8.5.4 Preservation

Why don’t we just put our feet up this week?  We’re not even going to break a sweat.  Not only is the section easy, but there isn’t much in the way of changes.

“The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements.”  Gosh, this isn’t a hard one to sell.  It is, of course, in any organization’s best interest to protect outputs at each phase of provision until it becomes a saleable product or service.  There wouldn’t be much of a reason to begin making something (or stocking raw materials, packaging, etc) if the intent were anything other than ultimately becoming a saleable product/service.

“NOTE  Preservation can include identification, handling, contamination, control, packaging, storage, transmission or transportation, and protection.”  ISO9001:2015 provides a little clarity adding “contamination” and “transmission or transportation” (in place of delivery).  This helps move along the idea of the standard applying to services and intangibles, rather than just manufactured items.  Pretty simple stuff.

THIS WEEK’S HOMEWORK

There IS no homework!  This section is too easy to actually have required actions or reading.  Enjoy your week and if you’ve fallen behind in other areas, take this opportunity to catch up.

Stay involved and engaged – SUBSCRIBE!

8.5.3 Property belonging to customers or external providers

This week, we’ll discuss some of the situations when organizations along the whole supply chain cooperate in order to produce a product or service.  As important as defining requirements prior to entering into a contractual agreement, it is also important to clearly define responsibilities where materials or equipment is shared as part of the agreement.  The standard states:

“The organization shall exercise care with property belonging to customers or external providers while it is under the organization’s control or being used by the organization.”  It’s tough to be more specific than “exercise care” when defining how far an organization should go to protecting a customer’s or external provider’s property.  When trying to demonstrate compliance, there could be some grey area here, unless the specifics are actually defined in a contract somewhere.  But common sense says, an organization should take appropriate measures to protect anything that is temporarily stored or on loan from someone else.

“The organization shall identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the products and services.”  I take issue with the requirements of “identify” and “verify”, because it is my opinion that this should be the responsibility of the owner (customer or external provider).  But, I must relent that if this is not already done, it must be done by the organization to ensure anything not belonging to the organization is clearly identified as such.

“When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred.”  Nothing much new here.  The only caution is to ensure that “documented information” is retained, should a report of this nature take place.

“NOTE  A customer’s or external provider’s property can include materials, components, tools and equipment, premises, intellectual property and personal data.”  I like this additional clarification which includes intellectual property and data.  These are commonly shared, and there has been little attention to this previously.

THIS WEEK’S HOMEWORK

Have a look at your process and how this area is dealt with in your QMS.  But so much more importantly, get out there and look around!  How much property belonging to customers or external providers do you actually have?  Do have returnable packaging?  Consignment materials?  Borrowed tooling?  Proprietary software?  Fixtures/gauges?  Labels?  Are you leasing land or space from an external provider?  Open your mind and look around.  Be sure your system’s scope includes all the scenarios and requirements in the standard.  Then, take things a step further and ask, “What if?”  What if something belonging to a customer or supplier was actually “lost, damaged or otherwise found to be unsuitable for use”?  Is the notification process sufficient?

Stay involved and engaged – SUBSCRIBE!

8.5.1 Control of production and service provision

Hello everyone!  The great news this week is that we get to open a new chapter in the standard.  We switch gears from external to internal.  Previously we discussed the controls necessary to ensure any external providers do not impact our ability to provide consistent delivery of a quality product/service to the customer.

Now, we have to look inside to see what we must do to put our best foot forward as well.  Like previously discussed with outsourcing, certain information must be available if we are to meet expectations.

“The organization shall implement controlled conditions for production and service provision, including delivery and post-delivery activities.”  Delivery and post-delivery activities include things such as logistics, shipping, returns, ongoing service such as subscription or auto-delivery, drop shipping, etc.  This opens the playing field to the requirement of having the following information for more than just the manufacturing or transactional service process.

