What You Need To Know About ISO 45001

Worldwide, over 6300 people die each day from work-related accidents or diseases – nearly 2.3 million every year. ISO is developing a new standard, ISO 45001, Occupational health and safety management systems – Requirements, to provide a framework to improve employee safety, reduce workplace risks and create better, safer working conditions all over the world. ISO 45001 is targeted to be published in the first quarter of 2018 and will replace OHSAS 18001. Current users of OHSAS 18001 will need to update their systems according to the requirements of the new international health and safety standard within a three-year transition period that will commence after ISO 45001 is published.

 


Risk Management for Aerospace and Defense Industries


In a business environment, failure and negative consequences are the last things anyone wants to encounter. But the reality is that risk is always present and comes from multiple sources, whether from inside the organization or from external elements. Due to the complexity of aviation, space, and defense processes, products, and services, and the severity of the potential consequences of failures, a formal process to manage operational risks is required.

Risk management is how a company proactively applies quality standards to keep risk, as far as possible, from creating negative ramifications in the supply chain, production, scheduling, etc. While to some it can seem like bureaucracy or unnecessary controls, risk management pays for itself many times over through the cost avoidance it helps secure. All it takes is one bad event to see why risk management is so important, assuming the company survives that event.

The elements of risk management are clear and straightforward as well. It’s an ongoing, cyclical process of identifying risks, assessing them, proactively reducing their probability of occurring by control, and mitigating those that are allowable. But just following the process alone doesn’t explain why a business should have a risk management process in the first place.

In AS9100 the operational risk management process is supported by specific requirements throughout clause 8, to drive an enhanced focus on:

  • understanding risk impacts on operational processes; and
  • making decisions on operational processes and actions to manage (e.g., prevent, mitigate, control) potential undesired effects.

Within aviation, aerospace, and defense, risk is expressed as a combination of severity and likelihood of having a potential negative impact to processes, products, services, customers, or end users. In AS9100, operational risk management must include how the company defines its risk assessment criteria (e.g., likelihood, consequences, risk acceptance), and ultimately the acceptance of risks remaining after implementation of any mitigating actions. Something as simple as the example below may be the simplest way to quantify risks. More detail could be added with scoring.

table

The standard requires an aerospace quality management system that takes into account the identification of various risks related to organizational circumstances in regard to its needs, business objectives, product range, applied processes and the size of the organization.  Given the fact that risk can trigger catastrophic results when unmanaged, every aerospace process must have the ability to reduce the occurrences and impacts of unacceptable risks, if not eliminate them entirely. And a risk management process is the only consistent way to assess risks and quantify when they are acceptable risks or when action is required.

Benefits to companies that incorporate risk management through ISO and AS quality standards include:

  • An increased probability of meeting schedules, budgets and production objectives
  • The means of making management proactive instead of reactive to risk issues
  • An increased awareness across the organization to recognize and mitigate risk
  • Reduced warranty and field complaints
  • Reduced supply chain risks
  • An increased ability to successfully plan, manage and implement changes (whether customer, supplier or self-initiated)
  • An increased ability to comply with laws, regulations, and customer requirements
  • An enhanced capability to track financial expenditures to poor results, and
  • Improved relations with stakeholders who see the results of quality and risk management in place

Look Fors – Part 3: Planning for Risk and Change


Would you like to know what 3rd party auditors are looking for when auditing how your company complies with quality system standards like ISO 9001:2015?

What are 3rd party auditors looking for? This is the third of a three-part series by Jim Lee, President of simpleQuE.

Clause 6 of ISO 9001:2015 – Planning for Risk and Change
In parts one and two of this series of articles, Context of the Organization and Leadership were covered. Next is the topic of Planning for Risk, which brings risk-based thinking to the forefront. Once the organization has identified the risks and opportunities in Clause 4, it needs to stipulate how to address these.  The planning phase examines who, what, how and when risks must be addressed.  It’s a proactive approach that replaces preventative action and hopefully reduces the need for corrective actions later on.

Particular focus is also placed on the objectives of the management system.  These should be consistent with the quality policy and be measurable, monitored, communicated and updated when needed.  Changes to the QMS should also be planned and consequences understood to assess risk and minimize potential negative impact.

