Welcome to the Whittington & Associates e-Newsletter!

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, ISO 22000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.

ISO 9001 and Risk

What does ISO 9001 say regarding risk management? Well, ISO 9001:2008, clause 0.4, repeats this statement unchanged from the ISO 9001:2000 standard (underlines are my emphasis):

This International Standard does not include requirements specific to other management systems, such as those particular to environmental management, occupational health and safety management, financial management, or risk management.

It seems to clearly state there are no requirements in ISO 9001 for risk management. However, the revised statement below from ISO 9001:2008, clause 0.1, says "risk" will influence how you set up your quality management system:

"The design and implementation of an organization's quality management system is influenced by its organizational environment, change in that environment, and the risks associated with that environment, ..."

Although ISO 9001:2008 doesn't include any requirements for risk management, does it include any that are risk-related? Consider clause 5.6.2, Input (Management Review), which states:

"The input to management review shall include information on (f) changes that could affect the quality management system."

To determine how a change might affect the quality management system, you should assess the likelihood of the change happening, when it might happen, and its impact if it did happen. This sounds like considering the risk associated with a change to understand its effect.

And, what about clause 8.5.3, Preventive Action, when you consider potential problems and try to keep them from happening? Wouldn't that involve identifying, assessing, and mitigating the risk associated with a potential problem?

Risk Guidance

Although ISO 9001:2008 doesn't include a specific requirement for risk management, several places in the standard would cause us to consider risks. And, the guidance standard, ISO 9004:2000, states that an organization "should" consider risk management.

For example, ISO 9004:2000, clause 5.1.2, "Issues to be Considered", states that management should consider identifying and managing risks. And, clause 5.4.2, "Quality Planning", says that inputs for effective and efficient planning include risk assessment and mitigation data.

Clause 5.6.3, "Management Review Output", says additional outputs may include loss prevention and mitigation plans for identified risks. Clause 6.3, "Infrastructure", states that infrastructure planning should consider the identification and mitigation of associated risks.

Clause 7.1.3.1, "Managing Processes - General", says an operating plan should be defined to manage the processes, including identification, assessment, and mitigation of risk.

Clause 7.1.3.3, "Product and Process Validation and Changes", says that risk assessment should be undertaken to assess the potential for, and the effect of, possible failures or faults in processes. And, that the results of the assessment should be used to define and implement preventive actions to mitigate the identified risks.

Clause 7.3.1, "Design and Development", says management has the responsibility to ensure steps are taken to identify and mitigate potential risk to the users of the product and the processes of the organization. Risk assessment should be undertaken to assess the potential for, and effect of, possible failures or faults in products or processes. The results of the assessment should be used to define and implement preventive actions to mitigate the identified risks.

Clause 7.4.1, "Purchasing Process", says management should identify and mitigate any risk associated with the purchased product. Clause 7.5.2, "Product Identification" (yes, 7.5.2 in ISO 9004, not 7.5.3 as in ISO 9001), says the need for identification and traceability may arise from the mitigation of identified risks. Clause 8.5.3, "Loss Prevention", refers to the data generated from the use of risk analysis tools, such as fault mode and effects analysis.

But what is risk management?

Risk Management

Risk is a product of the uncertainty of future events and is a part of any process. It is a fact for any organization. We typically try to stay away from situations that involve high risk. However, when we cannot avoid risk, we look for ways to reduce it (or its impact). Yet, even with careful planning and preparation, risks cannot be completely eliminated because they cannot be completely identified in advance. However, strange as it may seem, risk is essential to progress.

The opportunity to succeed also carries the opportunity to fail. So, we have to learn to balance the possible negative consequences of risk with the potential benefits of its associated opportunity. Risk may be defined as the possibility to suffer damage or loss. The possibility is characterized by three factors:

1. The probability, or likelihood, that loss or damage will occur.
2. The expected time of occurrence.
3. The magnitude of the negative impact that can result from its occurrence.

The seriousness of a risk can be determined by multiplying the probability of the event actually occurring by the potential negative impact to cost, schedule, or performance:

Risk Severity = Probability of Occurrence x Potential Negative Impact

Risks where the probability of occurrence is high and the potential impact is very low, or vice versa, are not considered as serious as the risks where both the probability of occurrence and the potential impact are medium to high. Managers should recognize and accept the fact that risk is inherent in any activity.

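As an added example (not from the newsletter, and not a tool of Whittington & Associates), the Python below applies the severity formula above to a small risk register and goes one step beyond the text by ranking the entries and applying a treatment rule. The register entries, the 1-to-5 impact scale and the 1.5 "mitigate" threshold are constructed assumptions for the illustration; the expected time of occurrence is carried along as the second of the three factors listed above.

```python
# Added example: scoring and ranking a risk register with
# Risk Severity = Probability of Occurrence x Potential Negative Impact.
# The register entries, the 1-5 impact scale and the 1.5 treatment threshold
# are constructed assumptions for this illustration, not values from the newsletter.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # likelihood the loss or damage occurs, 0.0 to 1.0
    impact: int          # potential negative impact to cost, schedule or performance, 1 (slight) to 5 (severe)
    expected_when: str   # expected time of occurrence, kept so the register can be scheduled


def severity(risk: Risk) -> float:
    """Risk Severity = Probability of Occurrence x Potential Negative Impact."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be between 0 and 1")
    if not 1 <= risk.impact <= 5:
        raise ValueError(f"{risk.name}: impact must be on the 1-5 scale")
    return risk.probability * risk.impact


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Most serious first, so proactive risk management effort goes to the top of the list."""
    return sorted(risks, key=severity, reverse=True)


def treatment(risk: Risk, threshold: float = 1.5) -> str:
    """Assumed decision rule: at or above the threshold, take measures to reduce
    probability or impact; below it, accept the risk and keep monitoring it."""
    return "mitigate" if severity(risk) >= threshold else "accept and monitor"


# Constructed sample register (hypothetical entries).
REGISTER = [
    Risk("Key supplier misses delivery", 0.5, 4, "next quarter"),
    Risk("Calibration lab backlog delays a gauge", 0.9, 1, "this month"),
    Risk("Design tool licence lapses", 0.1, 5, "year end"),
    Risk("Obsolete work instruction still in use", 0.75, 3, "next surveillance audit"),
]


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{severity(r):4.2f}  {treatment(r):18}  {r.name} ({r.expected_when})")
```

Run as a script, the register comes out in the order the newsletter's rule predicts: the two medium/medium entries (0.75 x 3 = 2.25 and 0.5 x 4 = 2.0) rank above the high-probability/very-low-impact entry (0.9 x 1 = 0.9) and the low-probability/high-impact entry (0.1 x 5 = 0.5), so only the first two cross the assumed threshold and are flagged for mitigation.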
There are two ways of dealing with this risk. One, risk management, is proactive and carefully analyzes future project events and past projects to identify potential risks. Once risks are identified, they are dealt with by taking measures to reduce their probability or to reduce their impact. The alternative to risk management is crisis management. It is a reactive and resource-intensive process, with available options constrained or restricted by events.

Because risk will be found in all areas, and will often be interrelated, risk management should address all processes of the system. Learning to balance the possible negative consequences of risk with its potential benefits is the key to successful risk management.

Prepare for an Audit

To prepare your organization for an external audit:

- Communicate the audit scope and schedule
- Ensure key contacts are available for interview
- Verify process owners can clearly describe:
  - inputs and outputs
  - resources and methods
  - controls and measures
- Arrange for auditor access to documentation
- Plan the logistics for the audit team visit

Managers of the areas to be audited should:

- Become familiar with the documents in their area
- Walk through the area for a spot check on operations
- Verify that only valid documents are being used
- Identify records that prove requirements are met
- Be prepared to share performance results for their area
- Ensure that the work areas are clean and orderly
- Confirm that past nonconformities have been fixed
- Brief employees on how to interact with auditors
- Communicate a positive, learning view of the audit
- Participate in the audit briefings and meetings

Auditors will need escorts, so their guides should:

- Know the quality system and how it operates
- Understand the audit plan and functional areas
- Be available by staying with the audit team
- Clarify, not answer, for the person interviewed
- Act as witnesses for any audit nonconformities
- Help keep the auditors on the planned schedule
- Take good notes for possible follow-up actions

Of course, employees in the areas to be audited should:

- Understand the quality policy and their role
- Prepare by participating in internal audits
- Know where their documents are located
- Be able to quickly retrieve their records
- Know how to respond to auditor questions
- Be prepared to demonstrate their activities
- Be aware of quality objectives for their area

Employees should be ready to answer audit questions such as:

- What is the overall purpose of this process?
- Please describe your job and responsibilities.
- What are the process inputs and who supplies them?
- What resources are needed for this process?
- What are the process outputs and who receives them?
- How do you know what to do?
- What training, skill, and experience are needed?
- Show me, or tell me, how you do the job.
- How do you know if it is done right?
- When it is not right, what do you do?
- What records are kept of this activity?
- How is the process controlled?
- What are the process objectives?
- How is the performance measured?
- How could this process be improved?

When being interviewed, employees should:

- Listen carefully to the auditor questions
- Provide brief, accurate, honest answers
- Answer specific questions, not volunteer
- Avoid steering the auditor to other discussions
- Be cooperative, not misleading or defensive
- Avoid digressing, speculating, or embellishing
- Ask for clarification if they don't understand
- Admit if they don't know the answer to a question
- Refer the auditor to the right person for an answer

After the audit, be sure to:

- Thank everyone for their participation
- Summarize audit results to the organization
- Request corrective actions, as needed
- Monitor actions for timely completion
- Verify corrective actions are effective
- Inform the audit body, as appropriate
- Analyze results and identify any trends
- Initiate preventive actions, as needed

Actions After Audits

According to ISO 9001:2000, clause 8.2.2, on internal audits, we were to "... ensure that actions are taken without undue delay to eliminate the detected nonconformities and their causes". Many organizations interpreted these actions to be taken as "corrective actions", and they were partially right.

ISO 9001:2008 expanded the internal audit requirement to say "ensure that any necessary corrections and corrective actions are taken ...". This revision tells us that an immediate correction might be needed before determining the cause of the nonconformity and taking corrective action to prevent its recurrence.

The only other place in the standard that refers to correction is in clause 8.2.3, Monitoring and Measurement of Processes. It continues to state in ISO 9001:2008, as it did in ISO 9001:2000, that "When planned results are not achieved, correction and corrective action shall be taken, as appropriate ...".

Clauses 8.2.2 and 8.2.3 both call for process monitoring. If you are monitoring a process as required by clause 8.2.3, and it doesn't achieve its planned results, you are to (as appropriate) take correction and corrective action. Clause 8.2.2 now matches 8.2.3 by saying if processes being monitored by an internal audit don't meet their requirements, then take the necessary corrections and corrective actions.

What is a correction? ISO 9000:2005 defines it as the "action to eliminate a detected nonconformity", whereas it says corrective action is the "action to eliminate the cause of a detected nonconformity ...".

So, when a process is not meeting its requirements (per 8.2.2) or planned results (per 8.2.3), the problem must be eliminated, as necessary (8.2.2) or appropriate (8.2.3). And, then when we know what caused the nonconforming situation, corrective action must be taken (as necessary or appropriate) to remove the cause and prevent the recurrence of the nonconforming situation.

Another view of clause 8.2.2 and clause 8.2.3 is through the ISO 9000:2005 definition of effectiveness, the "extent to which planned activities are realized and planned results achieved". Part of clause 8.2.2 calls for audits to determine if a system conforms to planned arrangements and is effectively implemented. Clause 8.2.3 says to take action when planned results are not achieved.

So, clauses 8.2.2 and 8.2.3 both monitor process effectiveness and both expect correction and corrective action to be taken.

How Many Shalls?

Have you ever been asked how many requirements are in ISO 9001:2008? Well, one answer might be that there are 136 "shall" statements in the standard, spread across the five major clauses as shown below:

But, how do you count a "shall" with multiple sub-clauses? Should each sub-clause be viewed as a separate requirement? For example, look at clause 4.1, General Requirements. It has a total of five "shall" statements. However, one of the "shall" statements has six sub-clauses, identified as "a" through "f", each of which could be viewed as a unique requirement.

And, take a look at clause 6.3, Infrastructure. It has one "shall" statement, then in the next sentence, continues with a sub-clause list of items that could be considered as infrastructure examples, as applicable.

So, how many requirements would you count for clause 6.3? One or four?

As you can see, coming up with a total requirement count for the standard is not an easy task, or a necessary one. What is important is that we are aware of the requirements, and conform to them, and not worry about the best way to count them.

AS9100C Transition Plan

The International Aerospace Quality Group (IAQG) has proposed a 30-month transition timeline for existing certified organizations. However, due to the need for global harmonization and the release of supporting standards, the start date for transition had not been set (as of the date of this article).

A possible scenario could be:

- January 2009: AS9100C was released.
- March 2009 - August 2009: 6 months for training providers to develop training for the new standard.
- September 2009 - August 2010: 12 months to train certification bodies and auditors.
- September 2010 - August 2011: 12 months for all companies to update to the new standard at their next surveillance or recertification.

The On-line Aerospace Supplier Information System (OASIS) database will be used to share IAQG expectations and track client transition activity via certification body issuance of AS9100C certificates. The AS9100C transition start date will be communicated via OASIS when it becomes available.

In regard to auditor training, the IAQG Other Party Management Team (OPMT) is developing sanctioned training for aerospace auditors. All Aerospace Auditors (AA, AEA, and AIEA) will be required to complete this supplemental training prior to conducting any AS9100C audits for certification purposes under the Industry Controlled Other Party (ICOP) process. This training will cover transition and client assessment to the AS9100 series of standards (9100, 9101, 9110, and 9120).

The Aerospace standard, AS9100:2009, Revision C, is available for purchase at the SAE web site (http://www.sae.org) for a member price of $48.00, or list price of $61.00. The standard can be ordered at the ASQ web site (http://www.asq.org) for a member and list price of $61.00.

AS9100C Differences

The differences in AS9100C versus AS9100B are described in my paper, Changes in AS9100C, which can be downloaded as a PDF file from our web site.

Additions based on the changes from ISO 9001:2008 are underlined and highlighted in yellow in the paper. Additions in the unique AS9100C parts of the text are underlined and highlighted in green. All the unique unchanged AS9100C text is shown in bold.

The underlining of new text will allow readers to spot the additions, even if the paper is printed without color. AS9100C and ISO 9001:2008 texts are shown inside boxes and in italics to help separate the text from the comments. Deleted text from ISO 9001:2000 and AS9100B is indicated by strikethroughs.

Most of the text in AS9100B (and ISO 9001:2000) was not affected by AS9100C (and ISO 9001:2008). The unaffected parts of AS9100B, carried over unchanged into AS9100C, are not repeated in the paper.

Whittington & Associates provides training, consulting and auditing services for management systems based on ISO 9001, ISO/TS 16949, ISO/TS 29001, TL 9000, AS9100, AS9110, AS9120, ISO 13485, ISO 27001, ISO 20000, and ISO 14001.