Understanding Risk Management Requirements according to AS9100

K

kmalysiak

Hello Aerospace experts,

I am just trying to understand the notion of risk management in AS9100 and its aplications. I carefully read the AS9100 + appropriate materials from SCMH manual but their generality just kills me.
In the AS9100C itself the risk phrase appears in:

1. review of risks connected to requirements related to product
2. special requirements treatment (those require risk management)
3. planning and managing product realization to meet requirements at acceptable risk

4. selection and supplier usage
5. Preventive actions (one type of which is risk management and following actions to mitigate risks)

So from my point of view, the sufficient approach to risk management would be:
Ad.1 design FMEA
Ad.2 both design FMEA and processs FMEA
Ad.3 process FMEA
Ad.4 Supplier assesment register + checklist when supplier changed
Ad.5 These would be primarily based on design and process FMEA output

Special requirements has to be covered by both design and process risk analysis as some of them can be managed at the level of design, and some of them on the level of process.

I would also add the disaster recovery plan / procedure to mitigate risks on a more general level.
And that basically would be it.

Plase advise me if my thinking is right...

Cheers,

Chris
 
Last edited by a moderator:

dsanabria

Quite Involved in Discussions
Hello Aerospace experts,

I am just trying to understand the notion of risk management in AS9100 and its aplications. I carefully read the AS9100 + appropriate materials from SCMH manual but their generality just kills me.
In the AS9100C itself the risk phrase appears in:

1. review of risks connected to requirements related to product
2. special requirements treatment (those require risk management)
3. planning and managing product realization to meet requirements at acceptable risk

4. selection and supplier usage
5. Preventive actions (one type of which is risk management and following actions to mitigate risks)

So from my point of view, the sufficient approach to risk management would be:
Ad.1 design FMEA
Ad.2 both design FMEA and processs FMEA
Ad.3 process FMEA
Ad.4 Supplier assesment register + checklist when supplier changed
Ad.5 These would be primarily based on design and process FMEA output

Special requirements has to be covered by both design and process risk analysis as some of them can be managed at the level of design, and some of them on the level of process.

I would also add the disaster recovery plan / procedure to mitigate risks on a more general level.
And that basically would be it.

Plase advise me if my thinking is right...

Cheers,

Chris



Why yes - you are on the right path however, not knowing the product and size of the company - you could also be going overboard with to many document, forms and procedures - remember - keep it simple and effective.

furthermore,

This is from the IAQG - Auditors Guidance Material.

7.1.2 Risk management

What to look for

Consideration by the organization of:
? maintaining risk management activities during all product life
? the project phases when risk analysis are performed and update
? the assurance that the risk analysis is updated whenever a new component or part or a new or changed process/sub-process or a new or changed supplier is introduced
? taking into account lessons learnt from risk management activities

Examples of objective evidence:
? objectives, input and output of the risk management process are identified
? risks identification include risks regarding human factors
? effectiveness and risk status are monitored
? risk management regarding product, suppliers, program, process is handled
? responsibility for all types of risks (financial industrial, suppliers, product, project, operators, ?) is assigned (where applicable, cross functions are involved)
? method used to quantify risk (e.g., FMEA methodology)
? risks and associated mitigation plan are communicated to appropriate level
? mitigation plan are reviewed periodically
? residual risk levels are assessed and reviewed / approved by management
? residual or major risks review is part of Management review
? where applicable, customer is informed about residual risks

NOTES:
? Risk management is appropriate to the organization and the product. The method should ensure the identification of all risks liable to disrupt the operational/industrial process and/or achievement of customer expectations
The concept of risk can be viewed from two perspectives:
? Risk management process can be applied at various levels in an organization (organization, project, process, product, etc.). It can be a stand alone process or integrated into key points of the organization?s realization processes
? Risk based decisions: once risks are identified (7.1.2.c) from various potential sources (customer, organization, statutory/regulatory, etc.) the risks need to be communicated to various departments or individuals within the organization. As this risk communication is received, an assessment of these risks should be performed to determine potential impacts

:2cents:
 
K

kmalysiak

Hello dsanabria,

thanks for the answer. We already have an ISO/TS 16949 system in place, so for current products all these documents (DFMEA, PFMEA, supplier assessments), exists and are alive. For the AS9100 we are planning to certify, I am trying to get as much from the currently existing system as possible.

