Internal Quality AuditorsLearning Session 01

February 14, 2009NTC Boardroom, 1:00-3:30 pm

Auditing the Design and Development Process ISO 9001:2008 clause 7.3 Meaning:

refers only to design and development of products and services.not design and development of processes, although it can be beneficial to apply the methodology of clause 7.3 to the latter.

Auditing the Design and Development ProcessAuditing Objective: Determine whether the process is managed and controlled to enable products to meet their intended use and specified requirements.

Note: Auditing Design and Development Process for Service organization may be different from traditional manufacturing organization.

What is Product Design and Development?Product RequirementSpecified Product Characteristicsi.e. specifications, statutory requirements and specific or implied customer requirementsdistinguishing features of the productTransforminto

Examples of product characteristics ISO 9000:2005 clause 3.4.1Physical (e.g. mechanical, electrical, chemical or biological characteristics)Sensory (e.g. related to smell, touch, taste, sight, hearing)Behavioral (e.g. courtesy, honesty, veracity)Temporal (e.g. punctuality, reliability, availability)Ergonomic (e.g. physiological characteristic, or related to human safety)Functional (e.g. maximum speed of an aircraft)

How to evaluate if exclusion of 7.3 is correct?Establish who is responsible for defining the characteristics of product or service together with how and when it is carried out.

ISO 9001:2008 Clause 1.2 Application

are not acceptable unless these exclusions are limited w/in Clause 7, and such exclusions do not affect the organizations ability, or responsibility, to provide product that meets customer and applicable statutory and regulatory requirements.

Each stage has specific deliverables that cover both the commercial and technical aspects of design and development of a product. In some cases, organizations might be able to justify the exclusion of certain sub-clauses or individual requirements from their QMS without necessarily excluding the entire clause.

How to start?Establish what design and development projects have been, and are currently being undertaken. = select a sufficient number of projects to be able to audit all stages of the design process

How to evaluate if there is on-going D&D activity?Validate by:

Ensuring that no changes have been effected to the previous design

Reviewing relevant documents and records such as:Relevant document to find out whether any amendment has been issued during the review period.Customer feedback to find out whether any design-related comment has been received and auditee has taken appropriate action.Nonconformity reports to find out whether any design-related NCs have been recorded.

Records that we can take a look at7.3.2 Design and development inputs relating to product requirements 7.3.4 Results of design and development reviews and any necessary actions 7.3.5 Results of design and development verification and any necessary actions 7.3.6 Results of design and development validation and any necessary actions 7.3.7 Results of the review of design and development changes and any necessary actions

Auditing the need for design & development Triggering factors:

the organizations strategic planning;market intelligence and research;service reports;customer feedback and demand;new or changed statutory and regulatory requirements;process changes;new technology;suppliers.

(7.3.1) Auditing design and development planningISO 9001:2008 Clause 7.3.1

The organization shall plan and control the design and development of product.

During the design and development planning, the organization shall determine

The design and development stages,The review, verification and validation that are appropriate to each design and development stage, andThe responsibilities and authorities for design and development.

The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility.

Planning output shall be updated, as appropriate, as the design and development progresses.

ISSUES to CONSIDER:

what is the overall flow of the design planning process?how is it described?what resources and competencies are required?what part of the design will be outsourced?who is responsible and are the authorities defined?how are (internal and external) interfaces between various groups identified and managed?are the required verification, validation and review points defined?are the main milestones and timelines identified?is the implementation and effectiveness of the plan monitored?is the plan updated and communicated to all relevant functions as necessary?

(7.3.2) Auditing design and development inputsISO 9001:2008 Clause 7.3.2

Inputs relating to product requirements shall be determined and records maintained. These inputs shall include

Functional and performance requirementsApplicable statutory and regulatory requirementsWhere applicable, information derived from previous similar designs, andOther requirements essential for design and development.

The inputs shall be reviewed for adequacy. Requirements shall becomplete, unambiguous and not in conflict with each other.

(7.3.2) Auditing design and development inputsWhen auditing the design and development inputs, auditors should develop an understanding of how the organization identifies its own inputs based on:

the organizations products and processes;financial, environmental, health and safety issues; organizational risks and impacts;customers requirements and expectations;statutory and regulatory requirements applicable to the product .

