risk management and iso 17025:2017 - mfrpa.org · outline of sections • introduction of anab •...
TRANSCRIPT
RISK MANAGEMENT and ISO 17025:2017
Dr. Bill Hirt
Global Technical Advisor
ANAB / ANSI-ASQ National Accreditation Board
January 31, 2018
Outline of Sections
• Introduction of ANAB
• Risk management consistency in ISO stds
• General understanding of Risk-based Mgmt and Tools
• Resources of ISO 31000 Guidelines Document
• Elements in new 17025 standard for RISK
• How RISK is a challenge both for labs and AB’s
ANSI-ASQ National Accreditation Board / ANAB
• Non-profit accreditation body; now 25 years in the industry
• Offer ISO programs and sector specific ISO-based programs
• 60 full time employees, 185 technical assessors, 4 office locations
• Accredited customers in 58 countries, over 2,000 total accr’ns
• Signatory to 4 int’l MRAs/MLAs (ILAC, IAF, IAAC, APLAC)
ANSI-ASQ National Accreditation Board / ANAB
LABORATORY-RELATED
• Laboratories: ISO/IEC 17025
• Inspection Bodies: ISO/IEC 17020
• RMP: ISO 17034
• PT Providers: ISO/IEC 17043
• Product Certifiers: ISO 17065 (w/ANSI)
• Government Programs: DoD ELAP, EPA Energy Star, CPSC Toy Safety, NRC, NST IPV6, US Navy
• Training
FORENSIC
• Accreditation for ISO/IEC 17025 forensic test laboratories and ISO/IEC 17020 forensic agencies
• Training
MANAGEMENT SYSTEMS
• Certification Bodies: ISO/IEC 17021
• Accreditation for Management System Certification Bodies: ISO 9001 (QMS), ISO 14001 (EMS), ISO 22001 (Food), TS 16949 (US Automotive), etc.
• Training
© EAGLE Certification Group 2017 – Confidential – Do Not Reproduce
Risk Terminology & The Four Elements of Risk
Role of Standards In Changing Perceptions of Risk
Process vs Product Risk and Existing Controls
Metrics and Tools – Converting Unknown to Known
Risk components to cover
What is Risk?
• A risk is a potential future event that could result in adverse and unplanned consequences
• A risk may not be a problem, an issue or a crisis!
With Mitigation
Risk is also a measure of the potential inability to achieve overall program objectives within defined cost, schedule and technical constraints*
*Reference: Risk Mgt Guide for DoD Acquisition, 4th Edition, June 2003
THE EFFECT OF UNCERTAINTY UPON OBJECTIVES
Source: ANSI Z690.1-2011
Risk Implementation
• Used throughout your organizational processes
• Risk-based thinking for QMS (business) - Clause 6.1
– Identify and prioritize
– Plans to address the risk (PLAN)
– Implement the plan (DO)
– Check for effectiveness (CHECK)
– Learn from experience (ACT)
Risk Based Thinking
Outcome – Prevention (Replacing P/A)
• Risk to the Customer
• Minimize risk to the organization!
– Staff
– Equipment
– Product/Service
Be eliminated or mitigated risk
Risk Based Thinking
• Uncertainty: The state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
• Risk: Characterized by reference to potential events and consequences or a combination of these and expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
Risk Management Terminology*
*All Definitions are ©2011 American National Standards Institute and published in ANSI/ASSE Z690.1-2011 the “National Adoption of ISO Guide 73-2009”
• Risk Management: Coordinated activities to direct and control an organization with regard to risk.
• Risk Management Framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.
Risk Management Terminology*
• Likelihood: the chance of something happening
• Exposure: the extent to which an organization is subject to an event
• Consequence: outcome of an event affecting objectives
Risk Management Terminology
• Probability: the chance of occurrence (0-1)
• Frequency: number of events per unit of time
• Vulnerability: intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with consequence
Risk Management Terminology
• Documented Information: Written procedures & Records
• Maintain: Documented Procedures
• Retain: Records
New ISO 9001 and 17025 Terminology
Identification
Mitigation
Prioritization
Each applies equally to the QMS system, PROCESS and PRODUCT associated risks!
All phases of product realization AND all aspects of company operations!
Measurement & Feedback
Risk Management encompasses:
Four Elements of Risk Management
All management system standards now specify risk management activities: TOTAL System
– AS 9100, AS 9110, AS 9120 (aerospace)
– ISO 13485 (medical devices)
– ISO 22000 & SQF
– IATF 16949
– ISO 9001
– ISO/IEC 17025
While all address risk, each has a unique twist. Until the Annex SL
was created, standards focused on risks associated with the product
only and not all areas of the organization
Risk and Standards
• The standards require the identification and reduction of process-based risks.
Managing Process Risk
• Contract Review
• Product Development (Design)
• Purchasing
• Planning / Production / Service
• Change Control / CA / PA
– Modify your forms to mandate risk analysis
• Testing for accredited work
• Test report issuing
Process Risk Examples
• BRAINSTORMING
• FMEA
• HACCP
• Cause / Effect Diagram
• 5 Whys
• Preliminary Hazard Analysis
• Fault Tree Analysis
• Internal & External Audits
Common Risk Identification Tools
• Pay LESS attention to the actual NUMBERS
– FOCUS attention on the TRENDS
• Trends provide the CONTEXT for the numbers – good or bad, trending up or down, above target or below target.
