Kevin Beard Risk Management With Customer Focus Introduction To Risk Discuss Risk/QMS Relationship Concepts Introduction to Risk/QMS in AS9100c – Additional & Sanctioned Training to Be Provided By OPMT Case Studies & Audience Participation Introduction To Risk How Do We Currently View Risk In AS9100b – Customer Requirements – Other Parts of Std.??? How Many Have Read AS9100c What Do We See As The Difference – Structure?? – New Individual Requirements?? – Underlying Concept that Applies Across the Standard?? Why Are We Discussing Risk Today – – – – Complex Concept Difficult to Understand Difficult to Explain to Customers Therefore, Difficult to Audit What is Risk? A risk is a potential future event that could result in adverse and unplanned consequences. – A risk is NOT a Problem, an Issue, or a Crisis! Risk is a measure of the potential inability to achieve overall program objectives within defined cost, schedule and technical constraints. (Reference: Risk Mgt Guide for DoD Acquisition, 4th Edition, June 2003) What is Risk? Risk Management Processes Product & Technical Risks Risk Mitigation Behaviors within a process What is Risk? Risk Management Processes Product & Technical Risks Risk Mitigation Behaviors within a process Risk Management Processes Risk Planning – The step of developing and documenting comprehensive and interactive strategies and methods for identifying and tracking risk areas, training, developing risk mitigation plans, performing risk assessments to determine how risks have changed, and planning/obtaining adequate resources. Risk Identification – The step of discovering and defining all risks inherent in your program or project. Risk Assessment – The process of analyzing and prioritizing program and process risks against cost, schedule and/or performance criteria. Risk Handling – The step that identifies, evaluates, selects, and implements actions in order to reduce risk likelihood or consequence to an acceptable level. Risk Monitoring – The step that systematically tracks and evaluates the performance of Risk Handling actions against established metrics throughout the acquisition process. The Risk Management Process - Risk PDCA - Act Plan Check Do What is Risk? Risk Management Processes Product & Technical Risks Risk Mitigation Behaviors within a process Product & Technical Risks Complexity of Design Criticality of Product for End Use New or Unproven Process or Technology Organizational Capability to Design or Build Product – New or Unproven Process to Organization – New Technology to Company Items or Requirements That are Candidates for Risk Management Processes Others?? What is Risk? Risk Management Processes Product & Technical Risks Risk Mitigation Behaviors within a process Risk Based Decisions & Behaviors Identification – Discovering and defining all risks inherent in your program, project, process, or task. Communication – Communicating Risks to all Relevant Individuals and Processes Risk Understanding – Understanding the Risks and How they affect your Function or Process Decision Making (Risk Based) – Making Choices on application of ‘Individual Options’ and ‘Process Options’ Risk Behaviors – Knowledge of Identified Risks – Knowledge of Process Options – Application of Identified Risk Topics to ‘Process Options’ Requirements & Risk Based Decisions How Communicated Operational Options that Need Risk Oriented Decisions associated with Critical Requirements •Design Approach •V&V Approach •Monitor & Insp. Approach •Supplier Oversight Where Identified RFQ What Decisions Proposal Contract Design Manufact. Integrate Product Delivery Monitoring and Inspection Activities Communication of Supplier Requirements -Key Characteristics- Purchasing Suppliers All Requirements are not created equal AS 9100 – 3.1 Terms and Definitions Risk - An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence. Variable Risk Application Approach Varying Applicability to Different Functions Risk Processes…..‘appropriate to the product and the organization’ (7.1.2) Type Project Production Service Size Large Medium Small Product X X X Process X X X People X X X How Does Risk Approach Vary? – Organizational Application of Risk Can Vary Based on Situation, Customer, Product Line, etc. – Audit Approach & Questioning Will Need to Vary Also. Theory Applied Risk Management Processes Product & Technical Risks Risk Mitigation Behaviors within a process AS 9100 – 7.1.2 Risk Management The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product Processes Behaviors a) assignment of responsibilities for risk management, b) definition of risk criteria (e.g., likelihood, consequences, risk acceptance), c) identification, assessment and communication of risks throughout product realization, d) identification, implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria, and e) acceptance of risks remaining after implementation of mitigating actions. Risk Impacts – P.P.P. 7.1.2 Risk Management c) identification, assessment and communication of risks throughout product realization, d) identification, implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria, Product Consequence & Likelihood Plan, Implement, Control People Capability FMEA Process FMEA Competency Levels Critical Safety Items Process Requirements Evaluation Prod/Proc Proficiency Customer/User Needs Design Critical Items Task Specific Training IPTs Key Characteristics Task Specific OJT Specification & Drawings Mandatory Insp. Points CM Processes Production Planning Supplier Interaction Job Assignments Design Review Config Control Boards Metric Analysis Inspection Approach Process Audits Technical Audits Product Audits Configuration Audits Supplier Oversight Requirements Evaluation Communication Process Supplier Capabilities AS 9100 – 7.1.2 Risk Management 7.2.2 Review of requirements related to the product e) risks (e.g., new technology, short delivery time frame) have been identified (see 7.1.2). 