Risk

Risks, AS9100D 6.1 and 8.1.1

The management system defined by ISO9001:2015 and AS9100D depends on you defining your processes and assessing the risks associated with these processes. The organization mitigates risks through planning, action and review. To do this, the AS9100D standard requires that the context of the organization be understood, see AS9100D 4.1. This entails determining external and internal issues that are relevant to the business and the organization’s strategic direction and how these affect the organization’s ability to achieve its goals.

Strategic direction is a course of action that leads to achieving the organization’s goals.

Three common areas of focus in a strategic plan are vision planning (future vision), scenario planning (what if) and issues planning (solving challenges).

Examples of what a strategic plan includes: evaluating the strengths and weaknesses of the organization.

 

You will also need to define the organization’s interested parties, their requirements and expectations as related to the QMS. These must be monitored over time and included in your management review, see AS9100D 9.3.2 b.

 

Now that you have all of this in place, we can discuss risk.

Starting with AS9100D 6.1, when planning for the QMS (function, structure, mechanics), you must consider context and interested parties as we have stated above. Hopefully, you can enhance the desired effects and prevent or reduce the undesired effects.

In addition, the organization must plan actions to address risks and opportunities and how to implement and evaluate these actions. As guidance, the AS9100D states:

Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.

 

To meet these requirements, the QMS Database includes a section for Context, Interested Parties and SWOT analysis. Without the QMS Database, you could create spreadsheets for each, or some other tool to record the data.

 

AS9100D 8.1.1 also includes requirements for operational risk. If you are familiar with AS9100C, you are likely to recognize these requirements. These risks relate to requirements applied to processes and products by customers, POs, drawings and specifications.

Often these risks are captured and managed using an FMEA process for processes, product families, customers, etc. Also, risks are identified and assessed on an order-by-order basis as defined by the organization.

Important to note:

Clause 6.1 addresses the risks and opportunities when planning for the quality management system.

Clause 8.1.1 is limited to the risks associated with the operational processes needed for the provision of products and services.

 

But Wait, There’s More!

There is more to risk in AS9100D. Paragraph 8.2.2 d requires that you identify operational risks.

Paragraph 8.4.1 requires that you identify and manage risks associated with suppliers and that this is reflected in your verification (aka receiving inspection) activities.

When raw material has been identified as a high risk, you shall implement a process to evaluate test reports. Be sure raw material is a part of your risk assessment!

Paragraph 8.5.1.3 Production Process Verification suggests risk assessment activities.

Paragraph 9.1.34 Analysis and Evaluation includes actions taken to address risks.

Paragraph 9.3.3 Management Review Outputs item d is risks identified.

Paragraph 10.2 Nonconformity and Corrective Action includes updating risks and opportunities determined during planning.

 

KPIs - AS9100D 4.4.1C

The standard says: “c. determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;”

To comply with AS9100D and/or ISO9001:2015 you must define your QMS processes. In so doing, you must also define the measurement(s) that will be used to track performance for each of these processes. The measure must be numeric, specific to the process and add value. In addition, you need to establish acceptance performance criteria. For example, if you have a process you call “Production” you may have a process measure like “percent defective per month to be less than 1.5%.” You must measure, monitor and report the percent defective each month as an indicator of performance of the process called Production. This data and data over time (some graphic to show trends) must also be reported in management review (see AS9100 and ISO9001 paragraph 9.3).

This requirement applies to all processes (defined by you) which fall within section 8.0 of AS9100D or ISO9001:2015. Likely processes are:

  • Sales/Contract Review

  • Design and Development

  • Purchasing

  • Production

You cannot have one key process indicator (KPI) like “Customer Satisfaction” or “On Time Delivery” and apply it to all processes. Of course, all of your processes contribute to customer satisfaction and on time delivery; however, it is not specific, that is, not telling of the process performance. If on time delivery is poor, which process needs improvement? All of them?

Measures need to add value to the business and be important to the organization’s success. Don’t limit yourself to traditional “quality control” measures. Consider: profit, planned cost variance, customer satisfaction, sales capture rate, inventory turns and the like.

Establish targets that are realistic, based on actual performance data. If your on time delivery averages 65%, then maybe your KPI (aka objective) should not be 100% on time delivery (OTD). In this case, maybe 75% would be realistic. If Production quality is high, say 98% or better, then your KPI should be >98% per month. Do not state 100% only to later beat yourself up because your quality was only 99.2%. There is probably no value in that!

You are likely to have a “Quality” process that includes final inspection activities (AS9100D 8.6) and control of non-conforming product activities (AS9100D 8.7). Given that these requirements are within section 8.0, must you have a KPI for this process of “Quality?” The answer is NO, if you have defined the processes correctly. If your interaction of processes diagram (IOP) shows the process of Quality as a support process, then a KPI (objective) is not required. See our news post titled “Interaction of Processes.” You may have a measure for the process of Quality if you like, but it is not required. Warning: The standard requires monitoring, measurement where applicable, and analysis of QMS processes.

Some data must be collected and reported. These are: on time delivery, supplier quality and supplier on time delivery. In addition, information to be monitored and used for the evaluation of customer satisfaction shall include, but is not limited to, product and service conformity, on-time delivery performance, customer complaints, and corrective action requests. The organization shall develop and implement plans for customer satisfaction improvement that address deficiencies identified by these evaluations, and assess the effectiveness of the results.

Further, performance to KPIs must be trended over time and reported in management review. KPIs that are not meeting the established criteria must be acted upon, aka, corrective action.

