Addressing ISO 9001 Risk Management Requirements
Roger Crist – Quality Director, Moxtek, Inc.; and Strategic Partner, MasterControl Inc.
St. Louis Section Annual Quality Conference - Nov 6, 2017

Learning Objectives

In this session you will:

• Become more familiar with the ISO 9001:2015 risk management requirements
• Be shown examples of how risk management requirements can be addressed using various tools
• Learn from our management system examples and experience!

ISO “Risk-based thinking” IS…

• Determining the risks and opportunities that need to be addressed in order to:
    a) Assure objectives will be achieved
    b) Enhance desirable effects (opportunities)
    c) Prevent, or reduce, undesired effects (risks)
    d) Achieve improvement
• Planning the actions to address risks and opportunities (mitigation)

See ISO 9001:2015, section 6.1.1

ISO “Risk-based thinking” IS…

• “Addressing risks and opportunities associated with the organization’s context and objectives”*
• “Determining factors that could cause management system processes to deviate from planned results, implementing preventive controls to minimize negative effects, and making maximum use of opportunities as they arise”*

*See ISO 9001:2015, section 0.1

ISO “Risk-based thinking” IS NOT…

• Is not a prescriptive requirement to establish “formal methods for risk management or a documented risk management process”*
• Is not a prescriptive requirement to “retain documented information as evidence of its determination of risks”*

*See ISO 9001:2015, A.4

However…

• The organization IS required “to plan and implement actions to address risks and opportunities”*
• Doesn’t it make sense to plan what types of risks you will assess, when you will assess these risks, how you will assess these risks (tools), your risk prioritization, and maintain a history of risk assessments and mitigating actions taken?

*See ISO 9001:2015, 0.3.3, and 6.1.2

And don’t forget to include how mitigating actions will be…

1. “Proportionate to the potential impact”* on conformance (quality)
2. “Integrated and implemented”* into the management system
3. Evaluated for “effectiveness”*

*See ISO 9001:2015, section 6.1.2, 9.1.3, 9.3.2

12 Risk Requirements

# | Risk Requirement | Reference
1 | Context Risks - External and Internal Issues | ISO 9001, 4.1
2 | Context Risks - Interested Parties Requirements | ISO 9001, 4.2
3 | Process Design and Change Risks | ISO 9001, 4.4.1
4 | Customer Satisfaction Risks | ISO 9001, 5.1.2
5 | System Change Risks | ISO 9001, 6.3
6 | Resource Requirements Risks | ISO 9001, 7.1.1
7 | Unintended Change Risks | ISO 9001, 8.1
8 | Product Design and Change Risks | ISO 9001, 8.3.3, 8.3.6
9 | Supplier Risks | ISO 9001, 8.4.2
10 | Reliability Risks | ISO 9001, 8.5.5
11 | Nonconforming Product Risks | ISO 9001, 8.7.1
12 | Nonconformity and Corrective Action Risks | ISO 9001, 10.1, 10.2.1

1-2) Context Risks (Issues & Rqmts)

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Strategic / Business Planning Context - Internal Issues (4.1)
• Strategic / Business Planning Context - External Issues (4.1)
• Strategic / Business Planning Context - Stakeholder Rqmts (4.2)

*See ISO 9001:2015, 4.1, 4.2, 6.1

3) Process Design & Change Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Management System Process Planning and Change Planning (4.4.1 f, g, and 6.3)
• Manufacturing Process Planning and Change Planning (4.4.1 and 8.1)

*See ISO 9001:2015, 4.4.1, 6.1

4) Customer Satisfaction Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Product Quality Planning and Change Planning (5.1.2)

*See ISO 9001:2015, 5.1.2, 6.1

5) System Change Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Management System Process Change Planning (6.3 a)

*See ISO 9001:2015, 6.3, 6.1

6) Resource Requirements Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Strategic / Business Planning - Resource Requirements (~7.1.1)
• Project Planning - Resource Requirements (~7.1.1)
• Management System Planning - Resource Requirements (~7.1.1)

*See ISO 9001:2015, 7.1.1, 6.1

7) Unintended Change Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

Planning for risks resulting from changes that have unintended consequences (8.1)

Potential Risks
• Identified in Risk Assessments prior to occurrence (preventive actions)

Adverse Events
• Identified in Risk Assessments as soon as possible after occurrence (corrections and corrective actions)

*See ISO 9001:2015, 8.1, 6.1

8) Design and Design Change Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Design Planning (8.3.3)
• Design Change Planning (8.3.6)

