Risk Management With Customer Focus Kevin Beard. Introduction To Risk Discuss Risk/QMS Relationship Concepts Introduction to Risk/QMS in AS9100c –Additional

Risk Management With Risk Management With Customer FocusCustomer Focus

Kevin Beard

Introduction To Risk Introduction To Risk

Discuss Risk/QMS Relationship Concepts

Introduction to Risk/QMS in AS9100c– Additional & Sanctioned Training to Be Provided

By OPMT

Case Studies & Audience Participation

Introduction To RiskIntroduction To Risk

How Do We Currently View Risk In AS9100b– Customer Requirements– Other Parts of Std.???

How Many Have Read AS9100c

What Do We See As The Difference– Structure??– New Individual Requirements??– Underlying Concept that Applies Across the Standard??

Why Are We Discussing Risk Today– Complex Concept– Difficult to Understand– Difficult to Explain to Customers– Therefore, Difficult to Audit

A risk is a potential future event that could result in adverse and unplanned consequences.– A risk is NOT a Problem, an Issue, or a Crisis!

Risk is a measure of the potential inability to achieve overall program objectives within defined cost, schedule and technical constraints.

(Reference: Risk Mgt Guide for DoD Acquisition, 4th Edition, June 2003)

What is Risk?What is Risk?

Risk Management Processes


Risk Mitigation Behaviors within

a process

Product & Technical

Risks




a process

Product & Technical

Risks

Risk Planning – The step of developing and documenting comprehensive and interactive

strategies and methods for identifying and tracking risk areas, training, developing risk mitigation plans, performing risk assessments to determine how risks have changed, and planning/obtaining adequate resources.

Risk Identification– The step of discovering and defining all risks inherent in your program or

project.

Risk Assessment– The process of analyzing and prioritizing program and process risks against

cost, schedule and/or performance criteria.

Risk Handling– The step that identifies, evaluates, selects, and implements actions in order

to reduce risk likelihood or consequence to an acceptable level.

Risk Monitoring– The step that systematically tracks and evaluates the performance of Risk

Handling actions against established metrics throughout the acquisition process.

Risk Management ProcessesRisk Management Processes

The Risk Management The Risk Management ProcessProcess

- Risk PDCA -- Risk PDCA -




a process

Product & Technical

Risks

Product & Technical RisksProduct & Technical Risks

Complexity of Design

Criticality of Product for End Use

New or Unproven Process or Technology

Organizational Capability to Design or Build Product– New or Unproven Process to Organization– New Technology to Company

Items or Requirements That are Candidates for Risk Management Processes

Others??




a process

Product & Technical

Risks

Identification– Discovering and defining all risks inherent in your program, project,

process, or task.

Communication– Communicating Risks to all Relevant Individuals and Processes

Risk Understanding– Understanding the Risks and How they affect your Function or

Process

Decision Making (Risk Based) – Making Choices on application of ‘Individual Options’ and

‘Process Options’

Risk Behaviors– Knowledge of Identified Risks

– Knowledge of Process Options

– Application of Identified Risk Topics to ‘Process Options’

Risk Based Decisions & BehaviorsRisk Based Decisions & Behaviors

Proposal Contract Design Manufact.ProductDelivery

Integrate

Purchasing

All Requirements are not created equal

Monitoring and Inspection Activities

Operational Options that Need Risk Oriented Decisions associated with Critical Requirements

•Design Approach

•V&V Approach

•Monitor & Insp. Approach

•Supplier Oversight

RFQ

Suppliers

Communication of Supplier Requirements-Key Characteristics-

Requirements & Risk Based Requirements & Risk Based DecisionsDecisions

Where Identified

How Communicated

What Decisions

AS 9100 – 3.1 Terms and DefinitionsAS 9100 – 3.1 Terms and Definitions

Risk - An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.

