Management system guidance
8.3 Design and development of products and services
ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.
Our range of templates cover the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offer an easy way to implement your next management system.
8.3.4 Design and development controls
This requirement is comparable to the requirements from ISO 9001:2008 Clauses 7.3.3, 7.3.4, 7.3.5 and 7.3.6. You should seek and record evidence that your organization has applied the necessary controls to its design and development process and has retained the following documented information:
- Defined outcomes including such as specifications, design intent, functional and performance requirements, customer/end user expectations;
- Design review process with functional representation from the customer, engineering, production, quality, project management etc.), design review gates (e.g. preliminary design review, detail design review, critical design review), commercial/technical considerations, authorized progression to next stage;
- Verification activities such as modelling, simulations, alternative calculations, comparison with other proven designs, experiments, tests, and specialist technical reviews;
- Validation activities such as functional testing, performance testing, trials, prototypes, demonstrations, and simulations;
- Management of actions arising from design reviews, verification or validation activities e.g. action registers, ownership, timescales, escalation, changes to risk profile.
Design controls, which may include; design validation, design verification, assurance gate reviews, design review, design checking, safety risk management, design risk management, Design Failure Mode Effects Analysis, value engineering and CAD management are an interrelated set of practices and procedures that are focused on managing the design of a product or service and are intended to reduce uncertainty until a detailed and solidified and approved design is reached.
As a system of checks and balances, design control activities make a systematic assessment of the design an integral part of product development. As a result, deficiencies in design input requirements, and discrepancies between the proposed designs and requirements, are made evident and corrected. If you need a procedure and forms to help control your business's design and development process, click here.
The essential quality aspects and the regulatory requirements, such as safety, performance, and dependability of a product (whether hardware, software, services, or processed materials) are established during the design and development phase. The controls referred to in the sections below can be incorporated into your design and management process.
Although various design controls are described, they are included for illustrative purposes only as there may be alternative ways that are better suited to a particular manufacturer or design activity. The use of these techniques must be proportional to the nature of the risks of the product or service.
Drawings should be prepared using computer aided design (CAD) software and should be undertaken in accordance with best practice methods. The production of digital models and drawings must be managed using document control and approval software which has the facility for the use of secure electronic signatures.
The process records the individuals who sign off each stage of the work flow and allow the design to proceed to the next stage of the process. The system controls who is allowed to authorise each stage, for example preparers, checkers and approvers will be restricted to people who, under the designer's competence management system, are competent to carry out that stage of the process.
As required, a work flow will be agreed with the Design Team and used to manage and record all stages of the CAD production process. CAD deliverables are monitored to ensure all stages of the process are recorded and auditable.
The primary aim for engineering design is to produce safe, economic and compliant designs that produce the Lowest Total Cost (LTC). Although engineering design costs are monitored and incentivised to be held to a minimum, value engineering will be focused on maximising the opportunities to reduce the LTC. Value Engineering (VE) will be conducted throughout the life cycle of the design project but it is recognised that early VE initiatives usually yield the greatest cost benefits.
Design Failure Mode Effects Analysis (DFMEA)
Design Failure Mode Effects Analysis (DFMEA) is an analysis technique which facilitates the identification of potential problems in the design by examining the effects of lower level failures, while providing an objective evaluation of design requirements and design alternatives.
Starting early in the design process, the Engineering Manager is usually responsible for completing the design failure mode effects analysis DFMEA before the time preliminary drawings are done, and before any tooling requirements are specified, in order to:
- Analyze hardware, functions, and products before they are released to production;
- Identify potential failure modes of products (system, subsystem, and component levels) caused by design deficiencies;
- Provide an initial design for manufacturing and assembly requirements;
- Increase the probability that potential failure modes and their effects have been considered in the design and development process;
- Provide additional information to help plan thorough and efficient test programs;
- Develop a list of potential failure modes ranked according to their effect on the customer;
- Establish a priority system for design improvements;
- Provide an open issue format for recommending and tracking risk reducing actions;
- Provide future reference to aid in analyzing field concerns;
- Report risk analysis and DFMEA results at Design Reviews.
Design risk management
Design risk management begins with the development of the design input requirements. As the design evolves, new risks may become evident. To systematically identify and, when necessary, reduce these risks, the risk management process is integrated into the design process.
