Addressing ISO 9001 Risk Management Requirements
Roger Crist – Quality Director, Moxtek, Inc.; and Strategic Partner, MasterControl Inc.
St. Louis Section Annual Quality Conference - Nov 6, 2017
Learning Objectives
In this session you will:
• Become more familiar with the ISO 9001:2015 risk management requirements
• Be shown examples of how risk management requirements can be addressed using various tools
• Learn from our management system examples and experience!
ISO “Risk-based thinking” IS…
• Determining the risks and opportunities that need to be addressed in order to:
a) Assure objectives will be achieved
b) Enhance desirable effects (opportunities)
c) Prevent, or reduce, undesired effects (risks)
d) Achieve improvement
• Planning the actions to address risks and opportunities (mitigation)
See ISO 9001:2015, section 6.1.1
ISO “Risk-based thinking” IS…
• “Addressing risks and opportunities associated with the organization’s context and objectives”*
• “Determining factors that could cause management system processes to deviate from planned results, implementing preventive controls to minimize negative effects, and making maximum use of opportunities as they arise”*
*See ISO 9001:2015, section 0.1
ISO “Risk-based thinking” IS NOT…
• Is not a prescriptive requirement to establish “formal methods for risk management or a documented risk management process”*
• Is not a prescriptive requirement to “retain documented information as evidence of its determination of risks”*
*See ISO 9001:2015, A.4
However…
• The organization IS required “to plan and implement actions to address risks and opportunities”*
• Doesn’t it make sense to plan what types of risks you will assess, when you will assess these risks, how you will assess these risks (tools), your risk prioritization, and maintain a history of risk assessments and mitigating actions taken?
*See ISO 9001:2015, 0.3.3, and 6.1.2
And don’t forget to include how mitigating actions will be…
1. “Proportionate to the potential impact”* on conformance (quality)
2. “Integrated and implemented”* into the management system
3. Evaluated for “effectiveness”*
*See ISO 9001:2015, section 6.1.2, 9.1.3, 9.3.2
12 Risk Requirements

| # | Risk Requirement | Reference |
|---|---|---|
| 1 | Context Risks - External and Internal Issues | ISO 9001, 4.1 |
| 2 | Context Risks - Interested Parties Requirements | ISO 9001, 4.2 |
| 3 | Process Design and Change Risks | ISO 9001, 4.4.1 |
| 4 | Customer Satisfaction Risks | ISO 9001, 5.1.2 |
| 5 | System Change Risks | ISO 9001, 6.3 |
| 6 | Resource Requirements Risks | ISO 9001, 7.1.1 |
| 7 | Unintended Change Risks | ISO 9001, 8.1 |
| 8 | Product Design and Change Risks | ISO 9001, 8.3.3, 8.3.6 |
| 9 | Supplier Risks | ISO 9001, 8.4.2 |
| 10 | Reliability Risks | ISO 9001, 8.5.5 |
| 11 | Nonconforming Product Risks | ISO 9001, 8.7.1 |
| 12 | Nonconformity and Corrective Action Risks | ISO 9001, 10.1, 10.2.1 |
1-2) Context Risks (Issues & Rqmts)
*See ISO 9001:2015, 4.1, 4.2, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need to
be addressed
Strategic / Business Planning Context - Internal Issues
(4.1)
Strategic / Business Planning Context - External Issues
(4.1)
Strategic / Business Planning Context - Stakeholder Rqmts
(4.2)
3) Process Design & Change Risks
*See ISO 9001:2015, 4.4.1, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need to
be addressed
Management System Process Planning and
Change Planning
(4.4.1 f, g, and 6.3)
Manufacturing Process Planning and
Change Planning
(4.4.1 and 8.1)
4) Customer Satisfaction Risks
*See ISO 9001:2015, 5.1.2, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need to
be addressed
Product Quality Planning and Change Planning
(5.1.2)
5) System Change Risks
*See ISO 9001:2015, 6.3, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need to
be addressed
Management System Process Change Planning
(6.3 a)
6) Resource Requirements Risks
*See ISO 9001:2015, 7.1.1, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need
to be addressed
Strategic / Business Planning - Resource Requirements
(~7.1.1)
Project Planning - Resource Requirements
(~7.1.1)
Management System Planning - Resource Requirements
(~7.1.1)
7) Unintended Change Risks
*See ISO 9001:2015, 8.1, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need to
be addressed
Planning for risks resulting from changes that have unintended
consequences (8.1)
Potential Risks
• Identified in Risk Assessments prior to occurrence (preventive actions)
Adverse Events
