Differences

This shows you the differences between two versions of the page.

articles:preventive_action_not_equal_to_risks_and_opportunities [2019/11/06 19:55]
rrandall [Preventive Action ≠ Risks and Opportunities?]
articles:preventive_action_not_equal_to_risks_and_opportunities [2019/11/15 17:24] (current)
rrandall [Conclusion]
Line 11: Line 11:
 Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.</​blockquote>​ Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.</​blockquote>​
  
 +Despite repeated and continued efforts by quality professionals (such as shown below), users continued to confuse corrective action (reactive) with preventive action (proactive).
  
-ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). And a definition for “risk” was added to the ISO 9000:2015, “//​Quality management systems–Fundamentals and Vocabulary//​” as.+{{ :articles:difference-corrective_action-preventive_action.jpg?nolink |}}
  
-<​blockquote>​risk \\ 
-effect of uncertainty 
  
-Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\ +Compounding ​the confusionsomeone decided ​to use the same form for both corrective ​and preventive action ​(CAPA). 
-Note 2 to entry: Uncertainty is the stateeven partial, of deficiency of information (3.8.2) related ​to, understanding or knowledge of, an event, its consequence,​ or likelihood. \\ +
-Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these. \\ +
-Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) ​and the associated likelihood ​(as defined in ISO Guide 73:2009, 3.6.1.1of occurrence. \\ +
-Note 5 to entry: The word “risk” is sometimes used when there is the possibility of only negative consequences. \\ +
-Note 6 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition has been modified by adding Note 5 to entry. +
-</​blockquote>​+
  
 +ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). And a definition for “risk” was added to the ISO 9000:2015, “//​Quality management systems–Fundamentals and Vocabulary//​”. Unfortunately,​ ISO struggles with properly defining the word "​risk"​ (Ref.: [[articles:​a_matter_of_risk|A Matter of "​Risk"​]]). So, for the sake of simplicity, let's use the definition contained in [[https://​www.monogramwebstore.org/​publications/​item.cgi?​7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "​Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry"​ (Ninth Edition, June 2013)]], published by the [[https://​www.api.org|American Petroleum Institute (API)]]. ​
  
-{{ :​articles:​two-sides-of-risk-coin-graphic-900x600.png?​nolink&​400|The two sides of the Risk coin}} +<​blockquote>​**API Spec Q1** \\ 
-ISO 9000:2015, “//​Quality management systems–Fundamentals and Vocabulary//​”,​ "​Note ​1" states that risks can be positive or negative (i.e., “opportunities" ​or "​threats”);​ effectively establishing ​that “opportunities ​and threats” are two sides of the same “risk” coin. However, "Note 5" states that the word “risk” is "​sometimes"​ used when there is the //​possibility//​ of only negative ​consequences (i.e., a "​positive" ​consequence ​is impossible). Since "Note 1" covers all possibilities,​ addressing both positive and negative risks, then "Note 5" serves absolutely no purpose; other than to acknowledge that there are those who disagree with the definition of "​risk"​ including "​positive"​ risks (i.e., opportunities).+3.1.19 risk \\ 
 +Situation ​or circumstance ​that has both a likelihood of occurring ​and a potentially ​negative consequence.</​blockquote>​
  
-Providing a similar definition consistent with ISO 9001:​2015 ​"Note 1", ISO 31000:2018, “//Risk Management–Guidelines//” also promotes ​the concept of "​risk"​ being positive and/or negative ​(i.e., inclusive of “opportunities"​ and/or "​threats”):   +Upon reading ​ISO 9001:​2015, ​take note that it repeatedly uses the term “//risks and opportunities//” as __two separate concepts__ throughout ​the standard ​(in sections 4.4f, 5.1.2b6.1, 9.1.3e, 9.3.2e & 10.2.1e)
-  +
-<​blockquote>​risk \\ +
-effect of uncertainty on objectives \\+
  
-Note 1 to entryAn effect is a deviation from the expected. It can be positive, negative ​or both, and can address, create or result in opportunities ​and threats. \\ +While not defined in ISO 9000:2015 or ISO 9001:2015the term "//​risks ​and opportunities/​/" ​is defined ​in ISO 14001:2015"//​Environmental ​management ​systems — Requirements ​with guidance for use//"​.
-Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels. \\ +
-Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.<​/blockquote>​ +
-The definition provided in ISO 31000:​2018 ​is identical to the definition provided ​in ISO Guide 73:2009“Risk ​management–Vocabulary” (which was reviewed and confirmed in 2016), ​with slightly different notes to provide clarification (of their opinion)+
  
