“RISK” IN ISO 9001:2015/AS 9100
to explain how risk is addressed in ISO 9001/AS 9100
to explain what is meant by ‘opportunity’ in ISO 9001/AS 9100
to address the concern that risk-based thinking replaces the process approach
to address the concern that preventive action has been removed from ISO 9001/AS 9100 to explain in simple terms each element of a risk-based approach
One of the key changes in the revision of ISO 9001/AS 9100 is to establish a systematic approach to risk, rather than treating it as a single component of a quality management system.
In previous editions of ISO 9001/AS 9100, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard.
By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based.
3. What is risk-based thinking?
Risk-based thinking is something we all do automatically.
Example: If I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car.
Risk-based thinking has always been in ISO 9001/AS 9100 – this revision builds it into the whole management system.
In ISO 9001/AS 9100 risk is considered from the beginning and throughout the standards, making preventive action part of strategic planning as well as operation and review.
Risk-based thinking is already part of the process approach.
Example: To cross the road I may go directly or I may use a nearby footbridge.
Which process I choose will be determined by considering the risks.
Risk is commonly understood to be negative. In risk-based thinking opportunity can also be found – this is sometimes seen as the positive side of risk.
Example: Crossing the road directly gives me an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars.
The risk of using a footbridge is that I may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car.
Opportunity is not always directly related to risk but it is always related to the objectives. By considering a situation it may be possible to identify opportunities to improve.
Example: Analysis of this situation shows further opportunities for improvement: a subway leading directly under the road pedestrian traffic lights, or diverting the road so that the area has no traffic
It is necessary to analyze the opportunities and consider which can or should be acted on. Both the impact and the feasibility of taking an opportunity must be considered. Whatever action is taken will change the context and the risks and these must then be reconsidered.
4. Where is risk addressed in ISO 9001/AS 9100?
The concept of risk-based thinking is explained in the introduction of ISO 9001/AS 9100.
- ISO 9001/AS 9100 defines risk as the effect of uncertainty on an expected result. An effect is a deviation from the expected – positive or negative.
2. Risk is about what could happen and what the effect of this happening might be
3. Risk also considers how likely it is
The target of a management system is to achieve conformity and customer satisfaction.
ISO 9001/AS 9100 uses risk-based thinking to achieve this in the following way:
Clause 4 (Context) the organization is required to determine the risks which may affect this.
Clause 5 (Leadership) top management are required to commit to ensuring
Clause 4 is followed.
Clause 6 (Planning) the organization is required to take action to identify risks and opportunities.
Clause 8 (Operation) the organization is required to implement processes to address risks and opportunities.
In Clause 9 (Performance evaluation) the organization is required to monitor, measure, analyze and evaluate the risks and opportunities.
In Clause 10 (Improvement) the organization is required to improve by responding to changes in risk.
5. Why use risk-based thinking?
By considering risk throughout the organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking therefore:
builds a strong knowledge base
establishes a proactive culture of improvement
assures consistency of quality of goods or services
improves customer confidence and satisfaction
Successful companies intuitively take a risk-based approach
6. How do I do it?
Use a risk-driven approach in your organizational processes. Identify what YOUR risks and opportunities are – it depends on context
Example: If I cross a busy road with many fast-moving cars the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.
Analyze and prioritize your risks and opportunities
What is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another?
Example: Objective: I need to safely cross a road to reach a meeting at a given time.
It is UNACCEPTABLE to be injured.
It is UNACCEPTABLE to be late.
The opportunity of reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time.
It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high.
I analyze the situation. The footbridge is 200 meters away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time.
I decide that walking directly across the road carries an acceptably low level of risk of injury and an opportunity to reach my meeting on time. Plan actions to address the risks
How can I avoid or eliminate the risk? How can I mitigate risks?
Example: I could eliminate risk of injury by using the footbridge but I have already decided that the risk involved in crossing the road is acceptable.
Now I plan how to reduce the likelihood of injury and/or the effect of injury. I cannot reasonably expect to control the effect of a car hitting me. I can reduce the probability of being hit by a car.
I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also choose to cross the road at a place where I have good visibility and can safely stop in the middle to re-assess the number of moving cars, further reducing the probability of an accident. Implement the plan – take action
Example: I move to the side of the road, check that there are no barriers to crossing and that there is a safe place in the center of the moving traffic. I check there are no cars coming. I cross half of the road and stop in the central safe place. I assess the situation again and then cross the second part of the road.
Check the effectiveness of the actions – does it work?
Example: I arrive at the other side of the road unharmed and on time: this plan worked and undesired outcomes have been avoided.