Variable Risk Application ApproachVariable Risk Application Approach

Varying Applicability to Different Functions

Risk Processes…..‘appropriate to the product and the organization’ (7.1.2)

Type Project Production Service

Size Large Medium Small

Product X X X

Process X X X

People X X X

How Does Risk Approach Vary?– Organizational Application of Risk Can Vary Based on Situation, Customer,

Product Line, etc.

– Audit Approach & Questioning Will Need to Vary Also.


Theory AppliedTheory Applied


a process

Product & Technical

Risks

AS 9100 – 7.1.2 Risk ManagementAS 9100 – 7.1.2 Risk Management

The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product

a) assignment of responsibilities for risk management,

b) definition of risk criteria (e.g., likelihood, consequences, risk acceptance),

c) identification, assessment and communication of risks throughout product realization,

d) identification, implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria, and

e) acceptance of risks remaining after implementation of mitigating actions.

Processes

Behaviors

Risk Impacts – P.P.P.Risk Impacts – P.P.P.

7.1.2 Risk Managementc) identification, assessment and communication of risks throughout product

realization,d) identification, implementation and management of actions to mitigate risks

that exceed the defined risk acceptance criteria,

Product Process People Capability

Consequence & Likelihood

FMEA

Critical Safety Items

Requirements Evaluation

Process FMEA

Process Requirements Evaluation

Competency Levels

Prod/Proc Proficiency

Supplier Capabilities

Communication Customer/User Needs

IPTs

Specification & Drawings

Design Critical Items

Key Characteristics

CM Processes

Task Specific Training

Task Specific OJT

Supplier Interaction

Plan, Implement, Control

Mandatory Insp. Points

Design Review

Inspection Approach

Product Audits

Production Planning

Config Control Boards

Process Audits

Configuration Audits

Job Assignments

Metric Analysis

Technical Audits

Supplier Oversight


7.2.2 Review of requirements related to the producte) risks (e.g., new technology, short delivery time frame) have been identified

(see 7.1.2).

7.4.1 Purchasing processf) determine and manage the risk when selecting and using

suppliers (see 7.1.2).

8.5.3 Preventive actionNOTE Examples of preventive action opportunities include risk management, error proofing, failure mode and effect analysis (FMEA), and information on product problems reported by external sources.

8.2.4When the organization uses sampling inspection as a means of product acceptance, the sampling plan shall be justified on the basis of recognized statistical principles and appropriate for use (i.e., matching the sampling plan to the criticality of the product and to the process capability).


Does Risk Apply in Other Parts of the AS9100 Standard– Explicit?

– Implied?

How does this apply throughout the AS9100 standard– Processes?

– Decisions/Behaviors?

– 4.1 General Management System Requirements

– 7.1 Product Realization Planning

– 7.3 Design & Development Lifecycle Processes

– 7.5 Production & Service Provision

– 8.1 Measurement, Analysis & Improvement

Potential Impacts – Large CompaniesPotential Impacts – Large Companies



Prog/Proj

Eng. Supplier Mgmt

S&MA Individual Tasks

Others

Risk Resp. Assignment X X X X

Risk Definition X X X X

ID, Assess, Comm. X X X X

Implement & Management

X X X X X

Acceptance X X X X X

How Do Risk Responsibilities Vary?– Program – Cost, Schedule, Technical

– Engineering – Design, Technology Capability, Others

– Supplier Management – Supplier Capability, Cust/Supplier Interface, Others

– S&MA – Independent Oversight (Processes, Suppliers, Etc.), Others

– Individuals – Application of Risk to Option Decisions

Potential Impacts – Small CompaniesPotential Impacts – Small Companies



Sales, Contracts

Prod. Planner

Purch Manuf Inspector Other

Risk Resp. Assignment X X X X X

Risk Definition X X

ID, Assess, Comm. X X X

Implement & Management X X X X X

Acceptance X X X X X

How Do Risk Responsibilities Vary?– Sales & Contracts – Understanding of User Needs/Requirements &

