AN AUDITOR’S PERSPECTIVE: MANAGING CHANGE …...One ISO 9001:2015 goal is to enhance requirements for addressing changes at system and operational levels. ISO 9001:2015 requirements

The IAQG is a legally incorporated interna6onal not for profit associa6on (INPA) with membership from the Americas, Europe and the Asia Pacific Region (Rev. 08-2015)

ANAUDITOR’SPERSPECTIVE:MANAGINGCHANGETOANORGANIZATION'SQMSANDPRODUCTION/SERVICEPROVISION

AAQG WORKSHOP – JULY 20, 2017 GEORGE J. RINGGER, MSA, P.E.

ASACB ACCREDITATION MANAGER


Purpose

ThisworkshopisintendedtohelpaFendeesbeFerunderstand,fromanauditor’sperspecMve,theconceptofmanagingchangestoanorganizaMon'sQMSandproducMon/serviceprovisionasdepictedinrequirementsofISO9001:2015andapplicableAS9100D/AS9110C/AS9120Bstandards.


Some definitions…

Change (Merriam-Webster) •  tomakedifferent;•  togiveadifferentposiMoncourse,ordirecMonto;•  toreplacewithanother;•  toundergoamodificaMonof.

Control (Merriam-Webster) •  to check, test, or verify by

evidence or experiments; •  to exercise restraining or

directing influence over: •  to have power over.

Page§3

Change Control (from ISO 9000:2015 (3.3.10): <configuration management> activities for control of the output (3.7.5) after formal approval of its product configuration information (3.6.8)

The IAQG is a legally incorporated interna6onal not for profit associa6on (INPA) with membership from the Americas, Europe and the Asia Pacific Region (Rev. 08-2015) 4

Some definitions… Risk AS91XX:2016; Annex A.4: Within aviation, space, and defense, risk is expressed as a combination of severity and likelihood of having a potential negative impact to processes, products, services, customer, or end users. Risk (from ISO 9000:2015, (3.7.9): Effect of uncertainty; Uncertainty: The state, even partial, of deficiency of information (3.8.2} related to, understanding or knowledge of, an event, its consequence or likelihood.


Some definitions… The relationship between Change and Risk: Whenever there is a change from a ‘current state’ to a ‘future state’ ‘uncertainty’ is introduced. How certain is the organization in achieving their objectives? It is this ‘uncertainty’ (characterized by likelihood and consequence) that we define as ‘risk’. So. when managing change (to QMS or to operations), an organization should use risk-based thinking to address any uncertainty introduced by the change. These risks should be identified, considered and controlled throughout organization’s QMS and operations.

Page§5


Some definitions… ManagementISO9000(3.3.3):CoordinatedacMviMestodirectandcontrolanorganiza(on(3.2.1)•  Managementcanincludeestablishingpolicies(3.5.8)andobjec(ves(3.7.1).andprocesses(3.4.1)toachievetheseobjecMves.

•  Theword"management"someMmesreferstopeople,i.e.apersonorgroupofpeoplewithauthorityandresponsibilityfortheconductandcontrolofanorganizaMon.

Page§6


Some definitions…

Review ISO 9000 (3.11.2): Determination (3.11.1) of the suitability, adequacy or effectiveness (3.7.11) of an object (3.6.1) to achieve established objectives (3.7.1) Review can also include the determination of efficiency (3.7.10). Object ISO 9000 (3.6.1): Entity; item; anything perceivable or conceivable

Page§7

The IAQG is a legally incorporated interna6onal not for profit associa6on (INPA) with membership from the Americas, Europe and the Asia Pacific Region (Rev. 08-2015) Page § 8

Where does risk (uncertantity) reside?


Corporate risk

StrategicRisk

CreditRisk MarketRisk

OperaMonalRisk

LiquidityRiskInvestmentRisk

RegulatoryRisk

ReputaMonalRisk

ProjectRisk


QMS risk

Support and

Operation (7, 8)

Planning (6)

Performance Evaluation

(9)

Leadership (5)

Plan Do

Check Act

Organization and its context

(4)

Customer requirements

Needs and expectations of

relevant Interested parties (4)

Products and services

Customer satisfaction

Results of the QMS

Improvement (10)

QMS(4)

10


Operational Risk within the QMS

Support and

Operation (7, 8)

Planning (6)

Performance Evaluation

(9)

Leadership (5)

Plan Do

Check Act

Organization and its context

(4)


Needs and expectations of

relevant Interested parties (4)


Customer satisfaction

Results of the QMS

Improvement (10)

QMS(4)

11


Operational Risk within Core Processes

Design (2)

Sales (1) (Contract Review)

Production (Mfg.)