7.4.1 Purchasing process f) determine and manage the risk when selecting and using suppliers (see 7.1.2). 8.5.3 Preventive action NOTE Examples of preventive action opportunities include risk management, error proofing, failure mode and effect analysis (FMEA), and information on product problems reported by external sources. 8.2.4 When the organization uses sampling inspection as a means of product acceptance, the sampling plan shall be justified on the basis of recognized statistical principles and appropriate for use (i.e., matching the sampling plan to the criticality of the product and to the process capability). AS 9100 – 7.1.2 Risk Management Does Risk Apply in Other Parts of the AS9100 Standard – Explicit? – Implied? How does this apply throughout the AS9100 standard – – – – – – – Processes? Decisions/Behaviors? 4.1 General Management System Requirements 7.1 Product Realization Planning 7.3 Design & Development Lifecycle Processes 7.5 Production & Service Provision 8.1 Measurement, Analysis & Improvement Potential Impacts – Large Companies Varying Applicability to Different Functions Risk Processes…..‘appropriate to the product and the organization’ (7.1.2) Prog/ Proj Eng. Supplier Mgmt S&MA Individual Tasks Risk Resp. Assignment X X X X Risk Definition X X X X ID, Assess, Comm. X X X X Implement & Management X X X X X Acceptance X X X X X Others How Do Risk Responsibilities Vary? – – – – – Program – Cost, Schedule, Technical Engineering – Design, Technology Capability, Others Supplier Management – Supplier Capability, Cust/Supplier Interface, Others S&MA – Independent Oversight (Processes, Suppliers, Etc.), Others Individuals – Application of Risk to Option Decisions Potential Impacts – Small Companies Varying Applicability to Different Functions Risk Processes…..‘appropriate to the product and the organization’ (7.1.2) Sales, Contracts Prod. Planner Purch Manuf Inspector Risk Resp. Assignment X X X X X Risk Definition X X ID, Assess, Comm. X X X Implement & Management X X X X X Acceptance X X X X X Other How Do Risk Responsibilities Vary? – Sales & Contracts – Understanding of User Needs/Requirements & Comparison of User Needs To Organizational Capabilities – Production Planner – Applying “Appropriate” Methods Associated with Risk to Meeting User Needs & Requirements – Purchasing – Vendor Capability, Risk/Criticality Communication, Others – Manufacturing – Applying “Appropriate” Methods – Inspector – Independent Verification – Individuals – Application of Risk to Option Decisions Risk Case Studies What Have We Covered? – General Discussion on Risk Theories – Relationship to AS9100c Standard Time to put your Auditor Hats Back On Case Studies – Risk Associated With Product – Risk Associated With Processes – Risk Associated With People Product Risk in Lower Tier Organizations Product Process People What Are Risks & Impacts?? What Are Risks & Impacts?? What Are Risks & Impacts?? In Your Pre-Audit Planning, You Find that the Organization’s Customer provided the Organization with a PO on a very challenging task that includes providing a product that is more complicated than other products previously manufactured. •What Additional Questions Would You Pursue in Pre-Audit Discussions •Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b) •Area Where Risks Might Be Identified (7.1.2 c) •Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations) How Are Risks Communicated (7.1.2 c) What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d) •Onsite Audit •Types of Questions You Would Pursue •Types of Issues/Findings That May Develop Process Risk in Lower Tier Organizations Product Process People What Are Risks & Impacts?? What Are Risks & Impacts?? What Are Risks & Impacts?? In Your Pre-Audit Planning, You Find that the Organization’s Customer provides the organization with a PO that includes a task that you do not have the capability for. You outsource this task to a vendor that you have never used before. •What Additional Questions Would You Pursue in Pre-Audit Discussions •Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b) •Area Where Risks Might Be Identified (7.1.2 c) •Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations) How Are Risks Communicated (7.1.2 c) What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d) •Onsite Audit •Types of Questions You Would Pursue •Types of Issues/Findings That May Develop People Risk in Lower Tier Organizations Product Process People What Are Risks & Impacts?? What Are Risks & Impacts?? What Are Risks & Impacts?? In Your Pre-Audit Planning, You Find that the Organization’s Customer transferred a large contract to this organization. The organization had to increase your workforce by 20% and add shift