Informational Risk Management Implementation for ISO 9001:2015

SystemsQualityGuy

#1
The new ISO 9001 2015 standards place much emphasis on risk based thinking and risk management. See below:

4.4.2 - Process approach
“The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;”

5.1.2 - Leadership and commitment with respect to the needs and expectations of customers
“Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;”

Right now I am concerned with operational changes my organization will have to implement to be compliant with the new standards. From what I understand our company will essentially have to draft a Process Failure Modes and Effect Analysis for all of our processes.

We will have three years to get our organization up to date. I have never gone through an ISO revision process before. I am interested to find out from more experienced quality people what new types of procedures/policies will be necessary to meet the new risk management requirements. Any input would be a great help.
dsheaffe

Involved In Discussions
#2
Re: Risk Management Implementation for ISO 9001 2015 Standards.

You will no doubt get vastly different opinions, but based on the discussions that I have had with our external auditor (and the feedback from an information session run by our CB on the draft version), they are not expecting that we implement a full Risk Assessment program based on ISO 31000 or FMEA.

Their only expectation is that we can demonstrate that we have considered/addressed risks. So this may be as simple as, e.g., showing that when implementing a new process (or changing an existing process) we have identified what risks are involved in the change and addressed those that we consider appropriate.

Of course different CBs may have different expectations, so start the conversation with your auditor/CB to see what they are expecting.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#3
I agree with dsheaffe. :agree1:

There will certainly be confusion among CB auditors about what is acceptable evidence. We can't even agree on which documents need to be controlled and which can be just tools.

I can offer that my training thus far has stressed that FMEAs will not be required for all the processes, and an expectation there will be no defined required format for exhibiting risk based thinking.

The six required documented procedures will no longer be required. The new version of ISO 9001 will require documented procedures for process controls so as to ensure product and service conform to customer requirements, which you are probably doing now. The standard will also ask us to measure and monitor so as to know if we are succeeding, which you may also already be doing. The new idea may be making controls to avoid other undesired outcomes that might include the business interests, maybe even employee turnover if your intellectual capital is critical to your organization.
#4
I can't find 4.4.2 in my copy of the DIS for ISO 9001:2015. Can you tell me where you found it? Have they published the FDIS and I missed it? I understood it would be out in June or July.
 
#5
I agree that the concept of involving risk is not nearly as daunting as some seem to fear. Most companies have always practiced some level of risk mitigation anyway. The ultimate risk mitigation is to no bid a project that a company is not comfortable with.

I do question your thought that there is a requirement for a procedure for process controls. From the last paragraph of 4.4 in the DIS:

"The organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned."

Documented information is defined in Section 3 of the DIS.

Documented information controls are detailed in 7.5 of the DIS.

In my search of all of this I cannot find where any written procedures are required. Every place that documented information is mentioned appears to require keeping what we now know as records. It appears that documented information may include what we now know as procedures, but at the organization's discretion.

As I see it, 4.4 certainly does not require a written procedure.
 

John Broomfield

Staff member
Super Moderator
#7
This is the problem:

"The organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned."

Whose confidence? The auditor's?

This rephrasing of:

ISO 9001:2008's clause 4.2.1d "to the extent necessary for effective planning, operation and control" had the benefit of being objective.

Effectiveness is verifiable, confidence is not.
 
SystemsQualityGuy

#8
That is a good question. I can't find it in clause 4 either. I have seen this text referred to in other threads and on the Certified Enterprise Risk Manager Academy website. In any case, risk will still be a major part of ISO 9001 2015.
 
#9
4.4.2 - Process approach
“The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;”


This clause seems conditional. Note that the determination is required IF unintended outputs are delivered OR process interaction is ineffective. Sort of like a corrective action here, not any advance planning.
 

Paul Simpson

Trusted Information Resource
#10
Like others I can't find the clause reference mentioned and the text you've quoted is not that included in my copy of the DIS. :confused:

So I'm not sure of the value in responding to text that doesn't exist in a draft standard that is soon to be superseded by another (final) draft standard! :D
 