“Controlled conditions shall include, as applicable;

a)  the availability of documented information that defines the characteristics of the products and services;”  As we attempt to set up our production/service process, this information should have already been defined long ago during 8.2 Determination of requirements for products and services.  So, we should be able to continue moving right along.  But please note, it is a “documented information” required sort of thing.

“b)  the availability of documented information that defines the activities to be performed and results to be achieved;”  This is where many companies’ quality management systems begin to disintegrate and fragment into tiny pieces.  This one little bullet point, if recognized and dealt with properly can make or break the user friendliness and manageability (in terms of documentation) of the whole ball of wax.  That’s simply my opinion, but as “root causes” go in terms of disappointed ISO9001 quality management system users, this is the most common one I’ve seen.  As we create controls for production/service, there are a multitude of tools available.  We must “define the activities to be performed and the results to be achieved”.  If we choose one best method, a large bulk of the supporting documentation can follow this one pivot point.   Unfortunately, things don’t typically go this way.  Instead, we get document crazy – the documentation gets away from us – and users are frustrated.

Many organizations will start this section by using a control plan, which is great to meet the requirements of “define the activities to be performed” and “the results to be achieved”.  But later, additional layers are added such as procedures, work instructions, training documents, and on and on until the number of documents is unmanageable and ultimately the system becomes so cumbersome that users begin to squirrel away their own notes in order to work their production process.  This is a shame and is completely unnecessary.

In every case, I recommend that creators or modifiers of a quality management system consider this one key point first and as a pivot point for their entire system.  If a control plan is to be used – leverage the use of this popular tool to function as your “documented information” (in lieu of a procedure).  It can also work as a work instruction.  It can dual purpose as a training document also (assuming training is given in how to use, read and interpret a control plan), which can be converted into a training record as well.  There is no need to create multiple documents which all basically say the same thing.  The core requirements of this clause explain all the controls necessary to create a stable and robust production/service process.  Keep this in mind as other requirements come up – ask yourself if you already have a tool which will work, rather than have a knee-jerk reaction to create more paper.  OK – rant over.  Let’s move on.

“c)  monitoring and measurement activities at appropriate stages to verify that criteria for control of processes and process outputs, and acceptance criteria for products and services, have been met.”  Again, a simple control plan will automatically include this information.  If you don’t like the looks of a control plan, use any tool you like, but be sure to include this information.

“d)  the use, and control of suitable infrastructure and process environment;”  Many companies include process setup parameters including maintenance and readiness as a central part of their production and service provision.  For example, there may be a startup process, routine checking and maintenance by the operator, a shutdown process, inspection of area & equipment, 5S checks, etc that may be integral to the whole process itself.

“e)  the availability and use of suitable monitoring and measuring resources;” Control plans include this information, but again, if using a different format, just be sure to include the information.

“f)  the competence and, where applicable, required qualification of persons;”  We just talked about this last week when dealing with external providers.  We must, of course include this information for our own internal processes as well.  Keeping this linked with training (and avoiding additional documents whenever possible) is a great opportunity to keep our quality system as lean as possible.

“g)  the validation, and periodic revalidation, of the ability to achieve planned results of any process for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement;”  Processes must be validated and revalidated (and validated again) to ensure acceptable results.  We cannot rely on inspection for quality, and in some cases, inspection is not even possible.  So, validated processes are critical to controlled production/service.

“h)  the implementation of products and services release, delivery and post-delivery activities.”  All steps in the process, including release and shipment should be described and controlled.

THIS WEEK’S HOMEWORK

Review your approach to this clause as a whole.  As the bullets tick off above, is your system fragmented or streamlined?  Do you describe these bullets in multiple places?  Ask yourself why?  Is there an opportunity to consolidate?  Are all of the bullets adequately addressed?  Is this documented?  Are you happy with your system?  Next, ask how well controlled the processes actually are and how well they are performing. Are you getting the quality you expect after all the effort you’ve put into your quality system?

NOTE:  It’s time to get a new reference document.   Now that ISO9001:2015 has been published, we will begin using the newly published standard beginning next week.
Stay involved and engaged – SUBSCRIBE!

