AS9100D Internal Audit Tool from NSF-ISR

Disclaimer: To provide our clients with an optional tool for use in their respective internal audit
process. This tool is intended to be a supplement to an already robust IA program and not to be
used as a replacement for such a program. This checklist, by itself, does not meet all of the
AS9100D requirements for an effective internal audit program.
This tool can be used to gather objective evidence during the audit process and to ensure a
complete review of the elements associated with the organization’s process-based audit program.
Organizations may copy this information into their own format, as it makes sense for their business
needs.
For additional tools and resources on the AS9100D transition, visit www.nsf.org/info/iso-updates.

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 1
 9100D Conf. /
Line Clause Evidence
Clause NCR
The organization shall determine external and
internal issues that are relevant to its purpose
1 4.1 and its strategic direction and that affect its ability
to achieve the intended result(s) of its quality
management system.
The organization shall monitor and review
2 4.1 information about these external and internal
issues.
NOTE 1: Issues can include positive and negative
3 4.1 factors or conditions for consideration.
NOTE 2: Understanding the external context can
be facilitated by considering issues arising from
4 4.1 legal, technological, competitive, market, cultural,
social, and economic environments, whether
international, national, regional, or local.
NOTE 3: Understanding the internal context can
be facilitated by considering issues related to
5 4.1 values, culture, knowledge, and performance of
the organization.
Due to their effect or potential effect on the
organization’s ability to consistently provide
products and services that meet customer and
6 4.2 applicable statutory and regulatory requirements,
the organization shall determine:
a. the interested parties that are relevant to the
quality management system;
Due to their effect or potential effect on the
organization’s ability to consistently provide
products and services that meet customer and
applicable statutory and regulatory requirements,
7 4.2 the organization shall determine:
b. the requirements of these interested parties
that are relevant to the quality management
system.
The organization shall monitor and review
8 4.2 information about these interested parties and
their relevant requirements.
The organization shall determine the boundaries
9 4.3 and applicability of the quality management
system to establish its scope.
When determining this scope, the organization
shall consider:
10 4.3 a. the external and internal issues referred to in
4.1;
When determining this scope, the organization
shall consider:
11 4.3 b. the requirements of relevant interested parties
referred to in 4.2;
When determining this scope, the organization
12 4.3 shall consider:
c. the products and services of the organization.
The organization shall apply all the requirements
of this International Standard if they are
13 4.3 applicable within the determined scope of its
quality management system.
The scope of the organization’s quality
14 4.3 management system shall be available and be
maintained as documented information.
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 2
 9100D Conf. /
Line Clause Evidence
Clause NCR
The scope shall state the types of products and
services covered, and provide justification for any
15 4.3 requirement of this International Standard that
the organization determines is not applicable to
the scope of its quality management system.
Conformity to this International Standard may
only be claimed if the requirements determined
as not being applicable do not affect the
16 4.3 organization’s ability or responsibility to ensure
the conformity of its products and services and
the enhancement of customer satisfaction.
The organization shall establish, implement,
maintain, and continually improve a quality
17 4.4.1 management system, including the processes
needed and their interactions, in accordance with
the requirements of this International Standard.
The organization’s quality management system
shall also address customer and applicable
18 4.4.1 statutory and regulatory quality management
system requirements.
The organization shall determine the processes
needed for the quality management system and
19 4.4.1 their application throughout the organization,
and
The organization...shall:
20 4.4.1 a. determine the inputs required and the outputs
expected from these processes;
The organization...shall:
21 4.4.1 b. determine the sequence and interaction of
these processes;
The organization...shall:
c. determine and apply the criteria and methods
(including monitoring, measurements and related
22 4.4.1 performance indicators) needed to ensure the
effective operation and control of these
processes;
The organization...shall:
23 4.4.1 d. determine the resources needed for these
processes and ensure their availability;
The organization...shall:
24 4.4.1 e. assign the responsibilities and authorities for
these processes;
The organization...shall:
f. address the risks and opportunities as
25 4.4.1 determined in accordance with the requirements
of 6.1;
The organization...shall:
g. evaluate these processes and implement any
26 4.4.1 changes needed to ensure that these processes
achieve their intended results;
The organization...shall:
27 4.4.1 h. improve the processes and the quality
management system.
To the extent necessary, the organization shall:
28 4.4.2 a. maintain documented information to support
the operation of its processes;
To the extent necessary, the organization shall:
b. retain documented information to have
29 4.4.2 confidence that the processes are being carried
out as planned.
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 3
 9100D Conf. /
Line Clause Evidence
Clause NCR
The organization shall establish and maintain
documented information that includes:
30 4.4.2 − a general description of relevant interested
parties (see 4.2 a);
The organization shall establish and maintain
documented information that includes:
31 4.4.2 − the scope of the quality management system,
including boundaries and applicability (see 4.3);
The organization shall establish and maintain
documented information that includes:
32 4.4.2 − a description of the processes needed for the
quality management system and their application
throughout the organization;
The organization shall establish and maintain
documented information that includes:
33 4.4.2 − the sequence and interaction of these
processes;
The organization shall establish and maintain
documented information that includes:
34 4.4.2 − assignment of the responsibilities and
authorities for these processes.
NOTE: The above description of the quality
management system can be compiled into a
35 4.4.2 single source of documented information and
referred to as a quality manual.
Top management shall demonstrate leadership
and commitment with respect to the quality
36 5.1.1 management system by:
a. taking accountability for the effectiveness of
the quality management system;
Top management shall demonstrate leadership
and commitment with respect to the quality
management system by:
b. ensuring that the quality policy and quality
37 5.1.1 objectives are established for the quality
management system and are compatible with the
context and strategic direction of the
organization;
Top management shall demonstrate leadership
and commitment with respect to the quality
management system by:
38 5.1.1 c. ensuring the integration of the quality
management system requirements into the
organization’s business processes;
Top management shall demonstrate leadership
and commitment with respect to the quality
39 5.1.1 management system by:
d. promoting the use of the process approach and
risk-based thinking;
Top management shall demonstrate leadership
and commitment with respect to the quality
40 5.1.1 management system by:
e. ensuring that the resources needed for the
quality management system are available;
Top management shall demonstrate leadership
and commitment with respect to the quality
management system by:
41 5.1.1 f. communicating the importance of effective
quality management and of conforming to the
quality management system requirements;

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 4
 9100D Conf. /
Line Clause Evidence
Clause NCR
Top management shall demonstrate leadership
and commitment with respect to the quality
42 5.1.1 management system by:
g. ensuring that the quality management system
achieves its intended results;
Top management shall demonstrate leadership
and commitment with respect to the quality
management system by:
43 5.1.1 h. engaging, directing, and supporting persons to
contribute to the effectiveness of the quality
management system;
Top management shall demonstrate leadership
and commitment with respect to the quality
44 5.1.1 management system by:
i. promoting improvement;
Top management shall demonstrate leadership
and commitment with respect to the quality
management system by:
45 5.1.1 j. supporting other relevant management roles to
demonstrate their leadership as it applies to their
areas of responsibility.
NOTE: Reference to “business” in this
International Standard can be interpreted broadly
to mean those activities that are core to the
46 5.1.1 purposes of the organization’s existence, whether
the organization is public, private, for profit, or
not for profit.
Top management shall demonstrate leadership
and commitment with respect to customer focus
by ensuring that:
47 5.1.2 a. customer and applicable statutory and
regulatory requirements are determined,
understood, and consistently met;
Top management shall demonstrate leadership
and commitment with respect to customer focus
by ensuring that:
48 5.1.2 b. the risks and opportunities that can affect
conformity of products and services and the
ability to enhance customer satisfaction are
determined and addressed;
Top management shall demonstrate leadership
and commitment with respect to customer focus
49 5.1.2 by ensuring that:
c. the focus on enhancing customer satisfaction is
maintained;
Top management shall demonstrate leadership
and commitment with respect to customer focus
by ensuring that:
50 5.1.2 d. product and service conformity and on-time
delivery performance are measured and
appropriate action is taken if planned results are
not, or will not be, achieved.
Top management shall establish, implement, and
maintain a quality policy that:
51 5.2.1 a. is appropriate to the purpose and context of
the organization and supports its strategic
direction;
52 5.2.1 Top management shall establish, implement, and
maintain a quality policy that:
b. provides a framework for setting quality

