ISO 9001 Clause 8: Operation
Clause 8 is where your Quality Management System meets the real world. It governs the planning, execution and control of every process involved in delivering your products and services — from initial customer requirements through to final release.
Why Clause 8 Matters
Clause 8 is the largest and most operationally intensive section of ISO 9001:2015. While other clauses set the context, leadership intent and support framework, Clause 8 deals with the day-to-day reality of turning customer requirements into conforming products and services. It is the clause that auditors will spend the most time examining because it directly affects what your customers receive. Getting Clause 8 right means fewer defects, fewer complaints and stronger customer confidence in your organisation.
Clause 8.1: Operational Planning and Control
The organisation must plan, implement and control the processes needed to meet the requirements for the provision of products and services. This includes establishing criteria for those processes, implementing control of the processes in accordance with the criteria, and retaining documented information to the extent necessary to have confidence that the processes have been carried out as planned. Operational planning should take into account the outputs from Clause 6 (risk-based thinking and quality objectives) and translate them into actionable process controls. Where planned changes are introduced, the organisation must control those changes and review the consequences of unintended changes, taking action to mitigate any adverse effects.
Clause 8.2: Requirements for Products and Services
8.2.1 Customer Communication
Effective communication with customers is the starting point for getting requirements right. The standard requires you to establish processes for providing information about your products and services, handling enquiries, contracts and orders (including changes), obtaining customer feedback including complaints, handling or controlling customer property, and establishing specific requirements for contingency actions when relevant.
8.2.2 Determining Requirements
Before you can deliver a product or service, you must be certain about what is required. This means determining any applicable statutory and regulatory requirements, as well as requirements the organisation considers necessary. You must also be able to demonstrate that you can meet the claims you make for the products and services you offer.
8.2.3 Review of Requirements
The organisation must review requirements before committing to supply products or services to a customer. This review must ensure that requirements are defined and agreed, that contract or order requirements differing from those previously expressed are resolved, and that the organisation has the ability to meet them. The results of the review, and any new requirements for the products and services, must be retained as documented information.
8.2.4 Changes to Requirements
When requirements for products and services are changed, the organisation must ensure that relevant documented information is amended and that relevant people are made aware of the changed requirements. This prevents production or service delivery continuing against outdated specifications.
Clause 8.3: Design and Development
8.3.1 General
The organisation must establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services. Not every organisation designs products — if you manufacture to a customer-supplied design, Clause 8.3 may be limited in scope. However, where design activities do exist, this sub-clause requires a formal, structured approach.
8.3.2 Design and Development Planning
When planning design and development, you must consider the nature, duration and complexity of the activities, the required process stages (including applicable design reviews), the verification and validation activities needed, the responsibilities and authorities involved, the internal and external resource needs, the need to control interfaces between persons involved, the need for customer and user involvement, the requirements for subsequent provision, and the level of control expected by customers and other relevant interested parties.
8.3.3 Design and Development Inputs
Inputs must be determined for each specific type of product or service being designed. These include functional and performance requirements, information derived from previous similar design activities, statutory and regulatory requirements, standards or codes of practice the organisation has committed to implement, and the potential consequences of failure due to the nature of the products and services.
8.3.4 Design and Development Controls
Controls must be applied to the design and development process to ensure that the results to be achieved are defined, reviews are conducted to evaluate the ability of the results to meet requirements, verification activities are conducted to ensure outputs meet input requirements, and validation activities are conducted to ensure the resulting products and services meet the requirements for their specified application or intended use.
8.3.5 Design and Development Outputs
Design outputs must be adequate for the subsequent processes for the provision of products and services. They must meet input requirements, include or reference monitoring and measurement requirements and acceptance criteria, and specify the characteristics of the products and services that are essential for their intended purpose and safe provision.
8.3.6 Design and Development Changes
Changes made during or after design and development must be identified, reviewed and controlled to prevent adverse impact on conformity to requirements. Documented information on design changes, review results, authorisation of changes and actions taken to prevent adverse impacts must be retained.
Clause 8.4: Control of Externally Provided Processes, Products and Services
8.4.1 General
The organisation must ensure that externally provided processes, products and services conform to requirements. This applies when products and services from external providers are intended for incorporation into your own products and services, when they are provided directly to customers on your behalf, or when a process or part of a process is provided by an external provider as a result of your decision. You must determine the controls to apply and define criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers. For supplier control, use our supplier audit checklist.
8.4.2 Type and Extent of Control
The organisation must ensure that externally provided processes remain within the control of its QMS. You must define both the controls you intend to apply to the external provider and those you intend to apply to the resulting output. The extent of control should consider the potential impact of the externally provided processes, products and services on the organisation's ability to consistently meet customer and applicable statutory and regulatory requirements, and the effectiveness of the controls applied by the external provider.