Comparison of User Needs To Organizational Capabilities– Production Planner – Applying “Appropriate” Methods Associated with Risk

to Meeting User Needs & Requirements– Purchasing – Vendor Capability, Risk/Criticality Communication, Others– Manufacturing – Applying “Appropriate” Methods – Inspector – Independent Verification– Individuals – Application of Risk to Option Decisions

Risk Case StudiesRisk Case Studies

What Have We Covered?– General Discussion on Risk Theories

– Relationship to AS9100c Standard

Time to put your Auditor Hats Back On

Case Studies– Risk Associated With Product

– Risk Associated With Processes

– Risk Associated With People

Product Risk in Lower Tier Product Risk in Lower Tier OrganizationsOrganizations

In Your Pre-Audit Planning, You Find that the Organization’s Customer provided the Organization with a PO on a very challenging task that includes providing a product that is more complicated than other products previously manufactured.

•What Additional Questions Would You Pursue in Pre-Audit Discussions•Who Has Risk Management Responsibility for this Scenario (7.1.2 a&b)•Area Where Risks Might Be Identified (7.1.2 c)

•Create an Audit Plan. (What Are the Areas of Focus, Including Customer Risk Expectations)How Are Risks Communicated (7.1.2 c)What Risk Mitigation/Decisions are Made (How Documented) (7.1.2 d)

•Onsite Audit

•Types of Questions You Would Pursue

•Types of Issues/Findings That May Develop

Product Process People

What Are Risks & Impacts?? What Are Risks & Impacts?? What Are Risks & Impacts??

ProcessProcess Risk in Lower Tier Risk in Lower Tier OrganizationsOrganizations



In Your Pre-Audit Planning, You Find that the Organization’s Customer provides the organization with a PO that includes a task that you do not have the capability for. You outsource this task to a vendor that you have never used before.



•Onsite Audit



People Risk in Lower Tier People Risk in Lower Tier OrganizationsOrganizations



In Your Pre-Audit Planning, You Find that the Organization’s Customer transferred a large contract to this organization. The organization had to increase your workforce by 20% and add shift work. In your last audit your recall that the Organization was Working at/near capacity.



•Onsite Audit




Theory AppliedTheory Applied


a process

Product & Technical

Risks

Special What???Special What???

Critical

Key

Special

Characteristic

Requirement

Items

3 Terms and Definitions3 Terms and Definitions

3.2 Special requirements

Those requirements identified by the customer,

or determined by the organization, which have high risks to being achieved thus, requiring their inclusion in the risk management process. Factors used in the determination of special requirements include product or process complexity, past experience and product or process maturity. Examples of special requirements include performance requirements imposed by the customer that are at the limit of the industry’s capability, or requirements determined by the organization to be at the limit of their technical or process capabilities.


3.3 Critical items

Those items (e.g., functions, parts, software,

characteristics, processes) having significant effect on the product realization and use of the product; including safety, performance, form, fit, function, producibility, service life, etc.; that require specific actions to ensure they are adequately managed. Examples of critical items include safety critical items, fracture critical items, mission critical items, key characteristics, etc.


3.4 Key characteristic

An attribute or feature whose variation has a significant effect on product fit, form, function, performance, service life or producibility, that requires specific actions for the purpose of controlling variation.

NOTE Special requirements and critical items are new terms and, along with key characteristics, are interrelated. – Special requirements are identified when determining

requirements related to the product (see 7.2.1). – Special requirements may then require the identification of

critical items. – Design output (see 7.3.3) may then include identification of

critical items that require specific actions to ensure they are adequately managed.

– Some critical items will be further classified as key characteristics because their variation needs to be controlled.