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 5
 9100D Conf. /
Line Clause Evidence
Clause NCR
objectives;
Top management shall establish, implement, and
maintain a quality policy that:
53 5.2.1 c. includes a commitment to satisfy applicable
requirements;
Top management shall establish, implement, and
maintain a quality policy that:
54 5.2.1 d. includes a commitment to continual
improvement of the quality management system.
The quality policy shall:
55 5.2.2 a. be available and maintained as documented
information;
The quality policy shall:
56 5.2.2 b. be communicated, understood, and applied
within the organization;
The quality policy shall:
57 5.2.2 c. be available to relevant interested parties, as
appropriate.
Top management shall ensure that the
responsibilities and authorities for relevant roles
58 5.3 are assigned, communicated, and understood
within the organization.
Top management shall assign the responsibility
and authority for:
59 5.3 a. ensuring that the quality management system
conforms to the requirements of this
International Standard;
Top management shall assign the responsibility
and authority for:
60 5.3 b. ensuring that the processes are delivering their
intended outputs;
Top management shall assign the responsibility
and authority for:
c. reporting on the performance of the quality
61 5.3 management system and on opportunities for
improvement (see 10.1), in particular to top
management;
Top management shall assign the responsibility
and authority for:
c. reporting on the performance of the quality
62 5.3 management system and on opportunities for
improvement (see 10.1), in particular to top
management;
Top management shall assign the responsibility
and authority for:
e. ensuring that the integrity of the quality
63 5.3 management system is maintained when changes
to the quality management system are planned
and implemented.
Top management shall appoint a specific member
64 5.3 of the organization’s management, identified as
the management representative…
...who shall have the responsibility and authority
65 5.3 for oversight of the above requirements
The management representative shall have the
organizational freedom and unrestricted access to
66 5.3 top management to resolve quality management
issues.
67 5.3 NOTE: The responsibility of a management
representative can include liaison with external
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 6
 9100D Conf. /
Line Clause Evidence
Clause NCR
parties on matters relating to the quality
management system.
When planning for the quality management
system, the organization shall consider the issues
referred to in 4.1 and the requirements referred
68 6.1.1 to in 4.2 and determine the risks and
opportunities that need to be addressed to:
a. give assurance that the quality management
system can achieve its intended result(s);
When planning for the quality management
system, the organization shall consider the issues
referred to in 4.1 and the requirements referred
69 6.1.1 to in 4.2 and determine the risks and
opportunities that need to be addressed to:
b. enhance desirable effects;
When planning for the quality management
system, the organization shall consider the issues
referred to in 4.1 and the requirements referred
70 6.1.1 to in 4.2 and determine the risks and
opportunities that need to be addressed to:
c. prevent, or reduce, undesired effects;
When planning for the quality management
system, the organization shall consider the issues
referred to in 4.1 and the requirements referred
71 6.1.1 to in 4.2 and determine the risks and
opportunities that need to be addressed to:
d. achieve improvement.
The organization shall plan:
72 6.1.2 a. actions to address these risks and
opportunities;
The organization shall plan:
b. how to:
73 6.1.2 1. integrate and implement the actions into its
quality management system processes (see 4.4);
2. Evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities
74 6.1.2 shall be proportionate to the potential impact on
the conformity of products and services.
NOTE 1: Options to address risks can include
avoiding risk, taking risk in order to pursue an
75 6.1.2 opportunity, eliminating the risk source, changing
the likelihood or consequences, sharing the risk,
or retaining risk by informed decision.
NOTE 2: Opportunities can lead to the adoption
of new practices, launching new products,
opening new markets, addressing new customers,
76 6.1.2 building partnerships, using new technology and
other desirable and viable possibilities to address
the organization’s or its customers’ needs.
The organization shall establish quality objectives
77 6.2.1 at relevant functions, levels, and processes
needed for the quality management system.
The quality objectives shall:
78 6.2.1 a. be consistent with the quality policy;
The quality objectives shall:
79 6.2.1 b. be measurable;
The quality objectives shall:
80 6.2.1 b. be measurable;
The quality objectives shall:
81 6.2.1 c. take into account applicable requirements;
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 7
 9100D Conf. /
Line Clause Evidence
Clause NCR
The quality objectives shall:
d. be relevant to conformity of products and
82 6.2.1 services and to enhancement of customer
satisfaction;
The quality objectives shall:
83 6.2.1 e. be monitored;
The quality objectives shall:
84 6.2.1 f. be communicated;
The quality objectives shall:
85 6.2.1 g. be updated, as appropriate.
The organization shall maintain documented
86 6.2.1 information on the quality objectives.
When planning how to achieve its quality
87 6.2.2 objectives, the organization shall determine:
a. what will be done;
When planning how to achieve its quality
88 6.2.2 objectives, the organization shall determine:
b. what resources will be required;
When planning how to achieve its quality
89 6.2.2 objectives, the organization shall determine:
c. who will be responsible;
When planning how to achieve its quality
90 6.2.2 objectives, the organization shall determine:
d. when it will be completed;
When planning how to achieve its quality
91 6.2.2 objectives, the organization shall determine:
e. how the results will be evaluated.
When the organization determines the need for
changes to the quality management system, the
92 6.3 changes shall be carried out in a planned manner
(see 4.4).
The organization shall consider:
93 6.3 a. the purpose of the changes and their potential
consequences;
The organization shall consider:
94 6.3 b. the integrity of the quality management
system;
The organization shall consider:
95 6.3 c. the availability of resources;
The organization shall consider:
96 6.3 d. the allocation or reallocation of responsibilities
and authorities.
The organization shall determine and provide the
resources needed for the establishment,
97 7.1.1 implementation, maintenance, and continual
improvement of the quality management system.
The organization shall consider:
98 7.1.1 a. the capabilities of, and constraints on, existing
internal resources;
The organization shall consider:
99 7.1.1 b. what needs to be obtained from external
providers.
The organization shall determine and provide the
persons necessary for the effective
100 7.1.2 implementation of its quality management
system and for the operation and control of its
processes.
101 7.1.3 The organization shall determine, provide, and
maintain the infrastructure necessary for the
operation of its processes and to achieve
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 8
 9100D Conf. /
Line Clause Evidence
Clause NCR
conformity of products and services.
NOTE: Infrastructure can include:
a. buildings and associated utilities;
102 7.1.3 b. equipment, including hardware and software;
c. transportation resources;
d. information and communication technology.
The organization shall determine, provide, and
maintain the environment necessary for the
103 7.1.4 operation of its processes and to achieve
conformity of products and services.
NOTE: A suitable environment can be a
combination of human and physical factors, such
as:
a. social (e.g., non-discriminatory, calm, non-
104 7.1.4 confrontational);
b. psychological (e.g., stress-reducing, burnout
prevention, emotionally protective);
c. physical (e.g., temperature, heat, humidity,
light, airflow, hygiene, noise).
These factors can differ substantially depending
105 7.1.4 on the products and services provided.
The organization shall determine and provide the
resources needed to ensure valid and reliable
106 7.1.5.1 results when monitoring or measuring is used to
verify the conformity of products and services to
requirements.
The organization shall ensure that the resources
provided:
107 7.1.5.1 a. are suitable for the specific type of monitoring
and measurement activities being undertaken;
The organization shall ensure that the resources
provided:
108 7.1.5.1 b. are maintained to ensure their continuing
fitness for their purpose.
The organization shall retain appropriate
documented information as evidence of fitness
109 7.1.5.1 for purpose of the monitoring and measurement
resources.
When measurement traceability is a requirement,
or is considered by the organization to be an
essential part of providing confidence in the
validity of measurement results, measuring
110 7.1.5.2 equipment shall be:
a. calibrated or verified, or both, at specified
intervals, or prior to use, against measurement
standards traceable to international or national
measurement standards;...
When measurement traceability is a requirement,
or is considered by the organization to be an
essential part of providing confidence in the
validity of measurement results, measuring
111 7.1.5.2 equipment shall be:
a. ...when no such standards exist, the basis used
for calibration or verification shall be retained as
documented information;
112 7.1.5.2 When measurement traceability is a requirement,
or is considered by the organization to be an
essential part of providing confidence in the
validity of measurement results, measuring
equipment shall be:

