Standard Requirements 

The new ISO 9001:2015 text for reference

 

8 Operation

8.1 Operational planning and control

The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by:

a) determining the requirements for the products and services;

b) establishing criteria for:

1) the processes;

2) the acceptance of products and services;

c) determining the resources needed to achieve conformity to the product and service requirements;

d) implementing control of the processes in accordance with the criteria;

e) determining, maintaining and retaining documented information to the extent necessary:

1) to have confidence that the processes have been carried out as planned;

2) to demonstrate the conformity of products and services to their requirements.

The output of this planning shall be suitable for the organization's operations.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled (see 8.4).

8.2 Requirements for products and services

8.2.1 Customer communication

Communication with customers shall include:

a) providing information relating to products and services;

b) handling enquiries, contracts or orders, including changes;

c) obtaining customer feedback relating to products and services, including customer complaints;

d) handling or controlling customer property;

e) establishing specific requirements for contingency actions, when relevant.

8.2.2 Determining the requirements for products and services

When determining the requirements for the products and services to be offered to customers, the organization shall ensure that:

a) the requirements for the products and services are defined, including:

1) any applicable statutory and regulatory requirements;

2) those considered necessary by the organization;

b) the organization can meet the claims for the products and services it offers.

8.2.3 Review of the requirements for products and services

8.2.3.1 The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include:

a) requirements specified by the customer, including the requirements for delivery and post-delivery activities;

b) requirements not stated by the customer, but necessary for the specified or intended use, when known;

c) requirements specified by the organization;

d) statutory and regulatory requirements applicable to the products and services;

e) contract or order requirements differing from those previously expressed.

The organization shall ensure that contract or order requirements differing from those previously defined are resolved.

The customer's requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements

8.2.3.2 The organization shall retain documented information, as applicable:

a) on the results of the review;

b) on any new requirements for the products and services.

 

8.2.4 Changes to requirements for products and services

The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.

8.3 Design and development of products and services

8.3.1 General

The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.

8.3.2 Design and development planning

In determining the stages and controls for design and development, the organization shall consider:

a) the nature, duration and complexity of the design and development activities;

b) the required process stages, including applicable design and development reviews;

c) the required design and development verification and validation activities;

d) the responsibilities and authorities involved in the design and development process;

e) the internal and external resource needs for the design and development of products and services;

f) the need to control interfaces between persons involved in the design and development process;

g) the need for involvement of customers and users in the design and development process;

h) the requirements for subsequent provision of products and services;

i) the level of control expected for the design and development process by customers and other relevant interested parties;

j) the documented information needed to demonstrate that design and development requirements have been met.

8.3.3 Design and development inputs

The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider:

a) functional and performance requirements;

b) information derived from previous similar design and development activities;

c) statutory and regulatory requirements;

d) standards or codes of practice that the organization has committed to implement;

e) potential consequences of failure due to the nature of the products and services.

Inputs shall be adequate for design and development purposes, complete and unambiguous.

Conflicting design and development inputs shall be resolved.

The organization shall retain documented information on design and development inputs.

8.3.4 Design and development controls

The organization shall apply controls to the design and development process to ensure that:

a) the results to be achieved are defined;

b) reviews are conducted to evaluate the ability of the results of design and development to meet requirements;

c) verification activities are conducted to ensure that the design and development outputs meet the input requirements;

d) validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use;

e) any necessary actions are taken on problems determined during the reviews, or verification and validation activities;

f) documented information of these activities is retained.

NOTE Design and development reviews, verification and validation have distinct purposes. They can be conducted separately or in any combination, as is suitable for the products and services of the organization.

8.3.5 Design and development outputs

The organization shall ensure that design and development outputs:

a) meet the input requirements;

b) are adequate for the subsequent processes for the provision of products and services;

c) include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria;

d) specify the characteristics of the products and services that are essential for their intended purpose and their safe and proper provision.

