Guide to ISO 9001 Clause 8.3 Design and Development of Products and Services

CertBetter

Team CertBetter

13 min read
Guide to ISO 9001 Clause 8.3 Design and Development of Products and Services

What Is Clause 8.3 and Why Does It Matter?

If your business designs products or develops services before delivering them to customers, Clause 8.3 of ISO 9001:2015 applies directly to you. It covers the entire design and development process, from the initial planning stage through to the final output that gets handed over to production or delivery. It is one of the more detailed clauses in the standard, and it trips up a lot of organisations during certification audits.

The clause exists for a good reason. Poor design is one of the most expensive quality failures a business can experience. Catching a design flaw at the concept stage costs a fraction of what it costs to fix it after production has started, or worse, after a customer has already received the product. Clause 8.3 gives you a structured framework to reduce that risk.

It is worth noting that this clause is one of the few in ISO 9001 where organisations can apply an exclusion. If your business does not carry out any design or development activities, meaning you manufacture or deliver entirely to customer-provided specifications, you may be able to exclude this clause from your scope. However, that exclusion needs to be justified and documented. Auditors will challenge it if your business has any input into product or service specifications.

The Structure of Clause 8.3: Seven Sub-Clauses

Clause 8.3 is broken into seven sub-clauses, each addressing a different phase or aspect of the design and development process. Understanding how they connect is important before you try to implement them.

8.3.1 General

This sub-clause simply states that your organisation must establish, implement and maintain a design and development process. It is the foundation. The standard does not prescribe exactly how your process must look, which gives you flexibility to design something that fits your industry and business model. What it does require is that the process is systematic and that you can demonstrate it is being followed.

8.3.2 Design and Development Planning

Planning is where most organisations either get this right or start to unravel. Clause 8.3.2 requires you to determine the nature, duration and complexity of your design activities. You also need to identify the stages involved, the review and verification points, and who is responsible for what.

There are several specific things the standard expects you to consider during planning. These include the resources needed, both human and infrastructure, any interfaces between different teams or functions involved in the design process, the level of customer and user involvement, and any requirements for handover to subsequent production or service delivery steps.

A practical way to document this is through a design and development plan. This does not need to be a lengthy document. For a small product company, it might be a one-page project plan that maps out the design stages, who is responsible, and when reviews will occur. For a more complex engineering organisation, it will naturally be more detailed.

8.3.3 Design and Development Inputs

Before you can design anything, you need to know what the design must achieve. Clause 8.3.3 requires you to identify and document the inputs to your design process. These inputs typically include functional and performance requirements, applicable legal and regulatory requirements, standards that must be met, information from previous similar designs, and any other requirements considered essential.

The standard also requires that inputs be adequate, complete and unambiguous. Conflicting inputs must be resolved before design work begins. This is a common audit finding in organisations that start design work based on vague or incomplete briefs from clients or internal stakeholders.

A real-world example here is useful. Imagine a manufacturer developing a new industrial valve. The design inputs would include the pressure and temperature ratings required, the relevant Australian Standards or international standards the valve must comply with, material specifications, dimensional constraints, and any lessons learned from previous valve designs that had field failures. All of these need to be captured and reviewed before the drawing board gets touched.

8.3.4 Design and Development Controls

This is the heart of the clause. Clause 8.3.4 requires you to apply controls throughout the design and development process. Those controls take three specific forms: reviews, verification, and validation.

Design reviews involve evaluating the design at planned stages to check that it is meeting its requirements. Reviews should involve people with relevant competence, and the results need to be recorded. A common mistake is treating design reviews as a rubber stamp exercise. An auditor will look at whether your review records show genuine evaluation and any issues that were identified and addressed.

Design verification is the process of confirming that the design outputs meet the design inputs. In simple terms, it answers the question: did we build what we said we would build? Verification activities might include calculations, prototype testing, comparison with proven designs, or alternative calculations. The outputs of verification must be recorded.

Design validation goes a step further. It confirms that the resulting product or service will actually meet the needs of the intended use or application. Verification checks the design against its specification. Validation checks the design against its intended purpose in the real world. These are two different things, and auditors know the difference. If you want a detailed explanation of how these two concepts differ, the article on the difference between verification and validation in ISO covers this clearly.

The standard also requires that you take actions on any problems identified during reviews, verification or validation. Simply recording that a problem exists without addressing it is not sufficient.

8.3.5 Design and Development Outputs

Clause 8.3.5 addresses what comes out of the design process. Design outputs must meet the input requirements and must be adequate for the subsequent processes of production, service delivery or procurement. They must also include or reference monitoring and measuring requirements, and specify the characteristics of the product or service that are essential for its intended purpose.

In practice, design outputs might include engineering drawings, specifications, bills of materials, software code, service procedures, or formulations. Whatever form they take, they need to be documented and retained as evidence. The outputs must also be reviewed and approved before being released for use.