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 9
 9100D Conf. /
Line Clause Evidence
Clause NCR
b. identified in order to determine their status;
When measurement traceability is a requirement,
or is considered by the organization to be an
essential part of providing confidence in the
validity of measurement results, measuring
113 7.1.5.2 equipment shall be:
c. safeguarded from adjustments, damage, or
deterioration that would invalidate the calibration
status and subsequent measurement results.
The organization shall establish, implement, and
maintain a process for the recall of monitoring
114 7.1.5.2 and measuring equipment requiring calibration or
verification.
The organization shall maintain a register of the
115 7.1.5.2 monitoring and measuring equipment.
The register shall include the equipment type,
unique identification, location, and the calibration
116 7.1.5.2 or verification method, frequency, and
acceptance criteria.
NOTE: Monitoring and measuring equipment can
include, but are not limited to: test hardware, test
software, automated test equipment (ATE), and
117 7.1.5.2 plotters used to produce verification data. It also
includes personally owned and customer supplied
equipment used to provide evidence of product
and service conformity.
Calibration or verification of monitoring and
118 7.1.5.2 measuring equipment shall be carried out under
suitable environmental conditions (see 7.1.4).
The organization shall determine if the validity of
previous measurement results has been adversely
119 7.1.5.2 affected when measuring equipment is found to
be unfit for its intended purpose,
120 7.1.5.2 And shall take appropriate action as necessary.
The organization shall determine the knowledge
121 7.1.6 necessary for the operation of its processes and
to achieve conformity of products and services.
This knowledge shall be maintained and be made
122 7.1.6 available to the extent necessary.
When addressing changing needs and trends, the
organization shall consider its current knowledge
123 7.1.6 and determine how to acquire or access any
necessary additional knowledge and required
updates.
NOTE 1: Organizational knowledge is knowledge
specific to the organization; it is generally gained
124 7.1.6 by experience. It is information that is used and
shared to achieve the organization’s objectives.
NOTE 2: Organizational knowledge can be based
on:
a. internal sources (e.g., intellectual property;
knowledge gained from experience; lessons
learned from failures and successful projects;
125 7.1.6 capturing and sharing undocumented knowledge
and experience; the results of improvements in
processes, products and services);
b. external sources (e.g., standards; academia;
conferences; gathering knowledge from
customers or external providers).
126 7.2 The organization shall:
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 10
 9100D Conf. /
Line Clause Evidence
Clause NCR
a. determine the necessary competence of
person(s) doing work under its control that affects
the performance and effectiveness of the quality
management system;
The organization shall:
b. ensure that these persons are competent on
127 7.2 the basis of appropriate education, training, or
experience;
The organization shall:
c. where applicable, take actions to acquire the
128 7.2 necessary competence, and evaluate the
effectiveness of the actions taken;
The organization shall:
129 7.2 d. retain appropriate documented information as
evidence of competence.
NOTE: Consideration should be given for the
130 7.2 periodic review of the necessary competence.
NOTE: Applicable actions can include, for
example, the provision of training to, the
131 7.2 mentoring of, or the re-assignment of currently
employed persons; or the hiring or contracting of
competent persons.
The organization shall ensure that persons doing
work under the organization’s control are aware
132 7.3 of:
a. the quality policy;
The organization shall ensure that persons doing
work under the organization’s control are aware
133 7.3 of:
b. relevant quality objectives;
The organization shall ensure that persons doing
work under the organization’s control are aware
of:
134 7.3 c. their contribution to the effectiveness of the
quality management system, including the
benefits of improved performance;
The organization shall ensure that persons doing
work under the organization’s control are aware
135 7.3 of:
d. the implications of not conforming with the
quality management system requirements;
The organization shall ensure that persons doing
work under the organization’s control are aware
136 7.3 of:
e. relevant quality management system
documented information and changes thereto;
The organization shall ensure that persons doing
work under the organization’s control are aware
137 7.3 of:
f. their contribution to product or service
conformity;
The organization shall ensure that persons doing
work under the organization’s control are aware
138 7.3 of:
g. their contribution to product safety;
The organization shall ensure that persons doing
work under the organization’s control are aware
139 7.3 of:
h. the importance of ethical behavior.
140 7.4 The organization shall determine the internal and
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 11
 9100D Conf. /
Line Clause Evidence
Clause NCR
external communications relevant to the quality
management system, including:
a. on what it will communicate;
The organization shall determine the internal and
external communications relevant to the quality
141 7.4 management system, including:
b. when to communicate;
The organization shall determine the internal and
external communications relevant to the quality
142 7.4 management system, including:
c. with whom to communicate;
The organization shall determine the internal and
external communications relevant to the quality
143 7.4 management system, including:
d. how to communicate;
The organization shall determine the internal and
external communications relevant to the quality
144 7.4 management system, including:
e. who communicates.
NOTE: Communication should include internal
145 7.4 and external feedback relevant to the quality
management system.
The organization’s quality management system
shall include:
146 7.5.1 a. documented information required by this
International Standard;
The organization’s quality management system
shall include:
147 7.5.1 b. documented information determined by the
organization as being necessary for the
effectiveness of the quality management system.
NOTE: The extent of documented information for
a quality management system can differ from one
organization to another due to:
− the size of organization and its type of activities,
148 7.5.1 processes, products, and services;
− the complexity of processes and their
interactions;
− the competence of persons.
When creating and updating documented
information, the organization shall ensure
149 7.5.2 appropriate:
a. identification and description (e.g., a title, date,
author, or reference number);
When creating and updating documented
information, the organization shall ensure
150 7.5.2 appropriate:
b. format (e.g., language, software version,
graphics) and media (e.g., paper, electronic);
When creating and updating documented
information, the organization shall ensure
151 7.5.2 appropriate:
c. review and approval for suitability and
adequacy.
NOTE: Approval implies authorized persons and
approval methods are identified for the relevant
152 7.5.2 types of documented information, as determined
by the organization.
153 7.5.3.1 Documented information required by the quality
management system and by this International

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 12
 9100D Conf. /
Line Clause Evidence
Clause NCR
Standard shall be controlled to ensure:
a. it is available and suitable for use, where and
when it is needed;
Documented information required by the quality
management system and by this International
154 7.5.3.1 Standard shall be controlled to ensure:
b. it is adequately protected (e.g., from loss of
confidentiality, improper use, or loss of integrity).
For the control of documented information, the
organization shall address the following activities,
155 7.5.3.2 as applicable:
a. distribution, access, retrieval, and use;
For the control of documented information, the
organization shall address the following activities,
156 7.5.3.2 as applicable:
b. storage and preservation, including
preservation of legibility;
For the control of documented information, the
organization shall address the following activities,
157 7.5.3.2 as applicable:
c. control of changes (e.g., version control);
For the control of documented information, the
organization shall address the following activities,
158 7.5.3.2 as applicable:
d. retention and disposition;
For the control of documented information, the
organization shall address the following activities,
as applicable:
159 7.5.3.2 e. prevention of the unintended use of obsolete
documented information by removal or by
application of suitable identification or controls if
kept for any purpose.
Documented information of external origin
determined by the organization to be necessary
160 7.5.3.2 for the planning and operation of the quality
management system shall be identified as
appropriate, and be controlled.
Documented information retained as evidence of
161 7.5.3.2 conformity shall be protected from unintended
alterations.
When documented information is managed
electronically, data protection processes shall be
162 7.5.3.2 defined (e.g., protection from loss, unauthorized
changes, unintended alteration, corruption,
physical damage).
NOTE: Access can imply a decision regarding the
permission to view the documented information
163 7.5.3.2 only, or the permission and authority to view and
change the documented information.
The organization shall plan, implement, and
control the processes (see 4.4) needed to meet
the requirements for the provision of products
164 8.1 and services, and to implement the actions
determined in clause 6, by:
a. determining the requirements for the products
and services;
165 8.1 NOTE: Determination of requirements for the
products and services should include
consideration of:
− personal and product safety;

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 13
 9100D Conf. /
Line Clause Evidence
Clause NCR
− reducibility and inspect ability;
− reliability, availability, and maintainability;
− suitability of parts and materials used in the
product;
− selection and development of embedded
software;
− product obsolescence;
− prevention, detection, and removal of foreign
objects;
− handling, packaging, and preservation;
− recycling or final disposal of the product at the
end of its life.
The organization shall plan, implement, and
control the processes (see 4.4) needed to meet
the requirements for the provision of products
and services, and to implement the actions
166 8.1 determined in clause 6, by:
b. establishing criteria for:
1. the processes;
2. the acceptance of products and services;
NOTE: According to the nature of the product and
depending on the specified requirements,
statistical techniques can be used to support:
− design verification (e.g., reliability,
maintainability, product safety);
− process control;
167 8.1 • selection and verification of key characteristics;
• process capability measurements;
• statistical process control;
• design of experiments;
− verification;
− failure mode, effects, and criticality analysis.
The organization shall plan, implement, and
control the processes (see 4.4) needed to meet
the requirements for the provision of products
and services, and to implement the actions
168 8.1 determined in clause 6, by:
c. determining the resources needed to achieve
conformity to the product and service
requirements and to meet on-time delivery of
products and services;
The organization shall plan, implement, and
control the processes (see 4.4) needed to meet
the requirements for the provision of products
169 8.1 and services, and to implement the actions
determined in clause 6, by:
d. implementing control of the processes in
accordance with the criteria;
The organization shall plan, implement, and
control the processes (see 4.4) needed to meet
the requirements for the provision of products
and services, and to implement the actions
determined in clause 6, by:
170 8.1 e. determining, maintaining, and retaining
documented information to the extent necessary:
1. to have confidence that the processes have
been carried out as planned;
2. to demonstrate the conformity of products and
services to their requirements;
171 8.1 The organization shall plan, implement, and

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 14
 9100D Conf. /
Line Clause Evidence
Clause NCR
control the processes (see 4.4) needed to meet
the requirements for the provision of products
and services, and to implement the actions
determined in clause 6, by:
f. determining the processes and controls needed
to manage critical items, including production
process controls when key characteristics have
been identified;
The organization shall plan, implement, and
control the processes (see 4.4) needed to meet
the requirements for the provision of products
and services, and to implement the actions
172 8.1 determined in clause 6, by:
g. engaging representatives of affected
organization functions for operational planning
and control;
The organization shall plan, implement, and
control the processes (see 4.4) needed to meet
the requirements for the provision of products
and services, and to implement the actions
173 8.1 determined in clause 6, by:
h. determining the process and resources to
support the use and maintenance of the products
and services;
The organization shall plan, implement, and
control the processes (see 4.4) needed to meet
the requirements for the provision of products
174 8.1 and services, and to implement the actions
determined in clause 6, by:
I. determining the products and services to be
obtained from external providers;
The organization shall plan, implement, and
control the processes (see 4.4) needed to meet
the requirements for the provision of products
and services, and to implement the actions
175 8.1 determined in clause 6, by:
j. establishing the controls needed to prevent the
delivery of nonconforming products and services
to the customer.
NOTE: One method to achieve operational
176 8.1 planning and control can be through using
integrated phased processes.
As appropriate to the organization, customer
requirements, and products and services, the
organization shall plan and manage product and
service provision in a structured and controlled
177 8.1 manner including scheduled events performed in
a planned sequence to meet requirements at
acceptable risk, within resource and schedule
constraints.
NOTE: This activity is generally referred to as
178 8.1 project planning, project management, or
program management.
The output of this planning shall be suitable for
179 8.1 the organization's operations.
NOTE: As an output of this planning, documented
information specifying the processes of the
180 8.1 quality management system and the resources to
be applied to a specific product, service, project,
or contract can be referred to as a quality plan.