8.4.3 Information for External Providers
Before communicating with external providers, you must ensure the adequacy of the requirements you specify. This includes communicating your requirements for the processes, products and services to be provided, approval of products, services, methods, processes and equipment, competence of personnel, interactions with the organisation's QMS, control and monitoring of performance, and any verification or validation activities.
Clause 8.5: Production and Service Provision
8.5.1 Control of Production and Service Provision
Production and service provision must be implemented under controlled conditions. These include the availability of documented information that defines the characteristics of the products or services and the activities to be performed, the availability and use of suitable monitoring and measuring resources, the implementation of monitoring and measurement activities at appropriate stages, the use of suitable infrastructure and environment, the appointment of competent persons, the validation and periodic revalidation of processes where the resulting output cannot be verified by subsequent monitoring or measurement, and the implementation of actions to prevent human error.
8.5.2 Identification and Traceability
The organisation must use suitable means to identify outputs when it is necessary to ensure the conformity of products and services. You must identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision. Where traceability is a requirement, you must control the unique identification of the outputs and retain the documented information necessary to enable traceability.
8.5.3 Property Belonging to Customers or External Providers
The organisation must exercise care with property belonging to customers or external providers while it is under the organisation's control or being used by the organisation. You must identify, verify, protect and safeguard such property. When property is lost, damaged or otherwise found to be unsuitable for use, you must report this to the customer or external provider and retain documented information on what occurred.
8.5.4 Preservation
The organisation must preserve the outputs during production and service provision to the extent necessary to ensure conformity to requirements. Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.
8.5.5 Post-Delivery Activities
The organisation must meet requirements for post-delivery activities associated with its products and services. The extent of post-delivery activities must consider statutory and regulatory requirements, the potential undesired consequences associated with the products and services, the nature, use and intended lifetime of the products and services, customer requirements, and customer feedback.
8.5.6 Control of Changes
The organisation must review and control changes for production or service provision to the extent necessary to ensure continuing conformity with requirements. You must retain documented information describing the results of the review of changes, the person or persons authorising the change, and any necessary actions arising from the review.
Clause 8.6: Release of Products and Services
The organisation must implement planned arrangements at appropriate stages to verify that product and service requirements have been met. The release of products and services to the customer must not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer. Documented information must be retained on the release, including evidence of conformity with acceptance criteria and traceability to the person or persons authorising the release.
Clause 8.7: Control of Nonconforming Outputs
The organisation must ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery. Appropriate action must be taken based on the nature of the nonconformity and its effect on the conformity of products and services. This applies equally to nonconforming products and services detected after delivery, as well as during production and service provision.
The standard provides several options for dealing with nonconforming outputs: correction (rework or repair), segregation, containment, return to the supplier, informing the customer, and obtaining authorisation for acceptance under concession. When nonconforming outputs are corrected, they must be re-verified to demonstrate conformity. Documented information must be retained that describes the nonconformity, the actions taken, any concessions obtained, and the authority that decided the action in respect of the nonconformity.
Requirements Summary
| Sub-Clause | Title | Key Requirement |
|---|---|---|
| 8.1 | Operational Planning | Plan, implement and control processes; establish criteria; manage planned and unintended changes |
| 8.2 | Product/Service Requirements | Communicate with customers, determine and review requirements, control changes to requirements |
| 8.3 | Design and Development | Establish design process with planning, inputs, controls, outputs and change management |
| 8.4 | External Providers | Evaluate, select and monitor external providers; define type and extent of control; communicate requirements |
| 8.5 | Production and Service Provision | Controlled conditions, identification, traceability, customer property, preservation, post-delivery, change control |
| 8.6 | Release | Verify requirements met before release; retain evidence of conformity and authorisation |
| 8.7 | Nonconforming Outputs | Identify, control and disposition nonconforming outputs; correct, segregate, contain, return or obtain concession |
Audit Questions for Clause 8
- How does the organisation plan and control operational processes, and what documented information demonstrates that processes are carried out as planned?
- Can you show evidence that product and service requirements are reviewed and agreed before the organisation commits to supplying them to the customer?
- What design and development controls are in place to ensure that design outputs meet input requirements, and how are design changes reviewed and authorised?
- How are external providers evaluated, selected and monitored, and what criteria determine the type and extent of control applied to externally provided processes?
- What controlled conditions are implemented for production and service provision, and how does the organisation validate processes whose output cannot be verified by subsequent inspection?
- When nonconforming outputs are identified, what process is followed to determine the appropriate action — and how is re-verification carried out after correction?
Operations Audit Checklist
Comprehensive checklist covering every Clause 8 sub-requirement
Process Control Templates
Work instructions, process maps and control plans
Supplier Management Pack
Evaluation forms, approved supplier lists and monitoring records
Nonconformance Procedure
NCR forms, disposition workflow and concession request templates
Ready to Audit Clause 8?
Our complete ISO 9001:2015 audit checklist includes detailed questions for every sub-clause of Clause 8, with space for recording objective evidence, audit findings and corrective actions. Download the full checklist and start your operational audit today.