Addressing ISO 9001 Risk Management Requirements
Roger Crist, Quality Director, Moxtek, Inc.; and Strategic Partner, MasterControl Inc.
St. Louis Section Annual Quality Conference - Nov 6, 2017
Learning Objectives
In this session you will:
- Become more familiar with the ISO 9001:2015 risk management requirements
- Be shown examples of how risk management requirements can be addressed using various tools
- Learn from our management system examples and experience!
ISO Risk-based thinking IS
- Determining the risks and opportunities that need to be addressed in order to:
  a) Assure objectives will be achieved
  b) Enhance desirable effects (opportunities)
  c) Prevent, or reduce, undesired effects (risks)
  d) Achieve improvement
- Planning the actions to address risks and opportunities (mitigation)
See ISO 9001:2015, section 6.1.1
ISO Risk-based thinking IS
- Addressing risks and opportunities associated with the organization's context and objectives *
- Determining factors that could cause management system processes to deviate from planned results, implementing preventive controls to minimize negative effects, and making maximum use of opportunities as they arise *
* See ISO 9001:2015, section 0.1
ISO Risk-based thinking IS NOT
- Is not a prescriptive requirement to establish formal methods for risk management or a documented risk management process *
- Is not a prescriptive requirement to retain documented information as evidence of its determination of risks *
* See ISO 9001:2015, A.4
However
The organization IS required to plan and implement actions to address risks and opportunities *
Doesn't it make sense to plan what types of risks you will assess, when you will assess these risks, how you will assess these risks (tools), your risk prioritization, and maintain a history of risk assessments and mitigating actions taken?
* See ISO 9001:2015, 0.3.3, and 6.1.2
And don't forget to include how mitigating actions will be
1. Proportionate to the potential impact * on conformance (quality)
2. Integrated and implemented * into the management system
3. Evaluated for effectiveness *
* See ISO 9001:2015, section 6.1.2, 9.1.3, 9.3.2
12 Risk Requirements
#   Risk Requirement                                  Reference
1   Context Risks - External and Internal Issues      ISO 9001, 4.1
2   Context Risks - Interested Parties Requirements   ISO 9001, 4.2
3   Process Design and Change Risks                   ISO 9001, 4.4.1
4   Customer Satisfaction Risks                       ISO 9001, 5.1.2
5   System Change Risks                               ISO 9001, 6.3
6   Resource Requirements Risks                       ISO 9001, 7.1.1
7   Unintended Change Risks                           ISO 9001, 8.1
8   Product Design and Change Risks                   ISO 9001, 8.3.3, 8.3.6
9   Supplier Risks                                    ISO 9001, 8.4.2
10  Reliability Risks                                 ISO 9001, 8.5.5
11  Nonconforming Product Risks                       ISO 9001, 8.7.1
12  Nonconformity and Corrective Action Risks         ISO 9001, 10.1, 10.2.1
1-2) Context Risks (Issues & Rqmts)
- Strategic / Business Planning Context - Internal Issues (4.1)
- Strategic / Business Planning Context - External Issues (4.1)
- Strategic / Business Planning Context - Stakeholder Rqmts (4.2)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 4.1, 4.2, 6.1
3) Process Design & Change Risks
- Management System Process Planning and Change Planning (4.4.1 f, g, and 6.3)
- Manufacturing Process Planning and Change Planning (4.4.1 and 8.1)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 4.4.1, 6.1
4) Customer Satisfaction Risks
- Product Quality Planning and Change Planning (5.1.2)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 5.1.2, 6.1
5) System Change Risks
- Management System Process Change Planning (6.3 a)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 6.3, 6.1
6) Resource Requirements Risks
- Project Planning - Resource Requirements (~7.1.1)
- Strategic / Business Planning - Resource Requirements (~7.1.1)
- Management System Planning - Resource Requirements (~7.1.1)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 7.1.1, 6.1
7) Unintended Change Risks
- Potential Risks Identified in Risk Assessments prior to occurrence (preventive actions)
- Planning for risks resulting from changes that have unintended consequences (8.1)
- Adverse Events Identified in Risk Assessments as soon as possible after occurrence (corrections and corrective actions)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 8.1, 6.1
8) Design and Design Change Risks
- Design Planning (8.3.3)
- Design Change Planning (8.3.6)
- Control Methods: Mistake-Proofing, SPC, Procedures, Training, Inspection
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 8.3.3, 8.3.6, 6.1
9) External Provider (Supplier) Risks
- Supplier Evaluation, Selection, Monitoring, and Re-Evaluation Planning (~8.4.1)
- Make, Buy, or Outsource Process Planning (~8.4.1)
- Type and Extent of Controls applied to Supplier and Output Verification (Incoming Insp) Planning (8.4.2 c1)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 8.4.1, 8.4.2, A.8, 6.1
10) Reliability Risks
- Product Lifetime and Warranty (Reliability) Risk Planning (8.5.5 b)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 8.5.5, 6.1
11) Nonconforming Product Risks
- Nonconformance Action Planning (8.7.1 p2)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 8.7.1, 6.1
12) Nonconformity and Corrective Action Risks
- Correction and Corrective Action Planning (10.1 b, 10.2.1 b3, e)
- Risk Assessment (6.1) Determine risks and opportunities that need to be addressed
* See ISO 9001:2015, 10.1, 10.2.1, 6.1
Take-aways
Through this session, you should have:
- Become more familiar with the ISO 9001:2015 risk management requirements
- Reviewed some examples of how risk management requirements can be addressed using various tools
- Learned from Moxtek Management System (MoxSys) examples!