Learn from experience – continual improvement
Example: I repeat the plan over several days, at different times and in different weather conditions.
This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury).
Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars.
To limit the risk I revise and improve my process by using the footbridge at these times.
I continue to analyze the effectiveness of the processes and revise them when the context changes.
I also continue to consider innovative opportunities:
can I move the meeting place so that the road does not have to be crossed?
can I change the time of the meeting so that I cross the road when it is quiet?
can we meet electronically?
risk-based thinking is not new.
risk-based thinking is something you do already.
risk-based thinking is continuous.
risk-based thinking ensures greater knowledge and preparedness.
risk-based thinking increases the probability of reaching objectives.
risk-based thinking reduces the probability of poor results.
risk-based thinking makes prevention a habit.
Transitioning From ISO/TS 16949:2009 to IATF 16949:2016
A NEW EVOLUTION
First developed in 1999, ISO/TS 16949 has become one of the most widely used International Standards in the automotive industry today. In 2016, the industry is set to evolve with the publication of a new global industry standard by the International Automotive Task Force (IATF).
ISO/TS 16949 was first developed by the IATF in conjunction with ISO’s technical committee for quality management, ISO/TC 176. As a result, ISO/TS 16949 integrated with ISO 9001 by including specific requirements from the automotive sector.
In October 2016, the IATF will publish a revised automotive industry standard, and the first edition will be referred to as “IATF 16949.”
This new standard will supersede and replace the current ISO/TS 16949:2009, defining the requirements of a quality management system for organizations in the automotive industry.
IATF 16949 is aligned with and refers to the most recent version of ISO’s quality management systems standard, ISO 9001:2015, fully respecting its structure and requirements. IATF 16949 is not a standalone quality management standard, but is implemented as a supplement to, and in conjunction with, ISO 9001:2015. This means that an organization in the automotive sector seeking IATF 16949 certification must also comply with ISO 9001:2015.
HIGH RISK, HIGH COST
The automotive industry produces high-risk, high-cost products and services and has tightly controlled industry requirements; therefore, IATF 16949 better aligns with the needs of its stakeholders. According to the IATF 16949 Revision Team, the goal of this standard is the development of a quality management system that provides for continual improvement, emphasizing defect prevention, and the reduction of variation and waste in the supply chain.
A SMOOTH TRANSITION
IATF 16949 plays an essential role in ensuring quality requirements are met, thus reducing the risk of product and service failure for automotive production, service and/or accessory parts organizations. Certification to IATF 16949 is mandatory for organizations who wish to manufacture parts for the automotive industry.
To get you pointed in the right direction, this whitepaper will cover the following topic:
- Transition Guidance
- Transition Timeline
- New High Level Structure
- Preview of IATF 16949 changes
INTENT BEHIND THE REVISION
ISO standards are reviewed every five years to determine what changes, if any, are required to keep the standards up-to-date and relevant. Since the ISO 9001:2008 revision, business needs and expectations have changed significantly.
The new ISO 9001:2015 better meets customer requirements, adapts to new technologies, better integrates with complex supply chains, and addresses the need for more sustainable development initiatives.
This is accomplished through a better understanding of the organization’s context and relevant interested parties, and by taking appropriate actions to address risks and opportunities at every level.
IATF 16949 fully supports these changes in ISO 9001:2015 with additional requirements that better meet automotive industry needs. Alignment with the ISO 9001:2015 structure makes it easier for organizations that need to implement more than one quality management system standard. If IATF 16949 is implemented and properly managed, an organization will:
Receive recognition from regulatory authorities
Produce safer and more reliable products
Meet or exceed customer requirements
Improve processes and documentation system
ISO 9001:2015 ISO’s flagship quality management systems standard was published on September 23, 2015.
IATF 16949 was projected to be published in October 2016.
Rules for Achieving and Maintaining IATF Recognition 5th Edition was projected to publish in November 2016.
Auditor Registration: All active third-party auditors registered in the IATF ADP must pass the IATF 16949 and Rules 5th training and quiz modules or they will be subject to deactivation.
Future Audits to IATF16949: Beginning October 1, 2017, all audits must be to IATF 16949 using Rules 5th Edition, and all organizations seeking initial certification can no longer certify to ISO/TS 16949.
IATF 16949 Transition Complete: Transition to IATF 16949 must be complete by September 14, 2018. All ISO/TS 16949 certificates will no longer be valid.
TRANSITION GUIDANCE: SUPPLIERS
The IATF has communicated that there will only be one transition option for organizations: Transition in line with the organization’s current ISO/TS 16949 audit cycle.