(7.3.2) Auditing design and development inputsAuditors should

evaluate the risks, the possible implications for customer satisfaction, and issues that the organization may encounter if some relevant inputs are not considered.

(7.3.3) Auditing design and development outputsISO 9001:2008 Clause 7.3.3

The outputs of design and development shall be in a form suitable for verification against the design and development input and shall be approved prior to release.Design and development outputs shall

Meet the input requirements for design and developmentProvide appropriate information for purchasing, production and service provision,Contain or reference product acceptance criteria, andSpecify the characteristics of the product that are essential for its safe and proper use.

Note: Information for production and service provision can include details for the preservation of products.

(7.3.3) Auditing design and development outputsD&D outputs should comply with the identified needs in order to ensure that the resulting product can fulfil its intended use. Outputs can include information relevant to the following:

marketing, sales and purchasing;production;quality assurance;information for service provision and maintenance of the product after deliveryand, should be provided in a form that enables verification and validation activities to be performed.

(7.3.3) Auditing design and development outputsAuditors should obtain evidence from the projects selected to confirm that:

information regarding the completion of design and development stages is available; the design and development process has been completed for the stage under review;design and development outputs have been confirmed

(7.3.4) Auditing the design and development process and design reviewsISO 9001:2008 Clause 7.3.4

At suitable stages, systematic reviews of desig and development shall be performed in accordance with planned arrangement (see 7.3.1)

To evaluate the ability of the results of the design and development to meet requirements, andTo identify any problems and propose necessary actions.

Participants in such reviews shall include representatives of functions concerned with the design and development stage(s) being reviewed. Records of the results of the reviews and any necessary actions shall be maintained.

(7.3.4) Auditing the design and development process and design reviewsAuditors should

verify that the overall design and development process is controlled in accordance with the organizations original plan being reviewed

the design and development reviews take place at appropriate planned stages

Participated by representatives from concerned/related functions

(7.3.4) Auditing the design and development process and design reviewsThe following issues should be considered by auditors when examining the review process:

do reviews occur at planned stages throughout the design process?are the reviews carried out in a systematic way involving representatives of the functions concerned with the stage(s) being reviewed?have all original and any new inputs been considered ?are the original outputs still relevant or have revised outputs been identified?have revised inputs and outputs been reviewed and approved by those with the relevant responsibility and authority (including the customer where appropriate)?does the output demonstrate the suitability, adequacy and effectiveness of the designed product? are the relevant design objectives being achieved?are there adequate records of reviews?

(7.3.5) Auditing design and development verificationISO 9001:2008 clause 7.3.5

Verification shall be performed in accordance with planned arrangements (see 7.3.1)to ensure that the design and development outputs have met the design and development input requirements. Records of the results of the verification and any necessary actions shall be maintained (see 4.2.4)

(7.3.5) Auditing design and development verificationDesign and development verification is aimed at providing assurance that the outputs of a design and development activity have met the input requirements for this activity as shown in Figure 2 below.

(7.3.5) Auditing design and development verificationVerification can comprise activities such as:

performing alternative calculations;comparing a new design specification with a similar proven design specification;undertaking demonstrations including prototypes, simulations or tests; and,reviewing documents prior to issue.

(7.3.5) Auditing design and development verificationAuditors should determine that the design and development verification activities should provide confidence that:

required verifications are planned and that verification is performed as appropriate during the design and development process;the completed design or development is acceptable and the results are consistent with and traceable to the initial requirements;the completed design or development is the result of implementation of a proper sequence of events, inputs, outputs, interfaces, logic flow, allocation of timing, etc;the design or development provides safety, security, and compliance with other requirements and design inputs; evidence is available to demonstrate that the verification results and any further actions have been recorded and confirmed when actions are completed.

Auditors should determine that only verified design and development outputs have been submitted to the next stage, as appropriate.

(7.3.6) Auditing design and development validationISO 9001:2008 Clause 7.3.6

Design and development validation shall be performed in accordance with planned arrangements (see 7.3.1) to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use, where known. Wherever applicable, validation shall be completed prior to the delivery or implementation of the product. Records of the results of validation and any necessary actions shall be maintained (see 4.2.4).

(7.3.6) Auditing design and development validation

confirmation by examination, provision of evidence, that the particular requirements for specific intended use are fulfilled.

Is the validation process capable of checking that the final product and/or service will meet, or does meet, the customers needs when it is in use ?