8.3.6 Design and Development Changes

Designs rarely stay static. Components get changed, customer requirements evolve, or testing reveals that something needs to be modified. Clause 8.3.6 requires you to identify, review and control changes made during or after the design and development of products and services.

The review of changes must consider the potential impact on the product or service as a whole, including any effects on already-delivered products or services. Changes must be authorised before implementation, and records of the changes, the reviews, and any authorisations must be retained.

This is an area where organisations frequently get caught out. A design change is made informally, without going through the proper review process, and the change creates a downstream quality problem. An effective change control process prevents this from happening.

8.3.7 Design and Development Outputs (External Provision)

Wait, there is no 8.3.7 in the standard. The clause structure ends at 8.3.6. However, it is worth noting that the outputs from design and development feed directly into Clause 8.4, which covers the control of externally provided processes, products and services. If your design outputs are passed to external suppliers for manufacturing or delivery, those handover requirements become part of your purchasing and supplier control processes.

Who Does Clause 8.3 Apply To?

This is a question worth spending time on, because the answer is broader than many organisations expect. The obvious candidates are manufacturers who design their own products. But Clause 8.3 also applies to service organisations that develop new service offerings before delivering them.

Consider a consulting firm that develops a new training programme. The programme has to be designed, tested, and refined before it is delivered to clients. That is a design and development process. Or think about a software company building a custom application. The development cycle from requirements through to deployment is design and development in the context of this clause.

Even some construction companies, professional services firms, and healthcare organisations have design and development activities that fall within the scope of this clause. The key question to ask is whether your organisation makes decisions about what the product or service will be, or whether you simply execute to a specification provided entirely by someone else.

If you are still working out what your ISO 9001 scope should cover, the guide on limiting the scope of your ISO 9001 certification is worth reading before you finalise your approach.

Common Audit Findings Under Clause 8.3

Having spent years auditing organisations against ISO 9001, certain patterns come up repeatedly under this clause. Knowing them in advance will save you from an embarrassing nonconformance during your certification audit.

Incomplete or Vague Design Inputs

Organisations often start design work before inputs have been properly defined. The brief from the client or internal team is ambiguous, conflicting requirements have not been resolved, or applicable regulatory requirements have not been identified. Auditors will ask to see your design inputs and will probe whether they were adequate before work commenced.

No Evidence of Reviews or Verification

Many organisations carry out design reviews informally, through conversations and emails, without creating any structured records. When an auditor asks for evidence of design reviews, there is nothing to show. The review does not need to be a formal board meeting, but it does need to be documented. A simple review checklist or meeting minutes that reference the design stage and any issues identified is sufficient.

Validation Not Performed or Confused With Verification

As mentioned earlier, validation and verification are different activities. Organisations frequently document verification activities and call them validation. An auditor will ask what evidence you have that the product or service meets its intended use in real conditions, not just that it meets the specification on paper.

Change Control Not Applied Consistently

Design changes made outside the formal change control process are a frequent finding. This is particularly common in fast-moving product development environments where teams feel the formal process slows them down. The solution is not to remove the process but to make it proportionate and practical so that people actually use it.

Exclusion Claimed Without Justification

Some organisations attempt to exclude Clause 8.3 when they actually do carry out design activities. Auditors will look at your products and services and ask questions. If it becomes apparent that you make design decisions, the exclusion will not hold. Be honest in your assessment of whether this clause applies.

Practical Steps to Implement Clause 8.3

Here is a straightforward approach to getting this clause implemented properly, without creating unnecessary bureaucracy.

Step 1: Determine Whether the Clause Applies

Start by honestly assessing whether your organisation carries out design and development activities. If you do, identify the scope of those activities and document your rationale. If you genuinely do not, document your justification for the exclusion clearly.

Step 2: Map Your Existing Design Process

Most organisations that do design work already have some kind of process, even if it is informal. Map it out. Identify the stages, the decision points, who is involved, and what outputs are produced at each stage. This gives you a baseline to work from.

Step 3: Establish a Design and Development Plan Template

Create a simple template that captures the planning requirements of Clause 8.3.2. This should include the scope of the design activity, the stages and timeline, the people involved and their responsibilities, the review and verification points, and any specific regulatory or customer requirements.

Step 4: Define Your Input and Output Requirements

Create a checklist or template for capturing design inputs at the start of each project. Include a sign-off step to confirm inputs are adequate before work begins. Similarly, define what your design outputs must include before they are released for production or delivery.

Step 5: Formalise Your Review, Verification and Validation Activities

Decide what evidence you will create at each stage. This does not need to be elaborate. A review record that captures the date, who was involved, what was reviewed, any issues identified, and the outcome is entirely sufficient. For verification and validation, document the method used and the results obtained.

Step 6: Implement a Change Control Process

Design a simple change request process that requires changes to be assessed for impact before implementation. Even a one-page form that captures the change description, the reason for the change, the impact assessment, and the authorisation signature will satisfy the standard.