8.4.3 Information for external providers

Readers, I appreciate your patience as we work carefully through this section.  It is one of the most detailed, which is a plus because it is clearly defined so it can be easily understood.  However, the section is wordy and can be somewhat redundant.  I’m happy to continue, though, because all these words and stating and restating, make the importance of this process clear.

External providers can potentially introduce considerable risk to an organization’s ability to function successfully.  And today’s economy is stimulating an increase in the use of external providers or outsourcing as companies try harder and harder to find ways to specialize in their core competency and rely on less expensive outsourcing for other activities.

Control of external providers has always been an important clause, but not always well understood by either many organizations or by many individual auditors.

Traditionally, an organization may have an “approved source” list which was created using some sort of selection process and some sort of performance evaluation such as a score card.  This is pretty simple, but in many cases, marginally effective.  The troubles come when the system is implemented purely as an intent to comply with little or no use or interaction with the procurement or purchasing people.  Many companies try the popular workaround of simply requiring all their suppliers to be registered to ISO9001 or similar national standard and everyone else is considered “non-critical” or some additional inspection may be used to confirm the quality of their product.  There is often a disconnect between the system and the actual usefulness by the impacted users.

Many audits of this clause have included a superficial dance by the organization and its CB/auditor simply “checking the boxes” to ensure compliance with the requirements of purchased products/services.  Sadly, this is a parallel weakness so many organizations have suffered while seeking compliance to ISO9001.  There are a lot of areas where compliance can be rather easily achieved without a discernible impact on the actual quality of the product/service provided by the organization.  Thus, frustration by so many organizations (and also consumers of those organizations).  Past weakness in this area has also provided a rich environment for a poor sourcing management process resulting in poor performance by their vendors/external providers.

The additional language and painstaking detail now included does help to put some more teeth in the requirements.  Our previous week’s discussions have included our obligation to first create a process adequate to meet our needs, to clearly define its workings and also its applicability.  It pushes the envelope somewhat in requiring an organization to actually create a working, live and dynamic sourcing management process with consideration of risk and more immediate consequences of actual performance.

There are now requirements to communicate specific information to external providers (which by default will force the organization to have a disciplined process for identifying them):

“The organization shall communicate to external providers applicable requirements for the following:

a)  the products and services to be provided or the processes to be performed on behalf of the organization;”  This is such a simple, self-evident requirement, but it is very common to accidentally leave things out if not carefully evaluated and stated.

“b)  approval or release of products and services, methods, processes or equipment;”  Required qualification and testing is very important and it is critical that all parties understand the expectations and their roles and responsibilities.  It should be clearly defined (and acknowledged) as part of the provider agreement.

“c)  competence of personnel, including necessary qualification;”  This requirement is not new, but it is still rarely understood or complied with properly.  External providers must be required to create and maintain a system for ensuring all requirements are understood and consistently met by its personnel.  It’s not hard to understand why this language is here – outsourcing is risky business as it is.  When faced with pressure to deliver, and forced to obtain assistance from an external provider, we often choose something “easy” to offload.  This can include outside processing, temporary workers, etc.  While something may seem “easy” to an experienced organization, without the external provider’s willingness and ability to ensure the competence and qualification of their personnel (including a clear understanding of all the requirements), the external provider may introduce significant risk to an otherwise reliable organization, and potentially severely impact its customers.

“d)  their interactions with the organization’s quality management system;”  When an external provider is utilized for an organization’s products/services, the quality management system doesn’t stop with the organization, it becomes automatically associated with the provider as well.  This is meant to eliminate “exclusions” and potential shell games of getting ISO9001 registration for the easy parts of the organization, while outsourcing the rest.

“e)  the control and monitoring of the external provider’s performance to be applied to the organization;”  A clear process of not only monitoring (score cards), but control meaning consequences or countermeasures to minimize risk to the product/service provided to the ultimate customer must be in place.  Should an external provider fail to perform, the organization must have some method of still ensuring the ongoing quality and integrity of its products/services.