Questions?
Roger Crist
Desk Phone: (801) 717-4260
Cell Phone: (801) 709-4049
Email: rcrist@moxtek.com, kwality.nerd@gmail.com
Appendix: ISO 31000:2009
Appendix: MoxSys Processes
1- Leadership / Planning Processes
2- Support Processes
3- Operations Processes - Customers
4- Operations Processes - Design
5- Operations Processes - Suppliers
6- Operations Processes - Production
7- Performance Evaluation Processes
8- Improvement Processes
Suppliers Customers External and Internal Issues Market Legal / Regulatory Technology Competition Culture Competencies Capabilities Other Interested Parties (Stakeholders) Employees and Families Communities Stockholders Moxtek Products / Services Design and Development (Phase Review Process) DO Production Processes (Procedures, Travelers, etc.) Customer Purchase Order Review Process Reliability Process Purch / Receiving / Inventory / Production Control / Shipping Customer Communication Process Regulatory Compliance and Legal Process QC Process (Incoming / In Process / Final Inspection) Customer Returns (RMA) Process Requirements Supplier Management Process HR / EHS / IT / Facilities / Maint / Finance Support Processes Supply Chain Process Training Process Document and Records Control Process Incoming Inspection (IQA) Process Calibration Process Document Change Notice (DCN) Process PLAN ACT CHECK Vision / Mission / Values / Charter / Strategic Plan Business Planning (P1 Projects) Process Quality Policy and Quality Objectives Non-Conformance Review (NCR) Process Corrective Action (CAPA) Process Continuous Improvement Process (CI Suggestions, PDCA Projects/Activities) Customer Satisfaction Process Internal Audit Process Management Review Process Customer Satisfaction
Appendix: MoxSys SIPOC and 7M Control Plan
Improve your processes with a SIPOC Map and 7M Control Plan
ASQ World Conference Session W20, May 3, 2017
Appendix: MoxSys Quality Planning Guide
Project Team - Design and Process Engineering, Product Management / Marketing, Production Management, and Quality / Reliability
PRD, Specs, Drawings DFMEA Key Product Characteristics Internal Metrics (Revenue, Profitability, Yield / Scrap, Inventory Loss, etc.) FEEDBACK LOOP Phase Review Project Quality Planning Guide Reliability Planning, Testing, and FMEA Support PFMEA Key Process Characteristics *Mistake Proofing Customer Change Requests (CR's), Product Returns (RMA's), Customer CAPA's, Customer Surveys, Customer Scorecards, Product Lifetime/Warranty Analysis, etc. Flowchart Control Plan *SPC *Control Methods FEEDBACK LOOP *Procedures, Travelers, etc. *Inspection *Training External Customer Requirements Design Validation (External Qualification) Product Design Verification (Internal Qualification) Internal Customer Requirements
Appendix: MasterControl Risk Module (1 of 2)
Appendix: MasterControl Risk Module (2 of 2)
1-Risk Assessment
2-Risk Mitigation
3-Mitigation Approval
4-Risk Reassessment
5-Approval