Inventory Control


+ 8.2.3.1

(product conformity; OTD


Purchasing

Core(Primary)Processes)

12 External

Providers

Performance+8.4.1.1(c)(productconformity;OTD

Performance+9.1.2(productconformity;OTD)


Managing change to the QMS & production/service provision


Key word usage between AS9001C and AS9001D

KeyWord AS9100C AS9100DRisk 19Imes 85ImesChange 31Imes 57ImesControl 69Imes 106Imes



One ISO 9001:2015 goal is to enhance requirements for addressing changes at system and operational levels. ISO 9001:2015 requirements provide a strong basis for a managing the strategic direction of the organization. Once the organization has identified its context and interested parties; and then identified the processes that support this linkage, addressing changes becomes an increasingly important for continued success.

Page § 15



Once its processes are determined, an organization will need to identify the risks and opportunities associated with these processes. There are new requirements for managing ‘change’.

6.3 Planning of changes; 8.1 Operational planning and control; 8.1.1 Operational risk management (AS91XX:2016) 8.3.6 Design and development changes, and 8.5.6 Production and Service Provision, Control of changes.

Page § 16


Triggers can cause changes to QMS or production/service

Triggers: –  Customer feedback / complaint –  Product failure –  Employee feedback –  Innovation –  Determined opportunity –  Audit results –  Management Review results –  Identified nonconformity –  others

Things to consider: –  Consequences of the change –  Likelihood of the consequence –  Impact on customers –  Impact on interested parties –  Impact on quality objectives –  Effectiveness of QMS or business

processes –  others

Page § 17


Managing change to the QMS 6.3 Planning of changes; When the organization determines the need for changes to the QMS, the changes shall be carried out in a planned and systematic manner (see 4.4). The organization shall consider the: a) purpose of the changes and their potential consequences; b) integrity of the quality management system; c) availability of resources; d) allocation or reallocation of responsibilities and authorities.

Page § 18

M-WDefiniMon:totakeintoaccount


6 – Risk within an organization


Operational Risk Management 8.1OperaMonalPlanningandControl

TheorganizaMonshallplan,implement,andcontroltheprocesses(see4.4)neededtomeettherequirementsfortheprovisionofproductsandservices,andtoimplementtheacMonsdeterminedinclause6,by:a.  determiningtherequirementsfortheproductsandservices;b.establishingcriteriafor:1.theprocesses;2.theacceptanceofproductsandservices;

c.determiningtheresourcesneededtoachieveconformitytotheproductandservicerequirementsandtomeeton-(medeliveryofproductsandservices;

Page § 20


Audit Trails for 8.1

•  What is their approach to Operational Planning and Control? •  How do they plan? •  Who approves their plan? •  How do they implement their plan? •  What impact does their plan have on the QMS (6.3)? •  Does the output of their plan meet the requirements for the

provision of products and services? How do they know? •  How do they control their operations? •  How do they know the process is in control? •  Who has the authority to control their operations?

Page§21


Audit Trails for 8.1 (a), (b), and (c )

(a):Howdotheydeterminethetherequirementsfortheproductsandservices?(b1):Whatcriteriahavetheyestablishedfortheirprocessesthatcons(tutesbeing‘incontrol’?(b2):Whatcons(tutesacceptancefordeliveryfortheirproductsandservices?(c)Howhavetheydeterminedtheresourcesneededtoachieveconformitytotheproductandservicerequirements?(c)Howhavetheydeterminedtheresourcesneededtomeeton-(medeliveryofproductsandservices;

Page§22


Operational Risk Management

8.1OperaMonalPlanningandControld.implemenMngcontroloftheprocessesinaccordancewiththecriteria;

Page § 23

Audit Trails for 8.1 (d)

•  Whatcontrolsareinplace?•  Howdotheircontrolsrelatetotheircriteria?•  Doesthecriteriasupportthecontractrequirements?


Operational Risk Management 8.1OperaMonalPlanningandControl

e.determining,maintaining,andretainingdocumentedinformaMontotheextentnecessary:1.tohaveconfidencethattheprocesseshavebeencarriedoutasplanned;2.todemonstratetheconformityofproductsandservicestotheirrequirements;

TheoutputofthisplanningshallbesuitablefortheorganizaMon'soperaMons.