“f)  verification activities that the organization, or its customer, intends to perform at the provider’s premises.”  This is an old requirement as well, but it is important to mention to ensure all interested parties are clear in their intent, as well as their roles and responsibilities.

“The organization shall ensure the adequacy of specified requirements prior to their commitment to the external provider.”  Each of these considerations should be made prior to entering into an agreement with an external provider.  Basically, the rules can’t be made up as we go along.  And suppliers must be selected on their ability to meet all requirements, and of course, the requirements must first be known in order to make the best selection of an external provider.

THIS WEEK’S HOMEWORK

You’ve already reviewed your source management process and its scope.  Now, connect the dots and ensure that the process as defined is actually implemented as designed.  Are the items above consistently determined and communicated through the use of contracts, purchase orders, terms and conditions, etc?  Are providers selected based on their ability to meet all requirements?  Is there a method to detect and mitigate and shortfall of provider performance?  Does the process actually work?

You may also rely on customer feedback, results of corrective actions/root cause analyses, internal disruptions, etc.  Are any of these a result of a provider performance issue?  Are all the proper connections in place within the source management process to ensure that external providers are adequately controlled?  Consider any improvements that may be required.

Stay involved and engaged – SUBSCRIBE!

8.4.2 Type and extent of control of external provision

Last week, we reviewed 8.4.1 where the requirements of how the standard applies.  This week, we begin to peel back the layers, so to speak, about what must actually be done to be compliant.

Before we get down to business, I’d like to point out the potential in this area for “risk based thinking”.  This stuff is pretty common sense, but the language is pretty “squishy” and I suspect it will be difficult to audit.  Let’s read on……

“In determining the type and extent of controls to be applied to the external provision of processes, products and services, the organization shall take into consideration:
a)  the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;”

So, this leaves the door wide open for a “judgment call” on the part of the organization.  There would be little reason to apply its external provision process to those processes, products and services that are unlikely to impact their ability to make good product.  Organizations have historically taken this approach when defining how and where the process applies.  In other words, “No, we don’t send a vendor performance report card to our vending machine provider in the break room, because we doubt a breakdown in their service would affect our ability to make shipments today”.  Wherever the ideas of likely or unlikely appear, so does the idea of risk based thinking.

“b)  the perceived effectiveness of the controls applied by the external provider.”

Again, the organization must ask itself what controls it intends to implement and whether its controls are or will be effective.  Many organizations do a full rescreening of products/services from external sources prior to incorporating them into their process.  And those organizations typically feel pretty confident that their controls will be effective.  Other organizations defer back to “if they have achieved registration to ISO9001, they’re good to go”.  Which is why the standard goes on to require additional requirements beyond just accepting certification.

“The organization shall establish and implement verification or other activities necessary to ensure the externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.”

Most organizations use some combination of verification activities such as requiring certificates of analysis or SPC data in tandem with random audits of inbound materials, products, etc to monitor the risk associated with the external provider and/or the practice of outsourcing a process, product or service.  Vendor performance information should also be considered, because a vendor failure could definitely impact the organization’s ability to perform.  Therefore, a whole process of selection, monitoring and maintaining vendors must be integrated to ensure the organization’s quality performance remains unencumbered by outsourcing.

“Processes or functions of the organization which have been outsourced to an external provider remain within the scope of the organization’s quality management system; accordingly, the organization shall consider a) and b) above and define both the controls it intends to apply to the external provider and those it intends to apply to the resulting process output.”

This is a fun little side note indicating that outsourcing a process, product or service does not preclude the organization from responsibility for the output.  No, we can’t “exclude” it from our quality system.  And “no, we can’t hold a vendor solely responsible” should something they contribute have a negative impact on our product or service.  We have to have a process in place to control both provider and output to some extent.

THIS WEEK’S HOMEWORK

Review your process for selecting, evaluating and monitoring externally supplied resources.  Does it meet the criteria as shown above?  Now, take a random sampling of your outsourced items (your purchasing or procurement group can probably help).  Based on the scope of your external sourcing process, are you satisfied that the controls apply to the right vendors and in the right situations?  Is any more required?  Anything less?

