Design Exclusion: When to Include (or Exclude) ISO 9001 Clause 8.3

One of the first decisions in any ISO 9001 implementation is figuring out what applies and what doesn't. For small machine shops and contract manufacturers, Clause 8.3 - Design and Development - is usually the first candidate for exclusion. And in a lot of cases, that's the right call.

But it's not always as clear-cut as it seems.

I've worked with manufacturers who were confident they didn't do design. They machine parts to customer prints. They don't create new products. Open and shut, right? Then somewhere in the conversation, a scenario comes up: "Well, sometimes a customer sends us a physical part with no drawing, and we measure it, create the print, figure out tolerances, and produce from there." That's reverse engineering. And depending on who your auditor is, that can land squarely in Clause 8.3 territory.

What Clause 8.3 Actually Covers

Design and development, in ISO 9001 terms, is broader than most people think. It's not limited to creating a brand-new product from scratch. The standard defines it as establishing requirements for products and services that haven't been previously defined in sufficient detail to allow production.

When a customer hands you a finished part and says "make me more of these," you're doing several things that look a lot like design activity:

• Measuring the original part to determine dimensions
• Establishing tolerances where none were specified
• Creating a print or model that becomes the production reference
• Making decisions about materials, finishes, or processes based on your expertise

You're converting an undefined input (a physical sample) into a defined output (a producible specification). That's the essence of what 8.3 is getting at.

The Blanket Exclusion Approach

Many small manufacturers take the straightforward path: exclude 8.3 entirely. In the scope statement, they note that design and development is not applicable because the organization manufactures to customer-supplied specifications and does not design products.

For shops that genuinely only work from customer prints, models, and purchase orders with clearly defined requirements, this works fine. If every job comes in with a drawing, tolerances, material specs, and finish requirements already defined, you're producing to specification - not designing.

The key question is whether your customer provides sufficient detail for you to produce the product without making design-type decisions. If they do, exclusion is clean and defensible.

Where It Gets Gray

The trouble shows up with contract manufacturers who mostly work from prints but occasionally get jobs that don't come with complete specs. Common scenarios:

Reverse engineering from a physical sample. A customer ships you an existing part - maybe an obsolete component they can't source anymore - and asks you to replicate it. You measure it, determine dimensions, set tolerances, maybe create a CAD model, and develop a print. All from a physical sample with no engineering documentation.

Customer-supplied sketches or napkin drawings. I've seen a client describe getting a hand-drawn sketch of a part on, literally, a napkin. For a simple turning and cutoff cycle, sure, that might be enough. But for a part requiring specific chamfer angles, cross-drilling, and tight tolerances? You're filling in a lot of blanks that the customer didn't specify.

Verbal specifications with no documentation. A customer calls and describes what they need. You translate that into something producible. The engineering decisions are yours.

In each case, you're taking incomplete input and developing the technical specifications that define the product. That's design activity, at least by a strict reading of the standard.

The Auditor Variable

Here's where it gets practical. Whether reverse engineering triggers a Clause 8.3 finding depends heavily on the auditor's interpretation - and auditors vary.

Some auditors take a pragmatic view. If you're a small machine shop, you don't have an engineering department, and you can demonstrate that the customer approved the final specifications before production, they'll accept the exclusion and move on. They'll note that the reverse engineering is rare and that you have controls around getting customer sign-off.

Other auditors read the standard more strictly. If you're establishing product specifications that didn't previously exist, that's design activity, and they expect to see 8.3 controls applied.

The risk with a blanket exclusion when you do occasionally perform reverse engineering isn't catastrophic. In a worst case, you get a minor Nonconformity at certification and have to add 8.3 controls after the fact. It won't tank your audit. But it's a known risk worth evaluating rather than ignoring.

The Scaled-Down Alternative

If you want to avoid that risk entirely, the alternative isn't as painful as it sounds. You don't need to build a full-blown design and development process with stage gates and design reviews like a product engineering company would.

Instead, scope Clause 8.3 specifically to reverse engineering activities. The process might be as simple as:

• Receive customer sample or incomplete specs - Document what you received and what's missing
• Develop specifications - Measure the part, establish dimensions and tolerances, create the print or model
• Customer review and approval - Send the developed specs back to the customer for sign-off before production begins
• Retain records - Keep the customer-approved print, the original sample reference, and the approval documentation

That's it. The standard wants to see that Design Inputs were identified, the output (your developed print) was reviewed and verified, and changes were controlled. For a reverse engineering scenario, the customer-approved print is both your Design Output and your verification record.

Making the Decision

The right answer depends on a few factors:

How often does it happen? If you've never actually reverse-engineered a part for this business entity, exclusion is clean. You can always add 8.3 later if the situation arises. If it happens regularly, build the process now.

What's your risk tolerance? A blanket exclusion with known reverse engineering activity is a calculated risk, not a guaranteed finding. If you'd rather not worry about it, scope 8.3 down to reverse engineering and have the process in place.

Do you anticipate growth in that area? If you're building out capabilities or pursuing customers who are likely to send sample-based work, getting the process documented now - even before you have records to show for it - positions you well. At audit time, you explain that you have the process ready for when it's needed, and the auditor notes there's nothing to audit because it hasn't occurred yet. That's a perfectly acceptable situation.

The Practical Takeaway

For most small contract manufacturers, the decision tree is straightforward:

• You only produce to customer-supplied prints and specs - Exclude 8.3. Clean justification.
• You occasionally reverse-engineer from samples or develop specs from incomplete input - Either accept the risk of a blanket exclusion (knowing an auditor might flag it) or add a simple, scoped 8.3 process for reverse engineering only.
• Reverse engineering or specification development is a regular part of your work - Include 8.3. Build the process. It doesn't have to be complicated, but it should exist.

The worst outcome isn't the auditor finding you should have included 8.3. It's discovering during your Certification Audit that you excluded something you shouldn't have, scrambling to address it, and wishing you'd spent the two hours up front getting it right.

If you're not sure whether Clause 8.3 applies to your operation, or you want help scoping it appropriately, we offer a free initial consultation to help you figure out where you stand.