Risk assessment - Contingency plan- Managment of change

[유문종]

Risk Assessment

API Spec. Q1 9th Edition addresses the subject of risk in Clause 5.3, Risk Assessment and Management. It is important to understand that risk assessment as addressed in this section only applies to impact upon:

• Delivery of product
• Product quality

The organization is responsible for implementing these requirements in order to conform to a Q1 quality management system. While Q1 outlines the high-level requirements for this subject, it does not provide details about “how” to implement it.

In order to better understand your journey to implementation, it is important to understand the circular nature of Q1. For example, the following Q1 clauses are directly or indirectly related to the subject of risk assessment, whether or not they have been specified in Clause 5.3:

3.1.19	Definition of Risk
4.5	Control of Records
5.2 (d)	Planning
5.4.2 (g)	Design and Development Inputs
5.5	Contingency Planning
5.7.8 (note)	Preventive Maintenance
5.10.1	Delivery of Nonconforming Product
5.11	Management of Change
6.5.2 (f)	[Management Review] Input Requirements
Bibliography	ISO 31000, Risk management—Principles and guidelines

As referenced in the Bibliography, it is important to have a copy of ISO 31000, Risk management—Principles and guidelines (1). While ISO 31000 identifies generic requirements for the implementation of a risk management system that could apply to most risk-based situations, its contents are relevant for understanding how to apply a risk assessment culture that is related to Clause 5.3’s intent (i.e., delivery of product and product quality).

Shown below, Figure 1 outlines the basic principles for a risk management system. This structure provides a simplistic and understandable format for content that should be included in a procedure in order to meet the requirements of Clause 5.3.

Figure 1
Excerpt from ISO 31000 (1)

Concurrently, it is important to understand the references to risk from other sections in Q1. Shown below are excerpts from two other Q1 clauses related to risk assessment.

5.5 Contingency Planning

5.5.1 General

The organization shall maintain a documented procedure for contingency planning needed to address risk associated with impact on delivery and quality of product.

Contingency planning shall be based on assessed risks (see 5.3), and output shall be documented and communicated to the relevant personnel and updated as required.

5.5.2 Planning Output

The contingency plan shall include, at a minimum:

a) actions required in response to significant risk scenarios to mitigate effects of disruptive incidents;

5.11 Management of Change

5.11.3 MOC Notification

The organization shall notify relevant personnel, including the customer when required by contract, of the change and residual or new risk due to changes that have either been initiated by the organization or requested by the customer.

While Clauses 5.5 and 5.11 both contain requirements related to risk, their requirements are not explicitly and holistically mentioned in Clause 5.3.

The “note” contained in Clause 5.3 as quoted below is important in understanding how to implement a risk assessment and management procedure:

“NOTE Risk assessment can include consideration of severity, detection methods, and probability of occurrence.”

Depending on your organization’s vernacular, the words “severity” and “probability” could be synonymous with the words “consequence” (2.18) (1) and “likelihood” (2.19) (1) respectively.

ISO 31000 specifies the definitions for consequence and likelihood, as well as numerous other definitions associated with risk management.

These words help identify the boundaries of a risk event, the degree to which risk could be disruptive to your organization.

In part of the risk assessment process, typically, organizations create arisk matrix that illustrates consequence on one axis and likelihood on the other axis, which generates a risk number that is associated with the degree of significance of a risk event.

The note in Clause 5.3 also addresses “detection methods.

” While they appear to be self-explanatory, detection methods may be found in other sections of Q1 and could be used to identify how or where risk was initially identified, for example:

• Control of Nonconforming Product (e.g., a product nonconformance documenting a material problem)
• Inspection and Testing (e.g., visual characteristics that considerably deviate from acceptance criteria)
• Corrective Action (e.g., a documented supplier nonconformity on a cracked fastener)
• Preventive Action (e.g., a process change that requires new and different process equipment)
• Design Input (e.g., a design change due to a field failure)
• Planning (e.g., a customer order requiring the use of materials not used before)
• Preventive Maintenance (e.g., repetitive equipment failures for equipment used in a critical process)

Once you gain an understanding of how the interrelatedness of other sections in Q1 provide input to the risk assessment and management process, the documentation and implementation of the process should not be so daunting. In short, always consider:

• How Q1 clauses interrelate with other Q1 clauses
• How the integration of a bibliographic reference can facilitate conformity to Q1

1. International Organization for Standardization; ISO 31000, Risk management — Principles and guidelines