In this way, unacceptable risks can be identified and managed earlier in the design process when changes are easier to make and less costly. Elements of a risk assessment include but are not limited to the following;
- Quality performance (past and current);
- Required approvals;
- Customer satisfaction;
- Human resources;
- Improvement activities;
- Manufacturing capability and capacity;
- Supplier make/buy decisions and supplier control;
- Design capability and capacity;
- Special processes;
- Design complexity;
- Manufacturing complexity.
The Design Manager should be responsible for implementing regular design risk reviews and for capturing its output in order to ensure that all functional requirements are included and evaluated. The Design Manager should ensure that the design risk analysis reflects the latest configuration of the design solution and that design risk analysis is continually managed and updated with each design modification. All identified risks should be summarized for risk mitigation, communication and knowledge sharing.
Safety risk management
The legal obligation to produce designs that are safe to manufacture, operate and maintain is embedded into the design processes. The design process should contain appropriate checks and reviews to ensure that the Design Team discharge their responsibilities and produce deliverables that comply with the relevant design standards. Safety in design is provided through the following key aspects:
- Controlling the level of individual technical competence;
- Defining the processes that establish the framework for the elimination of hazards and mitigation of risks within the design and at interfaces;
- Ensuring that the design satisfies the project requirements.
The Design Team is required to eliminate hazards where possible and to reduce construction, operation and maintenance risks in the final design. It is recognised that the risk profile changes as the design proceeds but the overriding obligation is to reduce the risks to an acceptable minimum. The Design Team are required to:
- Carry out Designer’s Risk Assessment;
- Reduce safety risks to be a tolerable ALARP for all parties;
- Reduce the commercial impact of risk to acceptable levels whilst remaining within the Law; and
- Know what the risks are at any point in time.
Tools and techniques
The appropriate tools and techniques used by competent personnel and are applied to meet the needs of the unique product or process being designed.
The Engineering Manager is responsible for providing a design, which is producible, verifiable, and controllable under the specified production, installation, and operational conditions. Project management tools and methodologies are used to manage the development process in order to deliver timely, profitable solutions.
All software that is used in calculations and other design and development activities should be validated, verified and approved. Software developed in-house is validated and approved prior to release. Software documentation includes validation specifications approved by the Engineering Manager and validation records attesting to acceptable performance.
Standard and/or commercial CAD and calculation modelling software can be accepted without validation. Software that has been successfully used in design and development prior and has proven to demonstrate successful performance for at least one year may be used without validation testing.
All spreadsheets should be validated by manual calculation or alternative analysis methods and records of the process are provided as part of the design submission. When setting up a new Excel spreadsheet for calculations, the following good practices reduce the risk of accidental modifications of the template and erroneous data input:
- All calculating cells shall be locked (Format Cells > Protection > Locked) in order to protect cells containing calculations against unintended modification, except those used for data input;
- Data validation rules (Data tab > Data Validation) can be applied to data input cells to prevent the introduction of aberrant values;
- Input messages and Error alert messages should be used to inform the end user of the expected data type and acceptable range;
- Cells used for presenting the results of the calculations (output) can be identified by a specific colour. When the results are tested against acceptance criteria it is recommended using conditional formatting (Home tab > Conditional Formatting) to highlight out-of-specifications results;
- The name of the operator responsible for data entry, and the date and time of data entry should be recorded in dedicated input cells or the spreadsheet is printed, signed and dated after calculation;
- Password protection is recommended for all cells containing calculations (Review tab > Protect Sheet), with only the default options checked;
- The same password should be used for all sheets and can be documented in the validation file;
- After protecting each sheet, the workbook structure should also be password protected (Review tab > Protect Workbook). The same password can be used as the one for sheet protection.
The name of the spreadsheet, unique identification, localisation, and the person responsible for the spreadsheet are documented. The records should also include verification, regular verification and other issues such as updates or any problem encountered. Verification is completed after installation and recorded.
All design and development output documentation must be reviewed and checked by competent and skilled personnel, and approved by the Engineering Manager prior to release. To provide technical assurance, all designs follow the ‘Prepare’, ‘Check’, and ‘Approve’ process, evidenced by the signatures of competent individuals.