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 15
 9100D Conf. /
Line Clause Evidence
Clause NCR
The organization shall control planned changes
and review the consequences of unintended
181 8.1 changes, taking action to mitigate any adverse
effects, as necessary.
The organization shall ensure that outsourced
182 8.1 processes are controlled (see 8.4).
The organization shall establish, implement, and
maintain a process to plan and control the
183 8.1 temporary or permanent transfer of work, to
ensure the continuing conformity of the work to
requirements.
The process shall ensure that work transfer
184 8.1 impacts and risks are managed.
NOTE: For the control of work transfer from the
organization to an external provider, or from an
external provider to another external provider,
185 8.1 see 8.4. For the control of work transfer from one
organization facility to another, or from an
external provider to the organization, see 8.5.
The organization shall plan, implement, and
control a process for managing operational risks
to the achievement of applicable requirements,
186 8.1.1 which includes as appropriate to the organization
and the products and services:
a. assignment of responsibilities for operational
risk management;
The organization shall plan, implement, and
control a process for managing operational risks
to the achievement of applicable requirements,
187 8.1.1 which includes as appropriate to the organization
and the products and services:
b. definition of risk assessment criteria (e.g.,
likelihood, consequences, risk acceptance);
The organization shall plan, implement, and
control a process for managing operational risks
to the achievement of applicable requirements,
188 8.1.1 which includes as appropriate to the organization
and the products and services:
c. identification, assessment, and communication
of risks throughout operations;
The organization shall plan, implement, and
control a process for managing operational risks
to the achievement of applicable requirements,
which includes as appropriate to the organization
189 8.1.1 and the products and services:
d. identification, implementation, and
management of actions to mitigate risks that
exceed the defined risk acceptance criteria;
The organization shall plan, implement, and
control a process for managing operational risks
to the achievement of applicable requirements,
190 8.1.1 which includes as appropriate to the organization
and the products and services:
e. acceptance of risks remaining after
implementation of mitigating actions.
191 8.1.1 NOTE 1: While clause 6.1 addresses the risks and
opportunities when planning for the quality
management system of the organization, the
scope of this clause (8.1.1) is limited to the risks
associated to the operational processes needed

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 16
 9100D Conf. /
Line Clause Evidence
Clause NCR
for the provision of products and services (clause
8).
NOTE 2: Within the aviation, space, and defense
industry, risk is generally expressed in terms of
192 8.1.1 the likelihood of occurrence and the severity of
the consequences.
The organization shall plan, implement, and
control a process for configuration management
as appropriate to the organization and its
193 8.1.2 products and services in order to ensure the
identification and control of physical and
functional attributes throughout the product
lifecycle.
This process shall:
a. control product identity and traceability to
194 8.1.2 requirements, including the implementation of
identified changes;
This process shall:
b. ensure that the documented information (e.g.,
requirements, design, verification, and validation
195 8.1.2 and acceptance documentation) is consistent
with the actual attributes of the products and
services.
The organization shall plan, implement, and
control the processes needed to assure product
196 8.1.3 safety during the entire product life cycle, as
appropriate to the organization and the product.
NOTE: Examples of these processes include:
− assessment of hazards and management of
associated risks (see 8.1.1);
− management of safety critical items;
197 8.1.3 − analysis and reporting of occurred events
affecting safety;
− communication of these events and training of
persons.
The organization shall plan, implement, and
control processes, appropriate to the organization
198 8.1.4 and the product, for the prevention of counterfeit
or suspect counterfeit part use and their inclusion
in product(s) delivered to the customer.
NOTE: Counterfeit part prevention processes
should consider:
− training of appropriate persons in the
awareness and prevention of counterfeit parts;
− application of a parts obsolescence monitoring
program;
− controls for acquiring externally provided
product from original or authorized
manufacturers, authorized distributors, or other
199 8.1.4 approved sources;
− requirements for assuring traceability of parts
and components to their original or authorized
manufacturers;
− verification and test methodologies to detect
counterfeit parts;
− monitoring of counterfeit parts reporting from
external sources;
− quarantine and reporting of suspect or detected
counterfeit parts.
200 8.2.1 Communication with customers shall include:

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 17
 9100D Conf. /
Line Clause Evidence
Clause NCR
a. providing information relating to products and
services;
Communication with customers shall include:
201 8.2.1 b. handling enquiries, contracts, or orders,
including changes;
Communication with customers shall include:
c. obtaining customer feedback relating to
202 8.2.1 products and services, including customer
complaints;
Communication with customers shall include:
203 8.2.1 d. handling or controlling customer property;
Communication with customers shall include:
204 8.2.1 e. establishing specific requirements for
contingency actions, when relevant.
When determining the requirements for the
products and services to be offered to customers,
the organization shall ensure that:
a. the requirements for the products and services
205 8.2.2 are defined, including:
1. any applicable statutory and regulatory
requirements;
2. those considered necessary by the
organization;
When determining the requirements for the
products and services to be offered to customers,
206 8.2.2 the organization shall ensure that:
b. the organization can meet the claims for the
products and services it offers;
When determining the requirements for the
products and services to be offered to customers,
207 8.2.2 the organization shall ensure that:
c. special requirements of the products and
services are determined;
When determining the requirements for the
products and services to be offered to customers,
the organization shall ensure that:
208 8.2.2 d. operational risks (e.g., new technology, ability
and capacity to provide, short delivery time
frame) have been identified.
The organization shall ensure that it has the
209 8.2.3.1 ability to meet the requirements for products and
services to be offered to customers.
The organization shall ensure that it has the
ability to meet the requirements for products and
services to be offered to customers. The
organization shall conduct a review before
210 8.2.3.1 committing to supply products and services to the
customer, to include:
a. requirements specified by the customer,
including the requirements for delivery and post-
delivery activities;
The organization shall ensure that it has the
ability to meet the requirements for products and
services to be offered to customers. The
organization shall conduct a review before
211 8.2.3.1 committing to supply products and services to the
customer, to include:
b. requirements not stated by the customer, but
necessary for the specified or intended use, when
known;

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 18
 9100D Conf. /
Line Clause Evidence
Clause NCR
The organization shall ensure that it has the
ability to meet the requirements for products and
services to be offered to customers. The
212 8.2.3.1 organization shall conduct a review before
committing to supply products and services to the
customer, to include:
c. requirements specified by the organization;
The organization shall ensure that it has the
ability to meet the requirements for products and
services to be offered to customers. The
organization shall conduct a review before
213 8.2.3.1 committing to supply products and services to the
customer, to include:
d. statutory and regulatory requirements
applicable to the products and services;
The organization shall ensure that it has the
ability to meet the requirements for products and
services to be offered to customers. The
organization shall conduct a review before
214 8.2.3.1 committing to supply products and services to the
customer, to include:
e. contract or order requirements differing from
those previously expressed.
This review shall be coordinated with applicable
215 8.2.3.1 functions of the organization.
If upon review the organization determines that
some customer requirements cannot be met or
216 8.2.3.1 can only partially be met, the organization shall
negotiate a mutually acceptable requirement
with the customer.
The organization shall ensure that contract or
217 8.2.3.1 order requirements differing from those
previously defined are resolved.
The customer requirements shall be confirmed by
the organization before acceptance, when the
218 8.2.3.1 customer does not provide a documented
statement of their requirements.
NOTE: In some situations, such as internet sales, a
formal review is impractical for each order.
219 8.2.3.1 Instead, the review can cover relevant product
information, such as catalogues.
The organization shall retain documented
220 8.2.3.2 information, as applicable:
a. on the results of the review;
The organization shall retain documented
information, as applicable:
221 8.2.3.2 b. on any new requirements for the products and
services.
The organization shall ensure that relevant
documented information is amended, and that
222 8.2.4 relevant persons are made aware of the changed
requirements, when the requirements for
products and services are changed.
The organization shall establish, implement, and
maintain a design and development process that
223 8.3.1 is appropriate to ensure the subsequent provision
of products and services.
224 8.3.2 In determining the stages and controls for design
and development, the organization shall consider:
a. the nature, duration, and complexity of the