Stay involved and engaged – SUBSCRIBE!

8.4.1 Control of externally provided products and services

Make it or buy it?  That is the question.

Organizations with a focus on core competencies often choose to outsource rather than try to do themselves those things that fall outside of their “wheelhouse”.  When making this choice, the organization is relying on an outside provider to provide the same level of quality that they themselves would expect to provide to their customers.  This is why this clause is so important and managing suppliers is so critical.

Having a look at the introduction in this section, the statement is a simple “shall”.

“The organization shall ensure that externally provided processes, products, and services conform to specified requirements.”  Great.  Let’s move on.

“The organization shall apply the specified requirements for the control of externally provided products and services when:

a)  products and services are provided by external providers for incorporation into the organization’s own products and services:”

This is a great help in defining exactly how much control we must have, and over whom.  I was once asked if my uniform and floor mat providers were on my approved source list by an auditor.  I’m glad to have this definition to prevent from ever having to have that conversation again.  The scope of the requirements is those outside products/services to be incorporated into our own products and services.  Nice and tidy.

“b)  products and services are provided directly to the customer(s) by external providers on behalf of the organization;”

This area can be a little bit tricky.  Not overly so, but a little bit.  Often when an organization has products or services essentially “drop shipped” to a customer, there is a little bit of a sense of disconnect.  The organization may “wash their hands of it”, so to speak.  But, when you rely on an outside source to be your customer-facing provider, you better have some good controls in place.   It’s important to carefully define the criteria for the purchased product or service, then carefully evaluate and select a provider based on their ability to meet all expectations (both yours and your customer’s).

“c)  a process or part of a process is provided by an external provider as a result of a decision by the organization to outsource a process or function.”

The third qualifier of “when this applies” is whenever a decision is made to outsource a process or function.  This is very important, because this pulls into the mix any outside processing, which is more than just purchased parts.  It’s outside processing like post-manufacturing treatments such as painting, plating, assembly.  It may also apply to logistics, specialize packaging, inspection, etc.  Or it may be simply the temporary outsourcing of a process due to capacity.  In any case, a structured method for evaluating, selecting and monitoring the provider must be put in place.

Now that we know when the standard applies, the clause goes on to define exactly what is needed for the organization to be considered compliant.  For all the scenarios listed above, the following requirements apply:

“The organization shall establish and apply criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers based on their ability to provide products and services in accordance with specified requirements.”

This clarifies that there must be a defined process for evaluating, selecting and monitoring its providers.  Each of these is an individual requirement where it is expected that criteria be established for 1-evaluating, 2-selecting and 3-monitoring.  And the section wraps up with the big one – “and it shall be documented”.

“The organization shall retain appropriate documented information of the results of the evaluations, monitoring of the performance and re-evaluations of the external providers.”

Again, just as individual criteria are expected for each 1-evaluating, 2-selecting and 3-monitoring, records for each of these activities is also required.

THIS WEEK’S HOMEWORK

Review your current supplier management process and ensure that you have clearly defined where it applies (and does not apply).  Next, be sure that the three areas 1-evaluating, 2-selecting and 3-monitoring are all defined for all scenarios – where products or services are used by the organization, where products or services are provided directly to the customer or where processes are outsourced.  And finally, be sure there is documented information to support all of it.  Good luck!

Stay involved and engaged – SUBSCRIBE!

8.3.6 Design and development changes

One thing is for certain, change happens!

This week, we’ll look at the final section of 8.3 Design and development of products and services.  8.3.6 Design and development changes.  Along with a very specific and disciplined list of required inputs, controls and outputs, we must always consider the importance of controlling changes to these as we move through the design process.

While the previous sections were wordy and repetitive, (but I think appropriately so), this section uses an economy of words to describe a very important part of the design process – dealing with change.