For more guidance on how documentation fits into your broader quality management system, the article on controlled documents and how to implement them is a practical resource.

Clause 8.3 in the Context of the Broader ISO 9001 Standard

Clause 8.3 does not sit in isolation. It connects directly to several other parts of the standard. Your design inputs will draw on the customer requirements captured under Clause 8.2. Your design outputs feed into the production and service delivery controls under Clause 8.5. The risks associated with design activities should be addressed through your risk and opportunity management processes under Clause 6.1.

Leadership commitment under Clause 5 is also relevant here. Design and development requires resources, time, and skilled people. Without genuine commitment from senior management to provide those resources, the process will be inadequate regardless of how well you document it.

The ISO 9001:2015 standard itself provides the authoritative source for understanding the exact requirements of each clause, and it is worth reading the clause text directly alongside any guidance material.

If you are working through the standard clause by clause, the guide to Clause 9 on performance evaluation is a useful next step once you have Clause 8 under control.

A Note on Proportionality

One thing that confuses smaller businesses is the assumption that implementing Clause 8.3 requires a large engineering department and a formal stage-gate process borrowed from a multinational. It does not. The standard explicitly acknowledges that the extent of design and development controls should be determined based on the nature, duration and complexity of the activities involved.

A small business designing a new product line does not need the same process as a defence contractor. What it does need is a process that is appropriate to its context, consistently applied, and properly documented. Keep it proportionate. A three-stage process with simple review records is far better than a twelve-stage process that nobody follows.

Getting Help With Clause 8.3 Implementation

If you are working through ISO 9001 implementation and finding Clause 8.3 more complex than expected, you are not alone. This clause requires genuine process thinking, and getting it right the first time is much easier with guidance from someone who has seen how auditors approach it in practice.

CertBetter connects businesses with verified ISO consultants and accredited certification bodies across Australia and globally. You submit one form, and you receive up to three competing quotes from vetted providers who understand your industry. The service is completely free for businesses seeking certification help. Whether you are implementing ISO 9001 for the first time or addressing gaps found in a previous audit, getting the right expert in your corner makes a significant difference to the outcome.

Get 3 ISO Quotes. 24 Hours Response

Tell us what you need and compare vetted ISO consultants or certification bodies within 24 hours. Free, no obligation.

Trusted by 400+ businesses like yours

Frequently Asked Questions

It depends on what the service business actually does. If the organisation delivers services entirely to specifications provided by the customer and makes no design decisions of its own, then an exclusion may be justified. However, if the business develops new service offerings, creates service procedures, or makes decisions about how a service will be structured before delivering it, Clause 8.3 is likely to apply. Any exclusion must be documented with a clear justification, and an auditor will challenge it if the evidence suggests design activities are taking place.

Verification confirms that the design output meets the design input requirements. It is essentially checking that you built what you said you would build, typically through testing, calculations, or comparison against the specification. Validation goes further and confirms that the product or service will meet the needs of the intended user in real-world conditions. A product can pass verification and still fail validation if the original specification did not fully capture what the customer actually needed. Both activities are required under Clause 8.3.4, and both must be documented.

No. The standard does not prescribe a specific process model. It requires that design and development activities are planned, controlled, and documented in a way that is appropriate to the nature and complexity of the work involved. A small business might manage this with a simple project plan and a few review records. A large engineering organisation might use a formal stage-gate process with multiple approval levels. Both approaches can satisfy the clause as long as the core requirements around inputs, outputs, reviews, verification, validation, and change control are addressed.

Auditors will generally ask to see documented design and development plans, records of design inputs that were identified and reviewed before work began, evidence of design reviews at planned stages, verification records showing that outputs meet inputs, validation evidence demonstrating fitness for intended use, and records of any design changes including the impact assessment and authorisation. The records do not need to be elaborate, but they do need to exist and they need to tell a coherent story about how the design process was managed.

Design outputs often become the inputs to procurement and supplier management processes. When a design is finalised, the specifications, drawings, and requirements generated by the design process are passed to suppliers or used to control production. This means the quality of your design outputs directly affects the quality of what you purchase and produce. Under ISO 9001, this connection runs from Clause 8.3 into Clause 8.4, which covers externally provided processes, products and services. Weak design outputs lead to ambiguous purchasing specifications, which in turn create supplier quality problems.

Unauthorised design changes are a common source of nonconformances under Clause 8.3.6. If a change is made without a proper impact assessment and authorisation, there is a risk that the change introduces a defect, creates a regulatory compliance issue, or affects other parts of the product or service that were not considered. From an audit perspective, an undocumented change also creates a traceability gap. If something goes wrong downstream, there will be no record of when or why the design was altered. A proportionate change control process, even a simple one, prevents these problems from occurring.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.

ISO 9001 Clause 8.3 Design and Development Guide - CertBetter