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 19
 9100D Conf. /
Line Clause Evidence
Clause NCR
design and development activities;
In determining the stages and controls for design
and development, the organization shall consider:
225 8.3.2 b. the required process stages, including
applicable design and development reviews;
In determining the stages and controls for design
and development, the organization shall consider:
226 8.3.2 c. the required design and development
verification and validation activities;
In determining the stages and controls for design
and development, the organization shall consider:
227 8.3.2 d. the responsibilities and authorities involved in
the design and development process;
In determining the stages and controls for design
and development, the organization shall consider:
228 8.3.2 e. the internal and external resource needs for
the design and development of products and
services;
In determining the stages and controls for design
and development, the organization shall consider:
229 8.3.2 f. the need to control interfaces between persons
involved in the design and development process;
In determining the stages and controls for design
and development, the organization shall consider:
230 8.3.2 g. the need for involvement of customers and
users in the design and development process;
In determining the stages and controls for design
and development, the organization shall consider:
231 8.3.2 h. the requirements for subsequent provision of
products and services;
In determining the stages and controls for design
and development, the organization shall consider:
232 8.3.2 i. the level of control expected for the design and
development process by customers and other
relevant interested parties;
In determining the stages and controls for design
and development, the organization shall consider:
233 8.3.2 j. the documented information needed to
demonstrate that design and development
requirements have been met.
When appropriate, the organization shall divide
the design and development effort into distinct
234 8.3.2 activities and, for each activity, define the tasks,
necessary resources, responsibilities, design
content, and inputs and outputs.
Design and development planning shall consider
235 8.3.2 the ability to provide, verify, test and maintain
products and services (reference output of 8.1 a).
The organization shall determine the
requirements essential for the specific types of
236 8.3.3 products and services to be designed and
developed.
The organization shall consider:
237 8.3.3 a. functional and performance requirements;
The organization shall consider:
238 8.3.3 b. information derived from previous similar
design and development activities;
The organization shall consider:
239 8.3.3 c. statutory and regulatory requirements;
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 20
 9100D Conf. /
Line Clause Evidence
Clause NCR
The organization shall consider:
240 8.3.3 d. standards or codes of practice that the
organization has committed to implement;
The organization shall consider:
241 8.3.3 e. potential consequences of failure due to the
nature of the products and services;
The organization shall consider:
f. when applicable, the potential consequences of
242 8.3.3 obsolescence (e.g., materials, processes,
components, equipment, products).
Inputs shall be adequate for design and
243 8.3.3 development purposes, complete, and
unambiguous.
Conflicting design and development inputs shall
244 8.3.3 be resolved.
The organization shall retain documented
245 8.3.3 information on design and development inputs.
NOTE: The organization can also consider as
design and development inputs other information
246 8.3.3 such as benchmarking, external provider
feedback, internally generated data, and in-
service data.
The organization shall apply controls to the design
247 8.3.4 and development process to ensure that:
a. the results to be achieved are defined;
The organization shall apply controls to the design
and development process to ensure that:
248 8.3.4 b. reviews are conducted to evaluate the ability of
the results of design and development to meet
requirements;
The organization shall apply controls to the design
and development process to ensure that:
249 8.3.4 c. verification activities are conducted to ensure
that the design and development outputs meet
the input requirements;
The organization shall apply controls to the design
and development process to ensure that:
d. validation activities are conducted to ensure
250 8.3.4 that the resulting products and services meet the
requirements for the specified application or
intended use;
The organization shall apply controls to the design
and development process to ensure that:
251 8.3.4 e. any necessary actions are taken on problems
determined during the reviews, or verification
and validation activities;
The organization shall apply controls to the design
and development process to ensure that:
252 8.3.4 f. documented information of these activities is
retained;
The organization shall apply controls to the design
253 8.3.4 and development process to ensure that:
g. progression to the next stage is authorized.
Participants in design and development reviews
shall include representatives of functions
254 8.3.4 concerned with the design and development
stage(s) being reviewed.
255 8.3.4 NOTE: Design and development reviews,
verification, and validation have distinct
purposes. They can be conducted separately or in
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 21
 9100D Conf. /
Line Clause Evidence
Clause NCR
any combination, as is suitable for the products
and services of the organization.
When tests are necessary for verification and
validation, these tests shall be planned,
controlled, reviewed, and documented to ensure
and prove the following:
256 8.3.4.1 a. test plans or specifications identify the test
item being tested and the resources being used,
define test objectives and conditions, parameters
to be recorded and relevant acceptance criteria;
When tests are necessary for verification and
validation, these tests shall be planned,
controlled, reviewed, and documented to ensure
257 8.3.4.1 and prove the following:
b. test procedures describe the test methods to
be used, how to perform the test, and how to
record the results;
When tests are necessary for verification and
validation, these tests shall be planned,
controlled, reviewed, and documented to ensure
258 8.3.4.1 and prove the following:
c. the correct configuration of the test item is
submitted for the test;
When tests are necessary for verification and
validation, these tests shall be planned,
controlled, reviewed, and documented to ensure
259 8.3.4.1 and prove the following:
d. the requirements of the test plan and the test
procedures are observed;
When tests are necessary for verification and
validation, these tests shall be planned,
260 8.3.4.1 controlled, reviewed, and documented to ensure
and prove the following:
e. the acceptance criteria are met.
Monitoring and measuring devices used for
261 8.3.4.1 testing shall be controlled as defined in clause
7.1.5.
At the completion of design and development,
the organization shall ensure that reports,
calculations, test results, etc., are able to
262 8.3.4.1 demonstrate that the design for the product or
service meets the specification requirements for
all identified operational conditions.
The organization shall ensure that design and
263 8.3.5 development outputs:
a. meet the input requirements;
The organization shall ensure that design and
development outputs:
264 8.3.5 b. are adequate for the subsequent processes for
the provision of products and services;
The organization shall ensure that design and
development outputs:
265 8.3.5 c. include or reference monitoring and measuring
requirements, as appropriate, and acceptance
criteria;
The organization shall ensure that design and
development outputs:
266 8.3.5 d. specify the characteristics of products and
services that are essential for their intended
purpose and their safe and proper provision;

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 22
 9100D Conf. /
Line Clause Evidence
Clause NCR
The organization shall ensure that design and
development outputs:
267 8.3.5 e. specify, as applicable, any critical items,
including any key characteristics, and specific
actions to be taken for these items;
The organization shall ensure that design and
development outputs:
268 8.3.5 f. are approved by authorized person(s) prior to
release.
The organization shall define the data required to
269 8.3.5 allow the product to be identified, manufactured,
verified, used, and maintained.
NOTE: Data can include:
− the drawings, part lists, and specifications
necessary to define the configuration and the
design features of the product;
− the material, process, manufacturing, assembly,
270 8.3.5 handling, packaging, and preservation data
needed to provide and maintain a conforming
product or service;
− the technical data and repair schemes for
operating and maintaining the product.
The organization shall retain documented
271 8.3.5 information on design and development outputs.
The organization shall identify, review, and control
changes made during, or subsequent to, the
design and development of products and
272 8.3.6 services, to the extent necessary to ensure that
there is no adverse impact on conformity to
requirements.
The organization shall implement a process with
criteria for notifying its customer, prior to
273 8.3.6 implementation, about changes that affect
customer requirements.
The organization shall retain documented
274 8.3.6 information on:
a. design and development changes;
The organization shall retain documented
275 8.3.6 information on:
b. the results of reviews;
The organization shall retain documented
276 8.3.6 information on:
c. the authorization of the changes;
The organization shall retain documented
277 8.3.6 information on:
d. the actions taken to prevent adverse impacts.
Design and development changes shall be
278 8.3.6 controlled in accordance with the configuration
management process requirements.
The organization shall ensure that externally
279 8.4.1 provided processes, products, and services
conform to requirements.
The organization shall be responsible for the
conformity of all externally provided processes,
280 8.4.1 products, and services, including from sources
defined by the customer.
The organization shall ensure, when required,
that customer-designated or approved external
281 8.4.1 providers, including process sources (e.g., special
processes), are used.
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 23
 9100D Conf. /
Line Clause Evidence
Clause NCR
The organization shall identify and manage the
risks associated with the external provision of
282 8.4.1 processes, products, and services, as well as the
selection and use of external providers.
The organization shall require that external
providers apply appropriate controls to their
283 8.4.1 direct and sub-tier external providers, to ensure
that requirements are met.
The organization shall determine the controls to
be applied to externally provided processes,
products, and services when:
284 8.4.1 a. products and services from external providers
are intended for incorporation into the
organization’s own products and services;
The organization shall determine the controls to
be applied to externally provided processes,
products, and services when:
285 8.4.1 b. products and services are provided directly to
the customer(s) by external providers on behalf
of the organization;
The organization shall determine the controls to
be applied to externally provided processes,
products, and services when:
286 8.4.1 c. a process, or part of a process, is provided by
an external provider as a result of a decision by
the organization.
The organization shall determine and apply
criteria for the evaluation, selection, monitoring
of performance, and re-evaluation of external
287 8.4.1 providers, based on their ability to provide
processes or products and services in accordance
with requirements.
The organization shall retain documented
288 8.4.1 information of these activities and any necessary
actions arising from the evaluations.
NOTE: During external provider evaluation and
selection, the organization can use quality data
from objective and reliable external sources, as
evaluated by the organization (e.g., information
from accredited quality management system or
process certification bodies, external provider
289 8.4.1 approvals from government authorities or
customers). Use of such data would be only one
element of an organization’s external provider
control process and the organization remains
responsible for verifying that externally provided
processes, products, and services meet specified
requirements.
The organization shall:
a. define the process, responsibilities, and
authority for the approval status decision,
290 8.4.1.1 changes of the approval status, and conditions for
a controlled use of external providers depending
on their approval status;
The organization shall:
b. maintain a register of its external providers
291 8.4.1.1 that includes approval status (e.g., approved,
conditional, disapproved) and the scope of the
approval (e.g., product type, process family);
292 8.4.1.1 The organization shall:

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 24
 9100D Conf. /
Line Clause Evidence
Clause NCR
c. periodically review external provider
performance including process, product and
service conformity, and on-time delivery
performance;
The organization shall:
d. define the necessary actions to take when
293 8.4.1.1 dealing with external providers that do not meet
requirements;
The organization shall:
e. define the requirements for controlling
294 8.4.1.1 documented information created by and/or
retained by external providers.
The organization shall ensure that externally
provided processes, products, and services do not
295 8.4.2 adversely affect the organization’s ability to
consistently deliver conforming products and
services to its customers.
The organization shall:
a. ensure that externally provided processes
296 8.4.2 remain within the control of its quality
management system;
The organization shall:
b. define both the controls that it intends to apply
297 8.4.2 to an external provider and those it intends to
apply to the resulting output;
The organization shall:
c. take into consideration:
1. the potential impact of the externally provided
processes, products, and services on the
organization’s ability to consistently meet
298 8.4.2 customer and applicable statutory and regulatory
requirements;
2. the effectiveness of the controls applied by the
external provider;
3. the results of the periodic review of external
provider performance (see 8.4.1.1 c);
The organization shall:
d. determine the verification, or other activities,
299 8.4.2 necessary to ensure that the externally provided
processes, products, and services meet
requirements.
Verification activities of externally provided
processes, products, and services shall be
300 8.4.2 performed according to the risks identified by the
organization.
These shall include inspection or periodic testing,
301 8.4.2 as applicable, when there is high risk of
nonconformities including counterfeit parts.
NOTE 1: Customer verification activities
performed at any level of the supply chain does
302 8.4.2 not absolve the organization of its responsibility
to provide acceptable processes, products, and
services and to comply with all requirements.
303 8.4.2 NOTE 2: Verification activities can include:
− review of objective evidence of the conformity
of the processes, products, and services from the
external provider (e.g., accompanying
documentation, certificate of conformity, test
documentation, statistical documentation,
process control documentation, results of