Change happens, and happens often.  Unfortunately, as we become more and more nimble and innovative, we can sometimes introduce difficulty when we do not adequately manage change.  As important to inputs, controls, and outputs are, any changes to these must be carefully assessed for their potential impact on other characteristics of design.

Change to documents, change to processes, change to procedures, change to policies, change to products and services are almost certainly done with the intent of improvement.  However, improvement is most often successfully achieved when these changes are carefully controlled, communicated and carefully implemented.

The requirements read, “The organization shall review, control and identify changes made to design inputs and design outputs during the design and development of products and services or subsequently, to the extent that there is no adverse impact on conformity to requirements.

Documented information on design and development changes shall be retained.”

That’s it.  Like I said, it’s very simply stated.  The most important bits of the requirement are “shall review, control and identify changes”.  And remember, there is a requirement for “documented information” as well.  So, the organization must ensure their process includes a definition of how changes are to be reviewed, controlled and identified.

Within the “controlled” requirement, it might have been nice to have included specifically the ideas of containment and transition.  A change may be satisfactorily controlled through the use of revision levels, distribution of information and communication.  But one must also not forget to include a positive containment/recall of product or services when changes are made.

For example, if a product is changed through a tool change, it is critical that any work in process be contained and decisions made about when a permanent transition will be completed.  It is too easy to forget about components up and downstream, which can result in mixing or comingling of different versions of the product or service.  This can actually create a problem short term as it attempts to improve a product long term.

THIS WEEK’S HOMEWORK

Review your design process (and again, remember to consider whether you have more than one “design” process) for the inclusion of the control of changes.  Be sure the process includes not only how the design documents and infrastructure are controlled, but also how the changed or transitioning products or services are managed as well.  Good luck!

Stay involved and engaged – SUBSCRIBE!

8.3.4 Design and development controls

Hello Readers!  It’s been a very busy summer and last week, an on site client project consumed the week before I knew it had gotten away from me!  So, this week, we have a double edition, talking about 2 sections, “8.3.4 Design and development controls” and “8.3.5 Design and development outputs”.  Please enjoy this week’s topics.

Well, this is more like it!  Straightforward and nothing much to debate about.  The entire section on design and development is very easy to understand and structured in a sensible way for the organization to understand and implement processes for compliance, and for the criteria to be clearly understood in terms of evaluation criteria.  Let’s get right to it.  The section reads:

“8.3.4 Design and development controls

The controls applied to the design and development process shall ensure that:

a)  the results to be achieved by the design and development activities are clearly defined”

This points right back to “inputs” in that the results should clearly be understood before an effective design can take place.

“b)  design and development reviews are conducted as planned;”

This was defined in the “inputs” phase, but it is listed here again to ensure the proper controls are actually implemented in the design process.

“c)  verification is conducted to ensure that the design and development outputs have met the design and development input requirements;”

Again, I really like the point by point connection between defining the requirements and then following up and meeting them, and being sure to have controls in place to monitor it along the way.

“d)  validation is conducted to ensure that the resulting products and services are capable of meeting the requirements for the specified application or intended use (when known).”

This can be a sticky issue and requires a well defined and well disciplined relationship with the customer.  Not only must the specifications be met, but the intent of the product/service as well.  I know I’m not the only one who has experienced a successful launch of a product which completely met specification, but did not perform as intended, meet up with a mating part, match an adjacent component in color/texture, etc until the validation phase.

And now we’re onto “8.3.5 Design and development outputs

The organization shall ensure that design and development outputs:

a)  meet the input requirements for design and development;”

It’s important to note the cascade effect this section creates as it lists its criteria.  Inputs are defined.  Controls for the inputs are created.  And outputs are evaluated to ensure they meet the original inputs.  A closed loop system including inputs-controls-outputs will ensure this is compliant.

“b)  are adequate for the subsequent processes for the provision of products and services;”

This begins to shed light on a very important part of design and development, and that is feasibility in “real life”.  Many products have been successfully designed and validated, but after a team of engineers completes the process, there is sometimes an awkward handoff of the project to operations and quality personnel who, without intimate involvement in the design process, may have to fumble through setting up a production and control plan.  Having one of the required outputs from design be that the outputs are helpful in the provision of those products/services is a great way to bridge that gap and provide a smooth transition.