Control Methods
• Inspection
• Training
• Procedures
• SPC
• Mistake-Proofing

*See ISO 9001:2015, 8.3.3, 8.3.6, 6.1

9) External Provider (Supplier) Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Type and Extent of Controls applied to Supplier and Output Verification (Incoming Insp) Planning (8.4.2 c1)
• Supplier Evaluation, Selection, Monitoring, and Re-Evaluation Planning (~8.4.1)
• Make, Buy, or Outsource Process Planning (~8.4.1)

*See ISO 9001:2015, 8.4.1, 8.4.2, A.8, 6.1

10) Reliability Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Product Lifetime and Warranty (Reliability) Risk Planning (8.5.5 b)

*See ISO 9001:2015, 8.5.5, 6.1

11) Nonconforming Product Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Nonconformance Action Planning (8.7.1 p2)

*See ISO 9001:2015, 8.7.1, 6.1

12) Nonconformity and Corrective Action Risks

Risk Assessment (6.1): Determine risks and opportunities that need to be addressed

• Correction and Corrective Action Planning (10.1 b, 10.2.1 b3, e)

*See ISO 9001:2015, 10.1, 10.2.1, 6.1

Take-aways

Through this session, you should have:

• Become more familiar with the ISO 9001:2015 risk management requirements
• Reviewed some examples of how risk management requirements can be addressed using various tools
• Learned from Moxtek Management System (MoxSys) examples!

Questions?

Roger Crist

Desk Phone: (801) 717-4260

Cell Phone: (801) 709-4049

Email: [email protected], [email protected]

Appendix: ISO 31000:2009

Appendix: MoxSys Processes

External and Internal Issues: Market | Legal / Regulatory | Technology | Competition | Culture | Competencies | Capabilities

Other Interested Parties (Stakeholders): Employees and Families | Communities | Stockholders

Customers

Suppliers

PLAN | DO | CHECK | ACT

Moxtek Products / Services

1- Leadership / Planning Processes
2- Support Processes
3- Operations Processes - Customers
4- Operations Processes - Design
5- Operations Processes - Suppliers
6- Operations Processes - Production
7- Performance Evaluation Processes
8- Improvement Processes

Corrective Action (CAPA) Process

Non-Conformance Review (NCR) Process

Continuous Improvement Process (CI Suggestions,

PDCA Projects/Activities)

Customer Satisfaction Process

Management Review Process

Internal Audit Process

Vision / Mission / Values / Charter / Strategic Plan

Business Planning (P1 Projects) Process

Quality Policy and Quality Objectives

Design and Development (Phase Review Process)

Reliability Process

Regulatory Compliance and Legal Process

Production Processes (Procedures, Travelers, etc.)

Purch / Receiving / Inventory / Production Control / Shipping

QC Process (Incoming / In Process / Final Inspection)

Customer Purchase Order Review Process

Customer Communication Process

Customer Returns (RMA) Process

HR / EHS / IT / Facilities / Maint / Finance

Support Processes

Calibration Process

Training Process

Document and Records Control Process

Document Change Notice (DCN) Process

Supplier Management Process

Supply Chain Process

Incoming Inspection (IQA) Process

Customer Satisfaction

Requirements

Appendix: MoxSys SIPOC and 7M Control Plan

“Improve your processes with a SIPOC Map and 7M Control Plan” ASQ World Conference – Session W20 – May 3, 2017

Appendix: MoxSys Quality Planning Guide

DFMEA

PFMEA

*Procedures, Travelers, etc.

Control Plan

*Training

*Mistake Proofing

*SPC

*Inspection

Key Product Characteristics

Key Process Characteristics

*Control Methods

Phase Review Project

Quality Planning Guide

Reliability Planning, Testing, and FMEA Support

Customer Change Requests (CR’s), Product Returns (RMA’s), Customer CAPA’s, Customer Surveys, Customer Scorecards, Product Lifetime/Warranty Analysis, etc.

Product

External Customer Requirements

FEEDBACK LOOP

Project Team: Design and Process Engineering, Product Management / Marketing, Production Management, and Quality / Reliability

Internal Customer Requirements

FEEDBACK LOOP

Internal Metrics (Revenue, Profitability, Yield / Scrap, Inventory Loss, etc.)

PRD, Specs, Drawings

Flowchart

Design Verification (Internal Qualification)

Design Validation (External Qualification)

Appendix: MasterControl Risk Module (1 of 2)

Appendix: MasterControl Risk Module (2 of 2)

1-Risk Assessment

2-Risk Mitigation

3-Mitigation Approval

4-Risk Reassessment

5-Approval