Top 10 Things You Need to Know About Implementing Risk-Based Thinking
Understanding ISO 9001:2015’s new requirement
Richard Harpster
Published: Wednesday, January 10, 2018 - 12:01
The concept of risk-based thinking has been implicit in previous editions of ISO 9001 through requirements planning, review, and improvement. But ISO 9001:2015 requires companies to use risk-based thinking to manage their business. If you want to implement an ISO 9001:2015-compliant quality management system (QMS) that uses risk-based thinking, there are 10 things you need to know.
Top 10 things you need to know
1. What is risk?
Risk has two components. The first is the probability of an objectionable incident occurring. The second is the severity of harm when the objectionable incident occurs.
2. How is risk reduced?
Risk can be reduced by reducing the probability of occurrence of the objectionable incident or the severity of harm when the objectionable incident occurs. It is typically much more difficult to reduce the severity of harm than to reduce the probability of the objectionable incident occurring.
3. Where are the sources of risk in a company?
Every process in a company is a source of risk. An objectionable incident occurs whenever a process does not perform as intended. The severity of harm is based on the type of process.
Risk-based thinking is preventive. It requires a company to analyze its processes to determine the potential causes of its processes not performing as intended. Once the potential causes are identified, controls are created to prevent the causes and the resultant failures in performance. Additional controls can be created to minimize the effects of the process not performing as intended. The implementation of prevention controls and effect mitigation controls is also a potential source of risk.
Risk-based thinking is also used to select the opportunities the company will pursue. While opportunities provide benefits to a company, they can also expose it to risk if the wrong opportunity is selected.
4. What processes does ISO 9001:2015 require risk-based thinking to be used on?
The standard is nonprescriptive when defining the processes that risk-based thinking must be used on. The standard allows the company to define the processes that make up the QMS. Once the company defines the processes that make up the QMS, risk-based thinking must be implemented on them.
5. What is the relationship between risk-based thinking and plan-do-check-act?
The standard requires that risk-based thinking be integrated with the plan-do-check-act cycle. The integration is accomplished by assessing the risk of the “plan” before performing the “do” step.
6. What are the key steps in managing process risk within the QMS system?
Once the processes that make up the QMS system are defined, there are four steps to managing process risk with the QMS system:
• The inputs and outputs for each process in the QMS system must be defined.
• The sequence and interaction of the QMS processes must be defined.
• The risks of the required processes must be defined.
• An action plan must be developed to address the risks of the required processes to confirm the QMS can achieve its intended results, enhance the probability of desirable process outputs, and prevent or reduce the probability of undesirable outputs.
7. How does a company prioritize which QMS process risks to work on?
Actions taken to reduce risk shall be proportionate to the potential impact the actions will have on the quality of delivered products and services. Because companies do not have unlimited resources, it is not possible to work on all the sources of risk within QMS processes.
8. What types of risk management tools does the standard require companies to use?
The standard does not require the use of any specific risk management tools. The following risk-management tools can be very effective when used correctly.
• Requirements Risk Assessment (RRA): Two of the greatest sources of risk for companies that design products are improper definitions of customer requirements and design requirements. Companies can end up spending millions of dollars in design changes when customer requirements and/or design requirements are improperly defined. Companies that provide their products to a marketplace have the considerable challenge of creating a single product that multiple customers with different wants and needs will purchase. An RRA is performed to define a set of risk-optimized customer and design requirements.
• Design failure mode and effects analysis (DFMEA): Once the design requirements have been optimized, product design specifications must be created that define a product that will meet them. DFMEA is a risk assessment of the adequacy of the product design specifications in defining a product that will meet the design requirements.
• Process failure mode and effects analysis (PFMEA): The product must be manufactured to the design specifications. The PFMEA is a risk assessment of the adequacy of the process in manufacturing a product that will meet the product design specifications.
• Usage Risk Assessment (URA): A product can fail if it is not used as intended. A URA is conducted to assess the adequacy of the design and usage instructions to prevent failure due to improper use.
9. What elements of the risk management system must be documented?
The standard does not require the risk management system to be formalized or documented. The standard does not define the elements that the risk management system must have.
10. Should a company implement a risk management system that is more robust than the system described in the standard?
Because risk management is very critical to business success and it is difficult to effectively implement a system that is neither formalized nor documented, businesses may want to do more than the standard requires to facilitate effective implementation of the risk management system. A good starting point would be creating a formalized and documented risk management system as well as training on it.
Summary
There is a lot of misunderstanding about what ISO 9001:2015 means by its requirement to implement risk-based thinking. I believe people are making it much more difficult than it is. If you are a successful company, there is a high likelihood that you are already implementing some form of risk-based thinking. Hopefully, this article will assist you in properly implementing risk-based thinking to manage your company so you can experience the many benefits of its use.
Join Harpco Systems’ Richard Harpster and Quality Digest’s editor in chief Dirk Dusharme for the webinar, “Ten Things You Need to Know When Implementing ISO 9001:2015-Compliant Risk-Based Thinking,” on Wed., Jan. 17, 2018, at 11 a.m. Pacific/2 p.m. Eastern.
About The Author
Richard Harpster
Richard Harpster is president of Harpco Systems, which he founded in 1987. Harpco Systems specializes in providing software, training, and consulting for risk-based product lifecycle management (RBPLM). During the past 30 years, Harpster has helped hundreds of companies implement improved risk-based design and manufacturing systems in a wide variety of industries. He is a recognized expert in the application of FMEAs and has invented several new concepts, including the linking of design FMEAs to process FMEAs in 1990, which became an automotive industry standard 18 years later. His latest inventions in the field of RBPLM include Requirements Risk Assessment (RRA), Usage Risk Assessment (URA), Multiple Integrated Cause Analysis (MICA), and Rapid Integrated Problem Solving (RIPS). He has published several papers on the topic of RBPLM.
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest” is a trademark owned by Quality Circle Institute, Inc.