The Design Manager should arrange for a design category check to be carried out that is proportionate to the level of risk. The design category checks include a review of the design concepts and assessments in order to critically consider whether the base parameters are valid. The levels of checking are as follows:
- Category I (1) - Designs may be checked in the same group as that which prepared the design but by a person other than the designer;
- Category II (2) - Designs may be checked in the Designer’s office by a separate group, which has not been involved in the original design, or by an approved outside organization;
- Category III (3) - Designs will be checked by an independent engineering organization. A Category III check is applicable for complex or unusual designs.
The Checkers are required to undertake a review of the CDS to confirm that the approach is reasonable. The Checker shouldl also consider the safety and practicability, and the proper functioning of the proposed design. For Category II (2) and III (3) Checks an independent set of design calculations must be prepared. The check also includes an independent technical assessment to determine and confirm design parameters.
Design reviews should be carried out after the initial concept stage and again after the detailed design stage and finally, before the design is released. The design review function is carried out at various stages of the design process in order to check that the design solution is in accordance with the original design inputs and objectives and includes identification of concerns, issues and potential problems with the design.
Design review meetings should be held at pre-defined points during the development process, with reviews held on an as-needed basis, depending upon the complexity of the design. Participants of design review meetings are competent to evaluate the design stage and discipline under review to permit them to examine the design and its implications.
The Design Manager should ensure that design reviews are carried out in accordance with the Design Management Plan when the design has progressed by 20%, 60% and 100%. A cross functional, multidisciplinary team (including at least one individual who does not have direct responsibility for the design stage under review) undertake a documented, comprehensive, systematic examination of the design to evaluate its adequacy, to determines the capability of the design to meet the requirements, and to identify problems, whilst ensuring that:
- The input for the Design Reviews is captured from all stakeholders;
- All open actions from previous Design Reviews are tracked through to closure;
- All areas of concern are highlighted for further discussion and risk mitigation;
- All design reviews are documented and shared with stakeholders in a timely manner.
The following elements are considered during design reviews:
- Customer needs and expectations versus technical specifications;
- Ability to perform under expected conditions of use and environment;
- Safety and potential liability during unintended use and misuse;
- Safety and environmental considerations;
- Compliance with applicable regulatory requirements, national, and international standards;
- Comparison with similar designs for analysis of previous quality problems and possible recurrence;
- Reliability, serviceability, and maintainability;
- Product acceptance/rejection criteria, aesthetic specifications and acceptance criteria;
- Ease of assembly, installation, and safety factors;
- Packaging, handling, storage, shelf life, and disposability;
- Failure modes and effects analysis;
- Ability to diagnose and correct problems;
- Identification, warnings, labelling, traceability, and user instructions;
- Manufacturability, including special processes;
- Capability to inspect and test;
- Materials and components specifications;
- Review and use of standard parts.
The reviewers are responsible for raising any comments, while the Design Manager should be responsible for capturing comments using the Design Review Meeting Minutes. Conclusions drawn during design reviews are considered and implemented as appropriate. Not all identified concerns result in corrective actions, the Engineering Manager should decide whether the issue is relevant, or the issue is erroneous or immaterial.
In most cases, however, resolution involves a design change, a change in requirements, or a combination of the two. Records of design review meetings are retained and identify those present at the meeting and the decisions reached.
Single-consultant Design Review (SDR)
The Single-consultant Design Review (SDR) is a presentation of the design to relevant stakeholders. These reviews are carried out by the Design Manager when the design has progressed by 20%, 60% and 100%. The purpose of the review is to present evidence at each of these stages to confirm that the design is compliant with the standards and requirements defined in the Conceptual Design Statement.
The reviewers are responsible for raising any comments, while the Design Manager should be responsible for capturing comments using the Design Review Meeting Minutes, and referencing the document upon which they are commenting along with their name. If a reviewer cannot attend a session it is their responsibility to ensure adequate cover or to issue their comments the Design Manager for inclusion.
The minutes of SDR meetings are recorded. Meeting minutes include a detailed listing of all the documents that have provided the basis of the review. Issues raised may be addressed in the following design stage.
