Informational How the addition of "Risk" will affect ISO 9001:2015

Right now the authors are repeatedly saying ISO 9001:2015 requires no preventive action. But this is baloney. TC176 may have remove the clause specifying preventive action but for RM to be effective it must predominantly be preventive.
For someone to say that the new ISO 9001 requires no preventive action is, I think, misleading.
In an effectively managed system there is no discernible difference between Continual Improvement and Preventive Action.
You may be Jennifer, but considering how poorly many organizations and internal/external auditors have addressed the "Process Approach" (even after 14 years), I am very concerned. Unless there is a standard audit approach based on actual RBT evidence rather than auditor's opinion, I am not convinced that this RBT is a good idea.
My DNV auditors do a pretty good job of evaluating the state of the QMS as a whole: robust processes, plenty of DFMEA and PFMEA in evidence (even when not required), extremely low cost of poor quality, extremely high ratings from customers, years of 99.8%+ on time delivery, etc. and figuring out that you are taking a "process approach". Some better than others.
"What does that look like?" is an entry question. No, I don't expect documentation just to appease an auditor. Far from it. People can also show me outcomes, describe examples, we can review projects, etc. Unless records are required, of course. And there will be the clause requiring documentation to help control things as needed, similar to 14001 approach. I'm more comfortable with that than some auditees will be if they never worked with 14001 or 18001.

As for Boeing, my understanding is they operate to the aerospace standard, yes? I'm not an aerospace auditor but my guess is that they have project requirements like automotive does. If I was auditing the 787 project it is indeed worth looking at whether or not they applied risk based thinking. Did they just pick any old supplier or did they qualify the supplier first? Did they try to anticipate the inherent challenges of all that production outsourcing, and other issues? If they used an FMEA approach then they applied risk based thinking. As an auditor I am chartered with having enough imagination to consider whether the auditee's approach conforms to the standard, why or why not.
You are a rare bird, Jen. In my experience, the majority of auditors have little to no imagination. I expect that your imagination would allow you to take the same approach as in my comment above.
You are right to be concerned. Observing the variation that I do even in document control expectations, this one is going to be hard. Auditors are notoriously difficult to calibrate. I see it all the time.
Auditor calibration is a finding rich environment.:lmao:
There will be a percentage of organizations AND auditors that will embrace the intent of RBT and do a good job at it.
I expect DNV and their auditors to be among them.
Maybe organizations seeking certification should identify the risk that the auditor will not understand their risk-based approach ...
I have: Risk Priority Number = 910.

My company cannot design power conversion electronics that will survive absolutely everything that comes down the input line, or back up the output line. To do so would create a product that is so expensive that no customer would buy it. Therefore, we evaluate the risk of potential (pun intended) events outside of the expected parameters. Then we design for the most likely suspects. Then we verify and validate against a variety of SAE specifications to assure that we got it right. Only then do we release the product. I am currently dividing a 3 year span of warranty returns by a 2 year span of shipments. My line item return rate is less than 1%. My warranty costs are less than 0.5% of total revenue. My management approves that these rates and costs are acceptable risks. That approval is documented during Management Review.

And that's just page 1 of this thread. I am in the middle of addressing any changes I need to make to my Procedures Manual to address the 2015 versions so I am reading up...
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
You are too kind, Icy Mountain.

Auditors will need to develop imaginations or there will be (I hope) a LOT of disputes filed with CBs.

I am cranking up to provide internal and lead auditor training. It won't be accredited but I will provide my best product and service possible.

There is still preventive action. It is called operational controls to address risks, and error proofing: as you know, the standard calls out for both.
 
Prevention is still there under Section 10 Improvement. How many of you have said, thought or discussed in a meeting: "Some day that is going to bite us in the ass"? Well, write down what "that" is. Treat it like it already happened. Do root cause analysis and corrective action (no containment, YAY, it didn't happen!).

That's Preventive Action.
 

Helmut Jilling

Auditor / Consultant
You are too kind, Icy Mountain.

Auditors will need to develop imaginations or there will be (I hope) a LOT of disputes filed with CBs.

I am cranking up to provide internal and lead auditor training. It won't be accredited but I will provide my best product and service possible.

There is still preventive action. It is called operational controls to address risks, and error proofing: as you know, the standard calls out for both.

I have promoted Preventive Action as one of 5 internal audit outputs....and will continue to do so. The only change is now it is optional.

Corrective Actions, Preventive Actions, Opportunities for Improvement, Simple Action Items, and Document Change Requests -5 simple audit outputs...
 
Top Bottom