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 25
 9100D Conf. /
Line Clause Evidence
Clause NCR
production process verification and assessment of
changes to the production process thereafter);
− inspection and audit at the external provider’s
premises;
− review of the required documentation;
− review of production part approval process
data;
− inspection of products or verification of services
upon receipt;
− review of delegations of product verification to
the external provider.
When externally provided product is released for
production use pending completion of all
required verification activities, it shall be
304 8.4.2 identified and recorded to allow recall and
replacement if it is subsequently found that the
product does not meet requirements.
When the organization delegates’ verification
activities to the external provider, the scope and
305 8.4.2 requirements for delegation shall be defined and
a register of delegations shall be maintained.
The organization shall periodically monitor the
306 8.4.2 external provider’s delegated verification
activities.
When external provider test reports are utilized
to verify externally provided products, the
307 8.4.2 organization shall implement a process to
evaluate the data in the test reports to confirm
that the product meets requirements.
When a customer or organization has identified
raw material as a significant operational risk (e.g.,
308 8.4.2 critical items), the organization shall implement a
process to validate the accuracy of test reports.
The organization shall ensure the adequacy of
309 8.4.3 requirements prior to their communication to the
external provider.
The organization shall communicate to external
providers its requirements for:
a. the processes, products, and services to be
310 8.4.3 provided including the identification of relevant
technical data (e.g., specifications, drawings,
process requirements, work instructions);
The organization shall communicate to external
providers its requirements for:
b. the approval of:
311 8.4.3 1. products and services;
2. methods, processes, and equipment;
3. the release of products and services;
The organization shall communicate to external
providers its requirements for:
312 8.4.3 c. competence, including any required
qualification of persons;
The organization shall communicate to external
providers its requirements for:
313 8.4.3 d. the external providers’ interactions with the
organization;
314 8.4.3 The organization shall communicate to external
providers its requirements for:
e. control and monitoring of the external
providers’ performance to be applied by the

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 26
 9100D Conf. /
Line Clause Evidence
Clause NCR
organization;
The organization shall communicate to external
providers its requirements for:
315 8.4.3 f. verification or validation activities that the
organization, or its customer, intends to perform
at the external providers’ premises;
The organization shall communicate to external
316 8.4.3 providers its requirements for:
g. design and development control;
The organization shall communicate to external
providers its requirements for:
317 8.4.3 h. special requirements, critical items, or key
characteristics;
The organization shall communicate to external
providers its requirements for:
318 8.4.3 i. test, inspection, and verification (including
production process verification);
The organization shall communicate to external
providers its requirements for:
319 8.4.3 j. the use of statistical techniques for product
acceptance and related instructions for
acceptance by the organization;
The organization shall communicate to external
providers its requirements for:
k. the need to:
− implement a quality management system;
− use customer-designated or approved external
providers, including process sources (e.g., special
processes);
− notify the organization of nonconforming
processes, products, or services and obtain
approval for their disposition;
320 8.4.3 − prevent the use of counterfeit parts (see 8.1.4);
− notify the organization of changes to processes,
products, or services, including changes of their
external providers or location of manufacture,
and obtain the organization’s approval;
− flow down to external providers applicable
requirements including customer requirements;
− provide test specimens for design approval,
inspection/verification, investigation, or auditing;
− retain documented information, including
retention periods and disposition requirements;
The organization shall communicate to external
providers its requirements for:
l. the right of access by the organization, their
321 8.4.3 customer, and regulatory authorities to the
applicable areas of facilities and to applicable
documented information, at any level of the
supply chain;
The organization shall communicate to external
providers its requirements for:
m. ensuring that persons are aware of:
322 8.4.3 − their contribution to product or service
conformity;
− their contribution to product safety;
− the importance of ethical behavior.
The organization shall implement production and
323 8.5.1 service provision under controlled conditions.
324 8.5.1 Controlled conditions shall include, as applicable:

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 27
 9100D Conf. /
Line Clause Evidence
Clause NCR
a. the availability of documented information that
defines:
1. the characteristics of the products to be
produced, the services to be provided, or the
activities to be performed;
2. the results to be achieved;
NOTE 1: Documented information that defines
characteristics of products and services can
325 8.5.1 include digital product definition data, drawings,
parts lists, materials, and process specifications.
NOTE 2: Documented information for activities to
be performed and results to be achieved can
include process flow charts, control plans,
326 8.5.1 production documents (e.g., manufacturing plans,
travelers, routers, work orders, process cards),
and verification documents.
Controlled conditions shall include, as applicable:
327 8.5.1 b. the availability and use of suitable monitoring
and measuring resources;
Controlled conditions shall include, as applicable:
c. the implementation of monitoring and
measurement activities at appropriate stages to
verify that criteria for control of processes or
outputs, and acceptance criteria for products and
services, have been met;
1. ensuring that documented information for
monitoring and measurement activity for product
acceptance includes:
− criteria for acceptance and rejection;
− where in the sequence verification operations
are to be performed;
328 8.5.1 − measurement results to be retained (at a
minimum an indication of acceptance or
rejection);
− any specific monitoring and measurement
equipment required and instructions associated
with their use;
2. Ensuring that when sampling is used as a
means of product acceptance, the sampling plan
is justified on the basis of recognized statistical
principles and appropriate for use (i.e., matching
the sampling plan to the criticality of the product
and to the process capability).
Controlled conditions shall include, as applicable:
329 8.5.1 d. the use of suitable infrastructure and
environment for the operation of processes;
NOTE: Suitable infrastructure can include product
330 8.5.1 specific tools (e.g., jigs, fixtures, molds) and
software programs.
Controlled conditions shall include, as applicable:
331 8.5.1 e. the appointment of competent persons,
including any required qualification;
Controlled conditions shall include, as applicable:
f. the validation, and periodic revalidation, of the
ability to achieve planned results of the processes
332 8.5.1 for production and service provision, where the
resulting output cannot be verified by subsequent
monitoring or measurement;
NOTE: These processes can be referred to as
333 8.5.1 special processes (see 8.5.1.2).

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 28
 9100D Conf. /
Line Clause Evidence
Clause NCR
Controlled conditions shall include, as applicable:
334 8.5.1 g. the implementation of actions to prevent
human error;
Controlled conditions shall include, as applicable:
335 8.5.1 h. the implementation of release, delivery, and
post-delivery activities;
Controlled conditions shall include, as applicable:
i. the establishment of criteria for workmanship
336 8.5.1 (e.g., written standards, representative samples,
illustrations);
Controlled conditions shall include, as applicable:
j. the accountability for all products during
337 8.5.1 production (e.g., parts quantities, split orders,
nonconforming product);
Controlled conditions shall include, as applicable:
k. the control and monitoring of identified critical
338 8.5.1 items, including key characteristics, in accordance
with established processes;
Controlled conditions shall include, as applicable:
l. the determination of methods to measure
339 8.5.1 variable data (e.g., tooling, on-machine probing,
inspection equipment);
Controlled conditions shall include, as applicable:
m. the identification of in-process
340 8.5.1 inspection/verification points when adequate
verification of conformity cannot be performed at
later stages;
Controlled conditions shall include, as applicable:
n. the availability of evidence that all production
341 8.5.1 and inspection/verification operations have been
completed as planned, or as otherwise
documented and authorized;
Controlled conditions shall include, as applicable:
342 8.5.1 o. the provision for the prevention, detection, and
removal of foreign objects;
Controlled conditions shall include, as applicable:
p. the control and monitoring of utilities and
343 8.5.1 supplies (e.g., water, compressed air, electricity,
chemical products) to the extent they affect
conformity to product requirements (see 7.1.3);
Controlled conditions shall include, as applicable:
q. the identification and recording of products
released for subsequent production use pending
344 8.5.1 completion of all required measuring and
monitoring activities, to allow recall and
replacement if it is later found that the product
does not meet requirements.
Equipment, tools, and software programs used to
automate, control, monitor, or measure
345 8.5.1.1 production processes shall be validated prior to
final release for production…
Equipment, tools, and software programs used to
automate, control, monitor, or measure
346 8.5.1.1 production processes … (and) shall be
maintained.
Storage requirements shall be defined for
production equipment or tooling in storage
347 8.5.1.1 including any necessary periodic preservation or
condition checks.
348 8.5.1.2 For processes where the resulting output cannot
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 29
 9100D Conf. /
Line Clause Evidence
Clause NCR
be verified by subsequent monitoring or
measurement, the organization shall establish
arrangements for these processes including, as
applicable:
a. definition of criteria for the review and
approval of the processes;
For processes where the resulting output cannot
be verified by subsequent monitoring or
measurement, the organization shall establish
349 8.5.1.2 arrangements for these processes including, as
applicable:
b. determination of conditions to maintain the
approval;
For processes where the resulting output cannot
be verified by subsequent monitoring or
measurement, the organization shall establish
350 8.5.1.2 arrangements for these processes including, as
applicable:
c. approval of facilities and equipment;
For processes where the resulting output cannot
be verified by subsequent monitoring or
measurement, the organization shall establish
351 8.5.1.2 arrangements for these processes including, as
applicable:
d. qualification of persons;
For processes where the resulting output cannot
be verified by subsequent monitoring or
measurement, the organization shall establish
352 8.5.1.2 arrangements for these processes including, as
applicable:
e. use of specific methods and procedures for
implementation and monitoring the processes;
For processes where the resulting output cannot
be verified by subsequent monitoring or
measurement, the organization shall establish
353 8.5.1.2 arrangements for these processes including, as
applicable:
f. requirements for documented information to
be retained.
The organization shall implement production
process verification activities to ensure the
354 8.5.1.3 production process is able to produce products
that meet requirements.
NOTE: These activities can include risk
355 8.5.1.3 assessments, capacity studies, capability studies,
and control plans.
The organization shall use a representative item
from the first production run of a new part or
assembly to verify that the production processes,
356 8.5.1.3 production documentation, and tooling are able
to produce parts and assemblies that meet
requirements.
This activity shall be repeated when changes
occur that invalidate the original results (e.g.,
357 8.5.1.3 engineering changes, production process
changes, tooling changes).
NOTE: This activity can be referred to as First
358 8.5.1.3 Article Inspection (FAI).
359 8.5.1.3 The organization shall retain documented
information on the results of production process