Page § 24

Audittrailsfor8.1(e):•  Reviewrecordsfortheirprocess.•  Howdotherecordsdemonstrateproduc(on/serviceconformity?•  Aretheysuitable?Dotheymatchthecontractrequirements?



f.  determiningtheprocessesandcontrolsneededtomanagecriMcalitems,includingproducMonprocesscontrolswhenkeycharacterisMcshavebeenidenMfied;

Page§25

AS9100D:


AudittrailsforAS9100D,8.1(f):

Verify the organization has determined the KC’s for: §  Their processes; §  Their tools; §  Their manufacturing capabilities; Verify how they determined the KC’s ?: Typically based on risk analysis methodology.



g.  engaging representatives of affected organization functions for operational planning and control;

Definition: Engagement ISO9000, (3.1.4): involvement (3.1.3) in, and contribution to, activities to achieve shared objectives (3.7.1)

Page§27

AS9100D: Verb!


AudittrailsforAS9100D,8.1(g):

•  Who is affected by the change? Were they engaged in the change-decision process?

•  Review meeting attendee minutes, approval sign-offs, etc. •  Interview representatives of affected organization functions



h.  determiningtheprocessandresourcestosupporttheuseandmaintenanceoftheproductsandservices;

•  Viaobserva(on;•  Walk-throughoffacility;•  Viainterviews;•  Reviewofmaintenancecontracts/agreements•  Reviewofcustomercomplaints

Page§29

AS9100D:

AudittrailsforAS9100D,8.1(e):



i.  determining the products and services to be obtained from external providers;

Page§30

AS9100D:


AudittrailsforAS9100,8.1(i):

•  How do you determine what products or services you need from external providers to support production?

•  Are there any products &/or services supplied by: –  The customer or the customer’s customer (Tier-1s)? –  Suppliers, including any specialized services? –  Other organization facilities (e.g. multi-site, campus, Several-site,

etc.)? –  Other interested parties? –  Examination of design review; –  Review of the external providers and their appoval; –  Review of criteria and authority for supplier approval;



j.  establishingthecontrolsneededtopreventthedeliveryofnonconformingproductsandservicestothecustomer.

Page§32

AS9100D:


AudittrailsforAS9100,8.1(j):

•  Reviewcriteriaandauthorityforsupplierapproval;•  ReviewApprovedSupplierList;•  ReviewPurchasingandInspec(ontrainingrecords;•  Verifytheoutboundinspec(onprocessincludesthedetec(onofnonconformingproductandservice;

•  Review‘ControlofNon-conformingproduct’process.



8.1 Operational Planning and Control AS9100D; AS9110C; AS9120B: As appropriate to the organization, customer requirements, and products and services, the organization shall plan and manage product and service provision in a structured and controlled manner including scheduled events performed in a planned sequence to meet requirements at acceptable risk, within resource and schedule constraints.

Page § 34



8.1 Operational Planning and Control AS9100D; AS9120B: The organization shall establish, implement, and maintain a process to plan and control the temporary or permanent transfer of work, to ensure the continuing conformity of the work to requirements. The process shall ensure that work transfer impacts and risks are managed.

Page § 35


AudittrailsforAS9100,8.1:

•  Reviewtravelers,frozenprocesses,etc.;

•  Interviewproduc(onsupervisorsonallshiUs;

•  VerifysourcesofsupplywiththosespecifiedbyEngineeringSourceApprovalrequirements;

Page § 36


8.1.1 Operational Risk Management (AS9100D, only. See AS9110C for other requirements)

TheorganizaMonshallplan,implement,andcontrolaprocessformanagingoperaMonalriskstotheachievementofapplicablerequirements,whichincludesasappropriatetotheorganizaMonandtheproductsandservices:a.  assignmentofresponsibiliMesforoperaMonalriskmanagement;

b.  definiMonofriskassessmentcriteria(e.g.,likelihood,consequences,riskacceptance);

c.  idenMficaMon,assessment,andcommunicaMonofrisksthroughoutoperaMons;

Page § 37


Audit trails for 8.1.1 (a), (b) and (c): •  Havetheorganiza(onwalkyouthroughhowtheyplan,implement,andcontroltheirprocessformanagingopera(onalrisks.

•  Whoisassignedresponsibilityformanagingopera(onalrisk?

•  Isriskassessmentcriteriadefined?Ifso,where?Howso?(e.g.,likelihood,consequences,riskacceptance)?•  Whointheorganiza(onisresponsiblefor:

–  Iden(fyingrisks?Whereisthisdocumented?

