Informational Risk Management Implementation for ISO 9001:2015

hogheavenfarm

Quite Involved in Discussions
#11
My comment was strictly on the grammar used in the OP, not on the validity of the quoted section. I did find in my ever-growing expansion of 2015-related files, a spreadsheet entitled "ISO 9001:2015 vs. 2008 Matrix" that exact quote which appears to have been from a consultant's site on the net. The creation date was 11/21/13, so it could very well be material that is no longer being considered.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#13
I agree that the concept of involving risk is not nearly as daunting as some seem to fear. Most companies have always practiced some level of risk mitigation anyway. The ultimate risk mitigation is to no bid a project that a company is not comfortable with.

I do question your thought that there is a requirement for a procedure for process controls. From the last paragraph of 4.4 in the DIS:

"The organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned."

Documented information is defined in Section 3 of the DIS.

Documented information controls are detailed in 7.5 of the DIS.

In my search of all of this I cannot find where any written procedures are required. Every place that documented information is mentioned appears to require keeping what we now know as records. It appears that documented information may include what we now know as procedures, but at the organization's discretion.

As I see it, 4.4 certainly does not require a written procedure.
These are really good points. I have reviewed the following lines in section A.6 to help clarify my position: 1662 through 1672. Particularly 1668 and 1669, where
1668 Where ISO 9001:2008 would have referred to documented procedures (e.g. to define, control or
1669 support a process) this is now expressed as a requirement to maintain documented information.
Documented information is defined in 3.11.

"Documented information" as associated with operational controls is mentioned in 4.4 with the caveat "to the extent necessary..." in 7.5.1, with the qualifier "...determined by the organization as being necessary..." also in section 8.5.1 without these caveats or qualifiers.

I agree there seems to be a lot of loopholes and weasel words regarding controlled documents, but not in 8.5.1.
:2cents:
 

Big Jim

Trusted Information Resource
#14
These are really good points. I have reviewed the following lines in section A.6 to help clarify my position: 1662 through 1672. Particularly 1668 and 1669, where Documented information is defined in 3.11.

"Documented information" as associated with operational controls is mentioned in 4.4 with the caveat "to the extent necessary..." in 7.5.1, with the qualifier "...determined by the organization as being necessary..." also in section 8.5.1 without these caveats or qualifiers.

I agree there seems to be a lot of loopholes and weasel words regarding controlled documents, but not in 8.5.1.
:2cents:
8.5.1 in the DIS:

a) the availability of documented information that defines the characteristics of the products and services;

b) the availability of documented information that defines the activities to be performed and the results to be achieved;

This looks like what you would include in a traveler and/or the traveler package. That would be routing, work instructions, drawings, specifications, and the like.

I don't see a requirement for a written procedure here.
 

Zearl

Starting to get Involved
#17
Re: Risk Management Implementation for ISO 9001 2015 Standards.

You will no doubt get vastly different opinions, but based on the discussions that I have had with our external auditor (and the feedback from an information session run by our CB on the draft version), they are not expecting that we implement a full Risk Assessment program based on ISO 31000 or FMEA.

Their only expectation is that we can demonstrate that we have considered/addressed risks. So this may be as simple as, e.g., showing that when implementing a new process (or changing an existing process) we have identified what risks are involved in the change and addressed those that we consider appropriate.

Of course different CBs may have different expectations, so start the conversation with your auditor/CB to see what they are expecting.
My initial thoughts on demonstrating consideration of risks were to compare with the
environmental aspects list in ISO 14001. A similar approach could be used for risk in
QMS processes. Show the risks, rate the risks, show the controls. Re-evaluate periodically.
Any comments?
 

chasf

Quite Involved in Discussions
#18
In discussion with the auditor from our registrar we talked about risk management. He said what we used to call preventive action is very much the idea behind risk management and that it does not require the FMEA type approach. In one example he said that the documentation could be in the form of meeting notes. How to document this is where it will take some creative thinking.
 

in_cr_ove

#19
The new ISO 9001 2015 standards place much emphasis on risk based thinking and risk management. See below:

4.4.2 - Process approach
"The organization shall:
d) determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;"

5.1.2 - Leadership and commitment with respect to the needs and expectations of customers
"Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:
a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;"

Right now I am concerned with operational changes my organization will have to implement to be compliant with the new standards. From what I understand our company will essentially have to draft a Process Failure Modes and Effect Analysis for all of our processes.

We will have three years to get our organization up to date. I have never gone through an ISO revision process before. I am interested to find out from more experienced quality people what new types of procedures/policies will be necessary to meet the new risk management requirements. Any input would be a great help.
The standard does not suggest to use a specific Risk management method, in the spirit of providing more flexibility to an organisation.
Logically the following choices exist:
1. analyse risk on case to case basis
since we are talking about standardised work processes, this choice goes against the basic tenets of the standard
2. devise your own method
will need expertise in-house and will need validation before being put to use
3. use a proven method like FMEA
common sense dictates this to be a good choice.
FMEA has evolved to address risks in all types of business processes. It not only identifies the risk, it analyses, prioritises, helps find the right action & check effectiveness of action.
FMEA is a proven method & it offers flexibility for customisation, thereby a good choice.
 

Mike S.

Happy to be Alive
Trusted Information Resource
#20
The standard does not suggest to use a specific Risk management method, in the spirit of providing more flexibility to an organisation.
Logically the following choices exist:
1. analyse risk on case to case basis
since we are talking about standardised work processes, this choice goes against the basic tenets of the standard
2. devise your own method
will need expertise in-house and will need validation before being put to use
3. use a proven method like FMEA
common sense dictates this to be a good choice.
FMEA has evolved to address risks in all types of business processes. It not only identifies the risk, it analyses, prioritises, helps find the right action & check effectiveness of action.
FMEA is a proven method & it offers flexibility for customisation, thereby a good choice.
I respectfully disagree.

FMEA is a great tool in some cases, in other cases it is like using a sledgehammer when a claw hammer, or a screwdriver, is the better tool for the job.

Case-by-case risk analysis does not go against the basic tenets of the standard. As the IAQG says, risk-based thinking is not always a formal analysis, sometimes it is “something that we all do automatically and often sub-consciously” and “continuously”. Those words are certainly not describing FMEA or other formal risk analysis methods.

JMO.
 