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 30
 9100D Conf. /
Line Clause Evidence
Clause NCR
verification.
The organization shall use suitable means to
360 8.5.2 identify outputs when it is necessary to ensure
the conformity of products and services.
The organization shall maintain the identification
of the configuration of the products and services
361 8.5.2 in order to identify any differences between the
actual configuration and the required
configuration.
The organization shall identify the status of
outputs with respect to monitoring and
362 8.5.2 measurement requirements throughout
production and service provision.
When acceptance authority media are used (e.g.,
stamps, electronic signatures, passwords), the
363 8.5.2 organization shall establish controls for the
media.
The organization shall control the unique
identification of the outputs when traceability is a
364 8.5.2 requirement, and shall retain the documented
information necessary to enable traceability.
NOTE: Traceability requirements can include:
− the identification to be maintained throughout
the product life;
− the ability to trace all products manufactured
from the same batch of raw material, or from the
same manufacturing batch, to the destination
365 8.5.2 (e.g., delivery, scrap);
− for an assembly, the ability to trace its
components to the assembly and then to the next
higher assembly;
− for a product, a sequential record of its
production (manufacture, assembly,
inspection/verification) to be retrievable.
The organization shall exercise care with property
belonging to customers or external providers
366 8.5.3 while it is under the organization’s control or
being used by the organization.
The organization shall identify, verify, protect, and
safeguard customers’ or external providers’
367 8.5.3 property provided for use or incorporation into
the products and services.
When the property of a customer or external
provider is lost, damaged, or otherwise found to
be unsuitable for use, the organization shall
368 8.5.3 report this to the customer or external provider
and retain documented information on what has
occurred.
NOTE: A customer’s or external provider’s
property can include materials, components,
369 8.5.3 tools and equipment, premises, intellectual
property, and personal data.
The organization shall preserve the outputs
during production and service provision, to the
370 8.5.4 extent necessary to ensure conformity to
requirements.
NOTE: Preservation can include identification,
handling, contamination control, packaging,
371 8.5.4 storage, transmission or transportation, and
protection.

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 31
 9100D Conf. /
Line Clause Evidence
Clause NCR
Preservation of outputs shall also include, when
applicable in accordance with specifications and
372 8.5.4 applicable statutory and regulatory requirements,
provisions for:
a. cleaning;
Preservation of outputs shall also include, when
applicable in accordance with specifications and
applicable statutory and regulatory requirements,
373 8.5.4 provisions for:
b. prevention, detection, and removal of foreign
objects;
Preservation of outputs shall also include, when
applicable in accordance with specifications and
applicable statutory and regulatory requirements,
374 8.5.4 provisions for:
c. special handling and storage for sensitive
products;+C381
Preservation of outputs shall also include, when
applicable in accordance with specifications and
applicable statutory and regulatory requirements,
375 8.5.4 provisions for:
d. marking and labeling, including safety warnings
and cautions;
Preservation of outputs shall also include, when
applicable in accordance with specifications and
376 8.5.4 applicable statutory and regulatory requirements,
provisions for:
e. shelf life control and stock rotation;
Preservation of outputs shall also include, when
applicable in accordance with specifications and
applicable statutory and regulatory requirements,
377 8.5.4 provisions for:
f. special handling and storage for hazardous
materials.
The organization shall meet requirements for
378 8.5.5 post-delivery activities associated with the
products and services.
In determining the extent of post-delivery
activities that are required, the organization shall
379 8.5.5 consider:
a. statutory and regulatory requirements;
In determining the extent of post-delivery
activities that are required, the organization shall
380 8.5.5 consider:
b. the potential undesired consequences
associated with its products and services;
In determining the extent of post-delivery
activities that are required, the organization shall
381 8.5.5 consider:
c. the nature, use, and intended lifetime of its
products and services;
In determining the extent of post-delivery
activities that are required, the organization shall
382 8.5.5 consider:
d. customer requirements;
In determining the extent of post-delivery
activities that are required, the organization shall
383 8.5.5 consider:
e. customer feedback;
384 8.5.5 In determining the extent of post-delivery

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 32
 9100D Conf. /
Line Clause Evidence
Clause NCR
activities that are required, the organization shall
consider:
f. collection and analysis of in-service data (e.g.,
performance, reliability, lessons learned);
In determining the extent of post-delivery
activities that are required, the organization shall
consider:
385 8.5.5 g. control, updating, and provision of technical
documentation relating to product use,
maintenance, repair, and overhaul;
In determining the extent of post-delivery
activities that are required, the organization shall
386 8.5.5 consider:
h. controls required for work undertaken external
to the organization (e.g., off-site work);
In determining the extent of post-delivery
activities that are required, the organization shall
consider:
387 8.5.5 i. product/customer support (e.g., queries,
training, warranties, maintenance, replacement
parts, resources, obsolescence).
When problems are detected after delivery, the
388 8.5.5 organization shall take appropriate action
including investigation and reporting.
NOTE: Post-delivery activities can include actions
under warranty provisions, contractual
389 8.5.5 obligations such as maintenance services, and
supplementary services such as recycling or final
disposal.
The organization shall review and control changes
for production or service provision, to the extent
390 8.5.6 necessary to ensure continuing conformity with
requirements.
Persons authorized to approve production or
391 8.5.6 service provision changes shall be identified.
NOTE: Production or service provision changes
can include the changes affecting processes,
392 8.5.6 production equipment, tools, or software
programs.
The organization shall retain documented
information describing the results of the review
393 8.5.6 of changes, the person(s) authorizing the change,
and any necessary actions arising from the
review.
The organization shall implement planned
arrangements, at appropriate stages, to verify
394 8.6 that the product and service requirements have
been met.
The release of products and services to the
customer shall not proceed until the planned
395 8.6 arrangements have been satisfactorily completed,
unless otherwise approved by a relevant
authority and, as applicable, by the customer.
The organization shall retain documented
396 8.6 information on the release of products and
services.
The documented information shall include:
397 8.6 a. evidence of conformity with the acceptance
criteria;
398 8.6 The documented information shall include:
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 33
 9100D Conf. /
Line Clause Evidence
Clause NCR
b. traceability to the person(s) authorizing the
release.
When required to demonstrate product
qualification, the organization shall ensure that
399 8.6 retained documented information provides
evidence that the products and services meet the
defined requirements.
The organization shall ensure that all documented
400 8.6 information required to accompany the products
and services are present at delivery.
The organization shall ensure that outputs that do
not conform to their requirements are identified
401 8.7.1 and controlled to prevent their unintended use or
delivery.
NOTE: The term “nonconforming outputs”
includes nonconforming product or service
402 8.7.1 generated internally, received from an external
provider, or identified by a customer.
The organization shall take appropriate action
403 8.7.1 based on the nature of the nonconformity and its
effect on the conformity of products and services.
This shall also apply to nonconforming products
404 8.7.1 and services detected after delivery of products,
during or after the provision of services.
The organization’s nonconformity control process
shall be maintained as documented information
including the provisions for:
405 8.7.1 − defining the responsibility and authority for the
review and disposition of nonconforming outputs
and the process for approving persons making
these decisions;
The organization’s nonconformity control process
shall be maintained as documented information
including the provisions for:
406 8.7.1 − taking actions necessary to contain the effect of
the nonconformity on other processes, products,
or services;
The organization’s nonconformity control process
shall be maintained as documented information
including the provisions for:
407 8.7.1 − timely reporting of nonconformities affecting
delivered products and services to the customer
and to relevant interested parties;
The organization’s nonconformity control process
shall be maintained as documented information
including the provisions for:
408 8.7.1 − defining corrective actions for nonconforming
products and services detected after delivery, as
appropriate to their impacts (see 10.2).
NOTE: Interested parties requiring notification of
nonconforming products and services can include
409 8.7.1 external providers, internal organizations,
customers, distributors, and regulatory
authorities.
The organization shall deal with nonconforming
410 8.7.1 outputs in one or more of the following ways:
a. correction;
411 8.7.1 The organization shall deal with nonconforming
outputs in one or more of the following ways:
b. segregation, containment, return, or