–  assessingtheeffectofthoserisks?Whereisthisdocumented?

–  communica(ngtherisksthroughoutopera(ons?Howisthisdone?Page§38


8.1.1 Operational Risk Management

d.  idenMficaMon,implementaMon,andmanagementofacMonstomiMgaterisksthatexceedthedefinedriskacceptancecriteria;

e.  acceptanceofrisksremainingajerimplementaMonofmiMgaMngacMons.

NOTE:Whileclause6.1addressestherisksandopportuniMeswhenplanningforthequalitymanagementsystemoftheorganizaMon,thescopeofthisclause(8.1.1)islimitedtotherisksassociatedtotheoperaMonalprocessesneededfortheprovisionofproductsandservices(clause8).

Page § 39


Audit trails for 8.1.1 (d) and (e):

•  Havetheorganiza(onwalk you through how they identify, implement, and manage their actions to mitigate risks that exceed the defined risk acceptance criteria (e.g. PFMEA, FMECA, RPN, Fault-Tree, etc.)

•  Have they defined risk acceptance criteria? •  Have they defined what actions are triggered if the risk acceptance

criteria is exceeded? •  Are the risks that remain (residual risk) within the defined risk acceptance criteria ? Page§40


8.5.6 Control of changes The organization shall review and control changes for production or

service provision, to the extent necessary to ensure continuing conformity with requirements. The organization shall retain documented information describing the results of the review of changes, the persons authorizing the change, and any necessary actions arising from the review. Persons authorized to approve production or service provision changes shall be identified. NOTE: Production or service provision changes can include the changes affecting processes, production equipment, tools, or software programs. Page § 41


Audit trails for 8.5.6

•  Have they established objectives (desired results) of their operation? •  How do they know if their operation is achieving the desired result? •  How do they measure performance (KPIs)? Are they suitable? •  Are they adequate/effective? How do they know? •  Have them explain how the objectives for their operation contribute to

meeting the company’s objectives. •  Who is authorized to approve production or service provision

changes? Where is this documented? •  What documentation do they retain? Does it describe the results of the review of changes, the persons authorizing the change, and any necessary actions arising from the review?

Page§42


Summary / Q&A


Triggers can cause changes to QMS or production/service

Triggers: –  Customer feedback / complaint –  Product failure –  Employee feedback –  Innovation –  Determined opportunity –  Audit results –  Management Review results –  Identified nonconformity –  others

Things to consider: –  Consequences of the change –  Likelihood of the consequence –  Impact on customers –  Impact on interested parties –  Impact on quality objectives –  Effectiveness of QMS or business

processes –  others

Page § 44


Higher Level Audit-Trail Considerations

•  Prior to making a change, has the organization considered unintended consequences?

•  After making a change does the organization monitor the change to determine its effectiveness and to identify any additional problems that might be created?

•  Does the organization retain suitable records (retained information) documenting the change?

Page § 45



•  Where does the organization draw the line on review and approval for change control?

•  Has the organization satisfied all of the ‘Shall(s)’ in the AQMS-2016 Standard?

•  Has the organization defined at what level of change to their QMS or operations requires a review and who needs to be involved?

•  Has the organization’s change-control processes include assessing any impact on their QMS as well as their production/service provision?



Has the organization: – Defined the specifics of what is to be changed? – Have a plan (tasks, timeline, responsibilities, authorities,

budget, resources, needed information, others)? – Engaged other people as appropriate in the change process? – Developed a communication plan (appropriate people within the

organization, customers, suppliers, interested parties, etc. may need to be informed)?

– Trained their people? – Developed measures the effectiveness of the change?

Page § 47


Conclusion Managingchange:•  isnotnew;•  ison-goingasQMSandbusinessprocessevolve;•  Shouldensuregreaterknowledgeofrisks;•  shouldincreasethelikelihoodofreachingobjecMves;•  shouldreducethelikelihoodofnegaMveresults;•  shouldmakeprevenMonahabit.Itistheauditor’sroletoassesshowtheorganizaIonmanageschangeasrequiredbytheStandardanddescribedwithintheorganizaMonsQMS.

Page § 48


QuesIons?

Documents

AN AUDITOR’S PERSPECTIVE: MANAGING CHANGE …...One ISO 9001:2015 goal is to enhance requirements for addressing changes at system and operational levels. ISO 9001:2015 requirements