The extent to which the “risk based approach” will affect the nature of ISO 9001 certification is a hot discussion topic at the moment. Obviously, with the actual standard still months away (at the time of writing we haven’t even seen the FDIS) the debates are academic and hypothetical. However, lately I have had some exposure to how the risk based approach may impact the QMS in a very practical way, having just started an API Q1 revision 9 project.
Now, for those of you that don’t know, the API Q1 revision 9 standard is based upon ISO 9001. It is assessed and awarded directly by the American Petroleum Institute (i.e. not by any approved certification body) and it applies to organisations that provide design and fabrication services within the petroleum industry. An industry-specific variation of ISO 9001, in other words, a bit like AS 9100, ISO 13485 or TS 16949. Revision 9 has already integrated the risk based approach and, along with my client, I have been able to have a little play with it.
Obviously there are a few things that remain as they were: Document and Records Control, Policy, Objectives and so on. However, the API standard has not only ADDED the risk based approach to its requirements, it has INTEGRATED it. What I mean by that is that you can’t simply bolt on a “risk management” procedure, or retitle your Preventive Action procedure as “Risk Management” – you have to integrate it.
The authors of that standard have taken care to cross-refer the approach WITHIN other requirements – Contract Review and Production Planning, for example. Risk has to be considered at organisational level (matters such as adverse weather, power outage or geopolitical disruption) and also at a more day-to-day level on specific production runs (considering matters such as supplier reliability, non-availability of key personnel or machine outage).
Moreover there is a more high-profile MANAGEMENT OF CHANGE requirement, and it has to be done in a more integrated and specific way. Again, this can’t simply be kicked into the long grass with a generic “management of change” procedure – it has to be INTEGRATED. What does this mean? Well, as an example, the assessment of action resulting from a non-conformance must determine whether the corrective action requires a systematic management of change (as opposed to a more mundane correction, document update or repair). In the event that an NC requires a system change, the MoC procedure will define the considerations for assigning responsibility, tracking, verifying closure and also for the systematic and recorded communication of that change throughout the organisation.
It is a challenging standard to work with because it’s quite hard to get away with bluffing anything, but I suppose that makes it a GOOD standard. I’ll be interested to see just how much ISO 9001:2015 adopts the model and process. I hope it takes a great deal of it because, at this stage, it feels like a big step in the right direction.
The Risk Based Approach is the new Continual Improvement