Special Requirements, Critical Items Special Requirements, Critical Items & Key Characteristics& Key Characteristics

Key Characteristics Simplified– Communication of Criticality Between Engineering &

Production

– In House Production or Outsourced Production

Special Requirements & Critical Items Simplified– Communication of Criticality Between

Customer & Organization (SR)Engineering & Engineering (CI)

– In House Engineering or Outsourced Engineering

Common Expectations– Consideration for Use of More Rigorous Controls in Process

– Risk Based Approach to Identification, Analysis and Communication of Customer and Product Requirements

Proposal Contract Design Manufact.ProductDelivery

Integrate

Purchasing

All Requirements are not created equal

Monitoring and Inspection Activities

•Communication & Understanding of Risks•Risk Based Decisions and Actions in Individual Processes

Operational Options that Need Risk Oriented Decisions associated with Special Requirements

•Design Approach

•V&V Approach

•Monitor & Insp. Approach

•Supplier Oversight

RFQ

Suppliers

Communication of Supplier Requirements-Key Characteristics-

Special Requirements, Special Requirements, Critical Items & Key Critical Items & Key

CharacteristicsCharacteristics

Identification of Special Requirements

Identification of Critical Items & Key Characteristics

7.1 Planning of Product Realization7.1 Planning of Product Realization

7.1 Planning of product realization

The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system (see 4.1). In planning product realization, the organization shall determine the following, as appropriate:

a) quality objectives and requirements for the product;

NOTE Quality objectives and NOTE Quality objectives and requirementsrequirements for the product include consideration for the product include consideration of aspects such asof aspects such as

− − product and personal safety,product and personal safety,

− − reliability, availability and maintainability,reliability, availability and maintainability,

− − producibility and inspectability,producibility and inspectability,

− − suitability of parts and materials used in the product,suitability of parts and materials used in the product,

− − selection and development of the software that contributes to the function of the selection and development of the software that contributes to the function of the product, andproduct, and

− − recycling or final disposal of the product at the end of its life.recycling or final disposal of the product at the end of its life.

f) configuration management appropriate to the product, its context and environment;

g) the identification of resources to support the use and maintenance of product.

The output of this planning shall be in a form suitable for the organization's method of operations.

Identification & Communication

7.2.2 Review of Requirements Related to Product7.2.2 Review of Requirements Related to Product

7.2.1 Determination of requirements related to the productThe organization shall determinea) requirements specified by the customer…….b) requirements not stated by the customer but necessary for specified or

intended use, where known,c) statutory and regulatory requirements applicable to the product, andd) any additional requirements considered necessary by the organization.

NOTE Requirements related to the product can include Special NOTE Requirements related to the product can include Special RequirementsRequirements

7.2.2 Review of requirements related to the productThe organization shall review the requirements related to the product. This review shall be conducted prior to the organization's commitment to supply a product to the customer …… and shall ensure thata) product requirements are defined,c) the organization has the ability to meet the defined requirements,d) special requirements of the product are determined, andd) special requirements of the product are determined, ande) risks (e.g., new technology, short delivery time frame) have been e) risks (e.g., new technology, short delivery time frame) have been

identified (see 7.1.2).identified (see 7.1.2).

Under- standing


7.3.1 Design and Development Planning7.3.1 Design and Development Planning

7.3.1 Design and development planning

Where appropriate, the organization shall divide the design and development effort into distinct activities and, for each activity, define the tasks, necessary resources, responsibilities, design content, input and output data and planning constraints.

The different design and development tasks to be carried out shall

be based on the safety and functional objectivessafety and functional objectives of of the product in accordance with the product in accordance with customer, customer, statutory and regulatorystatutory and regulatory requirements. requirements.

Under- standing

Design and Development Outputs & Design and Development Outputs & Verification/ValidationVerification/Validation

7.3.3 Design and development outputs

The outputs of design and development shall be in a form suitable for verification against the design and development input and shall be approved prior to release.

Design and development outputs shall

e) specify, as applicable, any critical itemsspecify, as applicable, any critical items, including any key characteristics, and specific actions to be taken for these items.

7.3.6 Design and development validation

Design and development validation shall be performed in accordance with planned arrangements (see 7.3.1) to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use, where known.