Validation methods should be specified as part of the design and development planning process, although these could be modified during the realization of design and development.

(7.3.7) Auditing design and development changesISO 9001:2008 Clause 7.3.7

Design and development changes shall be identified ad records maintained. The changes shall be reviewed, verified and validated, as appropriate, and approved before implementation. The review of design and development changes shall include the evaluation of the effect of the changes on constituent parts and product already delivered. Records of the results of the review of changes and any necessary actions shall be maintained (see 4.2.4)

(7.3.7) Auditing design and development changesChanges to design and development shall be:

IdentifiedReviewedVerified and validated, as appropriateApproved before implementationRecords maintained

(7.3.7) Auditing design and development changesReview of changes shall include:

Evaluation of the effect of the changes on constituent parts and product and products already deliveredMaintain records of the results of review and any necessary actions

(7.3.7) Auditing design and development changesDesign and development changes made during the design processneed to be controlled.

Auditors should consider the following:

are the sources and requests for changes properly identified and communicated?is the impact of any change evaluated?is any additional design proving or testing undertaken where appropriate?are the effects of the changes on constituent parts and product already delivered evaluated?has appropriate approval been given before a change is implemented (this could include statutory or regulatory approval or approval by the client)?are the changes fully documented and do records include information regarding any necessary additional actions?

KEY POINTS IN SUMMARY

Plan design activities, Determine the requirements, Execute the initial design, Test the design to see if it met requirements, Change the design if you have to until you can confirm you met the requirements, Document the process, specs and changes, and Get the customer to confirm it's what they wanted.

Examples

Scenario 1 : Customer property (intellectual property) controlled by a bank Situation:

A bank provides a variety of services to its customers (i.e. personal and company bank accounts), but chooses to implement a QMS only for its Internet banking services. For this service the bank has claimed conformity to ISO 9001:2008. The bank clearly states in its Quality Manual which services are covered by the QMS. The bank applies all the requirements of ISO 9001:2008 for the realization of its Internet banking services, with the exception of sub-clause 7.5.4 Customer property. The bank does not feel that it has possession of any customer property as part of its Internet banking services and has stated this in the justification for the exclusion of sub-clause 7.5.4 Customer property from its QMS.

Issue(s):

Can the bank exclude sub-clause 7.5.4 Customer property from its QMS and claim conformity to ISO 9001:2008?

Scenario 2 : Exclusion of design and development by a contract manufacturer Situation:

XYZ Electronics is building a new factory to perform manufacturing of mobile phones, as a subcontractor. It has only one customer and this customer maintains responsibility and authority for product design. XYZ Electronics is responsible for purchasing of all components and for performing the manufacturing activities. The customer provides XYZ with the manufacturing and parts specifications, and is also responsible for notifying XYZ of any design changes and providing the appropriate change information.XYZ Electronics, in the development of its QMS, has excluded the requirements of ISO 9001:2008 sub-clause 7.3 Design and development. XYZ Electronics considers the customer specifications as a customer supplied product and therefore controls this according to ISO 9001:2008 sub-clause 7.5.4 Customer property.

Issue(s):

Can the XYZ Electronics exclude sub-clause 7.3 Design and development from its QMS and claim conformity to ISO 9001:2008?

Scenario 3 : Regulators permit the exclusion of design development Situation:

KML designs and fabricates pressure vessels for electricity generating stations, in accordance with various mandatory pressure vessel regulations. The regulatory authority has not yet revised its requirements to take ISO 9001:2008 into account, but has confirmed that it will continue not to require manufacturers QMSs to include design. On this basis KML decides to exclude sub-clause 7.3 Design and development from its QMS and to claim conformity to ISO 9001:2008.

Issue(s):

Can KML exclude sub-clause 7.3 Design and development from its QMS and claim conformity to ISO 9001:2008?

The whole process is a continuum. The key thing regardless of the industry is to:

Plan design activities, Determine the requirements, Execute the initial design, Test the design to see if it met requirements, Change the design if you have to until you can confirm you met the requirements, Document the process, specs and changes, and Get the customer to confirm it's what they wanted. If you do these things, you should meet requirements for controlling designs regardless of what you want to call the different steps.

Either from an internal or external audit perspective, processes scheduled to be audited should take into account the status of the activity. If the process was deemed conforming during the last audit and no additional design & development work has taken place since then, there is no value re-auditing it.