work. In your last audit your recall that the Organization was Working at/near capacity. •What Additional Questions Would You Pursue in Pre-Audit Discussions •Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b) •Area Where Risks Might Be Identified (7.1.2 c) •Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations) How Are Risks Communicated (7.1.2 c) What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d) •Onsite Audit •Types of Questions You Would Pursue •Types of Issues/Findings That May Develop Theory Applied Risk Management Processes Product & Technical Risks Risk Mitigation Behaviors within a process Special What??? Characteristi c Critical Items Key Requirement Special 3 Terms and Definitions 3.2 Special requirements Those requirements identified by the customer, or determined by the organization, which have high risks to being achieved thus, requiring their inclusion in the risk management process. Factors used in the determination of special requirements include product or process complexity, past experience and product or process maturity. Examples of special requirements include performance requirements imposed by the customer that are at the limit of the industry’s capability, or requirements determined by the organization to be at the limit of their technical or process capabilities. 3 Terms and Definitions 3.3 Critical items Those items (e.g., functions, parts, software, characteristics, processes) having significant effect on the product realization and use of the product; including safety, performance, form, fit, function, producibility, service life, etc.; that require specific actions to ensure they are adequately managed. Examples of critical items include safety critical items, fracture critical items, mission critical items, key characteristics, etc. 3 Terms and Definitions 3.4 Key characteristic An attribute or feature whose variation has a significant effect on product fit, form, function, performance, service life or producibility, that requires specific actions for the purpose of controlling variation. NOTE Special requirements and critical items are new terms and, along with key characteristics, are interrelated. – Special requirements are identified when determining requirements related to the product (see 7.2.1). – Special requirements may then require the identification of critical items. – Design output (see 7.3.3) may then include identification of critical items that require specific actions to ensure they are adequately managed. – Some critical items will be further classified as key characteristics because their variation needs to be controlled. Special Requirements, Critical Items & Key Characteristics Key Characteristics Simplified – Communication of Criticality Between Engineering & Production – In House Production or Outsourced Production Special Requirements & Critical Items Simplified – Communication of Criticality Between Customer & Organization (SR) Engineering & Engineering (CI) – In House Engineering or Outsourced Engineering Common Expectations – Consideration for Use of More Rigorous Controls in Process – Risk Based Approach to Identification, Analysis and Communication of Customer and Product Requirements Special Requirements, Critical Items & Key Characteristics •Communication & Understanding of Risks •Risk Based Decisions and Actions in Individual Processes Identification of Special Requirements RFQ Proposal Operational Options that Need Risk Oriented Decisions associated with Special Requirements •Design Approach •V&V Approach •Monitor & Insp. Approach •Supplier Oversight Identification of Critical Items & Key Characteristics Contract Design Manufact. Integrate Product Delivery Monitoring and Inspection Activities Communication of Supplier Requirements -Key Characteristics- Purchasing Suppliers All Requirements are not created equal 7.1 Planning of Product Realization 7.1 Planning of product realization The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system (see 4.1). In planning product realization, the organization shall determine the following, as appropriate: a) quality objectives and requirements for the product; Identification & Communication NOTE Quality objectives and requirements for the product include consideration of aspects such as − product and personal safety, − reliability, availability and maintainability, − producibility and inspectability, − suitability of parts and materials used in the product, − selection and development of the software that contributes to the function of the product, and − recycling or final disposal of the product at the end of its life. f) configuration management appropriate to the product, its context and environment; g) the identification of resources to support the use and maintenance of product. The output of this planning shall be in a form suitable for the organization's method of operations. 