 

Third party auditors may use the following for evidence of risk based thinking and integration into the quality management system:

  • Design reviews
  • Competitive analysis, benchmarking, recall analysis, competitive testing
  • Process control plan, internally tighter tolerances and controls than customer specs
  • Management reviews
  • Process and design FMEA (Failure Mode and Effects Analysis)
  • Corrective Actions, and replicating actions across similar products and processes
  • Metrics related to objectives in management review
  • Customer scorecards, dissatisfaction, trends and performance
  • Operational meeting minutes with action items for higher risks
  • Change in leadership or new programs
  • Processes to deal with new technology, new materials, new processes, new products, new suppliers, new packaging, moving production, changing equipment
  • Program plan describing and monitoring change
  • Equipment maintenance plans and programs
  • Calibration frequencies
  • Internal audit frequencies, and the need to audit some areas more than others
  • Contingency plans
  • Strategic or business planning, SWOT (Strength, Weaknesses, Opportunity, Threats) analysis, PEST (Political, Economic, Social and Technological) analysis, etc.
  • Approval for capital, along with the justification and risks to invest now or delay to later
  • Supply chain risk management with supplier performance, financial stability, sole sourcing, geography with lead times and inventory in transit, leverage, long term agreements, etc.

 

Not all of the elements listed above will be needed, but organizations may experience potential issues if:

  • Risks and opportunities are not identified when there is clear evidence of problems or need for action
  • Risk-based thinking is not driven by leadership
  • Actions to address risks and opportunities are not taken or not effective
  • Risk evaluation is not applied throughout the QMS (supplier selection and evaluation, new product or service, short lead time, capacity constraints, etc.)
  • Measurable objectives are not established
  • Objectives are not monitored or changed as the context of the organization changes
  • Action is not taken when objectives are not met, or trends are going the wrong direction
  • The impact of change is not identified or magnitude of change not understood
  • Costs/schedule are not included in defining change

Also, read more about Context of the Organization in Part 1 and Leadership in Part 2.

 

 

Source:  NQA’s Teaming Conference – August 2017

Risky Business vs Risk-Intelligent Business


Digitalization, globalization, competition and the speed of technological advances have changed the nature of business. ISO 9001:2015 has been in effect for a full year and it places a heavy emphasis on using “risk-based thinking” for managing quality-related processes. Risk has always been implicit in ISO 9001. But the latest revision asks organizations to make a cultural shift—rather than focusing on isolated problem solving and resolution, they’ll focus on prevention and performance improvement.

The International Organization for Standardization (ISO) explains it this way:

“Risk based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system”.

Under the new guidelines, risk management serves as the cornerstone of quality management system design. As organizations determine the processes needed for a quality management system, they’re also asked to determine the associated risks and opportunities and to plan and implement appropriate actions to address them.

In the context of ISO, the concept of “risk” relates to the uncertainty in achieving the main objectives of International Standards—namely, to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services, and to enhance customer satisfaction. Risk is the possibility of events or activities preventing an organization from achieving its strategic and operational goals.

This shift in thinking does not replace the standard’s process-oriented approach, but enhances it. While the process is still a critical part of ISO 9001:2015, processes must now be implemented with an acute awareness of risk.

Organizations are asked to identify, analyze and prioritize all potential risks as they build or adapt their quality management implementations for updated certification.

Risks can be defined by two parameters—the severity, or seriousness, of the harm, and the probability that the harm will occur. Risks can be assessed based on the likelihood they will occur, the likelihood they can be detected, and potential impact should they occur. From there, risks are evaluated based on their importance (what is acceptable, what is unacceptable?) and actions are planned to address the risks, whether that’s avoiding or eliminating the risk or mitigating it.

Once plans are implemented, it’s essential for organizations to check the effectiveness of their actions and continually learn from experience.

What’s the best way to document risk-based thinking and demonstrate the approach during audits? Review how you evaluate risks today with the processes you have. Understand how you decide when risks are acceptable or unacceptable. ISO wants to see that you record identified risks when action is required, and the action steps to be taken.

Putting into place the Plan-Do-Check-Act (PDCA) methodology can be a great way to define, implement and control corrective actions and improvements. Companies should Plan what to do and how to do it, Do what was planned, Check that things happened according to plan, and Act on how to improve the next time around.

Companies have two years to make the transition to ISO 9001:2015, as certifications for the 2008 edition will expire after September 2018.

SimpleQuE was one of the first consulting companies to be ISO 9001:2015 certified and we’re ready to assist organizations with transition or implementation.  Please visit our website for more information about our services.

Preparing for Change and Risk

Shirley Kennedy, simpleQuE Project Manager. Learn more about Shirley here.

The simpleQuE team is preparing for the ISO changes and recently attended NQA’s overview of the draft changes to ISO 9001:2015 and ISO 14001:2015.

The major revisions of both standards are due by September and will incorporate this high level structure divided into 10 sections: