ISO 9001:2015 Quality Management System Requirements: Risk Management
CK Cheung, International Lead Evaluator for National Accreditation Body

Is ISO 9001 useful, or is it just a game? It depends on:
- the attitude of the enterprise
- the level of the objectives set in the system
- the executability of the quality management system
- the commitment of top management
- the understanding that it is the work of the whole workforce, not of one individual (the quality manager)
- training

ISO 9001:2008: Quality Policy, Quality Objective, Corrective Action, Preventive Action, Internal Audit, Management Review

Preventive Action: the River Thames Flood Barrier in London, built to prevent flooding of London in a 1-in-200-year storm
ISO9001:2015 and ISO31000:2009: Risk & Opportunity
Risk Management (ISO 31000 Risk Management)
Risk Management Training of Quality Personnel
Introduction to ISO9001:2015
What is quality? Meeting or exceeding the customer's stated and implied requirements.
What is quality? Meet customer requirements; exceed their expectations.
China Three Gorges Project (Three Gorges Dam). The chief engineer of China's Three Gorges Project: "Quality is life."
Sichuan Earthquake
Florida: Hurricane Katrina
Quality Development
- Quality Control: 1980s
- Quality Assurance: 1994
- Quality Management: 2000 & 2008
- Quality Risk Management: 2015

ISO9001: Development Background
- 1959: UK Ministry of Defence standard MIL-Q-9858
- 1969: NATO AQAP series of standards
- 1974: BS5179 Guidance
- 1979: BS5750, a series of standards
- 1987: ISO9001
- 1994: ISO9001
- 2000: ISO9001
- 2008: ISO9001
- 2015: ISO9001

ISO9001:2008, 4 Elements
- Management Responsibility
- Resource Management
- Product Realization
- Measurement, analysis and improvement

ISO9001:2015, 7 Elements
- Context of the organization
- Leadership
- Planning for the QMS
- Support
- Operation
- Performance evaluation
- Improvement
Plan-Do-Check-Act Cycle (1/19/2016)
Customer requirements feed the cycle: Plan -> Do -> Check -> Act, driving continual improvement and customer satisfaction.
New ISO 9001:2015 Users Survey Results 1
- Communication
- Time, speed, ability & related aspects
- Quality management principles
- Alignment with business management practices
- Risk based thinking approach
- Life cycle management
- Plan, source, make, deliver
- Focus on product conformance

New ISO 9001:2015 Users Survey Results 2
- Clarification & differentiation of the multiple customers of an organization
- (Process) innovation
- Maintenance of infrastructure
- Process management
- Knowledge management
- Competence
- Structure of QMS & relation to MMS
- Impact on technology & change in information management

Quality Management Principles (2008 -> 2015)
- Customer focus -> Customer focus
- Leadership -> Leadership
- Involvement of people -> Engagement of people
- Process approach and System approach to management -> Process approach
- Continual improvement -> Improvement
- Factual approach to decision making -> Evidence-based decision making
- Mutually beneficial supplier relationship -> Relationship management

Terminology
- Risk: effect of uncertainty (on an expected result)
- Documented information: information required to be controlled and maintained by an organization and the medium on which it is contained
- Context of the organization (business environment): combination of internal and external factors and conditions that can have an effect on an organization's approach to its products, services and investments and interested parties

Concept of Exclusions
- Where a requirement of ISO 9001:2015 CAN be applied, then it SHALL be applied by the organization
- If any requirement(s) CANNOT be applied, this SHALL NOT affect the organization's ability or responsibility to ENSURE conformity of products & services
Where do we meet requirements regarding Risks (1)
- Determination of the processes, taking into consideration risks & opportunities (4.4f)
- Risks & opportunities that can affect conformity of products & services and the ability to enhance customer satisfaction should be determined & addressed (5.1.2b)
- When planning for the QMS, the organization shall determine the risks & opportunities (6.1.1)

Where do we meet requirements regarding Risks (Cont'd)
- The organization shall plan actions to address risks & opportunities (6.1.2)
- Determining type & extent of control of external provision (8.4.2): be careful, it doesn't use the word "risk", but the meaning is that risk is present

Where do we meet requirements regarding Risks (3)
- In determining the extent of post-delivery activities the organization shall consider the risks associated with the products & services (8.5.5a)
- The management review shall be planned and carried out taking into consideration the effectiveness of actions taken to address risks & opportunities (9.3.1d)

Risk-based thinking (1)
- Carrying out preventive action to eliminate potential nonconformities, analysing any NCs that do occur, and taking action to prevent recurrence that is appropriate for the effects of the NC
- The organization needs to plan & implement actions to address risks and opportunities
- This establishes a basis for increasing the effectiveness of the QMS, achieving improved results and preventing negative effects

Risk-based thinking (2): Risk and Opportunities
- Opportunities can arise as a result of a situation favourable to achieving an intended result, for example a set of circumstances that allow the organization to attract customers, develop new products and services, reduce waste or improve productivity.
- Actions to address opportunities can also include consideration of associated risks.
- Risk is the effect of uncertainty, and any such uncertainty can have positive or negative effects.
- A positive deviation arising from a risk can provide an opportunity, but not all positive effects of risk result in opportunities.
Documentation requirements 1
- QMS scope (4.3)
- The organization shall maintain documented information to the extent necessary to support the operation of processes and to have confidence that the processes are being carried out as planned (4.4)
- Quality policy (5.2.2a)
- Quality objectives (6.2.1)
- Evidence of fitness for purpose of monitoring & measurement resources (7.1.5)
- The basis used for calibration or verification where no international/national standards exist (7.1.5)
- Evidence of competence (7.2d)

Documentation requirements 2
- Confirmation of conformity of processes & products/services (8.1e)
- Results of review of requirements for the products & services (8.2.3)
- Confirmation that D & D requirements have been met (8.3.2g)
- Results of the D & D process (8.3.5)
- D & D changes (8.3.6)

Documentation requirements 3
- Results of evaluation, monitoring of the performance & re-evaluation of the external providers (8.4.1)
- Characteristics of the products & services (8.5.1a)
- Activities to be performed during production/service provision & the results to be achieved (8.5.1b)
- Documented information necessary to maintain traceability (8.5.2)

Documentation requirements 4
- Results of the review of changes of products/services, the personnel authorizing the change, and any necessary actions (8.5.6)
- Traceability to the person authorizing release of products & services for delivery to the customers (8.6)
- Actions taken on NC process outputs, products & services (8.7)
- Results of monitoring & measuring activities (9.1.1)
- Evidence of implementation of the audit programme & the audit results (9.2.2f)
- Results of management review (9.3.2)
- Nature of the NCs, action taken, results of action taken (10.2.2)

ISO9001 Document Hierarchy
- Manual (QM): what will be achieved
- Procedure documents (SOP): how it is done
- Work instructions (WI): detailed explanation of how each individual process step is performed
- Records: record the work carried out and its results
Change in requirements 1: New requirements
- 4.1 Understanding the organization & its context
- 6.1 Actions to address risks & opportunities
- 7.1.6 Organizational knowledge
- 8.5.5 Post-delivery activities

Change in requirements 2: Main changes
- 4.2 Understanding the needs & expectations of interested parties
- 4.3 Determining the scope of the QMS
- 5.3 Organizational roles, responsibilities & activities
- 6.2 Quality objectives & planning to achieve them
- 8.5.3 Property belonging to customers or external providers
- 9.1.3 Analysis & evaluation

Change in requirements 3: Eliminated requirements
- Quality Manual (4.2.2 of ISO 9001:2008)
- Management representative (5.5.2 of ISO 9001:2008): the position of management representative no longer exists, but the responsibilities are still present (see 5.3)
- Preventive actions (8.5.3 of ISO 9001:2008)

Major Difference in Terminology

Total Quality Management (TQM)
- TQM is a new paradigm of management
- TQM is both a philosophy & a methodology for managing organizations
- TQM includes a set of principles, tools, and procedures that provide guidance in the practical affairs of running an organization
- TQM involves all members of the organization in controlling and continuously improving how work is done
- Organizations that use TQM agree that it is fundamentally different from traditional management

TQM Model

Risk Management
Crisis Management: Definitions

Crisis: in Chinese, wei-ji = danger & opportunity. A decisive moment, crucial time, turning point for better or worse; an unstable time or state of affairs in which a decisive change is impending.

Crisis Management is the art of removing much of the risk & uncertainty from a crisis.

Crisis Characteristics
- Escalating in intensity
- Falling under close media or government scrutiny
- Interfering with the normal operations of business
- Jeopardizing the positive public image presently enjoyed by a company and its officers
- Damaging a company's bottom line in any way

Crisis Management Plan
- What is a crisis
- Phases of a crisis
- Crisis prognosis & prodromal symptoms
- Crisis management team
- Contingency planning
- Continuity management
- Risk analysis
- Management system auditing techniques

Crisis Management & Communication
- Strategy
- Uniform objectives & message
- Media used on first announcement
- Second news round, long-term crisis
- Crisis resolution
- Internal communication
- Communication with special audiences

Defining Crisis
- Risk is defined as an uncertain situation, or an action taken during a prevailing uncertainty, when the circumstances or the results of such a situation are unsure.
- Risks are the occurrence likelihood and occurrence consequences of an event.
- Risk is an effect of uncertainty on objectives (ISO 31000).

Defining Risk Assessment
Risk Assessment is defined as a set of techniques and methods at the system level to predict future events and their consequences.
Risk Assessment

Defining Risk Management
Risk Management = Risk Assessment + Risk Control
- Risk Assessment: risk identification, risk analysis, risk prioritizing
- Risk Control: risk management planning, risk resolution, risk monitoring

Major Risks: Data from Europe
- National legislation: 82%
- Environmental issues: 76%
- Health & safety at work: 72%
- New technologies: 64%
- European legislation: 50%
- Political changes: 50%
- Society: 36%
- Special issues: 35%
- Financial: 30%
- Legal: 27%

Major Risks: Data from USA
- Health & safety at work: 82%
- Environmental issues: 76%
- Strikes: 72%
- Product recalls: 64%
- Ownership changes: 50%
- Control of corporate management: 50%
- Leakage to mass media: 36%
- State intervention: 35%
- Terrorism: 30%
- Financial scandals: 27%
More Risk Terminology

More about Risk Definition
- Hazard: an act or a phenomenon posing potential harm to some person or thing, and its potential consequences
- Reliability: can be defined for a system or a component as its ability to fulfil its design functions under designated operating environmental conditions for a specific time period. Reliability = 1 - Failure Probability
- Event consequences: can be defined as the degree of damage or loss from some failure
- Risks are the occurrence likelihood and occurrence consequences of an event:
  Risk = [ (P1, C1), (P2, C2), ..., (Pn, Cn) ]
  where Pi = the occurrence probability of an outcome of the event and Ci = the occurrence consequence of that outcome of the event

More about Risk Definition
RISK = Likelihood x Impact
Risk (Consequence/Time) = Likelihood (Event/Time) x Impact (Consequence/Event)
Note:
1. Likelihood can be expressed as a probability
2. This equation presents risk as an expected value of loss, or an average loss

Composite Risk Index
Composite Risk Index = Impact of risk event x Probability of occurrence
- The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5 represent the minimum and maximum possible impact of an occurrence of a risk
- The probability of occurrence is likewise commonly assessed on a scale from 1 to 5, where 1 represents a very low probability of the risk event actually occurring while 5 represents a very high probability of occurrence
- The composite risk index thus can take values ranging from 1 through 25

Risk Options
Risk mitigation measures are usually formulated according to one or more of the following major risk options:
- Design a new business process with adequate built-in risk control and containment measures from the start
- Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations, and modify mitigation measures
- Transfer risks to an external agency (e.g. an insurance company)
- Avoid risks altogether (e.g. by closing down a particular high-risk business area)
Exercise: Project Management & Construction of a High Speed Railway Train
- Determine the consequence grading, from 1 to 5
- Determine the likelihood grading, from 1 to 5
- Determine the risk rating, graded from 1 to 25
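The composite risk index and the expected-loss reading of Risk = [(P1, C1), ..., (Pn, Cn)] from the terminology slides, worked through on the railway exercise above. This is an added example, not material from the talk: the sample risk register, the LOW/MEDIUM/HIGH priority thresholds and the outcome probabilities are constructed for illustration, since the slides only state the 1..5 grading scales and the 1..25 index range.

```python
"""Composite risk index and expected-loss calculator (added worked example).

Implements two risk expressions stated in the talk:
  - Composite Risk Index = Impact (1..5) x Probability (1..5), range 1..25
  - Risk as expected value of loss: sum of P_i * C_i over an event's outcomes
The priority bands and the sample register are assumptions, not from the talk.
"""
from dataclasses import dataclass
from typing import List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # grading scale given in the talk


def _check_grade(value: int, name: str) -> int:
    """Reject grades outside 1..5 so an index can never fall outside 1..25."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(
            f"{name} must be an integer from {SCALE_MIN} to {SCALE_MAX}, got {value!r}"
        )
    return value


def composite_risk_index(impact: int, probability: int) -> int:
    """Composite Risk Index = Impact x Probability, both graded 1..5."""
    return _check_grade(impact, "impact") * _check_grade(probability, "probability")


def priority_band(index: int) -> str:
    """Map a 1..25 index to a treatment priority (thresholds are an assumption)."""
    if index >= 15:
        return "HIGH"
    if index >= 8:
        return "MEDIUM"
    return "LOW"


def expected_loss(outcomes: List[Tuple[float, float]]) -> float:
    """Risk as expected loss: sum of P_i * C_i over the (P_i, C_i) outcome pairs."""
    if any(p < 0 for p, _ in outcomes) or sum(p for p, _ in outcomes) > 1 + 1e-9:
        raise ValueError("outcome probabilities must be non-negative and sum to at most 1")
    return sum(p * c for p, c in outcomes)


@dataclass
class RiskEntry:
    description: str
    likelihood: int   # occurrence probability grade, 1..5
    consequence: int  # impact grade, 1..5

    @property
    def index(self) -> int:
        return composite_risk_index(self.consequence, self.likelihood)

    @property
    def band(self) -> str:
        return priority_band(self.index)


def rank_register(register: List[RiskEntry]) -> List[RiskEntry]:
    """Risk prioritizing: highest index first, ties broken by consequence."""
    return sorted(register, key=lambda r: (r.index, r.consequence), reverse=True)


def register_report(register: List[RiskEntry]) -> List[Tuple[str, int, str]]:
    """(description, composite index, band) for each entry, in priority order."""
    return [(r.description, r.index, r.band) for r in rank_register(register)]


# Constructed sample register for the high-speed railway exercise (illustrative only).
SAMPLE_REGISTER = [
    RiskEntry("Tunnel boring hits unmapped utility", likelihood=3, consequence=4),
    RiskEntry("Signalling software defect at commissioning", likelihood=2, consequence=5),
    RiskEntry("Rail steel delivery delayed by supplier", likelihood=4, consequence=2),
    RiskEntry("Minor site injury during track laying", likelihood=4, consequence=1),
]

# Constructed outcome distribution for one event: no loss, minor loss, major loss.
SAMPLE_OUTCOMES = [(0.6, 0.0), (0.3, 100_000.0), (0.1, 2_000_000.0)]

if __name__ == "__main__":
    for desc, idx, band in register_report(SAMPLE_REGISTER):
        print(f"{idx:2d}  {band:6s}  {desc}")
    print(f"Expected loss per period: {expected_loss(SAMPLE_OUTCOMES):,.0f}")
```

The range check is the edge case worth keeping: a grade of 0 or 6 typed into a register silently shifts every downstream priority, so the calculator refuses it rather than producing an index outside the 1..25 range the talk defines.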
Fire in a Ship in the Ocean

End of Talk