I just wonder if the sufficient risk assessment / risk mitigation tool in case of ex. suppliers management would be the supplier evaluation list, that qualifies suppliers based on their performance, supplier audits etc.

Anyway, maybe that is just me, but I would really appreciate to have manuals for AS9100 at the same level of details, consistency and applicability as old QS manuals....

Best regards,
KM
 

Kronos147

Trusted Information Resource
We already have an ISO/TS 16949 system in place, so for current products all these documents (DFMEA, PFMEA, supplier assessments), exists and are alive. For the AS9100 we are planning to certify, I am trying to get as much from the currently existing system as possible.

You sound like a highly competent quality resource for your company. I hope they know that.

Too many of 'us' try to re-invent the wheel as opposed to documenting current practices and enhancing where required.

Eric
 
K

kmalysiak

Hello Kronos147,

thanks for compliments :) Anyway, you are right about the wheel reinventions... There is some point of generality when standards become too vague, what to then contradicts the standarisation idea... But maybe that is just me....
 
K

kmalysiak

Correct, and some level of generality is always desired. I understand it for the ISO9001 as this system could be adopted by various organizations from bakery to nails producer, but AS9100 that refers to rather narrow sector of industry could be more specific. I am sure that I am not the only one aerospace noobie looking for something more definitive (and if not the standard itself, the SCMH manuals could be a more specific guide).

How in brief yours risk management looks like? Are you nadcap audited certified?


regards
Chris
 

Kronos147

Trusted Information Resource
How in brief yours risk management looks like? Are you nadcap audited certified?

Chris,

I left one company and went to another this year.

The company I left was AS9100 and Nadcap. The company I'm with now has not pursued Nadcap.

The last company had a mature QMS that had it's roots in ISO9001 and progressed to AS9100 and then added Nadcap. I managed the AS9100 Rev. B to Rev. C transition (and I obtained the Nadcap Cert). For Risk Management, I basically did a nice little cross reference dance in the Quality Manual with (3.1) Risk, (3.2) Special Requirements, (3.3) Critical Items, and (3.4) Key Characteristics.

Manual Section 7.1 describes Project Management and Risk Management and how this stuff all relates with a graphic. It specified a procedure to be more specific. The procedure referenced forms used during Quote and Contract Review, that had some check boxes and empty comments section that covered the Risk Analysis.

It passed muster.

Now for the new employer, their system was less formalized. The QMS is about three years old. The manual stated Risk Analysis was done, and it was being done because there would be training.

It seems it never came up in an audit.

Many of the previous audits concentrated on more fundamental issues. I believe these issues have all been resolved. I eagerly anticipate our next audit next June to confirm that.

I had to revised the Manual when I was promoted to MR. The previous MR was specified by name.

In the new manual, we specify that the procedure will document how we do the process.

In the procedure, there is a table:
A) Planning of Product Realization:
WI-CRP-102 Customer Related Processes - Order Planning
F 0036 Quote Review Checklist
F 0058 Project Costing Worksheet
F 0037 Planning Stamp

B) Project Management:
Traveler

C) Risk Management (and Risk Mitigation):
WI-CRP-102 Customer Related Processes - Order Planning
F 0036 Quote Review Checklist

D) Special Requirements:
WI-CRP-102 Customer Related Processes - Order Planning
F 0036 Quote Review Checklist
Traveler

E) Configuration Management:
Sales Order
Customer Drawing
Traveler

F) Control of Work Transfers:
SOP-7.4 Control of Purchasing
WI-PUR-103 Purchasing - Receiving Purchase Orders
F 0025 Purchase Order General Terms and Conditions
F 0024 Approved Supplier List (ASL)


The table shows work instructions and forms used to manage the entire risk management structure.

We'll see what the CB says next June.

Eric
 
K

kmalysiak

Hello, Kronos147

thanks for elaborate answer. So it seems that the current quality management system you are working with now, resembles more my idea of how the risk management should be incorporated - spread across the procedures / processes and is based mostly on checklists, evaluation lists (supplier list, presumably production plan).

Just two more questions:
-are you 'built to print' or 'built to specification' plant?
-any specific methodology for risk assessment (like FMEA, FTA ?)

Thanks again for you time and support.
Best regards,
Chris
 
Top Bottom