ISO 9001:2015 Clause 8 – Operation
In a nutshell, this section covers how we meet customer (and interested parties) needs and expectations. And remember to assess expectations within your own context and the context of your interested parties.
In the PDCA fashion, this section starts with a requirement to ‘…meet requirements for provision of products and services and to implement the actions determined in clause 6…’ where we have to make sure we can actually do the work. The 6.1 sub-clause also refers back to clauses 4.1 (Context) and 4.2 (Needs and expectations of interested parties) – do we know what they want and can we do it?
This first section (8.1) also reminds us to ‘…control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects…‘. This requirement underlines the emphasis on Risk Management and Change Control. Welcome additions, in my view. This will save us a lot of money, not having to ‘do it over’. Poor quality has costs attached as we’re all aware.
As we would expect, the requirements in Requirements for products and services mimic the 2008 requirements for ‘Customer related processes’, clauses 7.2.1, 2 and 3. An additional requirement has us ‘…establishing specific requirements for contingency actions, when relevant…’ (8.1.2 e). Meeting this requirement will help us avoid ‘surprises’ and give our customers a better sense of assurance.
In Clause 8.3, ‘Design and development of products and services’ looks and feels a lot like the current 7.3 Design and development with a couple of enhancements. There’s more emphasis on communication in this sub-clause where we have to ‘…shall consider the need for involvement of customers and users in the design and development process…’ (8.3.2 g). It may not be ‘new’ for everyone, but some smaller organizations may not have this formalized yet.
Risk management shows up here, too and it identifies some areas of risk and opportunities to address during design and development:
- ‘…the level of control expected of the development process by customers and other relevant interested parties…’ (8.3.2 i)
- …potential consequences of failure due to the nature of the products and services (sounds like FMEA to me!) … ‘. (8.3.3 e)’ and
- ‘…identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements…’ (8.3.6)
These clauses seem to roll a few earlier design and customer requirements into the risk management mode.
Purchasing is covered off here, too, and uses this new phrase, “Control of externally provided processes, products and services” (8.4). This may or may not change our current practice, depending on how we view purchasing now. Of course we’ll assess increased risks from outsourcing and include this in our assessment of potential suppliers.
This clause now includes two new ideas. First we have the word ‘processes’. Most of us would think of non-tangibles as outsourcing a service, but there might be some value in thinking in terms of outsourcing a process or part of a process (8.4.1 c). See if it works for you.
Next we need to ‘…define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output…’ (8.4.2 b). These ideas were implied in the 2008 version, but there’s an onus on us now to clarify these controls.
Production and service provision processes look a lot like our 7.5 sub-clauses, but have a new requirement to include ‘…the implementation of actions to prevent human error…’ (8.5.1g). I think this will help some of us become more proactive, a theme throughout the Standard.
We see Identification and traceability in here (8.5.2), customer and supplier property (8.5.3) , Preservation (8.5.4) and Post delivery activities (8.5.5). There are requirements around ‘change control’ (8.5.6) that are part of a package that has been extended to controlling changes in general.
This, too, should help reduce errors and push us closer to a real understanding of ‘The Process Approach’.
This section is wrapped up with ‘Release of goods and services’, 8.6, (including documented authorization) and ‘Non-conforming goods and services’ (8.7). Whatever we’re doing now will likely take care of these requirements.
So there you have it – the heart of the matter to ensure we truly are a ‘Smooth Operator’. The enhancements should all work in our favour and help us keep our customers happy. Improvement is the key to success, and these requirements have the guidance to get us on that path!
Now that you’re operating, let’s measure performance: Clause 9: Performance Evaluation