8.1 Operational Planning and Control

The organization shall plan, implement, and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in clause 6, by:

a. determining the requirements for the products and services;

NOTE: Determination of requirements for the products and services should include consideration of:

− personal and product safety;

− producibility and inspectability;

− reliability, availability, and maintainability;

− suitability of parts and materials used in the product;

− selection and development of embedded software;

− product obsolescence;

− prevention, detection, and removal of foreign objects;

− handling, packaging, and preservation;

− recycling or final disposal of the product at the end of its life.

b. establishing criteria for:

1. the processes;

2. the acceptance of products and services;

NOTE: According to the nature of the product and depending on the specified requirements, statistical techniques can be used to support:

− design verification (e.g., reliability, maintainability, product safety);

− process control;

• selection and verification of key characteristics;

• process capability measurements;

• statistical process control;

• design of experiments;

− verification;

− failure mode, effects, and criticality analysis.

c. determining the resources needed to achieve conformity to the product and service requirements and to meet on-time delivery of products and services;

d. implementing control of the processes in accordance with the criteria;

e. determining, maintaining, and retaining documented information to the extent necessary:

1. to have confidence that the processes have been carried out as planned;

2. to demonstrate the conformity of products and services to their requirements;

f. determining the processes and controls needed to manage critical items, including production process controls when key characteristics have been identified;

g. engaging representatives of affected organization functions for operational planning and control;

h. determining the process and resources to support the use and maintenance of the products and services;

i. determining the products and services to be obtained from external providers;

j. establishing the controls needed to prevent the delivery of nonconforming products and services to the customer.

NOTE: One method to achieve operational planning and control can be through using integrated phased processes.

As appropriate to the organization, customer requirements, and products and services, the organization shall plan and manage product and service provision in a structured and controlled manner including scheduled events performed in a planned sequence to meet requirements at acceptable risk, within resource and schedule constraints.

NOTE: This activity is generally referred to as project planning, project management, or program management.

The output of this planning shall be suitable for the organization's operations.

NOTE: As an output of this planning, documented information specifying the processes of the quality management system and the resources to be applied to a specific product, service, project, or contract can be referred to as a quality plan.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled (see 8.4).

The organization shall establish, implement, and maintain a process to plan and control the temporary or permanent transfer of work, to ensure the continuing conformity of the work to requirements. The process shall ensure that work transfer impacts and risks are managed.

NOTE: For the control of work transfer from the organization to an external provider, or from an external provider to another external provider, see 8.4. For the control of work transfer from one organization facility to another, or from an external provider to the organization, see 8.5.

8.1.1 Operational Risk Management

The organization shall plan, implement, and control a process for managing operational risks to the achievement of applicable requirements, which includes as appropriate to the organization and the products and services:

a. assignment of responsibilities for operational risk management;

b. definition of risk assessment criteria (e.g., likelihood, consequences, risk acceptance);

c. identification, assessment, and communication of risks throughout operations;

d. identification, implementation, and management of actions to mitigate risks that exceed the defined risk acceptance criteria;

e. acceptance of risks remaining after implementation of mitigating actions.

NOTE 1: While clause 6.1 addresses the risks and opportunities when planning for the quality management system of the organization, the scope of this clause (8.1.1) is limited to the risks associated to the operational processes needed for the provision of products and services (clause 8).

NOTE 2: Within the aviation, space, and defense industry, risk is generally expressed in terms of the likelihood of occurrence and the severity of the consequences.

8.1.2 Configuration Management

The organization shall plan, implement, and control a process for configuration management as appropriate to the organization and its products and services in order to ensure the identification and control of physical and functional attributes throughout the product lifecycle. This process shall:

a. control product identity and traceability to requirements, including the implementation of identified changes;

b. ensure that the documented information (e.g., requirements, design, verification, validation and acceptance documentation) is consistent with the actual attributes of the products and services.

8.1.3 Product Safety

The organization shall plan, implement, and control the processes needed to assure product safety during the entire product life cycle, as appropriate to the organization and the product.

NOTE:  Examples of these processes include:

− assessment of hazards and management of associated risks (see 8.1.1);

− management of safety critical items;

− analysis and reporting of occurred events affecting safety;

− communication of these events and training of persons.

8.1.4 Prevention of Counterfeit Parts

The organization shall plan, implement, and control processes, appropriate to the organization and the product, for the prevention of counterfeit or suspect counterfeit part use and their inclusion in product(s) delivered to the customer.

NOTE: Counterfeit part prevention processes should consider:

− training of appropriate persons in the awareness and prevention of counterfeit parts;

− application of a parts obsolescence monitoring program;

− controls for acquiring externally provided product from original or authorized manufacturers, authorized distributors, or other approved sources;

− requirements for assuring traceability of parts and components to their original or authorized manufacturers;

− verification and test methodologies to detect counterfeit parts;

− monitoring of counterfeit parts reporting from external sources;

− quarantine and reporting of suspect or detected counterfeit parts.

8.2 Requirements for Products and Services

8.2.1 Customer Communication Communication with customers shall include:

a. providing information relating to products and services;

b. handling enquiries, contracts, or orders, including changes;

c. obtaining customer feedback relating to products and services, including customer complaints;

d. handling or controlling customer property;

e. establishing specific requirements for contingency actions, when relevant.

8.2.2 Determining the Requirements for Products and Services

When determining the requirements for the products and services to be offered to customers, the organization shall ensure that:

a. the requirements for the products and services are defined, including:

1. any applicable statutory and regulatory requirements;

2. those considered necessary by the organization;

b. the organization can meet the claims for the products and services it offers;

c. special requirements of the products and services are determined;

d. operational risks (e.g., new technology, ability and capacity to provide, short delivery time frame) have been identified.

8.2.3 Review of the Requirements for Products and Services

8.2.3.1 The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to the customer, to include:

a. requirements specified by the customer, including the requirements for delivery and post-delivery activities;

b. requirements not stated by the customer, but necessary for the specified or intended use, when known;

c. requirements specified by the organization;

d. statutory and regulatory requirements applicable to the products and services;

e. contract or order requirements differing from those previously expressed.

This review shall be coordinated with applicable functions of the organization.

If upon review the organization determines that some customer requirements cannot be met or can only partially be met, the organization shall negotiate a mutually acceptable requirement with the customer.

The organization shall ensure that contract or order requirements differing from those previously defined are resolved.

The customer requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements.

NOTE: In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information, such as catalogues.

8.2.3.2 The organization shall retain documented information, as applicable:

a. on the results of the review;

b. on any new requirements for the products and services.

8.2.4 Changes to Requirements for Products and Services

The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.