Any outstanding issues are recorded in the Design Issues Log (or similar), presented at the Assurance Gate Review meeting as issues for the next design stage and subsequently confirmed as being closed out at the subsequent Gate.
Inter-consultant Design Review (IDR)
The Inter-consultant Design Review (IDR) is a presentation of the design of a work package or packages to interfacing Design Teams. These are carried out by the Design Manager when the design has progressed by 20%, 60% and 100%. Its primary purpose is to seek evidence that all interfaces have been agreed and that the design integrates to deliver the requirements.
At each IDR an Inter-consultant Design Review Certificate is produced to evidence that all interfacing Design Teams are satisfied with the design under consideration. It should be signed by accepted representatives of the interfacing Design Teams and contain a list of any actions required to close out any exceptions raised but not deemed a bar to acceptance.
The reviewers are responsible for issuing any comments in writing using the Design Review Meeting Minutes, and referencing the document upon which they are commenting along with their name. If a reviewer cannot attend a session it is their responsibility to ensure adequate cover. The minutes of IDR meetings are recorded and include a detailed listing of all the documents that have provided the basis of the review. Issues raised may be addressed in the following design stage.
Any outstanding issues are recorded in the Design Issues Log (or similar), presented at the Assurance Gate Review Meeting as issues for the next design stage and subsequently confirmed as being closed out at the subsequent Gate. Other instances of design reviews may be required when the Engineering Manager has identified significant design change that requires a review to revalidate the design.
Assurance gate reviews
The Assurance Gate Reviews 1 to 3 are the primary control mechanism that provides progressive assurance when evidence is reviewed at defined stages to confirm that the designs produced meet the design project’s objectives, requirements, obligations and that the risks associated with the engineering are identified and fully understood.
- Gate 1 - (Initial concept (20% complete) The details will be outline only but will define the character, limit and form of manufacture, fabrication or construction.
- Gate 2 – (Functional design (60% complete) At this stage the design has progressed to an intermediate position (progress check at 60% complete) This Gate is a check point at about the mid-point between Gate 1 and the final design. At the outset of a design project, the target deliverables at Gate 2 are clearly defined so that it provides an interim way point to confirm progress.
- Gate 3 – (Detailed design ready for manufacture, fabrication or construction (100% complete) At this stage the design is complete and ready to be issued for manufacture, fabrication, or construction. Design details are finalised and fully integrated with other interfaces.
The purpose of the Assurance Gate Review process is to provide progressive assurance during the design stage that the objectives of the design intent can be achieved and that the design can progress successfully to the next stage.
The next stage of the design process can only proceed when the Assurance Gate Review is successfully passed.
If the evidence submitted at the Assurance Gate Review demonstrates that the design meets the objectives, it will be approved. If the Gate Review Panel decides that the submitted deliverables fall short of the requirements, the design will not pass through the Assurance Gate Review and is therefore prevented from proceeding to the next stage.
The Gate Review Panel also known as the ‘Approval Authority’ has the responsibility to make the appropriate decision at each Assurance Gate Review. The Gate Review Panel is a multi-discipline committee formed of members from various departments and stakeholders throughout the organization.
The Gate Review Panel members should be selected based on perceived risks, applicable regulatory or legal requirements, technical complexity, financial repercussions and criticality of the product. Department representation should include: Quality, Manufacturing, Engineering, Sales, Planning, Purchasing, Business Development, Contract, Legal, or others as deemed necessary.
Formal, documented design and development Assurance Gate Reviews should be held at appropriate stages of the design and development cycle and include representatives from all concerned functions and stakeholders. Each Assurance Gate Review focuses on assessing whether the design deliverables meet all the objectives and appropriate criteria.
The minimum approval criteria used for determining whether the design meets the intent are set out below. In addition to these minimum requirements, the Engineering Manager may specify further criteria at the outset of each design stage. The Gate Review Panel is responsible for managing the Gates Review process thereby ensuring that:
- The design progress and the design status has successfully reached a stage of development appropriate to the Gate being assessed;
- Cost and programme issues have been agreed and align with budget constraints;
- The assurance evidence presented to the panel is sufficient to support the Gate requirements;
- The risks are either designed out, have appropriate mitigation or have been clearly identified and agreed that they can proceed to the next stage;
- All the necessary deliverables and other legal have been identified, complied with and that the design is compliant with any including undertakings and assurances;
- At the conclusion of the Gate Review Panel and the Gates Chair Person a shall confer, taking full account of the views of the other Panel Members, and decide whether or not the design submission and presentation meets the Assurance Gate Review objectives and consequently can be given a pass or is prevented from passing the Gate.