The organization shall retain documented information on design and development outputs.

8.3.6 Design and development changes

The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements.

The organization shall retain documented information on:

a) design and development changes;

b) the results of reviews;

c) the authorization of the changes;

d) the actions taken to prevent adverse impacts.

8.4 Control of externally provided processes, products and services

8.4.1 General

The organization shall ensure that externally provided processes, products and services conform to requirements.

The organization shall determine the controls to be applied to externally provided processes, products and services when:

a) products and services from external providers are intended for incorporation into the organization's own products and services;

b) products and services are provided directly to the customer(s) by external providers on behalf of the organization;

c) a process, or part of a process, is provided by an external provider as a result of a decision by the organization.

The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.

8.4.2 Type and extent of control

The organization shall ensure that externally provided processes, products and services do not adversely affect the organization's ability to consistently deliver conforming products and services to its customers.

The organization shall:

a) ensure that externally provided processes remain within the control of its quality management system;

b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;

c) take into consideration:

1) the potential impact of the externally provided processes, products and services on the organization's ability to consistently meet customer and applicable statutory and regulatory requirements;

2) the effectiveness of the controls applied by the external provider;

d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.

8.4.3 Information for external providers

The organization shall ensure the adequacy of requirements prior to their communication to the external provider.

The organization shall communicate to external providers its requirements for:

a) the processes, products and services to be provided;

b) the approval of:

1) products and services;

2) methods, processes and equipment;

3) the release of products and services;

c) competence, including any required qualification of persons;

d) the external providers' interactions with the organization;

e) control and monitoring of the external providers' performance to be applied by the organization;

f) verification or validation activities that the organization, or its customer, intends to perform at the external providers' premises.

8.5 Production and service provision

8.5.1 Control of production and service provision

The organization shall implement production and service provision under controlled conditions.

Controlled conditions shall include, as applicable:

a) the availability of documented information that defines:

1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed;

2) the results to be achieved;

b) the availability and use of suitable monitoring and measuring resources;

c) the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met;

d) the use of suitable infrastructure and environment for the operation of processes;

e) the appointment of competent persons, including any required qualification;

f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement;

g) the implementation of actions to prevent human error;

h) the implementation of release, delivery and post-delivery activities.

8.5.2 Identification and traceability

The organization shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services.

The organization shall identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision.

The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability.

8.5.3 Property belonging to customers or external providers

The organization shall exercise care with property belonging to customers or external providers while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customers' or external providers' property provided for use or incorporation into the products and services.

When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred.

NOTE A customer's or external provider's property can include materials, components, tools and equipment, premises, intellectual property and personal data.

8.5.4 Preservation

The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements.

NOTE Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.

8.5.5 Post-delivery activities

The organization shall meet requirements for post-delivery activities associated with the products and services.

In determining the extent of post-delivery activities that are required, the organization shall consider:

a) statutory and regulatory requirements;

b) the potential undesired consequences associated with its products and services;

c) the nature, use and intended lifetime of its products and services;

d) customer requirements;

e) customer feedback.

NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.

8.5.6 Control of changes

The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.

The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.

8.6 Release of products and services

The organization shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met.

The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer.

The organization shall retain documented information on the release of products and services. The documented information shall include:

a) evidence of conformity with the acceptance criteria;

b) traceability to the person(s) authorizing the release.

8.7 Control of nonconforming outputs

8.7.1 The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.

The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services. This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services.

The organization shall deal with nonconforming outputs in one or more of the following ways:

a) correction;

b) segregation, containment, return or suspension of provision of products and services;

c) informing the customer;

d) obtaining authorization for acceptance under concession.

Conformity to the requirements shall be verified when nonconforming outputs are corrected.

8.7.2 The organization shall retain documented information that:

a) describes the nonconformity;

b) describes the actions taken;

c) describes any concessions obtained;

d) identifies the authority deciding the action in respect of the nonconformity.