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 34
 9100D Conf. /
Line Clause Evidence
Clause NCR
suspension of provision of products and services;
The organization shall deal with nonconforming
412 8.7.1 outputs in one or more of the following ways:
c. informing the customer;
The organization shall deal with nonconforming
outputs in one or more of the following ways:
413 8.7.1 d. obtaining authorization for acceptance under
concession by a relevant authority and, when
applicable, by the customer.
Dispositions of use-as-is or repair for the
acceptance of nonconforming products shall only
be implemented:
414 8.7.1 − after approval by an authorized representative
of the organization responsible for design or by
persons having delegated authority from the
design organization;
Dispositions of use-as-is or repair for the
acceptance of nonconforming products shall only
be implemented:
415 8.7.1 − after authorization by the customer, if the
nonconformity results in a departure from the
contract requirements.
Product dispositioned for scrap shall be
conspicuously and permanently marked, or
416 8.7.1 positively controlled, until physically rendered
unusable.
Counterfeit, or suspect counterfeit, parts shall be
417 8.7.1 controlled to prevent reentry into the supply
chain.
Conformity to the requirements shall be verified
418 8.7.1 when nonconforming outputs are corrected.
The organization shall retain documented
419 8.7.2 information that:
a. describes the nonconformity;
The organization shall retain documented
420 8.7.2 information that:
b. describes the actions taken;
The organization shall retain documented
421 8.7.2 information that:
c. describes any concessions obtained;
The organization shall retain documented
information that:
422 8.7.2 d. identifies the authority deciding the action in
respect of the nonconformity.
The organization shall determine:
423 9.1.1 a. what needs to be monitored and measured;
The organization shall determine:
b. the methods for monitoring, measurement,
424 9.1.1 analysis, and evaluation needed to ensure valid
results;
The organization shall determine:
425 9.1.1 c. when the monitoring and measuring shall be
performed;
The organization shall determine:
426 9.1.1 d. when the results from monitoring and
measurement shall be analyzed and evaluated.
The organization shall evaluate the performance
427 9.1.1 and the effectiveness of the quality management
system.
428 9.1.1 The organization shall retain appropriate
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 35
 9100D Conf. /
Line Clause Evidence
Clause NCR
documented information as evidence of the
results.
The organization shall monitor customers’
429 9.1.2 perceptions of the degree to which their needs
and expectations have been fulfilled.
The organization shall determine the methods for
430 9.1.2 obtaining, monitoring, and reviewing this
information.
NOTE: Examples of monitoring customer
perceptions can include customer surveys,
customer feedback on delivered products and
431 9.1.2 services, meetings with customers, market-share
analysis, compliments, warranty claims, and
dealer reports.
Information to be monitored and used for the
evaluation of customer satisfaction shall include,
but is not limited to, product and service
432 9.1.2 conformity, on-time delivery performance,
customer complaints, and corrective action
requests.
The organization shall develop and implement
plans for customer satisfaction improvement that
433 9.1.2 address deficiencies identified by these
evaluations, and assess the effectiveness of the
results.
The organization shall analyze and evaluate
434 9.1.3 appropriate data and information arising from
monitoring and measurement.
NOTE: Appropriate data can include information
on product and service problems reported by
435 9.1.3 external sources (e.g., government/industry
alerts, advisories).
The results of analysis shall be used to evaluate:
436 9.1.3 a. conformity of products and services;
The results of analysis shall be used to evaluate:
437 9.1.3 b. the degree of customer satisfaction;
The results of analysis shall be used to evaluate:
438 9.1.3 c. the performance and effectiveness of the
quality management system;
The results of analysis shall be used to evaluate:
439 9.1.3 d. if planning has been implemented effectively;
The results of analysis shall be used to evaluate:
440 9.1.3 e. the effectiveness of actions taken to address
risks and opportunities;
The results of analysis shall be used to evaluate:
441 9.1.3 f. the performance of external providers;
The results of analysis shall be used to evaluate:
442 9.1.3 g. the need for improvements to the quality
management system.
NOTE: Methods to analyze data can include
443 9.1.3 statistical techniques.
The organization shall conduct internal audits at
planned intervals to provide information on
whether the quality management system;
a. conforms to:
444 9.2.1 1. the organization’s own requirements for its
quality management system;
2. the requirements of this International
Standard;
445 9.2.1 NOTE: The organization’s own requirements
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 36
 9100D Conf. /
Line Clause Evidence
Clause NCR
should include customer and applicable statutory
and regulatory quality management system
requirements.
The organization shall conduct internal audits at
planned intervals to provide information on
446 9.2.1 whether the quality management system;
b. is effectively implemented and maintained.
NOTE: When conducting internal audits,
performance indicators can be evaluated to
447 9.2.1 determine whether the quality management
system is effectively implemented and
maintained.
The organization shall:
a. plan, establish, implement, and maintain an
audit program(s) including the frequency,
methods, responsibilities, planning requirements,
448 9.2.2 and reporting, which shall take into consideration
the importance of the processes concerned,
changes affecting the organization, and the
results of previous audits;
The organization shall:
449 9.2.2 b. define the audit criteria and scope for each
audit;
The organization shall:
c. select auditors and conduct audits to ensure
450 9.2.2 objectivity and the impartiality of the audit
process;
The organization shall:
451 9.2.2 d. ensure that the results of the audits are
reported to relevant management;
The organization shall:
452 9.2.2 e. take appropriate correction and corrective
actions without undue delay;
The organization shall:
f. retain documented information as evidence of
453 9.2.2 the implementation of the audit program and the
audit results.
454 9.2.2 NOTE: See ISO 19011 for guidance.
Top management shall review the organization's
quality management system, at planned intervals,
455 9.3.1 to ensure its continuing suitability, adequacy,
effectiveness, and alignment with the strategic
direction of the organization.
The management review shall be planned and
carried out taking into consideration:
456 9.3.2 a. the status of actions from previous
management reviews;
The management review shall be planned and
carried out taking into consideration:
457 9.3.2 b. changes in external and internal issues that are
relevant to the quality management system;
458 9.3.2 The management review shall be planned and
carried out taking into consideration:
c. information on the performance and
effectiveness of the quality management system,
including trends in:
1. customer satisfaction and feedback from
relevant interested parties;
2. the extent to which quality objectives have
been met;
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 37
 9100D Conf. /
Line Clause Evidence
Clause NCR
3. process performance and conformity of
products and services;
4. nonconformities and corrective actions;
5. monitoring and measurement results;
6. audit results;
7. the performance of external providers;
8. on-time delivery performance;
The management review shall be planned and
459 9.3.2 carried out taking into consideration:
d. the adequacy of resources;
The management review shall be planned and
carried out taking into consideration:
460 9.3.2 e. the effectiveness of actions taken to address
risks and opportunities (see 6.1);
The management review shall be planned and
461 9.3.2 carried out taking into consideration:
f. opportunities for improvement.
The outputs of the management review shall
462 9.3.3 include decisions and actions related to:
a. opportunities for improvement;
The outputs of the management review shall
include decisions and actions related to:
463 9.3.3 b. any need for changes to the quality
management system;
The outputs of the management review shall
464 9.3.3 include decisions and actions related to:
c. resource needs;
The outputs of the management review shall
465 9.3.3 include decisions and actions related to:
d. risks identified.
The organization shall retain documented
466 9.3.3 information as evidence of the results of
management reviews.
The organization shall determine and select
opportunities for improvement and implement
467 10.1 any necessary actions to meet customer
requirements and enhance customer satisfaction.
These shall include:
a. improving products and services to meet
468 10.1 requirements as well as to address future needs
and expectations;
These shall include:
469 10.1 b. correcting, preventing, or reducing undesired
effects;
These shall include:
470 10.1 c. improving the performance and effectiveness
of the quality management system.
NOTE: Examples of improvement can include
correction, corrective action, continual
471 10.1 improvement, breakthrough change, innovation,
and reorganization.
When a nonconformity occurs, including any
arising from complaints, the organization shall:
472 10.2.1 a. react to the nonconformity and, as applicable:
1. take action to control and correct it;
2. deal with the consequences;
473 10.2.1 When a nonconformity occurs, including any
arising from complaints, the organization shall:
b. evaluate the need for action to eliminate the
cause(s) of the nonconformity, in order that it
This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 38
 9100D Conf. /
Line Clause Evidence
Clause NCR
does not recur or occur elsewhere, by:
1. reviewing and analyzing the nonconformity;
2. determining the causes of the nonconformity,
including, as applicable, those related to human
factors;
3. determining if similar nonconformities exist, or
could potentially occur;
When a nonconformity occurs, including any
474 10.2.1 arising from complaints, the organization shall:
c. implement any action needed;
When a nonconformity occurs, including any
arising from complaints, the organization shall:
475 10.2.1 d. review the effectiveness of any corrective
action taken;
When a nonconformity occurs, including any
arising from complaints, the organization shall:
476 10.2.1 e. update risks and opportunities determined
during planning, if necessary;
When a nonconformity occurs, including any
arising from complaints, the organization shall:
477 10.2.1 f. make changes to the quality management
system, if necessary;
When a nonconformity occurs, including any
arising from complaints, the organization shall:
g. flow down corrective action requirements to an
478 10.2.1 external provider when it is determined that the
external provider is responsible for the
nonconformity;
When a nonconformity occurs, including any
arising from complaints, the organization shall:
479 10.2.1 h. take specific actions when timely and effective
corrective actions are not achieved.
Corrective actions shall be appropriate to the
480 10.2.1 effects of the nonconformities encountered.
The organization shall maintain documented
481 10.2.1 information that defines the nonconformity and
corrective action management processes.
The organization shall retain documented
information as evidence of:
482 10.2.2 a. the nature of the nonconformities and any
subsequent actions taken;
The organization shall retain documented
483 10.2.2 information as evidence of:
b. the results of any corrective action.
The organization shall continually improve the
484 10.3 suitability, adequacy, and effectiveness of the
quality management system.
The organization shall consider the results of
analysis and evaluation, and the outputs from
485 10.3 management review, to determine if there are
needs or opportunities that shall be addressed as
part of continual improvement.
The organization shall monitor the
486 10.3 implementation of improvement activities and
evaluate the effectiveness of the results.
NOTE: Examples of continual improvement
opportunities can include lessons learned,
487 10.3 problem resolutions, and the benchmarking of
best practices.

This tool is OPTIONAL and presented to NSF-ISR clients as a resource for assisting in their transition efforts.
Rev: Feb 2017
Page 39