Risk Management and Its Documentation

warrock

#1
After discussing the concept of contract review with my manager, several department heads, and a senior quality manager from another company, the conclusion drawn regarding risk management in the review process is that an engineering stamp or signature on the purchase order is sufficient for evidence of both requirement review and risk review, as long as the employee has actually done so.

This conclusion is bothering me for several reasons, one among them being what could be considered informal approvals for something that may possibly be flight-critical. The other is sufficient record-keeping; would an auditor interview an auditee regarding the process steps after seeing the signature, or would they simply issue a finding? Would an auditor pull up an old quote and ask what risks were associated with the job? If so we would be hosed because we could only prove that we assessed risk, not what risks we assessed.

The fear among us is that we will be adding paperwork that isn't necessary because we trust our personnel to follow the procedure regarding review, but then there's the issue of records in a particularly risky area of business:

AS9100 is a QMS model for the Aviation, Space & Defense supply chain. Most of the products involved in this supply chain have a HIGH DEGREE OF CRITICALITY. While nobody should create unnecessary, non-value-added bureaucracy, when you work in a sector where risks are high, and product failure can lead to catastrophic consequences, you should have a robust QMS in place, including adequate records to demonstrate robust processes of order review.

I've dealt with many machine shops as an auditor and, one of the typical failure modes for them was exactly the issue surrounding the capture, communication and flowdown of customer requirements. Too informal processes were in place, in many cases.

It is time for people to realize that, if they want to play in high-risk supply chains, they better have robust systems. People have to realize that, if you want to play high stake games, there is a price to be paid.
 
bluepagen

#2
We have a risk register that is kept. We also do contract review and supplemental contract reviews. Our documents for the reviews have a statement about the risks being reviewed and accepted. Works for us.
 
warrock

#3
We have a risk register that is kept. We also do contract review and supplemental contract reviews. Our documents for the reviews have a statement about the risks being reviewed and accepted. Works for us.
Is this risk register used for every contract you perform?
 

dsanabria

#4
After discussing the concept of contract review with my manager, several department heads, and a senior quality manager from another company, the conclusion drawn regarding risk management in the review process is that an engineering stamp or signature on the purchase order is sufficient for evidence of both requirement review and risk review, as long as the employee has actually done so.

This conclusion is bothering me for several reasons, one among them being what could be considered informal approvals for something that may possibly be flight-critical. The other is sufficient record-keeping; would an auditor interview an auditee regarding the process steps after seeing the signature, or would they simply issue a finding? Would an auditor pull up an old quote and ask what risks were associated with the job? If so we would be hosed because we could only prove that we assessed risk, not what risks we assessed.

The fear among us is that we will be adding paperwork that isn't necessary because we trust our personnel to follow the procedure regarding review, but then there's the issue of records in a particularly risky area of business:
At the end of the day... Have you met the listed requirements below and where is the objective evidence that you did?

The organization shall establish, implement and maintain a configuration management process that includes, as appropriate to the product
a) configuration management planning,
b) configuration identification,
c) change control,
d) configuration status accounting, and
e) configuration audit.
NOTE See ISO 10007 for guidance.

7.1.4 Control of Work Transfers
The organization shall establish, implement and maintain a process to plan and control the temporary or permanent transfer of work (e.g., from one organization facility to another, from the organization to a supplier, from one supplier to another supplier) and to verify the conformity of the work to requirements.
 
warrock

#5
At the end of the day... Have you met the listed requirements below and where is the objective evidence that you did?

The organization shall establish, implement and maintain a configuration management process that includes, as appropriate to the product
a) configuration management planning,
b) configuration identification,
c) change control,
d) configuration status accounting, and
e) configuration audit.
NOTE See ISO 10007 for guidance.

7.1.4 Control of Work Transfers
The organization shall establish, implement and maintain a process to plan and control the temporary or permanent transfer of work (e.g., from one organization facility to another, from the organization to a supplier, from one supplier to another supplier) and to verify the conformity of the work to requirements.
I'm a little unsure how CM plays into risk assessment outside of using old parts in a new assembly and similar planning/manufacturing configurations. Does it account for missing lead time because of operator error, for example? Either way, we can provide evidence for CM through showing appropriate revision levels for designs as they progress through development, or prove that assemblies use proper revision levels on job routers/travelers.

But for processes like risk, my company does not want to use paperwork for risk assessment (or contract review, for that matter). Can stamps or initials be considered "objective evidence"? My biggest problem is understanding what can or cannot constitute objective evidence at the moment.
 