7.2.2 Review of Requirements Related to Product 7.2.1 Determination of requirements related to the product Understanding The organization shall determine a) requirements specified by the customer……. b) requirements not stated by the customer but necessary for specified or intended use, where known, c) statutory and regulatory requirements applicable to the product, and d) any additional requirements considered necessary by the organization. NOTE Requirements related to the product can include Special Requirements 7.2.2 Review of requirements related to the product The organization shall review the requirements related to the product. This review shall be conducted prior to the organization's commitment to supply a product to the customer …… and shall ensure that a) product requirements are defined, Identification & Communication c) the organization has the ability to meet the defined requirements, d) special requirements of the product are determined, and e) risks (e.g., new technology, short delivery time frame) have been identified (see 7.1.2). 7.3.1 Design and Development Planning 7.3.1 Design and development planning Where appropriate, the organization shall divide the design and development effort into distinct activities and, for each activity, define the tasks, necessary resources, responsibilities, design content, input and output data and planning constraints. Understanding The different design and development tasks to be carried out shall be based on the safety and functional objectives of the product in accordance with customer, statutory and regulatory requirements. Design and Development Outputs & Verification/Validation 7.3.3 Design and development outputs The outputs of design and development shall be in a form suitable for verification against the design and development input and shall be approved prior to release. Identification & Design and development outputs shall Communication e) specify, as applicable, any critical items, including any key characteristics, and specific actions to be taken for these items. 7.3.6 Design and development validation Decision Design and development validation shall be performed in accordance with planned arrangements (see 7.3.1) to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use, where known. 7.3.6.2 Design and/or development verification and validation documentation Decision At the completion of design and/or development, the organization shall ensure that reports, calculations, test results, etc., demonstrate that the product definition meets the specification requirements for all identified operational conditions. (7.1.2.e – Acceptance of Risk) 7.5.1 Control of Production and Service Provision 7.4.2 Purchasing information Purchasing information shall describe the product to be purchased, including where appropriate Identification & Communication e) requirements for design, test, inspection, verification, use of statistical techniques for product acceptance, and related instructions for acceptance by the organization, and as applicable critical items including key characteristics, 7.5.1 Control of production and service provision Decision Planning shall consider, as appropriate − establishing, implementing and maintaining appropriate processes to manage critical items, including process controls where key characteristics have been identified, 8.2.4 Monitoring and measurement of product Decision When critical items, including key characteristics, have been identified the organization shall ensure they are controlled and monitored in accordance with the established processes. SR/CI Case Studies What Have We Covered? – General Discussion on SR/CI Theories – Relationship to AS9100c Standard Time to put your Auditor Hats Back On Case Study – SR/CI - Space Risk Products Processes Product Meets Requirements Program plans Reliability program requirements Structured Independence Processes Critical items control & management Mission/Product Assurance Processing induced hazards Mission Assurance Plan (MAP) Defining of risk controls Behaviors AS9100 Standard Risk Identification Realization Process Risk Planning Analysis & Prioritization Contracts Elevation of risk (communication) Design Mitigation Decision Making Procurement Human factors skill / training Manufacturing Inspection Risk Management Processes Why do we think this change to the standard was made? – To Much QMS Focus on Compliance To QMS Requirements Cost & Schedule – Need Additional Focus on Risk & Risk Based Decisions Process Product Potential Impacts To Organizations Processes – – – – – – Program Management Engineering Purchasing Supplier Management S&MA Others Procedures – Project & Design Lifecycles – Procurement – S&MA, SR&QA, Product Assurance, Etc. People – Identification and Communication of Risk – Understanding Options Within Processes, and Associated Decision Options – Application of Risk in Decision Making Process Challenges (i.e. Implementation Risks) CBs & Auditors – Understanding the Varied Potential Applications of Risk in a QMS, Process, or Product lifecycle – Educate Yourselves on the Broadness of Risk Applicability in a QMS – Develop Sensible But Meaningful Approaches to Auditing Risk – Plan for a Successful Role out of a Risk Audit Approach – Communicate with Audit Staff & Other Affected Parties – Communicate with Your Customers on Applicability of Risk within their QMS Balanced Application of Cost, Schedule & Risk within an Organizations QMS. Ensuring Processes Identify and Communicate Risks & Appropriated Decisions are Made to Ensure that Risks are Handled – Ensure Consistency to Mitigate Confusion Not Covered in This Presentation – Risk & Project Management – Risk & Configuration Management Questions ?? Characteristi c Key Critical Requirement Items Special Risk