Organisation must maintain a list of products / services delivered for customers. Product / service owners are designated and responsible for completing the related documentation and possible other quality actions directly related to the product / service.

Product / service documentation must include at least:

• Needed infrastructure to deliver the product / service (e.g. buildings, equipment, ICT...)
• Defined quality requirements for an acceptable product / service
• Main quality-related product / service communication (e.g. updates, contracts, complaints, feedback)

Some of organization's stakeholders can have an effect on the organization’s ability to consistently provide high quality products and services.

The organization needs to identify:

• the stakeholders relevant to the quality management system
• the quality requirements set by these stakeholders (when relevant)

The organization reviews stakeholder information and related requirements regularly.

The organization has established, implemented and maintains a design and development process that is appropriate for delivering its products and services. The nature, duration and complexity of the design and development activities need to be taken to account when defining the needed detail of the process.

The design and development process has a clearly defined owner and other related authorities.

The sequence of the design and development process includes at least:

• the definition phase for results to be achieved
• the required process stages, including applicable design and development reviews
• the required verification and validation activities (to confirm resulting products / services meet requirements)
• the internal and external resources needed

To control the design and development process, the following controls should be considered:

• the need to control interfaces between persons involved
• the need for involvement of customers and users
• the level of control expected by customers and other relevant interested parties
• the requirements for subsequent provision of products and services
• defining needed documented information to demonstrate that process has been followed

Organization has clearly defined the ways for gathering customer feedback relating to products and services, including customer complaints.

Organization has also defined plans for contingency actions (e.g. for disgruntled customers) for relevant situations.

Organization's top management demonstrates leadership and commitment to customer focus by ensuring that:

• customer and applicable other requirements are determined, understood and consistently met
• risks and opportunities that can affect conformity of products and services are determined and addressed
• focus on enhancing customer satisfaction is maintained

The organization has defined which checks need to be implemented to verify that product / service requirements have been met. The release of products / services to the customer doesn't happen until the planned checks have been satisfactorily completed, unless separately approved.

Checks can also include delivery-related acceptance criteria e.g. for product training or other onboarding.

The organization shall retain documented information on the release and acceptance of its products / services. The documented information shall include:

• evidence of conformity with the acceptance criteria
• traceability to the person(s) authorizing releases

The organization shall review and control changes for products and services or their provision, to the extent necessary to ensure continuing conformity with requirements.

The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.

The organization needs to identify and fill also the post-delivery requirements associated with its products / services. These can include include warranty-related actions, contractual obligations (e.g. support or maintenance services) and supplementary services such as recycling or final disposal.

To identify the extent of required post-delivery activities, the organization needs to consider:

• the nature, use and intended lifetime of its products / services
• legal requirements
• potential undesired consequences related to its products and services
• customer requirements
• customer feedback

To ensure the organization can deliver high quality products, it needs to define a process for reviewing product / service requirements thoroughly before committing to supply the related product / service.

The review needs to include at least:

• reviewing requirements specified by the customer (incl. delivery and post-delivery requirements)
• reviewing requirements not stated by the customer, but necessary for the specified or intended use
• reviewing internal requirements
• reviewing legal requirements applicable to related product / service
• reviewing new contract or order requirements (and resolving conflicts with earlier ones, when necessary)

The organization confirms customer’s requirements before acceptance, when the customer does not provide a documented statement of their requirements.

N.b.! For example in internet sales, when orders are recurring with similar contents, reviewing each order can be impractical, but the reviews can be focused on related product information (e.g. product catalogues).

The organization has defined a process for monitoring design and development outputs. The organization also retains documented information of all design and development outputs.

This process ensures that outputs at least:

• meet the requirements
• are adequate for the subsequent processes for the provision of products and services
• include or reference monitoring and measuring requirements (as appropriate) and acceptance criteria
• specify the characteristics of the products and services that are essential for their intended purpose and their safe and proper provision

The organization has determined the requirements for products and services to be designed and developed.

To define the requirements, the organization should consider at least:

• functional and performance requirements
• information derived from previous similar design and development activities
• legal requirements
• standards or codes of practice that the organization has committed to implement
• potential consequences of failure due to the nature of the products and services

Any conflicting design and development inputs shall be resolved.

The organization shall retain documented information on design and development inputs.

The organization's product / service provisioning needs to happen under controlled conditions. To ensure this, the organization has defined what controlled conditions mean in their operations.

To define controlled conditions, the organization should consider:

• clearly documented product / service definitions and results to be achieved
• the availability of suitable monitoring and measuring resources
• the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met
• the use of suitable infrastructure and environment for the operation of processes
• the appointment of competent persons, including any required qualification
• the validation of the ability to achieve planned results
• the implementation of actions to prevent human error
• the implementation of release, delivery and post-delivery activities

The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements.

The organization has defined suitable means to identify outputs when it is necessary to ensure the conformity of products and services. This may involve assigning unique identifiers, such as serial numbers, batch codes, or physical labels, to products or batches.

The organization needs to also identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision.

When traceability is a requirement, the organization also needs to define controls for the unique identification of outputs, and shall retain the documented information necessary to enable traceability.