Informational Confusion about Risks for Processes in ISO 9001:2015

tony s

Information Seeker
Trusted Information Resource
#21
Be careful with this line of thinking. Certification bodies issue certificates based on evidence of conformity to requirements. While the types of activities and evidence are not specified for this requirement of the standard, the CB will issue NO certificate if there is NO evidence of conformity.
I will be really interested to see how an auditor will write an NC statement to claim that an organization has no evidence to demonstrate against a specific clause of ISO 9001:2015 that has a requirement on risks and opportunities.
 
Stijloor

Staff member
Super Moderator
#22
I will be really interested to see how an auditor will write an NC statement to claim that an organization has no evidence to demonstrate against a specific clause of ISO 9001:2015 that has a requirement on risks and opportunities.
Managers and employees will be interviewed. The "fun" starts when they cannot provide adequate explanations of how this is implemented. The worst experience I had was when they started contradicting each other.

The documented information requirement may have been diluted in the 2015 version, but consistent explanations and results of addressing risks and opportunities must still be demonstrated.

If not, wait until NCs are written.
 
R

randomname

#23
FMEAs are mentioned often because they are one of the most widely used tools for looking for detailed risks within QMS processes. Automotive has required them since at least the 1980s, as has Q9 for pharma, and they're also used for meeting ISO 14971 requirements. No, they aren't required under 9001, but if people know about them they can better judge when they might be useful.

And risk registers are a tool used by senior management to document and track high-level risks. Anything we do regarding risk in QM that is similar to what senior management uses is likely to be better understood and accepted. Having a list of key QMS risks that are reviewed at the MR meeting is one way of meeting the RBT requirements.
 

tony s

Information Seeker
Trusted Information Resource
#24
If not, wait until NCs are written.
I always believe that to have a valid statement of NC, at least two important pieces of information must be presented:
  • Audit criteria - i.e. policy, procedure or requirement - exactly what the organization has committed itself to fulfill;
  • Audit evidence - records, statements of fact or other information which are relevant to the audit criteria and verifiable - exactly what the organization has or hasn't done that causes the non-fulfillment of the audit criteria.
I would expect any NC statement to clearly indicate both in order to be valid.

If an auditor claims that I am not using an FMEA or SWOT or Risk Matrix or a documented risk management process, then he has to point me to where those are in any applicable requirement that we need to fulfill.
 

howste

Thaumaturge
Super Moderator
#25
I will be really interested to see how an auditor will write an NC statement to claim that an organization has no evidence to demonstrate against a specific clause of ISO 9001:2015 that has a requirement on risks and opportunities.
Here's an example:

Requirement: "6.1.1 When planning for the quality management system, the organization shall... determine risks and opportunities that need to be addressed..."

Finding: There was no evidence found that the organization has determined risks to be addressed.

Evidence: In discussions with top management, they were unable to state any risks identified or actions to address risks. Records of management review inputs did not include any information on the effectiveness of actions to address risks (see 9.1.3e and 9.3.2e). Records of management review outputs did not include any decisions or actions related to risks (see 9.3.3).
 

tony s

Information Seeker
Trusted Information Resource
#26
Here's an example:

Requirement: "6.1.1 When planning for the quality management system, the organization shall... determine risks and opportunities that need to be addressed..."

Finding: There was no evidence found that the organization has determined risks to be addressed.

Evidence: In discussions with top management, they were unable to state any risks identified or actions to address risks. Records of management review inputs did not include any information on the effectiveness of actions to address risks (see 9.1.3e and 9.3.2e). Records of management review outputs did not include any decisions or actions related to risks (see 9.3.3).
Specifically, would this NC be raised against 6.1.1?
 

Ninja

Looking for Reality
Staff member
Super Moderator
#28
...
Evidence: In discussions with top management, they were unable to state any risks identified or actions to address risks. Records of management review inputs did not include any information on the effectiveness of actions to address risks (see 9.1.3e and 9.3.2e). Records of management review outputs did not include any decisions or actions related to risks (see 9.3.3).
That finding (hypothetical as it is) would be very sad.
Top Management deals with risk and mitigates risk on an hourly basis...
Financial Risk, Liability Risk, Employee retention risk, sales risk, investment risk, commodity stability risk, it is endless.

The only way to get written up with that finding is for the top management person being interviewed to be confused about what the auditor is asking...
Methinks that this happens all too often...

I would hope the auditor would recognize that there is a failure to communicate (both ways) and work to reestablish clarity of communication.
(I would also hope that Top Management would be confused about this in the first place...)
 

tony s

Information Seeker
Trusted Information Resource
#29
That's where I put it in this hypothetical NC. You could probably make a case for other clauses too.
Thanks howste. I'm interested in this because I have previously performed an initial gap assessment for a solar panel manufacturer here in the Philippines as part of their transition effort. One of the issues I raised concerned the absence of documented information regarding actions on risks and opportunities in the records of their management review. Here's my finding statement (though it was raised as an OFI):

Ensure that Management Review records include the results of the review of the effectiveness of the actions taken to address risks and opportunities. This will support the fulfillment of the following requirements:
- Cl. 6.1.2a – “The organization shall plan actions to address risks and opportunities”;
- Cl. 9.1.3e – “The organization shall analyze and evaluate appropriate data…the results shall be used to…the effectiveness of actions taken to address risks and opportunities”;
- Cl. 9.3.2e – “The management review shall…take into consideration…the effectiveness of actions taken to address risks and opportunities”;
- Cl. 9.3.3 – “The organization shall retain documented information as evidence of the results of management reviews”.
 

howste

Thaumaturge
Super Moderator
#30
That finding (hypothetical as it is) would be very sad.
Top Management deals with risk and mitigates risk on an hourly basis...
Financial Risk, Liability Risk, Employee retention risk, sales risk, investment risk, commodity stability risk, it is endless.
I agree that the NC as written is unlikely to happen. I was responding to this statement:
I've once read before, and agree, that the challenge is not with the auditee to prove that they are using RBT but with the auditors to prove that an organization doesn't use RBT.
If an organization was uncooperative and played games to "make the auditor prove we don't use RBT" then this could happen.

If the auditor asks the right questions, and the organization answers them, there will generally be no problem. If the organization really is dealing with risk on a regular basis, top management would most likely be able to give both verbal and written evidence. Records of management reviews and analysis of data would probably include this information because it makes sense for the organization to use it for effective communication and follow-up (not just for the auditor).
 