Differences

This shows you the differences between two versions of the page.

articles:preventive_action_not_equal_to_risks_and_opportunities [2019/11/06 19:55]
rrandall [Preventive Action ≠ Risks and Opportunities?]
articles:preventive_action_not_equal_to_risks_and_opportunities [2020/01/11 14:23] (current)
rrandall [Is the use of "Preventive Action" still valid?]
Line 1: Line 1:
 ====== Preventive Action ≠ Risks and Opportunities?​ ====== ====== Preventive Action ≠ Risks and Opportunities?​ ======
  
-While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”,​ the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard and users rarely purchased ISO 8402:1994, “//​Quality management and quality assurance–Vocabulary//​”. ​+While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”,​ the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard ​and users rarely purchased ISO 8402:1994, “//​Quality management and quality assurance–Vocabulary//​”. ​
  
 With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “//​Quality management systems–Fundamentals and Vocabulary//​”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as: With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “//​Quality management systems–Fundamentals and Vocabulary//​”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as:
Line 11: Line 11:
 Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.</​blockquote>​ Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.</​blockquote>​
  
 +Despite repeated and continued efforts by quality professionals (such as shown below), users continued to confuse corrective action (reactive) with preventive action (proactive).
  
-ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). And a definition for “risk” was added to the ISO 9000:2015, “//​Quality management systems–Fundamentals and Vocabulary//​” as.+{{ :articles:difference-corrective_action-preventive_action.jpg?nolink |}}
  
-<​blockquote>​risk \\ 
-effect of uncertainty 
  
-Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\ +Compounding ​the confusionsome organizations decided ​to use the same form for both corrective ​and preventive action ​(CAPA). 
-Note 2 to entry: Uncertainty is the stateeven partial, of deficiency of information (3.8.2) related ​to, understanding or knowledge of, an event, its consequence,​ or likelihood. \\ +
-Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these. \\ +
-Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) ​and the associated likelihood ​(as defined in ISO Guide 73:2009, 3.6.1.1of occurrence. \\ +
-Note 5 to entry: The word “risk” is sometimes used when there is the possibility of only negative consequences. \\ +
-Note 6 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition has been modified by adding Note 5 to entry. +
-</​blockquote>​+
  
 +ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). Upon reading ISO 9001:2015, take note that it repeatedly uses the term “//risks and opportunities//​” as __two separate concepts__ (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). ​
  
-{{ :​articles:​two-sides-of-risk-coin-graphic-900x600.png?​nolink&​400|The two sides of the Risk coin}} +While not defined in ISO 9000:2015 or ISO 9001:​2015, ​the term "//risks and opportunities//" ​is defined in ISO 14001:2015, "//Environmental management systems — Requirements with guidance for use//".
-ISO 9000:​2015, ​//Quality management systems–Fundamentals ​and Vocabulary//”, "Note 1" states that risks can be positive or negative (i.e.“opportunities" ​or "​threats”);​ effectively establishing that “opportunities and threats” are two sides of the same “risk” coin. However, "Note 5" states that the word “risk” is "​sometimes"​ used when there is the //possibility// of only negative consequences (i.e., a "positive"​ consequence is impossible). Since "Note 1" covers all possibilities,​ addressing both positive and negative risks, then "Note 5" serves absolutely no purpose; other than to acknowledge that there are those who disagree with the definition of "​risk"​ including "​positive"​ risks (i.e., opportunities).+
  
-Providing a similar definition consistent with ISO 9001:2015 "Note 1", ISO 31000:2018, “//Risk Management–Guidelines//​” also promotes the concept of "​risk"​ being positive and/or negative (i.e., inclusive of “opportunities" and/or "threats):   +<​blockquote>​**ISO 14001:2015** \\ 
-  +3.2.11 risks and opportunities ​\\ 
-<​blockquote>​risk \\ +potential adverse effects (threats) ​and potential beneficial effects (opportunities) 
-effect of uncertainty on objectives \\+</blockquote>​
  
-Note 1 to entry: An effect is deviation from the expected. It can be positive, negative or both, and can addresscreate or result in opportunities ​and threats\\ +Interestingly,​ while definition for “risk” was added to the ISO 9000:2015“//​Quality management systems–Fundamentals ​and Vocabulary//​”ISO chose not to include a definition for "opportunities"Perhaps this is because ISO struggles with properly defining the word "​risk"​ (Ref.: [[articles:​a_matter_of_risk|A Matter of "Risk"]]). Regardless ​of how ISO 9000:2015 defines "risk", ISO 14001:2015 makes it clear that "​risks"​ are "​threats"​. So, for the sake of simplicity, let's use the much better (more clear) ​definition ​contained ​in [[https://​www.monogramwebstore.org/​publications/​item.cgi?​7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1"​Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum ​and Natural Gas Industry"​ (Ninth Edition, June 2013)]]published by the [[https://​www.api.org|American Petroleum Institute ​(API)]]. 
-Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels\\ +
-Note 3 to entry: Risk is usually expressed in terms of risk sourcespotential events, their consequences and their likelihood.</​blockquote>​ +
-The definition provided in ISO 31000:2018 is identical to the definition ​provided ​in ISO Guide 73:2009“Risk management–Vocabulary” (which was reviewed ​and confirmed in 2016), with slightly different notes to provide clarification ​(of their opinion)+
  
-As we can see, there are differences between ISO 9000:2015, ISO Annex SL, ISO 31000:2018 & ISO Guide 73:2009 regarding the concept of "​risk";​ whether it be through the definitions or clarification notes provided. +<​blockquote>​**API Spec Q1** \\ 
-===== The Conundrum ===== +3.1.19 risk \\ 
-{{ :​articles:​confused_thoughts.png?​nolink&​400|}} +Situation or circumstance ​that has both a likelihood of occurring ​and a potentially negative consequence.</​blockquote>​
-If the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "​risk"​ rather than repeatedly stating “risks and opportunities” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). For those who subscribe to the interpretation provided in "​Note ​1", “risks and opportunities” is an incongruous termTherefore, it appears ​that the authors subscribed to the views expressed in ISO 9000:2015, "Note 5"; ​and that "Note 5" was added in protest to ISO Annex SL.+
  
-Consequently,​ this strongly //implied// preference for ISO 9000:​2015 ​"Note 5" ​over "Note 1" has created a conundrum for users over how to properly address "​risk"​.+===== Is the use of "Preventive Action" ​still valid? =====
  
-Compounding ​the issue, neither ISO 9001:2015, ISO 9000:2015, ISO 31000:2018 nor ISO Guide 73:2009 define the words opportunity” and “threat”. Furthermore,​ the user must ignore the other official ISO documents containing different definitions for “risk”, along with the various industry definitions,​ some of which __only__ recognize ​“negative” risks (e.g., ​ISO 13485:2016).+While many organizations continue to use the term preventive action” to address ​“negative risks"/​threats ​(e.g., ​because it was embedded into their corrective action forms, databases, etc.), it fails to address "​positive risks" and "​opportunities"​.
  
-==== Is the use of "Preventive Action" ​still valid? ====+Even though ​use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //​encouraging//​ their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure (or at least give the appearance) that "positive risks" and “opportunities” are also addressed within their QMS.
  
-While many organizations continue to use the term preventive action” to address “negative risks"/​threats (e.g., because it was embedded into their corrective action forms, databases, etc.), it fails to address ​"​opportunities" ​(i.e., positive risks).+A reason for this preference can be found in ISO JTCG N359, "JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03),​ explaining why the concept of Preventive Action” was replaced with "risks and opportunities"​.
  
-Even though use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //​encouraging//​ their clients to eliminate use of the term preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS. +<​blockquote>​**"​JTCG Frequently Asked Questions in support ​of Annex SL"** \\ 
- +10. Why does the common text not include a specific clause on Preventive Action? \\ 
-However, this presents challenges because other industry standards, such as ISO 13485:2016, “//​Medical Devices — Quality management systems — Requirements for regulatory purposes//​”,​ ISO 17020:2012, “//​Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//​” (Option A) and AAR M-1003:​2019,​ Section J, "//​Specification ​for Quality Assurance//​” all specifically require ​“preventive action” ​to be included in the QMS. +The high level structure ​and identical text does not include a clause giving specific requirements ​for “preventive action”. ​This is because one of the key purposes ​of a formal management system ​is to act as a preventive toolConsequently, a MSS requires an assessment ​of the organization’s “external and internal issues that are relevant ​to its purpose ​and that affect its ability ​to achieve ​the intended outcome(s)” ​in clause ​4.1, and to determine the risks and opportunities that need to be addressed ​toassure ​the XXX management system ​can achieve its intended outcome(s); preventor reduceundesired effects; achieve continual improvement.” in clause 6.1These two sets of requirements are considered ​to cover the concept ​of “preventive action”, and also to take a wider view that looks at risks and opportunities.</blockquote>​
- +
-===== Records ===== +
- +
-The only "​record"​ regarding “risks and opportunities” ​is specified in ISO 9001:2015, sec. 9.3, "​Management Review"​. This includes: +
-<​blockquote>//​9.3.2 Management review inputs \\ +
-The management review shall be planned and carried out taking into consideration:​ \\ +
-e. the effectiveness ​of actions taken to address risks and opportunities (see 6.1); \\ +
-f. opportunities for improvement.//​ </​blockquote>​ +
- +
-Here again we see where ISO 9001:​2015 ​is consistent with ISO 9000:2015, "Note 5" in considering "​risks"​ as only "​threats"​ by addressing "​opportunities"​ separately (in 9.3.2e). And then specifically requiring the organization ​to consider "//​opportunities for improvement//"​ (in 9.3.2f), ​as if they were somehow excluded from the opportunities identified in 9.3.2e! +
- +
-Due to the ambiguous/​vague nature of the requirementthe "​Management Review Meeting Minutes"​ could include ​statement as simple as: "//​All ​of the actions taken to address risks and opportunities were determined by management ​to be effective.//"​ +
- +
-<note tip> +
-Many ISO 9001:2015 consultants recommend ​the creation of a SWOT Analysis. While limited ​in their usefulness, a SWOT Analysis can provide:  +
-  * some great talking points relating to "//​external and internal issues//"​ (ISO 9001:2015, sec. 4.1), +
-  * useful information ​to help to "//determine the risks and opportunities that need to be addressed//" (ISO 9001:2015, sec. 6.1.1), +
-  * evidence that management has "​considered"​ 9.3.2b, "//​changes in external and internal issues that are relevant to the quality ​management system//" ​(when incorporated into the management review meeting minutes). \\ +
-{{ :​articles:​swot_analysis_table_551x422.png?​nolink&​400 |}} +
-</​note>​ +
- +
-FurtherISO 9001:2015sec9.3.3 "​Management Review Outputs"​ states (with an additional requirement added to AS 9100:2016, shown in **BOLD** below): +
-<​blockquote>//​9.3.3 Management Review Outputs \\ +
-The outputs ​of the management review shall include decisions and actions related to: \\ +
-a. opportunities for improvement;​ \\ +
-b. any need for changes ​to the quality management system; \\ +
-c. resource needs; \\ +
-**d. risks identified.**//​ \\ +
- \\ +
-The organization shall retain documented information as evidence ​of the results of management reviews.</​blockquote>​ +
- +
-It is critical to note that sec. 9.3.3 is not simply a management review agenda topic. This section specifically requires the inclusion of any "//​decisions and actions//"​ taken (or initiated) by management. Howeverit is interesting to note that the "//​decisions ​and actions related to opportunities for improvement//"​ is limited in ONLY addressing opportunities related to "​__improvement__",​ specifically excluding "//​decisions and actions related to//" other opportunities"​. +
- +
-AS 9100:2016 expanded the requirement through adding 9.3.3d, which requires organizations to also address "//​decisions and actions related ​to risks identified//"​. Without knowing whether the authors of AS 9100:2016 subscribe to ISO 9000:2015 "Note 1" or "Note 5", we cannot definitively interpret 9.3.3d as including "//​...decisions ​and actions related to//" ALL of the “opportunities ​and threats” identified (as per "Note 1"); or as the "//...decisions and actions related to//" ONLY the “threats” identified (as per "Note 5").+
  
 +However, this presents challenges because several other industry-specific standards specifically require “preventive action” to be included in the QMS. For example:
 +  * ISO 13485:2016, “//​Medical Devices — Quality management systems — Requirements for regulatory purposes//​”
 +  * ISO 17020:2012, “//​Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//​” (Option A)
 +  * AAR M-1003:​2019,​ Section J, "//​Specification for Quality Assurance//​”
 +  * [[https://​www.monogramwebstore.org/​publications/​item.cgi?​7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "​Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry"​ (Ninth Edition, June 2013)]]
 ===== Conclusion ===== ===== Conclusion =====
- +An organization can certainly continue to use “preventive actions” as a methodology within its QMS for addressing “negative risks"/​threats PROVIDED that the organization also has a separate methodology of addressing “positive risks" ​and opportunities.
-An organization can certainly continue to use “preventive actions” as a methodology within its QMS for addressing “negative risks"/​threats PROVIDED that the organization also has a separate methodology of addressing “positive risks"/opportunities.+
  
 Supporting this, there is nothing stated in either the "​[[https://​committee.iso.org/​files/​live/​sites/​tc176sc2/​files/​documents/​Interpretations/​ISO9001_2015_Approved_Interpretations.doc|ISO/​TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:​2015]]"​ or "​[[https://​asq.org/​quality-resources/​iso-9001/​us-tc176|US TC 176 - TG22 - Interpretations]]"​ forbidding or restricting use of the "​preventive action"​ methodology. And ISO 9000:2015 continues to recognize "​preventive action"​ as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1). ​ Supporting this, there is nothing stated in either the "​[[https://​committee.iso.org/​files/​live/​sites/​tc176sc2/​files/​documents/​Interpretations/​ISO9001_2015_Approved_Interpretations.doc|ISO/​TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:​2015]]"​ or "​[[https://​asq.org/​quality-resources/​iso-9001/​us-tc176|US TC 176 - TG22 - Interpretations]]"​ forbidding or restricting use of the "​preventive action"​ methodology. And ISO 9000:2015 continues to recognize "​preventive action"​ as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1). ​
 +
 +HOWEVER, I recommend eliminating the use of this confusing term because it is so widely misunderstood. A MUCH better way to approach this topic is through the implementation of actual //risk management tools// (which is what ISO 9001:1994 //should// have required) incorporating the use of [[https://​asq.org/​quality-resources/​fmea|FMEAs (Failure Modes and Effects Analysis]]. A FMEA should be completed for each process (aka **PFMEA** - "​Process Failure Modes and Effects Analysis"​) and design (aka **DFMEA** - "​Design Failure Modes and Effects Analysis"​).
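
Review bot: the added paragraphs use "risk" in two incompatible ways. The new text says ISO 14001:2015 makes it clear that "risks" are "threats" and adopts the API Spec Q1 definition (a situation with "a potentially negative consequence"), yet the rewritten lines under "Is the use of "Preventive Action" still valid?" and in the Conclusion still refer to "positive risks" alongside "opportunities". If the negative-only definition is the one the article settles on, drop "positive risks" and write only "opportunities" in those three places; otherwise say explicitly that "positive risks" is the other camp's wording. Two smaller points in the same revision: the FMEA link label in the final added paragraph opens a parenthesis that is never closed ("FMEAs (Failure Modes and Effects Analysis"), and the new image line for difference-corrective_action-preventive_action.jpg has an empty caption after the pipe, so the sentence "such as shown below" points at a figure with no descriptive text.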