Show Me The Data
• The process of analyzing
– Prioritizing
– Process risks against impact
• Product
• Schedule
• Performance criteria
• Cost
Copyright 2017 DB Performance Solutions, LLC and ISTI, LLC
Risk Prioritization
• FMEA (Severity, Detection, Occurrence, RPN)
• HACCP
• Impact / Effort Matrix
• Pareto Analysis
Common Risk Prioritization Tools
1 – 2 Incorporate the change
3 – 4 Additional analysis should be conducted prior to making the decision
6 – 9 Do not incorporate the change
Note: ‘*3 - high impact x high benefits’ - No change allowed, but we need to record details of proposed change, to provide input into future revisions.

Impact (rows) x Benefits (columns):

                  Benefits
                  1 High   2 Medium   3 Low
Impact 1 Low      1        2          3
Impact 2 Medium   2        4          6
Impact 3 High     *3       6          9
Impact Analysis
• Strategic Planning (Management)
• Control Plans
• Team Based Problem Solving (8-D)
• Poka-Yoke (Error-Proofing)
• Training / Awareness
• On Site Audits, Internal, Customer, Third Party
• Design for:
– Reliability / Maintainability / Manufacturability
Common Risk Mitigation Tools
• Contingency Plans
• Emergency Response Plans
• Succession Planning
• Strategic Planning
• Reviews
System-Level Mitigation Tools
• Established metrics
• Systematically tracking and evaluating performance
• Ensure that Lessons Learned feedback into future risk identification activities.
• Changes needed to current mitigation?
Risk Monitoring & Feedback
• CAPA System
• Internal Audit
• Returns / Warranties / Complaints
• Review of Internal Failures
• Management Reviews
Evaluating Risk Effectiveness
Feedback
Make certain that RISK IDENTIFICATION includes past experience from related products:
• Things Gone Wrong / Things Gone Right
• Feasibility Reviews
• Design Reviews
• Adverse Event Reports
• Previous Complaints
• Customer Feedback
• Varying Applicability to Different Functions
• Risk Processes ... appropriate to the product and the organization
Risk vs Company Size
Supplier Management: Supplier capability, interface, etc.
Purchasing: Vendor capability, Critical material / part / detail, lead times, special process
Manufacturing: Applying “appropriate” methods, special processes
Inspection: Independent verification, Critical requirements
Individuals: Application decisions, injury
Risk vs Company Size
[Management] review shall include assessing opportunities for improvement and the need for changes to the quality management system…
How is this linked to the expectations of Risk Management?
Risk Management Review
What are the results of the Key Metrics?
What risks have been reduced due to Internal Audits?
What risks were identified in External Audits?
What risks were detected by our CAPA System?
Risk Management Review
What risks escaped detection and caused complaints / rework / warranty?
Have the risk management plans been updated accordingly?
What external changes can impact our risk?
What additional or transferred resources are required to minimize or eliminate risks?
Risk Management Review
• Review example scorecard provided
• Red / Yellow / Green Stoplights for immediate impact of problem areas
• Based upon defined metrics and objectives covering defined functions in the organization
• Higher level concerns “Bubble-Up” to the next layer of the organization.
RMS Scorecard
Summary
• Many ways to manage Risk
• Many ways to document methods for Risk
• Many tools for Risk Management
• Some Standards / Customer-required Methods
Risk categories – general business
• Product properties
• Business impact
• Customer-related
• Development environment
• Process issues
• Staff size / experience
• Technical issues
• Technology / Other
ISO 17025 / ANSI-Z-540 Risk
• Primarily for calibration laboratories following ANSI-NCSL-Z-540.3 in addition to 17025
• Required measurement and review to determine probabilities of RISK for decisions.
Class exercise
• In your tables or groups of 4 to 8 if possible…
Spend 3 or 4 minutes
• thinking about your lab / organization
• think of at least 3 or 4 risks, take notes
• then share with your group
Risk elements in ISO 17025:2017
• Introduction – paragraph 2
• 4.1.4 – impartiality
• 4.1.5 – lab to demo how it minimizes it
• 7.8.6.1 – reporting statements of conformity
• 7.10 b – non-conforming work
• 8.5 – Actions to address Risks & Opp’s
– 8.5.1 / 8.5.2 / 8.5.3 plan actions proportional
Risk elements in ISO 17025:2017 (2)
• 8.6.1 – Note only in Improvement
• 8.7.1 e – update risk piece of CAR’s
• 8.9.2 m – management review – results of risk identification
• Bibliography references ISO 31000 guidelines
• Includes when evidence / records required
How will AB’s assess Risks & Opp’s
• New to the ISO 17025 world, though not 9001
• All AB’s now challenged to develop policies
– Need customer lab inputs and examples
– Likely to wrestle with this for the 3-year implm’tn
– Assessors have similar learning curve as labs
Contact Information
Dr. Bill Hirt
Global Technical Advisor
ANAB / ANSI-ASQ National Accreditation Board