ISO 9001 - Clause 8.5 Production and Service Provision Explained

A product well-made and a service well-delivered is key to the success of any business. Processes involved in producing the products and provisioning the services is the most critical activity for any business. Clause 8.5 of ISO 9001:2015: Production and Service Provision defines the requirements that a company should implement to ensure that their production and service provision processes run smoothly.

This clause describes the controls that a company should apply to ensure their products and services meet the customer’s requirements, needs and expectations.

Listed below are the sub-clauses of this clause, described in more detail in this article.

  • 5.1 Control of production and service provision

  • 5.2 Identification and traceability

  • 5.3 Property belonging to customer or external providers

  • 5.4 Preservation

  • 5.5 Post-delivery activities

  • 5.6 Control of changes

Why is it important?

Imagine what will happen if the personnel required to work on a process is not even aware of the product/service that needs to be delivered due to a lack of clear instructions/documentation. Or a case where suitable tools/systems are not available and the product created is not as per the requirement. If there is no quality control and the product delivered does not meet the acceptance criteria, you are sure to lose your customers, and it becomes difficult to sustain such a business for long.

That is why Production and Service Provision is critical to any company’s operations.

Many processes are involved in production and service provision, and each one is dependent on the other. Each of these processes should be well-planned so that operations run smoothly without any hindrances. Additionally, controls need to be planned in terms of reviews, verification, validation, and training at required places to ensure that what you are delivering meets the customer’s requirements. Let’s look at each sub-clause in detail to understand this better.

Control of production and service provision

This clause requires an organization to design controlled conditions under which the production and service provision should take place. These include:

  • Documented information on the characteristics of the product or service and activities to be performed

    This control requires that the product or service characteristics be documented, which could include work instructions, designs, drawings, or simple signage at your desk.

    Also, documented information related to the activities that need to be undertaken to produce the product or deliver the service should be available. This documented information should specify the results that are to be achieved.

    These details may typically be available in your project programs or plans. These plans or programs should be made so that they should indicate how different units interact with each other. All activities that need to be performed starting from customer delivery requirements, raw material purchase, resources required, production, storage, packaging, delivery with clearly outlined plans outlining who, what, when and how a product is made or service is delivered. The plans can also define the sequence in which material or equipment is required, measurement and monitoring tools that would be used, verifications that need to be carried out, stages at which verification is done, and how problems, if any arise, would be handled, etc.

    For a builder, an example of documented information can be Project programmes which are updated on a two-weekly basis to show progress with the project tasks.

    For service delivery, if you are selling software as a service, this can be preparing a roadmap for the product and managing the backlog of tasks, or setting up epics and stories within a tool like JIRA.

    The level of detail that would go into such documents is decided by the organization and can be just a brief description, a process flowchart, or a detailed project plan, etc. These should be readily available to the personnel responsible for carrying out these activities. The amount of documentation required should be decided based on the complexity, size and risk involved in the work being performed. However, if a job required a particular document, for example, work instructions, these should be available and relevant.

  • Resource Availability

    The management should ensure that adequate resources are available to carry out the work. The resources that should be made available include:

      1. Infrastructure

      2. Monitoring and measurements resources

      3. Competent human resources

The right environment and infrastructure required for the operation of all processes are essential and should be made available. Management should ensure that the resources, including the process environment and infrastructure, are suitable. In addition, monitoring and measurement resources, including tools, trained personnel, equipment, etc., should be made available. All personnel using monitoring and measuring tools should be competent and trained to handle such tools.

Human Resources required to deliver the product or service should be made available, and it should be ensured that they are competent based on their education, skill and training.

  • Validation of the results of the processes

    Results of the processes should be validated wherever possible. If the product cannot be verified without damaging or destroying the product, this clause recommends that the process is initially validated and evaluated periodically. Some examples may be welding, painting, electroplating or a simple pizza delivery service where the quality of these activities may only be learned after use.

    However, most organizations would have some intermediate verification steps to validate the products. Validation of such services can involve conducting capability studies and inspection or testing methods to ensure the product or service meets the customer’s requirements.

    A simple example to conduct verification and validation activities can be inspection and test plans and checklists used by builders with a list of verification and validation activities to ensure that the project requirements (i.e. drawings and specifications) are met.

    Testing Validation may also require customer or regulatory approval of the process.

  • Products and services release, delivery, and post-delivery processes

    Products and service release, delivery and post-delivery activities should be defined and implemented as planned. Depending on the product or service you deliver, this could be an email sent to the customer, or this can involve multiple steps of packaging, transportation, shipping, etc.

Identification and Traceability

This clause requires that organizations implement three controls to ensure that the products are uniquely identifiable and traceable to inputs.

  • Product identification: An organization should make arrangements so that the process outputs are identified where this is necessary.

    This can simply be done by assigning project numbers wherever required. If you are refurbishing an aged care facility, the room numbers can be used to identify or trace all items attached to the room. For a bulk earthwork’s company, this can be work lot numbers that are marked on drawings/site maps or chainage used to track construction for a construction company. In a software company, this can be assigning names to code repositories, components, infrastructure items, etc.

