Differences

This shows you the differences between two versions of the page.

articles:preventive_action_not_equal_to_risks_and_opportunities [2019/11/06 19:55] – [Preventive Action ≠ Risks and Opportunities?] rrandall
articles:preventive_action_not_equal_to_risks_and_opportunities [2020/01/11 14:21] – [Is the use of "Preventive Action" still valid?] rrandall
Line 1: Line 1:
 ====== Preventive Action ≠ Risks and Opportunities? ====== ====== Preventive Action ≠ Risks and Opportunities? ======
  
-While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”, the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard and users rarely purchased ISO 8402:1994, “//Quality management and quality assurance–Vocabulary//”. +While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”, the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard and users rarely purchased ISO 8402:1994, “//Quality management and quality assurance–Vocabulary//”. 
  
 With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “//Quality management systems–Fundamentals and Vocabulary//”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as: With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “//Quality management systems–Fundamentals and Vocabulary//”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as:
Line 11: Line 11:
 Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.</blockquote> Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.</blockquote>
  
 +Despite repeated and continued efforts by quality professionals (such as shown below), users continued to confuse corrective action (reactive) with preventive action (proactive).
  
-ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). And a definition for “risk” was added to the ISO 9000:2015, “//Quality management systems–Fundamentals and Vocabulary//” as.+{{ :articles:difference-corrective_action-preventive_action.jpg?nolink |}}
  
-<blockquote>risk \\ 
-effect of uncertainty 
  
-Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\ +Compounding the confusionsome organizations decided to use the same form for both corrective and preventive action (CAPA). 
-Note 2 to entry: Uncertainty is the stateeven partial, of deficiency of information (3.8.2) related to, understanding or knowledge of, an event, its consequence, or likelihood. \\ +
-Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these. \\ +
-Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73:2009, 3.6.1.1of occurrence. \\ +
-Note 5 to entry: The word “risk” is sometimes used when there is the possibility of only negative consequences. \\ +
-Note 6 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition has been modified by adding Note 5 to entry. +
-</blockquote>+
  
 +ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). Upon reading ISO 9001:2015, take note that it repeatedly uses the term “//risks and opportunities//” as __two separate concepts__ (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). 
  
-{{ :articles:two-sides-of-risk-coin-graphic-900x600.png?nolink&400|The two sides of the Risk coin}} +While not defined in ISO 9000:2015 or ISO 9001:2015, the term "//risks and opportunities//" is defined in ISO 14001:2015, "//Environmental management systems — Requirements with guidance for use//".
-ISO 9000:2015, //Quality management systems–Fundamentals and Vocabulary//”, "Note 1" states that risks can be positive or negative (i.e.“opportunitiesor "threats”); effectively establishing that “opportunities and threats” are two sides of the same “risk” coin. However, "Note 5" states that the word “risk” is "sometimes" used when there is the //possibility// of only negative consequences (i.e., a "positive" consequence is impossible). Since "Note 1" covers all possibilities, addressing both positive and negative risks, then "Note 5" serves absolutely no purpose; other than to acknowledge that there are those who disagree with the definition of "risk" including "positive" risks (i.e., opportunities).+
  
-Providing a similar definition consistent with ISO 9001:2015 "Note 1", ISO 31000:2018, “//Risk Management–Guidelines//” also promotes the concept of "risk" being positive and/or negative (i.e., inclusive of “opportunities" and/or "threats):   +<blockquote>**ISO 14001:2015** \\ 
-  +3.2.11 risks and opportunities \\ 
-<blockquote>risk \\ +potential adverse effects (threats) and potential beneficial effects (opportunities) 
-effect of uncertainty on objectives \\+</blockquote>
  
-Note 1 to entry: An effect is deviation from the expected. It can be positive, negative or both, and can addresscreate or result in opportunities and threats\\ +Interestingly, while definition for “risk” was added to the ISO 9000:2015“//Quality management systems–Fundamentals and Vocabulary//ISO chose not to include a definition for "opportunities"Perhaps this is because ISO struggles with properly defining the word "risk" (Ref.: [[articles:a_matter_of_risk|A Matter of "Risk"]]). Regardless of how ISO 9000:2015 defines "risk", ISO 14001:2015 makes it clear that "risks" are "threats". So, for the sake of simplicity, let's use the much better (more clear) definition contained in [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1"Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)]]published by the [[https://www.api.org|American Petroleum Institute (API)]]. 
-Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels\\ +
-Note 3 to entry: Risk is usually expressed in terms of risk sourcespotential events, their consequences and their likelihood.</blockquote> +
-The definition provided in ISO 31000:2018 is identical to the definition provided in ISO Guide 73:2009“Risk management–Vocabulary” (which was reviewed and confirmed in 2016), with slightly different notes to provide clarification (of their opinion)+
  
-As we can see, there are differences between ISO 9000:2015, ISO Annex SL, ISO 31000:2018 & ISO Guide 73:2009 regarding the concept of "risk"; whether it be through the definitions or clarification notes provided. +<blockquote>**API Spec Q1** \\ 
-===== The Conundrum ===== +3.1.19 risk \\ 
-{{ :articles:confused_thoughts.png?nolink&400|}} +Situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.</blockquote>
-If the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "risk" rather than repeatedly stating “risks and opportunities” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). For those who subscribe to the interpretation provided in "Note 1", “risks and opportunities” is an incongruous termTherefore, it appears that the authors subscribed to the views expressed in ISO 9000:2015, "Note 5"; and that "Note 5" was added in protest to ISO Annex SL.+
  
-Consequently, this strongly //implied// preference for ISO 9000:2015 "Note 5over "Note 1" has created a conundrum for users over how to properly address "risk".+===== Is the use of "Preventive Actionstill valid? =====
  
-Compounding the issue, neither ISO 9001:2015, ISO 9000:2015, ISO 31000:2018 nor ISO Guide 73:2009 define the words opportunity” and “threat”. Furthermore, the user must ignore the other official ISO documents containing different definitions for “risk”, along with the various industry definitions, some of which __only__ recognize “negative” risks (e.g., ISO 13485:2016).+While many organizations continue to use the term preventive action” to address “negative risks"/threats (e.g., because it was embedded into their corrective action forms, databases, etc.), it fails to address "positive risks" and "opportunities".
  
-==== Is the use of "Preventive Actionstill valid? ====+Even though use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //encouraging// their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure (or at least give the appearance) that "positive risks" and “opportunities” are also addressed within their QMS.
  
-While many organizations continue to use the term preventive action” to address “negative risks"/threats (e.g., because it was embedded into their corrective action forms, databases, etc.), it fails to address "opportunities" (i.e., positive risks).+A reason for this preference can be found in ISO JTCG N359, "JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03), explaining why the concept of Preventive Action” was replaced with "risks and opportunities".
  
-Even though use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //encouraging// their clients to eliminate use of the term preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS. +<blockquote>**"JTCG Frequently Asked Questions in support of Annex SL"** \\ 
- +10. Why does the common text not include a specific clause on Preventive Action? \\ 
-However, this presents challenges because other industry standards, such as ISO 13485:2016, “//Medical Devices — Quality management systems — Requirements for regulatory purposes//”, ISO 17020:2012, “//Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//” (Option A) and AAR M-1003:2019, Section J, "//Specification for Quality Assurance//” all specifically require “preventive action” to be included in the QMS. +The high level structure and identical text does not include a clause giving specific requirements for “preventive action”. This is because one of the key purposes of a formal management system is to act as a preventive toolConsequently, a MSS requires an assessment of the organization’s “external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)” in clause 4.1, and to determine the risks and opportunities that need to be addressed toassure the XXX management system can achieve its intended outcome(s); preventor reduceundesired effects; achieve continual improvement.” in clause 6.1These two sets of requirements are considered to cover the concept of “preventive action”, and also to take a wider view that looks at risks and opportunities.</blockquote>
- +
-===== Records ===== +
- +
-The only "record" regarding “risks and opportunities” is specified in ISO 9001:2015, sec. 9.3, "Management Review". This includes: +
-<blockquote>//9.3.2 Management review inputs \\ +
-The management review shall be planned and carried out taking into consideration: \\ +
-e. the effectiveness of actions taken to address risks and opportunities (see 6.1); \\ +
-f. opportunities for improvement.// </blockquote> +
- +
-Here again we see where ISO 9001:2015 is consistent with ISO 9000:2015, "Note 5" in considering "risks" as only "threats" by addressing "opportunities" separately (in 9.3.2e). And then specifically requiring the organization to consider "//opportunities for improvement//" (in 9.3.2f), as if they were somehow excluded from the opportunities identified in 9.3.2e! +
- +
-Due to the ambiguous/vague nature of the requirementthe "Management Review Meeting Minutes" could include statement as simple as: "//All of the actions taken to address risks and opportunities were determined by management to be effective.//" +
- +
-<note tip> +
-Many ISO 9001:2015 consultants recommend the creation of a SWOT Analysis. While limited in their usefulness, a SWOT Analysis can provide:  +
-  * some great talking points relating to "//external and internal issues//" (ISO 9001:2015, sec. 4.1), +
-  * useful information to help to "//determine the risks and opportunities that need to be addressed//" (ISO 9001:2015, sec. 6.1.1), +
-  * evidence that management has "considered" 9.3.2b, "//changes in external and internal issues that are relevant to the quality management system//" (when incorporated into the management review meeting minutes). \\ +
-{{ :articles:swot_analysis_table_551x422.png?nolink&400 |}} +
-</note> +
- +
-FurtherISO 9001:2015sec9.3.3 "Management Review Outputs" states (with an additional requirement added to AS 9100:2016, shown in **BOLD** below): +
-<blockquote>//9.3.3 Management Review Outputs \\ +
-The outputs of the management review shall include decisions and actions related to: \\ +
-a. opportunities for improvement; \\ +
-b. any need for changes to the quality management system; \\ +
-c. resource needs; \\ +
-**d. risks identified.**// \\ +
- \\ +
-The organization shall retain documented information as evidence of the results of management reviews.</blockquote> +
- +
-It is critical to note that sec. 9.3.3 is not simply a management review agenda topic. This section specifically requires the inclusion of any "//decisions and actions//" taken (or initiated) by management. Howeverit is interesting to note that the "//decisions and actions related to opportunities for improvement//" is limited in ONLY addressing opportunities related to "__improvement__", specifically excluding "//decisions and actions related to//" other opportunities"+
- +
-AS 9100:2016 expanded the requirement through adding 9.3.3d, which requires organizations to also address "//decisions and actions related to risks identified//". Without knowing whether the authors of AS 9100:2016 subscribe to ISO 9000:2015 "Note 1" or "Note 5", we cannot definitively interpret 9.3.3d as including "//...decisions and actions related to//" ALL of the “opportunities and threats” identified (as per "Note 1"); or as the "//...decisions and actions related to//" ONLY the “threats” identified (as per "Note 5").+
  
 +However, this presents challenges because other industry-specific standards, such as ISO 13485:2016, “//Medical Devices — Quality management systems — Requirements for regulatory purposes//”, ISO 17020:2012, “//Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//” (Option A), AAR M-1003:2019, Section J, "//Specification for Quality Assurance//”, and [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)]], all specifically require “preventive action” to be included in the QMS.
 ===== Conclusion ===== ===== Conclusion =====
- +An organization can certainly continue to use “preventive actions” as a methodology within its QMS for addressing “negative risks"/threats PROVIDED that the organization also has a separate methodology of addressing “positive risks" and opportunities.
-An organization can certainly continue to use “preventive actions” as a methodology within its QMS for addressing “negative risks"/threats PROVIDED that the organization also has a separate methodology of addressing “positive risks"/opportunities.+
  
 Supporting this, there is nothing stated in either the "[[https://committee.iso.org/files/live/sites/tc176sc2/files/documents/Interpretations/ISO9001_2015_Approved_Interpretations.doc|ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015]]" or "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" forbidding or restricting use of the "preventive action" methodology. And ISO 9000:2015 continues to recognize "preventive action" as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1).  Supporting this, there is nothing stated in either the "[[https://committee.iso.org/files/live/sites/tc176sc2/files/documents/Interpretations/ISO9001_2015_Approved_Interpretations.doc|ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015]]" or "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" forbidding or restricting use of the "preventive action" methodology. And ISO 9000:2015 continues to recognize "preventive action" as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1). 
 +
 +HOWEVER, I recommend eliminating the use of this confusing term because it is so widely misunderstood. A MUCH better way to approach this topic is through the implementation of actual //risk management tools// (which is what ISO 9001:1994 //should// have required) incorporating the use of [[https://asq.org/quality-resources/fmea|FMEAs (Failure Modes and Effects Analysis]]. A FMEA should be completed for each process (aka **PFMEA** - "Process Failure Modes and Effects Analysis") and design (aka **DFMEA** - "Design Failure Modes and Effects Analysis").
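
Review bot: The link label in the new closing paragraph is missing its closing parenthesis ("FMEAs (Failure Modes and Effects Analysis]]"), and "A FMEA" in the next sentence should read "An FMEA". Separately, the added paragraph that begins "Interestingly" still refers to how ISO 9000:2015 defines "risk", but this revision deletes the quoted ISO 9000:2015 definition and its notes, so the reader now has to follow the "A Matter of Risk" link to see the text being argued against. Consider keeping at least the one-line definition beside the ISO 14001:2015 and API Spec Q1 quotes. The revision also removes the whole "Records" section (9.3.2 and 9.3.3) without a replacement. If that material has moved to another article, link to it from here.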