• Identified in Risk Assessments as soon as possible after occurrence (corrections and corrective actions)
8) Design and Design Change Risks
Risk Assessment (6.1)
Determine risks and opportunities that need
to be addressed
Design Planning (8.3.3)
Design Change Planning
(8.3.6)
*See ISO 9001:2015, 8.3.3, 8.3.6, 6.1
Control Methods
Inspection
Training
Procedures
SPC
Mistake-Proofing
9) External Provider (Supplier) Risks
*See ISO 9001:2015, 8.4.1, 8.4.2, A.8, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need
to be addressed
Type and Extent of Controls applied to Supplier and Output Verification (Incoming Insp) Planning (8.4.2 c1)
Supplier Evaluation, Selection, Monitoring, and Re-Evaluation Planning (~8.4.1)
Make, Buy, or Outsource Process Planning (~8.4.1)
10) Reliability Risks
*See ISO 9001:2015, 8.5.5, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need to
be addressed
Product Lifetime and Warranty (Reliability)
Risk Planning (8.5.5 b)
11) Nonconforming Product Risks
*See ISO 9001:2015, 8.7.1, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need to
be addressed
Nonconformance Action Planning (8.7.1 p2)
12) Nonconformity and Corrective Action Risks
*See ISO 9001:2015, 10.1, 10.2.1, 6.1
Risk Assessment (6.1)
Determine risks and opportunities that need to
be addressed
Correction and Corrective Action
Planning (10.1 b, 10.2.1 b3, e)
Take-aways
Through this session, you should have:
• Become more familiar with the ISO 9001:2015 risk management requirements
• Reviewed some examples of how risk management requirements can be addressed using various tools
• Learned from Moxtek Management System (MoxSys) examples!
Questions?
Roger Crist
Desk Phone: (801) 717-4260
Cell Phone: (801) 709-4049
Appendix: ISO 31000:2009
Appendix: MoxSys Processes
External and Internal Issues: Market | Legal / Regulatory | Technology | Competition | Culture | Competencies | Capabilities
Other Interested Parties (Stakeholders): Employees and Families | Communities | Stockholders
Customers
Suppliers
PLAN | DO | CHECK | ACT
Moxtek Products / Services
1- Leadership / Planning Processes
2- Support Processes
3- Operations Processes - Customers
4- Operations Processes - Design
5- Operations Processes - Suppliers
6- Operations Processes - Production
7- Performance Evaluation Processes
8- Improvement Processes
Corrective Action (CAPA) Process
Non-Conformance Review (NCR) Process
Continuous Improvement Process (CI Suggestions,
PDCA Projects/Activities)
Customer Satisfaction Process
Management Review Process
Internal Audit Process
Vision / Mission / Values / Charter / Strategic Plan
Business Planning (P1 Projects) Process
Quality Policy and Quality Objectives
Design and Development (Phase Review Process)
Reliability Process
Regulatory Compliance and Legal Process
Production Processes (Procedures, Travelers, etc.)
Purch / Receiving / Inventory / Production Control / Shipping
QC Process (Incoming / In Process / Final Inspection)
Customer Purchase Order Review Process
Customer Communication Process
Customer Returns (RMA) Process
HR / EHS / IT / Facilities / Maint / Finance
Support Processes
Calibration Process
Training Process
Document and Records Control Process
Document Change Notice (DCN) Process
Supplier Management Process
Supply Chain Process
Incoming Inspection (IQA) Process
Customer Satisfaction
Requirements
Appendix: MoxSys SIPOC and 7M Control Plan
“Improve your processes with a SIPOC Map and 7M Control Plan” ASQ World Conference – Session W20 – May 3, 2017
Appendix: MoxSys Quality Planning Guide
DFMEA
PFMEA
Control Plan
Key Product Characteristics
Key Process Characteristics
*Control Methods
*Procedures, Travelers, etc.
*Training
*Mistake Proofing
*SPC
*Inspection
Phase Review Project
Quality Planning Guide
Reliability Planning, Testing, and FMEA Support
Customer Change Requests (CR’s), Product Returns (RMA’s), Customer CAPA’s,
Customer Surveys, Customer Scorecards, Product Lifetime/Warranty Analysis, etc.
Product
External Customer Requirements
FEEDBACK LOOP
Project Team - Design and Process Engineering, Product Management / Marketing, Production Management, and Quality / Reliability
Internal Customer Requirements
FEEDBACK LOOP
Internal Metrics (Revenue, Profitability, Yield / Scrap, Inventory Loss, etc.)
PRD, Specs, Drawings
Flowchart
Design Verification (Internal Qualification)
Design Validation (External Qualification)
Appendix: MasterControl Risk Module (1 of 2)
Appendix: MasterControl Risk Module (2 of 2)
1-Risk Assessment
2-Risk Mitigation
3-Mitigation Approval
4-Risk Reassessment
5-Approval