Things/areas to look into to verify if really there is no D&D work has taken place:1. Masterlist of docs to find out whether any amendment has been issued during the review period. 2. Customer feedback to find out whether any design-related comment has been received and auditee has taken appropriate action. 3. Nonconformity reports to find out whether any design-related NCs have been recorded. There can be a few more like these. Additionally ensure that no changes have been effected to the previous design

Take a look at all your records relating to 7.3 viz. 7.3.2 Design and development inputs relating to product requirements 7.3.4 Results of design and development reviews and any necessary actions 7.3.5 Results of design and development verification and any necessary actions 7.3.6 Results of design and development validation and any necessary actions 7.3.7 Results of the review of design and development changes and any necessary actions Auditors should evaluate whether organizations have in place, and perform, activities for the review of such needs. Whilst it is not a requirement of the standard it is useful to review how the decision to proceed with design and development is taken,

i.e. have risks and cost implications been considered and have all relevant functions (internal or external) been consulted.

ISO 9004:2000 Clause 7.3.1

Top Management should ensure that the organization has defined, implemented and maintained the necessary design and development processes to respond effectively and efficiently to the needs and expectations of its customers and other interested parties.

When designing and developing products and processes, management should ensure that the organization is not only capable of considering their basic performance or function, but all factors that contribute to meeting the product and process performance expected by customers and other interested parties.

For example, the organization should consider life cycle, safety and health, testability, usability, user-friendliness, dependability, durability, ergonomics, the environment, product disposal and identified risks.

Management also has the responsibility to ensure that steps are taken to identify and mitigate potential risk to the users of the products and processes of the organization. Risk assessment should be undertaken to assess the potential for, and the effect of, possible failures or faults in products or processes. The results of the assessment should be used to define and implement preventive actions to mitigate the identified risks.

Examples of tools for risk assessment of design and development includeDesign fault modes and effects analysisFault tree analysisReliability predictionRelationship diagramsRanking techniquesSimulation techniquesInput is really a list of requirements from customers (either direct from customer or indirect through market studies), tempered by realities of budget, competition, capability, capacity, government regulation. Input:Customer wants a car that goes 250 mph, runs on regular gas, costs less than $100,000. Output: The design meeting these points:Can designers bring it in under budget? meet EPA regs? and actually build it?

The additional points of Bill of Materials, physical drawings, schematics, etc. are probably output resulting from input from customer and meeting regulations.

Other examples:

Input: - Test Market Evaluation - machine validation - Chemical Pharmacopoeia compliance testing on irradiated Device - Accelerated ageing study - Device functional evaluation - R&I test program - Sterilization validation program - product specification - Non-clinical study protocols - Stability protocol - validation plan - Test Program & test protocol - transport tets - GLP Study protocol - Material data sheets - Specifications Output: - reports from Design-Input items (= protocols) - bioburden - Validation report - Sterility tests & validation reports - QC/Batch release - Stability test reports - Release Certificates ISO 9004:2000 Clause 7.3.2

The organization should identify process inputs that affect the design and development of products and facilitate effective and efficient process performance in order to satisfy the needs and expectations of customers, and those of other interested parties. These external needs and expectations, coupled with those internal to the organization, should be suitable for translation into input requirements for the design and development processes.

Examples:a) External inputs such as:Customer or marketplace needs and expectationsNeeds and expectation of other interested partiesSuppliers contributionUser input to achieve robust design and developmentChanges in relevant statutory and regulatory requirementsInternational or national standards. AndIndustry codes of practiceb) Internal inputs such as:Policies and objectives,Needs and expectations of people in the organization, including those receiving the output of the processTechnological developmentsCompetence requirements for people performing design and development.Feedback information from past experienceRecords and data on existing processes and products, andOutputs from other processes

Operation, installation and applicationStorage , handling and deliveryPhysical parameters and the environment, andRequirements for disposal of the products.

Product-related inputs based on appreciation of the needs and expectations of end-users, as well as those of the direct customer, can be important. Such inputs should be formulated in a way that permits the product to be verified and validated effectively and efficiently.