- If the Gates Chair Person decides that missing deliverables or evidence do not impact on the ability of the project to proceed, then a conditional pass may be given, subject to the remaining deliverables being completed within a specified time.
- The conditions and timescales are conveyed to the Design Manager at the Review;
- Where conditions are raised that are potentially of a significant risk, consideration shall be given to inclusion of the conditions;
- The Gate Review Panel’s findings and decisions are recorded, together with any supporting data.
The Design Review Meeting Minutes should capture the results of the Gate Review Panel’s review. It serves as a record of the review and summarises the findings. The key aspects of the report are recording the evidence presented to satisfy the approval criteria and using this to support the decision regarding pass or resubmission.
It is the Design Manager’s responsibility to assemble and present to the Gate Review Panel sufficient evidence, see table of deliverables below, when the design has progressed to 20%, 60% and 100%, to enable the Gate Review Panel to discharge their duties. Key design deliverables that are associated with the Assurance Gate Review are provided to the Gate Review Panel at least 5 working days prior to the scheduled review date
Design verification is confirmation by examination and provision of objective evidence that the specified input requirements have been fulfilled. Any approach which establishes conformance with a design input requirement is an acceptable means of verifying the design with respect to that requirement.
Complex designs require more and different types of verification activities. The nature of verification activities varies according to the type of design output. Design verification is carried out to check that the outputs from each design phase meet the stated requirements for the phase.
Requirements traceability verification is undertaken to ensure that the design fulfils the design concept, while expressing the necessary functional and technical requirements. This process verified throughout the Assurance Gate Reviews. In most cases, verification activities are completed prior to each design review, and the verification results are submitted to the reviewers along with the other design deliverables to be reviewed.
The results of the design verification, including identification of the design, method(s), the date, and the individual(s) performing the verification, shall be documented and retained.
Design validation is similar to verification, except this time you should check the designed product under conditions of actual use. If you are designing dune buggies, you might take your creation for a spin on the beach. If you are making beverages, you might conduct a consumer taste test. Verification is a documentary review; while validation is a real-world test. Perform design and development validation by ensuring the product meets the specified requirements. Maintain records of validation activities and approvals.
Design validation follows successful verification, and ensures, by examination and provision of objective evidence, that each requirement for a particular use is fulfilled. The performance characteristics that are to be assessed are identified, and validation methods and acceptance criteria are established.
At the commencement of the design project, the requirements received from the previous design phase form the initial baseline. During design reviews, the requirements are considered to ensure that the right requirements and any assumptions have been captured, to identify missing requirements and ensure that the design intent will meet those requirements.
The results of the design validation, including identification of the design, method(s), the date, and the individual(s) performing the validation, shoul be documented and retained. The organization shall have records that the product designed will meet defined user needs prior to delivery of the product to the customer, as appropriate.
Methods of validation could include simulation techniques, proto-type build and evaluation, comparison to similar proven designs, beta testing, field evaluations, etc. Irrespective of the methods used, the validation activity should be planned, executed with records maintained as defined in the planning activity.
Retain documented information to demonstrate that the any test plans and test procedures have been observed, and that their criteria have been met, and that the design meets the specified requirements for all identified operational conditions e.g. reports, calculations, test results, data, and reviews.
More information on PDCA
Monitoring, measurement, analysis and evaluation
Want to know more?
- Read our customer's feedback
- Client list - who's using our templates?
- How the templates are formatted and download examples
- Why we use turtle diagrams and process maps
- What's the difference between a process and a procedure?
- About documented information
A certificate guarantees the information your internet browser is receiving now originates from the expected domain - https://www.iso9001help.co.uk. It guarantees that when you make a purchase, sensitive data is encrypted and sent to the right place, and not to a malicious third-party.
Free PDCA guidance
ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates that get you on the road to documenting your management system, please visit the download page.