Organizations transitioning from ISO/TS 16949:2009 to IATF 16949 must transition to the new standard through a transition audit in line with the organization’s current regularly scheduled recertification audit or surveillance audit, as defined in the IATF:
For organizations currently certified to ISO/TS 16949, here is a recommended action plan for transitioning:
Familiarize yourself ISO 9001:2015 and IATF 16949.
Perform an organizational gap analysis against ISO 9001:2015 and IATF 16949 to identify the differences that need to be addressed to ensure your organization’s QMS meets all the new requirements, including those related to external providers.
Based on the results of the gap analysis, develop an implementation plan specific to your organization.
Provide appropriate training for all individuals involved in implementing ISO 9001:2015 and IATF 16949 at your organization.
Update your existing system and provide evidence that your organization meets the new requirements.
NEW HIGH LEVEL STRUCTURE
ISO 9001 embraces a new structure by switching from eight clauses to ten clauses in the 2015 revision.This change allows the standard to better align with business strategic direction, become more compatible with other management system standards, and incorporate the Plan-Do-Check-Act approach, as shown below.
Terms and definitions
Set objectives and build processes necessary to deliver results.
4. Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding needs and expectations of interested parties
4.3 Determining the scope of the quality Management system
4.4 Quality management system and its processes
5.1 Leadership and commitment
5.3 Organizational roles, responsibilities and authorities
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of changes
7.5 Documented information
Implement what was planned
8.1 Operational planning and control
8.2 Requirements for products and services
8.3 Design and development of products and services
8.4 Control of externally provided processes, products and services
8.5 Production and service provision
8.6 Release of products and services
8.7 Control of nonconforming outputs
Monitor and measure processes and results against the objectives, including effectiveness, efficiency and risk.
9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
Take actions to improve results.
10.2 Nonconformity and corrective action
10.3 Continual improvement
An organization is not required to reflect the new ten-clause structure and terminology in the documentation of their organization’s quality management system.
The purpose of the new structure is to provide a clear presentation of the requirements; it is not to intended to be a model for documenting an organization’s policies, objectives and processes.
If an organization’s quality system documentation is currently aligned based on the structure of a previous standard, you are encouraged to consider realigning your documentation according to your organization’s value stream instead.
Aligning the QMS with the business structure allows organizations to customize their documentation based on their unique business needs.
Too many organizations impose a structure tied to the standard that is neither natural nor easy to understand within the organization.
IATF16949 KEY CHANGES
Unlike ISO/TS 16949 and some other industry-specific standards, IATF 16949 does not contain the ISO 9001:2015 text. The document contains only the automotive-specific additional requirements; however, the organization is still required to comply with ISO 9001:2015. IATF 16949 clarifies that it is a supplement to be used in conjunction with ISO 9001:2015.
IATF 16949 shares the same general section headings and clause structure as ISO 9001:2015, without reciting the text. This ensures all IATF 16949 requirements are fully aligned with the ISO 9001:2015 high level structure.
Risk mitigation takes center stage in IATF 16949, as it does in ISO 9001:2015. IATF 16949 adds a number of specific risk-related requirements to minimize the likelihood of failure during new program development and to maximize the potential realization of planned activities. These additions are the result of industry best practices intended to make businesses safer and more stable by identifying and mitigating risk.
To ensure risk-based thinking is pervasive throughout the organization, top management needs to be actively engaged. Responsibilities include:
Conducting contingency planning reviews
Identifying and supporting of process owners
Participating in the escalation process related to product safety
Ensuring achievement of customer performance targets and quality objectives
Implementing corporate responsibility initiatives including an anti-bribery policy,
an employee code of conduct, and an ethics escalation policy (“whistle-blowing policy”)
IATF 16949 requires that “organizations shall ensure conformance of all products and processes, including service parts and those that are outsourced.” This use of the word “ensure” implies that the organization needs to establish and maintain a system that mitigates the risk of nonconformance throughout the supply chain.
The organization is ultimately responsible for all conformity and must cascade all applicable requirements down the supply chain to the point of manufacture.
The standard reinforces the concept of a “multidisciplinary approach” throughout the product lifecycle, and particularly during design and development planning activities. IATF 16949 adds additional controls for the management of development projects throughout the cycle, which eventually concludes with a product approval process.
As well, the automotive standard adds a large number of requirements to specifically address the development of manufacturing processes. Manufacturing processes may have the same output requirements as those specified for the product; however, customers often require the use of specific Automotive Core Tools, such as capturing and analyzing risk via a PFMEA.
These sorts of considerations are included in IATF 16949 in an attempt to mitigate risk even before manufacturing the product or installing machinery.
