SGRII Insights · ISO 9001:2015 · 2026
Product & Service Delivery — The Requirements Nobody Reads and the Design Nobody Controls
Customer requirements fail upstream, not downstream. By the time nonconforming product reaches final inspection, the system has already failed — at contract review, at design input, or at production validation.
SGRII Performance & Digital Solutions
QMS Practice · April 2026 · 11 min read
SGRII Pillar Lens
Risk
Clauses 8.2–8.5 form the operational core where product and service conformity is either built in or built out. Every upstream failure — an incomplete contract review, an uncontrolled design change, an unevaluated supplier — surfaces here as a nonconforming output. Risk visibility in operations means seeing the failure before the customer does.
Clause 8.2 — Requirements for Products and Services: The Contract Review That Doesn’t Happen
Clause 8.2.2 requires the organisation to ensure it can meet the claims for products and services it offers. Clause 8.2.3 requires a review of requirements related to the product or service before commitment to supply — including requirements specified by the customer, requirements not stated but necessary for intended use, statutory and regulatory requirements, and any requirements differing from those previously expressed.
In SMEs, this is where the system breaks first. A sales team commits to a delivery date without checking production capacity. A quotation is issued against a technical specification that operations hasn’t reviewed. A contract is signed with terms that conflict with the organisation’s standard operating procedures. By the time production discovers the problem, the commitment is binding and the solution is expedited work, overtime, or quality compromise.
The root cause is structural: the contract review process either doesn’t involve the functions that need to evaluate feasibility, or it happens after commitment rather than before. Clause 8.2.3.1 explicitly requires that the review be completed “prior to the organization’s commitment to supply.” A post-commitment review is not a review — it’s damage assessment.
Clause 8.3 — Design and Development: Not Just for Engineers
Many service organisations exclude Clause 8.3 from their QMS scope on the basis that they “don’t do design.” This exclusion is frequently invalid. Any organisation that takes customer requirements and translates them into a specification for delivery is performing design and development — whether it’s a consulting firm developing a project methodology, a logistics company designing a supply chain solution, or a training provider creating a curriculum.
Clause 8.3 requires the organisation to establish a design and development process that includes planning, inputs, controls (reviews, verification, validation), and outputs. Each of these stages serves a specific control function: inputs ensure the design starts from correct and complete requirements; controls ensure the design evolves through disciplined evaluation; outputs ensure the result is sufficient for the subsequent production or service provision processes.
The most common audit finding on Clause 8.3 isn’t a missing design procedure — it’s a missing design review. Organisations produce designs but skip the formal review stage where cross-functional input validates the design against its inputs. Design verification (does the output meet the design input?) and design validation (does the final product meet the user’s needs?) are often conflated or omitted entirely. These are distinct checks at distinct stages, and both are required.
Clause 8.4 — External Providers: The Purchasing Blind Spot
Clause 8.4 addresses the control of externally provided processes, products, and services. It replaces the old “purchasing” clause with a broader framework that covers suppliers, subcontractors, outsourced process providers, and any external entity whose output is incorporated into or directly affects the organisation’s product or service.
The clause requires the organisation to establish criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers. Most organisations have an approved supplier list and an annual evaluation form. Few have a dynamic supplier performance system that feeds real-time quality data — rejection rates, delivery performance, specification compliance — back into procurement decisions.
The disconnect between supplier performance data and procurement decisions is where alignment fails. Purchasing decisions driven by cost without quality data input create a systematic risk that Clause 8.4 was designed to prevent. When the supplier evaluation exists in the quality department and the purchase order exists in the commercial department, with no structured connection between them, the organisation has two systems running independently — and neither is controlling the external provision process.
Clause 8.5 — Production and Service Provision: Controlled Conditions in Practice
Clause 8.5.1 requires production and service provision to be carried out under controlled conditions, including the availability of documented information that defines product characteristics or activities to be performed, monitoring and measurement resources, process validation where outputs cannot be verified by subsequent monitoring or measurement, and actions to prevent human error.
That final requirement — actions to prevent human error — is frequently misunderstood. It does not mean training people not to make mistakes. It means designing processes with controls that prevent errors from occurring or detect them before they affect the output. Poka-yoke devices, checklists, automated verification, sequential interlocks, mandatory hold points — these are system controls that reduce dependence on individual vigilance.
Clause 8.5.2 (Identification and traceability) and Clause 8.5.3 (Property belonging to customers or external providers) are implementation requirements that most organisations address adequately. Clause 8.5.4 (Preservation) — ensuring product integrity during internal processing and delivery — is where SMEs frequently underperform. Storage conditions, shelf life controls, handling procedures, and packaging specifications are operational requirements that affect conformity but receive less attention than production processes.
Clause 8.5.6 (Control of changes) reinforces the Clause 8.1 change control requirement at the production level: changes to production or service provision must be reviewed and controlled to ensure continuing conformity with requirements. A production change that bypasses this control is a Clause 8.5.6 nonconformity — and the investigation should trace back to the system mechanism that failed to capture the change.
THE SGRII ISO 9001:2015 QMS FRAMEWORK
Core Procedures covering contract review, design control, supplier evaluation, and production control — structured for SME operations with built-in process criteria and acceptance checkpoints.
EXPLORE THE QMS FRAMEWORK ›Join the Conversation
Does your contract review happen before or after commercial commitment? And if you’ve excluded Clause 8.3 from your scope — are you certain the exclusion is valid?
Practitioner perspectives that challenge or extend this analysis are particularly welcome. Leave your comment below — the SGRII team responds to every substantive contribution.
Build it, don’t just read about it
SGRII ISO 9001:2015 QMS Framework
Six-module QMS with clause-referenced procedures, registers and an audit pack for SMEs.
View the Framework → Get the newsletterCoverage is not compliance. SGRII frameworks provide structured coverage, templates and guidance. They are designed for audit defensibility and structured for certification readiness; they do not certify you, do not guarantee a successful audit, and are not legal advice. The official ISO standard remains the only authoritative source of requirements.