The output should include information to enable verification and validation to planned requirements. Examples of the output of design and development include

Data demonstrating the comparison of process inputs to process outputs,Product specifications, including acceptance criteriaProcess specifications,Material specifications,Testing specifications,Training requirementsUser and consumer informationPurchase requirementsReports of qualification tests

Design and development outputs should be reviewed against inputs to provide objective evidence that outputs have effectively and efficiently met the requirements for the process and product.

Examples are :characteristics of the product that are essential for its safe and proper use are some wonderful things our legal system has brought us such as warning labels that are typically common sense like the shelf on step ladders that have the notice that says Do not step here. Other greats are the warning labels on lawn mowers telling you not to put your fingers under the deck while the mower is running; and the safety instruction on steam irons that tell you to remove clothing before ironing, whatever that means. Some examples of design outputs are: * Schematics * Drawings * Proposals, or statements of work (SOWs) as in the service * Organizations * Formulas * Prototypes or models (an example of a design output, but not a traditional record) Outputs should also include information that can allow verification and validation to planned requirements. Additional examples of the output of design and development may also be: * Data demonstrating the comparison of process inputs to process outputs, * Product specifications, including acceptance criteria, * Process specifications, * Material specifications, * Testing specifications, * Training requirements, * User and consumer information, * Purchase requirements, * Reports of qualification tests.

Design outputs are typically, but not limited to, informational documents such as engineering drawings, or specifications such as material or performance requirements. Normally the final product is not a design output, but a situation might occur where a product could be considered a design output. A product used as a color master, appearance standard or other type of master are possible examples.

You should specify in the output phase, any special requirements that your product may need in order to use it safely or adequately. Ex : any protection so that no one get hurt using it, warning signs on product, voltage requirements, child proof tops (medicine) etc... Top Management should ensure that appropriate people are assigned to manage and conduct systematic reviews to determine that design and development objectives are achieved. These reviews may be conducted at selected points in the design and development process as well as at completion.

Examples of topics for such reviews include:Adequacy of input to perform the design and development tasks,Progress of the planned design and development process,Meeting verification and validation goals,Evaluation of potential hazards or fault modes in product use,Life-cycle data on performance of the product,Control of changes and their effect during the design and development process,Identification and correction of problems,Opportunities for design and development process improvement, andPotential impact of the product to the environment.

At suitable stages, the organization should also undertake reviews of design and development outputs, as well as the processes, in order to satisfy the needs and expectations of customers and people within the organization who receive the process output. Consideration should also be given to the needs and expectations of other interested parties.

Design review is something we do periodically during the design process to make sure were on track. Is everything going as planned? Have any problems come up? Do we need to do something differently? The whole point of design review is to identify and remove roadblocks to successful design.

During design planning, we identified the various stages of the design. As part of this, we should have also determined the number and timing of the design reviews. Every design will have at least one design review, and complex or troublesome designs may require many more. People involved in design reviews must include the representatives from functions involved in that stage of the design. So, excluding a key player for the sake of convenience would be a problem. When conducting design reviews, make sure youre including the appropriate people. Design Reviews are formal (usually meetings) and cross-functional in nature and conducted at critical points during the design and development process (as defined by plan/schedule). Generally speaking, reviews are scheduled at strategic points in the process and involve things like transition criteria and progression to the next stage of the design process.

Typically, product designs are reviewed and the timing is (most effectively) associated with some other key development milestone(s), like the results of testing, 1st production run off, customer initial feedback, etc. These are often also linked with project reviews (which can be confused with design reviews) but are more about time/money etc. that a critical review of the design's ability to meet requirements.

Finally, design reviews always produce records. The record will indicate the results of the reviews and any necessary actions the design team decided to take. Design reviews could take the form of meeting minutes, memos, design files, emails, or other records.

The design review is more of a minutes of meeting identifying the points discussed, target and responsibility against those points and specifically, the suggestions accepted and rejected with a note for reasons for rejections.

Design and development review is,to evaluate the ability of the results of design and development to fulfill requirements,to identify any problems and propose necessary actions. ISO 9004:2000 Clause 7.3.3Examples of verification activities for output of the design and development process includeComparison of input requirements with the output of the processComparative methods, such as alternative design and development calculations,Evaluation against similar products,Testing simulations or trials to check compliance with specific input requirements, andEvaluation against lessons learned from past process experience, such as nonconformities and deficienciesDesign and Development Verification Verify to the provided specific requirements.