Survival in the automotive industry requires continuous change to address internal and external issues. Organizations need to adopt a process to assess the risk of changes and take appropriate action. IATF 16949 requirements to manage changes include:
1. Assessing manufacturing feasibility for changes to existing operations.
2. Evaluating design changes after initial product approval.
3. Reviewing control plans for changes affecting product, manufacturing process,
4. measurement, logistics, supply sources, production volume changes, or risk analysis.
5. Controlling and reacting to changes that impact product realization, including
6. changes caused by the organization, the customer, or any supplier. This includesboth permanent and temporary changes.
8. Adjusting the frequency of internal audits based on occurrence of process
Other sources of risk, such as how to deal with nonconforming outputs, are covered in more detail to ensure suppliers are aligned with their customers.
INTEGRATION OF CUSTOMER-SPECIFIC REQUIREMENTS
IATF 16949 integrates many common industry practices previously found in customer-specific requirements. Integrating these common practices as requirements encourages commonality throughout the industry and aims to reduce the need for extensive customer-specific requirements in these areas.
Also important is the clear distinction between customer requirements and customer-specific requirements (CSRs). In IATF 16949, these two terms are defined as follows:
Customer Requirements: All requirements specified by the customer (e.g., technical, commercial, product and manufacturing process-related requirements, general terms and conditions, customer-specific requirements, etc.)
Customer-Specific Requirements:Interpretations of or supplemental requirements linked to a specific clause(s) of this Automotive QMS Standard.
The new standard more clearly defines these two terms to reduce misunderstandings, and to facilitate the sampling of customer-specific quality management system requirements for effective implementation.
For example, the organization needs to review and agree with customer requirements such as packaging manuals and manufacturing process guidelines. However, for customer-specific requirements, organizations need to review and agree after considering the impact on their entire QMS.
Here are some examples of areas that were previously customer-specific requirements that are now included in more detail in IATF 16949:
Temporary change of process controls
Supplier quality management system development
Control of changes
Total productive maintenance
FIRST AND SECOND PARTY AUDITOR COMPETENCY
IATF 16949 adds additional requirements for both first and second-party auditors, which include:
Organizations shall have a documented process to verify internal auditor
When training internal auditors, documented information shall be retained to demonstrate trainer’s competency with the additional requirements.
Organizations shall demonstrate the competency of second-party auditors, and second-party auditors shall meet customer-specific requirements for auditor qualification.
This standard also outlines the minimum competencies for auditors, which include:
Automotive process approach for auditing, including risk- based thinking
Applicable core tools requirements
Applicable customer-specific requirements
Software development assessment methodologies, if applicable
These changes may require a competence gap analysis followed by additional auditor training and development activities.
Product safety is an entirely new section in the IATF standard, and a transitioning organization must have documented processes for the management of product-safety related products and manufacturing processes. New requirements related to product safety include, where applicable:
Special approval of control plans and FMEAs
Training identified by the organization or customer for personnel involved in product safety related products and associated manufacturing processes.
Transfer of requirements with regard to product safety throughout the supply chain, including customer- designated sources
This clause highlights the fact that a product should perform to its designed or intended purpose without causing unacceptable harm or damage. Organizations must have processes in place to ensure product safety throughout the entire product lifecycle.
In the new standard, an organization is required to assess if they are capable of achieving the performance and timing targets specified by the customer, otherwise known as manufacturing feasibility.
While ISO/TS 16949 did require this kind of manufacturing feasibility analysis, it did not impose specific requirements. The new standard’s specific requirements include:
Using a multidisciplinary approach
Performing the analysis for any new manufacturing or product technology and for any changed manufacturing process or product desig
Validating their ability to make product specifications at the required rate through production runs, benchmarking studies or other appropriate methods
Based on the increasing importance of warranty management, a new requirement has been added to IATF 16949.
When an organization is required to provide warranty for their product(s), the warranty management process must address and integrate all applicable customer-specific requirements and warranty party analysis procedures to validate No Trouble Found (NTF). Decisions should be agreed upon by the customer, when applicable.
DEVELOPMENT OF PRODUCTS WITH EMBEDDED SOFTWARE
IATF 16949 requirements for products with embedded software reflect the additional challenges as we move toward more of a drive-by-wire world. The standard references embedded software in the requirements for product validation, warranty and troubleshooting of issues in the field.
A product requiring embedded software may need to comply with sourcing-from-origin requirements established by a customer. OEM requirements for sourcing and materials change frequently, and early changes to a program may negatively affect timing and increase risk.
Embedded software is here to stay and the new version of the standard may require companies to look at their purchased parts (now called outsourced components) and identify risks in their current system based on this new focus.