirement.
2) The effectiveness of the control applied by the external provider;
d) Determine the verification, or other activities, necessary to ensure that the externally
provided processes, products and services meet requirements.

What has changed from ISO 9001:2008

This clause replace clause 7.4.3 (verification of purchased product) of ISO 9001:2008 with some
additional requirements.

8.4.3 Information for external providers

The organization shall ensure the adequacy of requirement prior to their communication to the external
provider.

The organization shall communicate to external providers its requirements for:

a) The processes, products and services to be provided;

b) The approval of:
1) Products and services;
2) Methods, processes and equipment;
3) The release of products and services;
c) Competence, including any required qualification of persons;
d) The externally providers’ interactions with the organization;
 e) Control and monitoring of the external providers’ performance to be applied by the
organization;
f) Verification or validation activities that the organization, or its customer, intends to perform at
the external providers’ premises.

What has changed from ISO 9001:2008

This clause replace clause 7.4.2 (Purchasing Info) of ISO 9001:2008 with some additional
requirements.

8.5 Product and service provision

ISO 9001:2015 Requirement
Table of contents:

 8.5.1 Control of production and service provision

 8.5.2 Identification and traceability
 8.5.3 Property belonging to customers or external providers
 8.5.4 Preservation
 8.5.5 Post-delivery activities
 8.5.6 Control of changes

8.5.1 Control of production and service provision

ISO 9001:2015 Requirement

The organization shall implement production and service provision under controlled conditions.
Controlled conditions shall include, as applicable:

a) the availability of documented information that defines:

 The characteristics of products to be produced, the services to be provided, or the activities to

be performed; (what is being done)
 the results to be achieved; (what are the expected results)

b) the availability and use of suitable monitoring and measuring resources; (to measure the results of
the processes and the results)

c) the implementation of monitoring and measurement activities at appropriate stages to verify that
criteria for control of processes or outputs, and the acceptance criteria for products and services, have
been met;

d) the use of suitable infrastructure and environment for the operation of processes;

e) the appointment of competent persons, including any required qualification;

f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes
for production and service provision, where the resulting output cannot be verified by subsequent
monitoring or measurement; (way back in 1987 version of the standard thee processes were called
special processes)

g) the implementation of actions to prevent human error; (this is a new requirement in this standard)

h) the implementation of release, delivery and post-delivery activities.

8.5.2 Identification and traceability

ISO 9001:2015 Requirement

The organization shall use suitable means to identify outputs when it is necessary to ensure the
conformity of products and services.

The organization shall identify the status of outputs with respect to monitoring and measurement
requirements throughout production and service provision.

The organization shall control the unique identification of the outputs when traceability is a
requirement, and shall retain the documented information necessary to enable traceability.

Guide
Identification is required to monitor the inspection status. It could be a tag, a sticker or a job number
on the piece being produced.

Also during production process the organization would need to have the connection between the
product and the monitoring and measuring requirements. To put it in simple words, the organization
need to establish what measurement was taken with what gauge. For example the pressure test on
this was done using the Pressure Gauge PR-003. Once you know the gauge you can look at the gauge
calibration record.

Coming to the next item in this clause, which is tracebility. In some cases you would need to keep the
record of product for long time. You would have seen batch numbers on medicines. These are put to
keep the traceability. At any later day by knowing the batch number, the company will be able to pull
out all production and test reports for that batch.

Difference between Identification and Traceability

You identify the product by putting a tag, sticker, etching or permanent marker etc.

