Risk Management - To what extent is Risk Management required by AS9100?

[Big Jim]

Do the production documents include what was determined to mitigate the risk? In other words, when risk was identified at the quote stage, did that get translated into specific things the workers are told to do that would mitigate risk?

After risk assessment, did someone figure out what was necessary to control the risk throughout product realization, and did that result in specifications or instructions being modified?

If that is happening, I would agree with your management that the workers need not worry about risk, as someone before them did and included what was needed into production planning.

If you are saying that nothing is being done about risk other than identifying it, I would agree with you that it is inadequate.

 

[dwend]

Hello,

I was going to open up a new thread on this forum but see that it would be helpful to just jump in on this one as I believe my questions/comments will be useful to the OP.
We just went through our AS9100C Stage 2 (we are B now) and received a NCR for failure to implement risk throughout product realization (not totally surprised about this by the way). During the audit our CB said they have written up 9 out of the 10 companies they have done a 9100C in the past year. We had a pretty decent form/process setup for risk management on quoting/planning/contact etc but lacked implementation in other areas of the product realization process. He specifically cited "organization" as part of the 7.1.2. We had a decent approach but not to the overall organization as it effected product (includes HR, purchasing, etc.) He pointed to the SCMH handbook on IAQG as an example of proper risk management. I had used the slides extensively in our prep but our organization was a little reluctant to get into more risk details but this result will propel us forward. I raise all of this for the following:
1) To let others know that one or two flow maps or a blurb in a Quality Manual might not be sufficient for some CB's, particularly as time moves on. This requirement will only get more involved as people look around and see what is required.
2) Ping the community to see what others are experiencing in their 9100C registration audits.

I suspect that our CB was a little more discriminating on this subject than some but we welcomed the opportunity for improvement and I was sort of glad to see it identified so we can get everyone else on board. It really helps the business side to identify, assess, and mitigate risks in all facets of the organization.

 

[Rickser]

We focused on the product and those things that could go wrong with it. We also do a risk analysis and mitigation when replying to a request for proposal. Our basic approach is: if it doesn't apply to the product, it then falls into some other area outside of AS9100 requirements. We will see how this works as as our first audit is within two months.

 

[dbaca0903]

We focused on the product and those things that could go wrong with it. We also do a risk analysis and mitigation when replying to a request for proposal. Our basic approach is: if it doesn't apply to the product, it then falls into some other area outside of AS9100 requirements. We will see how this works as as our first audit is within two months.

Rickser,
How did your approach pan out? At my company, we try to take that approach with the whole standard. Our auditor doesn't seem to like our ways too much.

 

[Jan T]

We just had our stage 2 certification audit. The auditor dinged us for not having risk management (FMEA) for ALL QMS processes. I.e. receiving, QC etc. We had done them for the production (plating) of parts and calibration, doc control, CAPA, etc.

 

[AndyN]

We just had our stage 2 certification audit. The auditor dinged us for not having risk management (FMEA) for ALL QMS processes. I.e. receiving, QC etc. We had done them for the production (plating) of parts and calibration, doc control, CAPA, etc.

Did you SAY (in your qms) you would have an FMEA for all processes?

 

[Big Jim]

We just had our stage 2 certification audit. The auditor dinged us for not having risk management (FMEA) for ALL QMS processes. I.e. receiving, QC etc. We had done them for the production (plating) of parts and calibration, doc control, CAPA, etc.

Unless you said you would, the auditor is making up his own rules and you should hold him accountable.

 

[Joy]

"The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product"

So for meeting applicable requirements, if these processes have any risk then you need to have a process to manage those risks.The standard does not say that it need to be FMEA.As my friends have already mentioned that if you mentioned that you will establish FMEA for all processes, you need to respect that.Else the auditor will have onus to establish and convince the probable risks from those processes for meeting applicable requirements to raise NCR.