  • Product status: This identification should also help an organization identify the status of process outputs regarding any monitoring and measurement requirements at all stages of production or service provision. For example, Inspection and test plans and checklists are prepared and completed throughout the works to show traceability of work and steps completed in accordance with standards, drawings and specifications.

    In a software company, using tools such as JIRA for tracking work and GitHub for traceability of code changes helps in monitoring the status of process outputs.

  • Unique Product Identification: In some cases, unique product identification is a contractual requirement from the customers or regulatory bodies. In such circumstances, the organization must maintain detailed records of the manufacturer of material, tools, equipment, inspection and test results for each product or product batches. This is particularly true in certain high-risk industries like aerospace or pharmaceutical, etc. This is due to the high safety and life-threatening risks of the products made by these companies.

Property Belonging to Customers or External Providers

This sub-clause requires that an organization should control any property belonging to customers or external providers while under the organization’s control or be used by the organization. This clause could be applied to protecting the subcontractor’s tools, materials and plant onsite against theft or damage. For a company dealing with refurbishments of rooms, this could be the processes to protect existing items / the structure, such as covering furniture and flooring with protective plastic/drop sheets. This exact requirement would also extend to protecting client data, such as project documents and data in systems such as Aconex. In a services company that does not have physical customer or external provider property, this could be limited to managing customers’ information, including personal information.

Customer property always carries the risk of being lost, damaged, stolen or misused, or their conditions may deteriorate over time. An organization should implement mechanisms to identify all such cases and notify the customer/external provider when this happens. This can be done effectively by maintaining an inventory management system, identifying customer property, traceability and maintenance or control over the use of the property through access controls, etc. The controls can be decided by the organization, as required.


During any time of their life cycle, the product is a raw material, work-in-progress item or finished products, which run the risk of being lost, damaged, stolen or misused, and becomes unsuitable to use over time, or it may be perishable. To prevent products from becoming unsuitable for use, adequate controls should be applied in terms of procedures being followed and the environment required for such products. This could include, but is not limited to:

  • using identification, status and traceability

  • tracking shelf life of perishable items

  • management of hazardous material

  • Methods such as FIFO

  • control on the environment like temperature or humidity, etc.

These controls should be included in your operation processes through your product project/quality plans, standard operating procedures, work instructions, etc.

A simple example could be, builders need to ensure the preservation of materials delivered to the site. This can be done by storing material in a locked compound and protected from the weather. This would also extend to installed products, such as glass, which may have a protective coating to protect against scratches or floor protection used to protect installed flooring (e.g. carpet or floorboards).

While in a software company, this could be backing up the various systems in use, including those with customer data, and testing the restoration of backups to ensure that data is available and not lost during a disaster scenario.

Post-Delivery Activities

Post-delivery activities may differ for each company, and it is required that the organization determine the nature and extent of any post-delivery activities applicable to their type of work.

Post-delivery activities mean providing support for their product or services post the delivery which may or may not be required by the customer, as per your contractual agreements. While planning the post-delivery activities, the organization should consider few important parameters:

  • Statutory and regulatory requirements: In some cases, post-delivery activities are statutory or regulatory requirements. Such requirements should be addressed. For example, there is a mandated 13 weeks for the defects and liability period in New South Wales, Australia, which may be longer depending on what is included in the contract for the project. These requirements, including statutory and contractual, will need to be considered in the organization’s processes.

  • Risks associated with its products and services: The organization must consider all risks or potential consequences related to its product or service and create a response plan on how they will address the situation. For builders, this would be the defect liability period that commences once the project is handed over. There should be timely responses to issues raised and comprehensive reporting during the defects liability period as it is generally the last major interaction with the customer and can have a significant impact on customer satisfaction. The reporting can assist the sales/estimating teams and construction teams for future projects to identify lessons learnt.

    In a software company, this can be fixing bugs and other issues post-release. A post-delivery maintenance window may be defined in the contract with the customer in many cases.

  • Nature, use and intended lifetime of its products and services: This is very commonly stated in the organization’s return policy. This is generally based upon the intended lifetime of the product and warranties return if something goes wrong with the product before that time.

  • Customer requirements or feedback: Some client contracts may have post-delivery, support, maintenance or warranty requirements. Such post-delivery activities should be clearly described and implemented. Any customer feedback on post-delivery activities should be considered. If required by the customer, any requests for changes should be accounted for if found feasible by the company.

Control of Changes

Many planned or unplanned changes may be required to be implemented in a project. The organization should have controls to ensure that the products or services continue to meet the specified requirements despite the changes. An organization shall do a detailed analysis of such changes, determine the impact on different areas, authorize the change, and maintain all documented information of such changes.

Some examples of how changes can happen and how these should be managed:

  • A change could result from an RFI to the design consultant (e.g. architect or structural engineer) resulting in updated drawings and specifications which then need to be reviewed, assessed by the construction team and incorporated into the planned works. Builders and other parties such as external providers (e.g. suppliers and subcontractors) need to have the latest drawings and specifications to address the changes. The changes would then need to be reflected in the relevant Inspection and Test Plans and Inspection and Test Checklists to ensure that these items are included in the verification and validation activities.
  • This could involve assessing changes to the requirements and incorporating them into either current work or future changes as part of a backlog for a software company.

Recent Posts