For AS9100D audits, your PEAR score will be affected by performance to objectives. Failure to implement improvements will lower your PEAR score even further.

Processes can have more than one objective (KPI). Keep your objectives simple, realistic, measurable and numeric, with a defined time frame and defined responsibility.

Interaction of Processes

The Interaction of Processes (IOP) chart or graphic is very important and a critical starting point for managing your Quality System. The IOP must define your business processes and address all applicable requirements of ISO9001 or AS9100. The requirements for an IOP are the same for both standards and these requirements haven't changed much since ISO9001:2000. Because these requirements have been around for so long, it is surprising how many companies struggle to get it right.

AS9100D 4.4.1 states:

The organization (that's you) shall establish, implement, maintain, and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.
The organization’s quality management system shall also address customer and applicable statutory and regulatory quality management system requirements.
The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:
a. determine the inputs required and the outputs expected from these processes;
b. determine the sequence and interaction of these processes;
c. determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
d. determine the resources needed for these processes and ensure their availability;
e. assign the responsibilities and authorities for these processes;
f. address the risks and opportunities as determined in accordance with the requirements of 6.1;
g. evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
h. improve the processes and the quality management system.

Stated plainly, you must list the processes e.g. QA, HR, Sales, Purchasing, Engineering, Production, etc., etc. Included in this "listing" are inputs, outputs and interactions.

How will you assess the performance of these processes? If the process is intended to meet certain AS9100D requirements that fall within section 8, then meaningful, measurable targets must be in place. These need to define the time frame for obtaining the objective and who is responsible and how the objective is to be met (see AS9100D 6.2). The performance of the processes shall be reviewed during management review (see AS9100D 9.3).

For these processes, assign responsibilities. This could be an organization chart. This could be defined in procedures. This could be in job descriptions.

Understand and address risks related to each process. This can be a Risk Matrix, or an FMEA or any styling of risk assessment you like.

Finally, improve the performance of these processes over time.

Will a "list" really work for this? No, but it may be a good starting point. The truth is, the best way to meet this set of requirements is to create a flow chart which depicts the processes and shows the sequence and interactions between processes.

Tips and Tricks

No doubt you'll end up with "support processes" and/or "management processes" and/or "leadership processes."  These are support processes and as such, a defined objective is NOT required if you are careful to note that these are support.

For example: you may have a process called QC and QC is responsible for the requirements of calibration (7.1.5.1, 7.1.5.2) and inspection (8.6) and control of non-conforming outputs (8.7). Processes falling within section 8 shall have objectives. For this example (8.6 and 8.7), are objectives required? Maybe. If QC is support, then no objective is required.

Why not have a process called Production which includes Purchasing, Engineering and Manufacturing? These will be considered "Core processes" and KPIs (objectives) are required. You cannot apply one objective, say on time delivery, to all of these. Objectives must be specific, measurable, and meaningful to the process. If you miss the objective, who is responsible? If you hit the objective, who is rewarded?

It is smarter to divide a large process like production into logical pieces each having their own KPI(s).

Common Mistakes

The IOP defines the business into significant processes. Sales is a likely process. Do not turn the IOP into a department flow chart noting order entry, credit check, decision points and every other activity related to Sales. Keep it simple.

Some IOPs fail to cover all AS9100D requirements. It is not required, but very helpful, to note the paragraphs of the AS9100 that apply to each process.

If you'd like to see a very easy example, please feel free to email me and I'll send a good (not perfect) IOP back to you.

Will the QMS Database help you with all of this? Of course it does. QMS processes, objectives, responsibilities and management review are all included.

Last Note

The IOP drives the audits performed by your certification body. They must follow the process you define, so keep it simple and ensure all requirements are accounted for on the IOP.

Do I need a Quality Manual?

The short answer..."maybe."

ISO9001:2015 and AS9100D no longer require a "Quality Manual." Of course there is required documented information, and these standards suggest that you can place this information into a single document called a "Quality Manual." What do your customers expect? They are still very likely to expect you to have a Quality Manual. In this case, you'll need one. What works for your organization? However you structure your QMS, it must work for you and your customers.

Often, the Quality Manual is a worthless rewrite of the ISO or AS standard.  Don't waste your time! If you are writing a Quality Manual, make it meaningful, tell something that is helpful to the organization.  You don't need 54 pages of fluff. Here is what you must have if you decide that a Quality Manual is right for you...

A cover page with company name, document name, date, revision and approver's signature.

Documented information to support the operation, i.e. list of your procedures.
A general description of relevant interested parties and their requirements.
The scope of the quality management system, including boundaries and applicability.
A description of the processes needed for the quality management system and their application throughout the organization.
The sequence and interaction of these processes.
Assignment of the responsibilities and authorities for these processes.

Remember, ISO and AS are about defining processes (and the requirements) and managing risks. Manage risks by identifying them and mitigating them.

Updated Website/Newsletter

AS9100 revision D has been out for some time now. Implementation teams are having difficulties with section 4.0, Context of the Organization and section 6.0, Planning.

Context of the Organization

Be sure you have properly defined your processes and their interaction. The IOP (interaction of processes) chart/graphic must be correct in order to properly manage the QMS and to communicate your QMS to your third-party auditor.

Planning

Prior to revision D, you had to mitigate risks and have objectives. Now in rev D, it is expected that there be formal plans in place for each significant risk to mitigate these risks. Plans are also expected to be in place for achieving objectives.

The QMS Database addresses both of these sections and gives you a template to follow for creating these plans.