Design and development verification is to ensure that the design and development outputs have satisfied the design and development input requirements. Verification is where we compare the outputs against the inputs. Does the available evidence indicate that the design will meet our requirements? The verification could consist of calculations, simulations, prototype evaluation, lab tests, comparison against samples, first article inspection, or other methods. You must maintain records of design verification, and these will indicate the results of verifications and any actions necessary. The forms for the Design Verification is more of technical and depends on the product being designed. Further, since the purpose is to verify whether design outputs meet design input requirements, we need to record the results of verification and match with the design inputs. The form is therefore is to be prepared specific to the company. ISO 9004:2000 Clause 7.3.3Validation of the output of the design and development processes is important for the successful reception and use by the customers, suppliers, people in the organizations, and other interested parties.

Participation by the affected parties permits the actual users to evaluate the output by such means asValidation of engineering designs prior to construction, installation or application,Validation of software outputs prior to installation or use, andValidation of service prior to widespread introduction.

Partial validation of the design and development outputs may be necessary to provide confidence in their future application.

Sufficient data should be generated through verification and validation activities to enable design and development methods and decisions to be reviewed. The review of methods should includeProcess and product improvementUsability of outputAdequacy of process and review recordsFailure investigation activities, andFuture design and development process needs.Design and Development ValidationValidate to intended use or application. Design and development validation, to ensure that the resulting product is capable of fulfilling the requirements for the specified or known intended use or application. Validation is similar to verification, except this time were actually checking the designed product under conditions of actual use. So, if were designing dune buggies, we might take our creation for a spin on the beach. If were making beverages, we might conduct consumer taste tests. Verification is theoretical, but validation is the real world. Were required to conduct validation prior to delivery or implementation, if possible. Records of validation must be maintained. For many products and/or services, validation is relatively simple process. An example could be a new design of office furniture, which could be validated by the testing of prototypes, followed by testing of initial samples of the finished product. However, in many other situations, design validation will be more complex. For example, the products or components used in electric or electronic systems may have to comply with several performance requirements established by other system design organizations. In such a situation, design validation can only be completed by obtaining information about the performance of the products or components (preferably formal test results) from such system design organizations or by users of the products or components. Another example of a difficult situation is when design validation is performed by the client or some other external organization (e.g. for the confirmation of architectural and engineering designs). In such complex situations, the organization will need to seek agreement with the relevant external parties as to how design validation will be performed and the results communicated to and shared with it. In such a situation, provision should be incorporated into the organization's design and development planning for completing design validation in this manner.Auditors should ensure that:-there are records to confirm that the validations have been carried out;the validation was carried out in accordance with the planned arrangements for validation;the validation indicates that the resulting product is capable of meeting the requirements of the specification;wherever practical, the validation has been carried out prior to delivery or implementation; and that,there are records of any actions necessary to correct non-compliance with the design and development inputs and the reasons for these deviations.Where validation cannot be carried out prior to delivery or implementation, auditors should ensure that these activities are carried out at the earliest opportunity, such as when commissioning a complex plant or factory, and that this is communicated to the client. Auditors should determine that only validated design and development outputs have been submitted for customer use.Analysis and Conclusion:The decision made by the bank to exclude sub-clause 7.5.4 Customer property was not justified because the bank does receive information from its customers such as personal and confidential data. ISO 9001, 7.5.4 Customer property requires an organization to exercise care with customer property while it is under the organizations control or being used by the organization. And the note of sub-clause 7.5.4 Customer property, clearly indicates Customer property can include intellectual property and personal data. In this situation, the banks customers provide important information in confidence when using the service, which constitutes Customer property. Therefore the bank has to address the requirements for customer property in its QMS.Analysis and Conclusion:XYZ Electronics was justified with its decision to exclude sub-clause 7.3 Design and development from its QMS since it does not have any authority or accountability for design of the mobile phone product. Its customer provides the design.Analysis and Conclusions:This situation deals with the issue of claiming conformity to ISO 9001:2008 with the exclusion of sub-clause 7.3 Design and development because the regulatory authority does not require the fabricator to include design and development in its QMS.KMLs claims of conformity to ISO 9001:2008 are not justified, because design and development can impact the organizations ability to conform to customer requirements. Therefore, KML should not exclude sub-clause 7.3 Design and development, even if the regulatory body allows such exclusions.