Mark Hammar
May 15, 2017
With the latest release of ISO 9001:2015, upon which AS9100 Rev D is based, the concept of risk-based thinking has been introduced into the Quality Management System (QMS) of companies around the world. However, managing risk has always been part of the aerospace industry, and these requirements were not enough. That is why there are additional requirements in AS9100 Rev D to ensure that the risks due to the operations of the organization are managed.
The new concept of risk-based thinking is intended to get organizations to think about what risks they face at certain points in time: during strategic planning, during planning for product and service conformity, during management review, and when taking corrective action. This idea wants you, as an organization, to identify the risk, decide if you will take action, and then take action. But, it does not ask you to track the risk as the project progresses to determine whether actions have indeed addressed the risk, or need to be updated.
Risk management, on the other hand, is a process for identifying the risks, deciding on actions to mitigate those risks, tracking those actions, and then accepting any risk left over after actions are complete (or taking further actions). This process involves not just thinking about risk at certain stages in the provision of products and services, but also having a process to track these risks until they are addressed or are past the time of potential occurrence.
To start with what is not required – there is a note specifying that while clause 6.1 (actions to address risks and opportunities) addresses the risks and opportunities for the QMS, this clause (8.1.1, Operational risk management) is only limited to risks that are associated with operational processes that your organization needs to provide for your products and services. So, while you may identify a QMS risk that your current big product might soon have a rival product with which to compete, this is not a risk that needs to be tracked according to the risk management requirements, as it is not an operational risk.
So, there are five requirements that an organization needs to ensure are included when they plan, implement, and control their operational risk management process. These requirements are to:
In fact, the main body of the requirements has remained greatly unchanged since the past revision. The risk management process requirements were already included in AS9100 Rev C as risk management, and the five requirements have remained basically as they were. The only real change is the clarification that these requirements only applied to operational risk, hence the name change in the clause. The other change from Rev C is the addition of the two notes to clarify how these requirements are separate from risk-based thinking and to make it clear that risk in aerospace is a combination of likelihood and severity. If you are already compliant with AS9100 Rev C, then your current risk management process should most likely remain unchanged.
In the aerospace industry, we are fortunate that we do not need to struggle with including risk assessment in our Quality Management System, because it has always been there. We understand how risk management works, and why it is important to manage and control risk when lives are at stake. So, how can this help with the changeover to AS9100 Rev D?
Because you already have a process in place for risk assessment and management, why not use this same process and procedure for understanding and managing any new risks that you may identify when you comply with the new requirements on assessing risks and opportunities? While other industries are struggling to understand this, we can be one step ahead and ensure that the actions we determine are necessary for all of the risks in the organization, not just those for operational risk, are identified and tracked to completion. If you have a good thing going, why not use it for more?
Use this free downloadable AS9100 Rev D Implementation Diagram to manage implementation of AS9100 Rev D.