7.3.6.2 Design and/or development verification and validation documentation

At the completion of design and/or development, the organization At the completion of design and/or development, the organization shall ensure that reports, calculations, test results, etc., shall ensure that reports, calculations, test results, etc., demonstrate that the product definition meets the specification demonstrate that the product definition meets the specification requirements for all identified operational conditions. requirements for all identified operational conditions.

(7.1.2.e – Acceptance of Risk)(7.1.2.e – Acceptance of Risk)

Decision

Decision


7.5.1 Control of Production and Service Provision7.5.1 Control of Production and Service Provision

7.4.2 Purchasing informationPurchasing information shall describe the product to be purchased, including where appropriate

e) requirements for design, test, inspection, verification, use of statistical techniques for product acceptance, and related instructions for acceptance by the organization, and as applicable and as applicable critical items including key characteristicscritical items including key characteristics,,

7.5.1 Control of production and service provisionPlanning shall consider, as appropriate

− establishing, implementing and maintaining appropriate processes establishing, implementing and maintaining appropriate processes to to manage critical items, including process controls where key manage critical items, including process controls where key characteristicscharacteristics have been identified, have been identified,

8.2.4 Monitoring and measurement of product

When critical items, including key characteristicsWhen critical items, including key characteristics, have been , have been identified the organization shall ensure they are controlled and identified the organization shall ensure they are controlled and monitored in accordance with the established processes.monitored in accordance with the established processes.

Decision


Decision

SR/CI Case StudiesSR/CI Case Studies

What Have We Covered?– General Discussion on SR/CI Theories

– Relationship to AS9100c Standard

Time to put your Auditor Hats Back On

Case Study– SR/CI - Space

Products Product Meets Requirements Reliability program requirements Critical items control & management Mission/Product Assurance Processing induced hazards

RiskRiskRiskRisk

Behaviors

Risk Identification

Analysis & Prioritization

Elevation of risk (communication)

Mitigation Decision Making

Human factors skill / training

Processes

Program plans

Structured Independence Processes

Mission Assurance Plan (MAP)

Defining of risk controls

AS9100 Standard

Realization Process Risk Planning

Contracts

Design

Procurement

Manufacturing

Inspection

Why do we think this change to the standard was made?

Risk Management ProcessesRisk Management Processes

– To Much QMS Focus on

Compliance To QMS RequirementsCost & Schedule

– Need Additional Focus on Risk & Risk Based DecisionsProcessProduct

Potential Impacts To OrganizationsPotential Impacts To Organizations

Processes– Program Management– Engineering– Purchasing– Supplier Management– S&MA– Others

Procedures– Project & Design Lifecycles– Procurement– S&MA, SR&QA, Product Assurance, Etc.

People– Identification and Communication of Risk– Understanding Options Within Processes, and

Associated Decision Options – Application of Risk in Decision Making Process

Challenges (i.e. Implementation Risks)Challenges (i.e. Implementation Risks)

CBs & Auditors– Understanding the Varied Potential Applications of Risk in a QMS,

Process, or Product lifecycle– Educate Yourselves on the Broadness of Risk Applicability in a QMS– Develop Sensible But Meaningful Approaches to Auditing Risk– Plan for a Successful Role out of a Risk Audit Approach– Communicate with Audit Staff & Other Affected Parties– Communicate with Your Customers on

Applicability of Risk within their QMSBalanced Application of Cost, Schedule & Risk within an

Organizations QMS.Ensuring Processes Identify and Communicate Risks &

Appropriated Decisions are Made to Ensure that Risks are Handled

– Ensure Consistency to Mitigate Confusion

Not Covered in This Presentation– Risk & Project Management– Risk & Configuration Management

Questions ??Questions ??

Critical

Key

Special

Characteristic

Requirement

Items

Risk

Documents

Risk Management With Customer Focus Kevin Beard. Introduction To Risk Discuss Risk/QMS Relationship Concepts Introduction to Risk/QMS in AS9100c –Additional