Differences

This shows you the differences between two versions of the page.

articles:preventive_action_not_equal_to_risks_and_opportunities [2019/11/06 19:55] – [Preventive Action ≠ Risks and Opportunities?] rrandallarticles:preventive_action_not_equal_to_risks_and_opportunities [2021/12/19 19:19] (current) – [Conclusion] rrandall
Line 1: Line 1:
 ====== Preventive Action ≠ Risks and Opportunities? ====== ====== Preventive Action ≠ Risks and Opportunities? ======
  
-While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”, the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard and users rarely purchased ISO 8402:1994, “//Quality management and quality assurance–Vocabulary//”. +While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”, the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard and users rarely purchased ISO 8402:1994, “//Quality management and quality assurance–Vocabulary//”. 
  
 +**__The Definition__** \\
 With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “//Quality management systems–Fundamentals and Vocabulary//”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as: With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “//Quality management systems–Fundamentals and Vocabulary//”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as:
  
-<blockquote>preventive action \\ +<blockquote>action to eliminate the cause of a potential nonconformity or other potential undesirable situation \\
-action to eliminate the cause of a potential nonconformity or other potential undesirable situation \\+
  \\  \\
 Note 1 to entry: There can be more than one cause for a potential nonconformity. \\ Note 1 to entry: There can be more than one cause for a potential nonconformity. \\
 Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.</blockquote> Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.</blockquote>
  
 +Despite repeated and continued efforts by quality professionals (such as shown below), users continued to confuse corrective action (reactive) with preventive action (proactive).
  
-ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). And a definition for “risk” was added to the ISO 9000:2015, “//Quality management systems–Fundamentals and Vocabulary//” as.+{{ :articles:difference-corrective_action-preventive_action.jpg?nolink |}}
  
-<blockquote>risk \\ 
-effect of uncertainty 
  
-Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\ +Compounding the confusionsome organizations decided to use the same form for both corrective and preventive action (CAPA). 
-Note 2 to entry: Uncertainty is the stateeven partial, of deficiency of information (3.8.2) related to, understanding or knowledge of, an event, its consequence, or likelihood. \\ +
-Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these. \\ +
-Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73:2009, 3.6.1.1of occurrence. \\ +
-Note 5 to entry: The word “risk” is sometimes used when there is the possibility of only negative consequences. \\ +
-Note 6 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition has been modified by adding Note 5 to entry. +
-</blockquote>+
  
 +In ISO 9001:2015 the requirement for “preventive action” had been removed. And many people __incorrectly__ viewed the concept as having been replaced with the more expanded of “risks and opportunities” (in section 6.1). Instead, “//risks and opportunities//” were to be considered during the planning. This becomes obvious when reading the requirement:
  
-{{ :articles:two-sides-of-risk-coin-graphic-900x600.png?nolink&400|The two sides of the Risk coin}} +<blockquote>**6.1 Actions to address risks and opportunities** \\ 
-ISO 9000:2015, “//Quality management systems–Fundamentals and Vocabulary//”, "Note 1" states that risks can be positive or negative (i.e., “opportunities" or "threats”); effectively establishing that “opportunities and threats” are two sides of the same “risk” coin. However"Note 5" states that the word “risk” is "sometimes" used when there is the //possibility// of only negative consequences (i.e., a "positive" consequence is impossible). Since "Note 1" covers all possibilities, addressing both positive and negative risks, then "Note 5" serves absolutely no purpose; other than to acknowledge that there are those who disagree with the definition of "risk" including "positive" risks (i.e.opportunities).+**6.1.1** When __planning__ for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: \\ 
 +a) give assurance that the quality management system can achieve its intended result(s); \\ 
 +b) enhance desirable effects; \\ 
 +c) preventor reduce, undesired effects; \\ 
 +dachieve improvement.</blockquote>
  
-Providing a similar definition consistent with ISO 9001:2015 "Note 1", ISO 31000:2018, “//Risk Management–Guidelines//” also promotes the concept of "risk" being positive and/or negative (i.e., inclusive of “opportunities" and/or "threats”):   +Upon reading ISO 9001:2015, take note that it repeatedly uses the term “//risks and opportunities//” as __two separate concepts__ (in sections 4.4f, 5.1.2b6.1, 9.1.3e, 9.3.2e & 10.2.1e)
-  +
-<blockquote>risk \\ +
-effect of uncertainty on objectives \\+
  
-Note 1 to entryAn effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats. \\ +While not defined in ISO 9000:2015 or ISO 9001:2015the term "//risks and opportunities//" is defined in ISO 14001:2015"//Environmental management systems — Requirements with guidance for use//".
-Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels. \\ +
-Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.</blockquote> +
-The definition provided in ISO 31000:2018 is identical to the definition provided in ISO Guide 73:2009“Risk management–Vocabulary” (which was reviewed and confirmed in 2016), with slightly different notes to provide clarification (of their opinion)+
  
-As we can see, there are differences between ISO 9000:2015, ISO Annex SL, ISO 31000:2018 & ISO Guide 73:2009 regarding the concept of "risk"; whether it be through the definitions or clarification notes provided. +<blockquote>**ISO 14001:2015** \\ 
-===== The Conundrum ===== +3.2.11 risks and opportunities \\ 
-{{ :articles:confused_thoughts.png?nolink&400|}} +potential adverse effects (threats) and potential beneficial effects (opportunities
-If the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "risk" rather than repeatedly stating “risks and opportunities” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). For those who subscribe to the interpretation provided in "Note 1", “risks and opportunities” is an incongruous term. Therefore, it appears that the authors subscribed to the views expressed in ISO 9000:2015, "Note 5"; and that "Note 5" was added in protest to ISO Annex SL.+</blockquote>
  
-Consequentlythis strongly //implied// preference for ISO 9000:2015 "Note 5over "Note 1has created a conundrum for users over how to properly address "risk".+Interestinglywhile a definition for “risk” was added to the ISO 9000:2015, “//Quality management systems–Fundamentals and Vocabulary//”, ISO chose not to include a definition for "opportunities". Perhaps this is because ISO struggles with properly defining the word "risk" (Ref.: [[articles:a_matter_of_risk|A Matter of "Risk"]]). Regardless of how ISO 9000:2015 defines "risk", ISO 14001:2015 makes it clear that "risksare "threats" (consistent with the etymology of the word). So, for the sake of simplicity, let's use the much better (more clear) definition contained in [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry(Ninth Edition, June 2013)]], published by the [[https://www.api.org|American Petroleum Institute (API)]]
  
-Compounding the issue, neither ISO 9001:2015, ISO 9000:2015, ISO 31000:2018 nor ISO Guide 73:2009 define the words “opportunity” and “threat”Furthermore, the user must ignore the other official ISO documents containing different definitions for “risk”, along with the various industry definitions, some of which __only__ recognize “negative” risks (e.g., ISO 13485:2016).+<blockquote>**API Spec Q1** \\ 
 +3.1.19 risk \\ 
 +Situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.</blockquote>
  
-==== Is the use of "Preventive Action" still valid? ====+**__Application of "Preventive Action"__** \\ 
 +The second issue with "preventive action" was its application. MANY users fail to understand that, just as “corrective actions” are only applicable to nonconformities that have resulted from “assignable (special) cause variations”, “preventive actions” are ONLY applicable to “assignable (special) cause variations” that have NOT yet occurred. For example, if a company utilizes Statistical Control Charts (SPC), and identifies an unstable process with a trend toward a nonconforming condition, the company may be able to identify the “assignable (special) cause" and implement a proper "preventive action".
  
-While many organizations continue to use the term preventive action” to address “negative risks"/threats (e.g.because it was embedded into their corrective action forms, databases, etc.), it fails to address "opportunities" (i.e., positive risks).+Alternatively, if a risk is identified along with a known (perhaps obvious) assignable (special) cause", then the action taken to ELIMINATE the cause would be a proper "preventive action" (i.e., through reducing either the likelihood/probability OR impact/consequences of the risk to zero). 
  
-Even though use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //encouraging// their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS.+While ISO JTCG (Joint Technical Coordination Group) N359, attempted to explain why the concept of “Preventive Action” was removed from ISO 9001 (in"JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03)), many users still found their explanation unclear.
  
-However, this presents challenges because other industry standards, such as ISO 13485:2016, “//Medical Devices — Quality management systems — Requirements for regulatory purposes//”, ISO 17020:2012, “//Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//” (Option A) and AAR M-1003:2019, Section J, "//Specification for Quality Assurance//” all specifically require “preventive action” to be included in the QMS. +<blockquote>**"JTCG Frequently Asked Questions in support of Annex SL"** \\ 
- +10Why does the common text not include a specific clause on “Preventive Action”? \\ 
-===== Records ===== +The high level structure and identical text does not include a clause giving specific requirements for “preventive action”This is because one of the key purposes of a formal management system is to act as preventive toolConsequently, a MSS requires an assessment of the organization’s “external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)” in clause 4.1, and to determine the risks and opportunities that need to be addressed toassure the XXX management system can achieve its intended outcome(s); __prevent__or __reduce__undesired effects; achieve continual improvement.” in clause 6.1These two sets of requirements are considered to cover the concept of “preventive action”, and also to take wider view that looks at risks and opportunities.</blockquote>
- +
-The only "record" regarding “risks and opportunities” is specified in ISO 9001:2015, sec. 9.3, "Management Review". This includes: +
-<blockquote>//9.3.2 Management review inputs \\ +
-The management review shall be planned and carried out taking into consideration: \\ +
-e. the effectiveness of actions taken to address risks and opportunities (see 6.1); \\ +
-f. opportunities for improvement.// </blockquote> +
- +
-Here again we see where ISO 9001:2015 is consistent with ISO 9000:2015, "Note 5" in considering "risks" as only "threats" by addressing "opportunities" separately (in 9.3.2e). And then specifically requiring the organization to consider "//opportunities for improvement//" (in 9.3.2f), as if they were somehow excluded from the opportunities identified in 9.3.2e! +
- +
-Due to the ambiguous/vague nature of the requirement, the "Management Review Meeting Minutes" could include statement as simple as: "//All of the actions taken to address risks and opportunities were determined by management to be effective.//" +
- +
-<note tip> +
-Many ISO 9001:2015 consultants recommend the creation of SWOT AnalysisWhile limited in their usefulness, a SWOT Analysis can provide:  +
-  * some great talking points relating to "//external and internal issues//" (ISO 9001:2015, sec. 4.1), +
-  * useful information to help to "//determine the risks and opportunities that need to be addressed//" (ISO 9001:2015, sec. 6.1.1), +
-  * evidence that management has "considered" 9.3.2b, "//changes in external and internal issues that are relevant to the quality management system//" (when incorporated into the management review meeting minutes). \\ +
-{{ :articles:swot_analysis_table_551x422.png?nolink&400 |}} +
-</note> +
- +
-FurtherISO 9001:2015sec9.3.3 "Management Review Outputs" states (with an additional requirement added to AS 9100:2016, shown in **BOLD** below): +
-<blockquote>//9.3.3 Management Review Outputs \\ +
-The outputs of the management review shall include decisions and actions related to: \\ +
-aopportunities for improvement; \\ +
-b. any need for changes to the quality management system; \\ +
-c. resource needs; \\ +
-**d. risks identified.**// \\ +
- \\ +
-The organization shall retain documented information as evidence of the results of management reviews.</blockquote>+
  
-It is critical to note that sec. 9.3.3 is not simply a management review agenda topic. This section specifically requires the inclusion of any "//decisions and actions//" taken (or initiated) by management. However, it is interesting to note that the "//decisions and actions related to opportunities for improvement//" is limited in ONLY addressing opportunities related to "__improvement__", specifically excluding "//decisions and actions related to//other opportunities".+When reading the above paragraph, be sure to recognize that when the word "//prevent//" appears, it is referring to "preventive action". And when the word "reduceappears, it is referring to the application of "risk mitigationcontrols. 
 +===== Is the use of "Preventive Actionstill valid? =====
  
-AS 9100:2016 expanded the requirement through adding 9.3.3dwhich requires organizations to also address "//decisions and actions related to risks identified//". Without knowing whether the authors of AS 9100:2016 subscribe to ISO 9000:2015 "Note 1" or "Note 5", we cannot definitively interpret 9.3.3d as including "//...decisions and actions related to//" ALL of the “opportunities and threats” identified (as per "Note 1"); or as the "//...decisions and actions related to//" ONLY the “threats” identified (as per "Note 5").+Technically, the answer is yesHoweverdue to its widespread misuse, many ISO 9001 and AS9100:2016 Certification Bodies (registrarsare //encouraging// their clients to eliminate use of the term preventive action”.
  
 +However, this presents challenges because several other industry-specific standards specifically require “preventive action” to be included in the QMS. For example:
 +  * ISO 13485:2016, “//Medical Devices — Quality management systems — Requirements for regulatory purposes//
 +  * ISO 17020:2012, “//Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//” (Option A)
 +  * AAR M-1003:2019, Section J, "//Specification for Quality Assurance//
 +  * [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)]]
 ===== Conclusion ===== ===== Conclusion =====
 +An organization can certainly continue to use “preventive actions” as a methodology within its ISO 9001:2015 or AS9100:2016 QMS. 
  
-An organization can certainly continue to use preventive actions” as a methodology within its QMS for addressing “negative risks"/threats PROVIDED that the organization also has separate methodology of addressing “positive risks"/opportunities.+Supporting this, there is nothing stated in either the "[[https://committee.iso.org/files/live/sites/tc176sc2/files/documents/Interpretations/ISO9001_2015_Approved_Interpretations.doc|ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015]]" or "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" forbidding or restricting use of the "preventive action" methodology. And ISO 9000:2015 continues to recognize "preventive action" as legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1).
  
-Supporting thisthere is nothing stated in either the "[[https://committee.iso.org/files/live/sites/tc176sc2/files/documents/Interpretations/ISO9001_2015_Approved_Interpretations.doc|ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015]]or "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]forbidding or restricting use of the "preventive action" methodology. And ISO 9000:2015 continues to recognize "preventive action" as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1)+However, the most common practical application of “preventive actions” would be for addressing "//assignable (special) cause variations//" identified in Statistical Control Charts
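Review bot: "Statistical Control Charts (SPC)" in the added "Application of "Preventive Action"" paragraph pairs an abbreviation with a term it does not abbreviate. Write "Statistical Process Control (SPC) charts" or drop the abbreviation, and use the same wording in the new closing sentence of the Conclusion, which currently says "Statistical Control Charts". In the added ISO 9001:2015 paragraph, "replaced with the more expanded of “risks and opportunities”" has a stray "of" or is missing a noun such as "concept". That paragraph also switches to "had been removed" where the surrounding text uses the simple past. The full API Spec Q1 link now appears twice, once before the definition blockquote and once in the list of standards that require preventive action; the second occurrence could be shortened to the title.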