Traceability can help in finding out what all went into making of this piece.
 8.5.3 Property belonging to customers or external
providers
ISO 9001:2015 Requirement
The organization shall exercise care with customer property belonging to customer or external providers
while it is under the organization’s control or being used by the organization.
The organization shall identify, verify, protect and safeguard customers’ or external providers’ property
provided for use or incorporation into the product and services.
When the property of customer or external provider customer property is lost, damaged or otherwise
found to be unsuitable for use, the organization shall report this to the customer or external provider
and retain documented information on what has occurred.
NOTE:
A Customers’ or external provider’s property can include materials, components, tools and
equipment, premises, intellectual property and personal data.
Guide
The requirements of this clause are simple and straight forward.
Many time your customer will provide a piece to be incorporated in the final product.
Example could be
- Steel provided by customers to fabricate a vessel.
- Equipment provided by customer to repair. (e.g. car service, dry cleaning)
- Employee data provided for salary administration to a third party. (So this material could be even
data)

As a service provider, or as a manufacturer, you would need to take care of customer product.
You should not be mishandling customer provided product. You should not be keeping plates provided
by the customer outdoor to rust and deteriorate, you should not be keeping the car provided to you
for service unlocked on the street. You should not be keeping the employee data provided by the
company with proper password protection.

And just in case you mess up! Tell your customer that you messed up and keep a documented report
of that.

So as I said earlier, there is no rocket science here in this clause. Just the common sense.

You shall treat the customer provided things with care. If you mess up, then tell them and
keep a record of that.

8.5.4 Preservation
ISO 9001:2015 Requirement
The organization shall preserve the outputs during production and service provision, to the extent
necessary to ensure conformity to requirements.

Note:
Preservation can include identification, handling, contamination control, packaging, storage,
transmission or transportation, and protection.
 8.5.5 Post-delivery activities
ISO 9001:2015 Requirement
The organization shall meet requirement for post-delivery activities associated with the products and
services.
In determining the extent of post-delivery activities that are required, the organization shall consider:
a) statutory and regulatory requirements;
b) the potential undesired consequences associated with its product and services;
c) the nature, use and intended lifetime of its products and services;
d) customer requirement;
e) customer feedback.
Note:
Post-delivery activities can include actions under warranty provisions, contractual obligations such as
maintenance services, and supplementary services such as recycling or final disposal.

What has changed from ISO 9001:2008

This is a new requirement.

8.5.6 Control of changes

The organization shall review and control changes for production or service provision, to the extent
necessary to ensure continuing conformity with requirements.

The organization shall retain documented information describing the results of the review of changes,
the person(s) authorizing the change, and necessary actions arising from the review.

What has changed from ISO 9001:2008

This is a new requirement.

8.6 Release of products and services

ISO 9001:2015 Requirement
The organization shall implement planned arrangements, at appropriate stages, to verify that the
product and service requirements have been met.
The release of products and services to the customer shall not proceed until the planned arrangement
have been satisfactorily completed, unless otherwise approved by a relevant authority and, as
applicable, by the customer.

The organization shall retain documented information on the release of products and services. The
documented information shall include:

a) Evidence of conformity with the acceptance criteria;

b) Traceability to the person(s) authorizing the release.

What has changed from ISO 9001:2008

This clause replace clause 8.2.(Monitoring and measurement of product)with some additional
requirements.
 8.7 Control of nonconforming output
8.7.1

The organization shall ensure that outputs that do not conform to their requirements are identified and
controlled to prevent their unintended use or delivery.

The organization shall take appropriate action based on the nature of the nonconformity and its effect
on the conformity of products and services. This shall also apply to nonconformity products and services
detected after delivery of products, during or after the provision of services.

The organization shall deal with nonconforming outputs in one or more of the following ways:

a) correction
b) segregation, containment, return or suspension of provision of products and services;
c) informing the customer
d) obtaining authorization for acceptance under concession.

Conformity to the requirements shall be verified when nonconforming outputs are corrected.

8.7.2

The organization shall retain documented information that:

a) describes the nonconformity;

b) describes the action taken;
c) describes any concessions obtained;
d) identifies the authority deciding the action in respect of the nonconformity.

What has changed from ISO 9001:2008

This clause replace clause 8.3.(control of non-conforming product)with some additional requirements.