“c)  include or reference monitoring and measuring requirements, and acceptance criteria, as applicable;”

This too is important that the intent of the design be carried through the lifetime of a product/service to ensure the monitoring and measuring requirements support the ongoing suitability of the product/service.

“d)  ensure products to be produced, or services to be provided, are fit for intended purposes, and their safe and proper use. ”

This is more of the same language to ensure that the product or service not only meet the specifications, but that it meet its intended use (and is of course, safe).

“The organization shall retain the documented information resulting from the design and development process.”

This is a clear call for records of all phases of the design process.

We noted a couple of weeks ago, the importance of a design process overall.  Whether the design process apply to a specific product/service, or a provision or realization process, it is important to ensure we tick all the boxes and people work together to not only accomplish their part of the process, but to ensure that as responsibilities are transferred from one area to the next, that the original inputs and intents stay consistent from beginning to end.  I think the language here is clearly written and easily understood and implemented.

THIS WEEK’S HOMEWORK

Take a final look at your design process (being sure to once again consider whether there is more than one process applicable to product/service v process).  Are all inputs-controls-outputs in place and compliant?  Now, look at your records or “documented information” and ensure there is evidence to support the requirements defined here.  Good luck!

Stay involved and engaged – SUBSCRIBE!

8.3.3 Design and development inputs

Ah yes, and now we get to the section so many companies previously chose to “exclude” from their quality management systems.  This is some tough content and these are some tough requirements to meet.  Many companies rely on their customers for the design of their products and services, and therefore, do not provide design services as they are defined here.

While there is no option to “exclude” any longer, there is still the option to address last week’s topic of design planning as it applies to processes, and to indicate that these processes are customer-provided.

However, if the organization provides design support for any products or services, there must be clearly defined processes which address the following requirements:

“The organization shall determine:

a)  requirements essential for the specific type of products and services being designed, developed, including, as applicable, functional and performance requirements:”

The organization is responsible for determining these “essential” requirements and including them in the design of the product/service.  “Functional and performance requirements” means that designs should also be validated to ensure their suitability.

“b)  applicable statutory and regulatory requirements;”

This requirement explains that while the product/service is being designed and developed, that the customer’s requirements are not the only thing to be considered.  All applicable requirements must be known and addressed during the design and development phases.

“c)  standards or codes of practice that the organization has committed to implement;”

This should clearly be defined in the contract or purchase order so that neither party assumes the other has included them.  There may be assumptions on the customer’s part that applicable standards or codes of practice typical in their industry would be included.  It should be specifically stated and agreed upon.

“d)  internal and external resource needs for the design and development of products and services;”

Not only must these be identified, but any external resources employed in the design and development stages are also subject to other requirements within the standard identified for “externally provided” resources.

“e)  the potential consequences of failure due to the nature of products and services;”

The standard once again sneaks “risk” into this bullet point.  Potential consequences of failure (or risk) is expected to be known, defined and addressed in the design/development phase.

“f)  the level of control expected of the design and development process by customers and relevant interested parties.”

Gateways and reviews should specifically be defined to ensure all parties understand their roles, responsibilities and authorities in the design (and more importantly validation and approval) phases.

“Inputs shall be adequate for design and development purposes, complete and unambiguous.  Conflicts among inputs shall be resolved.”

The gateways referred to above should have specific resolution processes to ensure that development, validation and approval are satisfactorily completed to produce a product/service that meets its intent.

Each of these requirements should be specifically addressed in any defined process for design/development.

THIS WEEK’S HOMEWORK

Similar to last week’s homework, review your quality management system.  If this was previously “excluded”, it must now be addressed in the QMS.  Again, it needn’t be overkill if design and development are not performed by your organization, but it should be clearly explained how these requirements are addressed (and by whom).

Stay involved and engaged – SUBSCRIBE!