-As we can see, there are differences between ​ISO 9000:2015, ISO Annex SL, ISO 31000:2018 & ISO Guide 73:2009 regarding the concept of "​risk";​ whether it be through the definitions or clarification notes provided. +<​blockquote>​**ISO 14001:2015** \\ 
-===== The Conundrum ===== +3.2.11 risks and opportunities ​\\ 
-{{ :​articles:​confused_thoughts.png?​nolink&​400|}} +potential adverse effects ​(threats) and potential beneficial effects (opportunities
-If the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "​risk"​ rather than repeatedly stating “risks and opportunities” as two separate concepts throughout the standard ​(in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). For those who subscribe to the interpretation provided in "Note 1", “risks ​and opportunities” is an incongruous term. Therefore, it appears that the authors subscribed to the views expressed in ISO 9000:2015, "Note 5"; and that "Note 5" was added in protest to ISO Annex SL.+</​blockquote>​
  
-Consequently,​ this strongly //implied// preference for ISO 9000:​2015 ​"Note 5" ​over "Note 1" has created a conundrum for users over how to properly address "​risk"​.+===== Is the use of "Preventive Action" ​still valid? =====
  
-Compounding ​the issue, neither ISO 9001:2015, ISO 9000:2015, ISO 31000:2018 nor ISO Guide 73:2009 define the words opportunity” and “threat”. Furthermore,​ the user must ignore the other official ISO documents containing different definitions for “risk”, along with the various industry definitions,​ some of which __only__ recognize ​“negative” risks (e.g., ​ISO 13485:2016).+While many organizations continue to use the term preventive action” to address ​“negative risks"/​threats ​(e.g., ​because it was embedded into their corrective action forms, databases, etc.), it fails to address "​positive risks" and "​opportunities"​.
  
-==== Is the use of "Preventive Action" ​still valid? ====+Even though ​use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //​encouraging//​ their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure that "positive risks" and “opportunities” are also addressed within their QMS.
  
-While many organizations continue to use the term preventive action” to address “negative risks"/​threats (e.g., because it was embedded into their corrective action forms, databases, etc.), it fails to address ​"​opportunities" ​(i.e., positive risks).+A reason for this preference can be found in ISO JTCG N359, "JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03),​ explaining why the concept of Preventive Action” was replaced with "risks and opportunities"​.
  
-Even though use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //​encouraging//​ their clients to eliminate use of the term preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS. +<​blockquote>​**"​JTCG Frequently Asked Questions in support ​of Annex SL"** \\ 
- +10. Why does the common text not include a specific clause on Preventive Action? \\ 
-However, this presents challenges because other industry standards, such as ISO 13485:2016, “//​Medical Devices — Quality management systems — Requirements for regulatory purposes//​”,​ ISO 17020:2012, “//​Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//​” (Option A) and AAR M-1003:​2019,​ Section J, "//​Specification ​for Quality Assurance//​” all specifically require ​“preventive action” ​to be included in the QMS. +The high level structure ​and identical text does not include a clause giving specific requirements ​for “preventive action”. ​This is because one of the key purposes ​of a formal management system ​is to act as a preventive toolConsequently, a MSS requires an assessment ​of the organization’s “external and internal issues that are relevant ​to its purpose ​and that affect its ability ​to achieve ​the intended outcome(s)” ​in clause ​4.1, and to determine the risks and opportunities that need to be addressed ​toassure ​the XXX management system ​can achieve its intended outcome(s); preventor reduceundesired effects; achieve continual improvement.” in clause 6.1These two sets of requirements are considered ​to cover the concept ​of “preventive action”, and also to take a wider view that looks at risks and opportunities.</blockquote>​
- +
-===== Records ===== +
- +
-The only "​record"​ regarding “risks and opportunities” ​is specified in ISO 9001:2015, sec. 9.3, "​Management Review"​. This includes: +
-<​blockquote>//​9.3.2 Management review inputs \\ +
-The management review shall be planned and carried out taking into consideration:​ \\ +
-e. the effectiveness ​of actions taken to address risks and opportunities (see 6.1); \\ +
-f. opportunities for improvement.//​ </​blockquote>​ +
- +
-Here again we see where ISO 9001:​2015 ​is consistent with ISO 9000:2015, "Note 5" in considering "​risks"​ as only "​threats"​ by addressing "​opportunities"​ separately (in 9.3.2e). And then specifically requiring the organization ​to consider "//​opportunities for improvement//"​ (in 9.3.2f), ​as if they were somehow excluded from the opportunities identified in 9.3.2e! +
- +
-Due to the ambiguous/​vague nature of the requirementthe "​Management Review Meeting Minutes"​ could include ​statement as simple as: "//​All ​of the actions taken to address risks and opportunities were determined by management ​to be effective.//"​ +
- +
-<note tip> +
-Many ISO 9001:2015 consultants recommend ​the creation of a SWOT Analysis. While limited ​in their usefulness, a SWOT Analysis can provide:  +
-  * some great talking points relating to "//​external and internal issues//"​ (ISO 9001:2015, sec. 4.1), +
-  * useful information ​to help to "//determine the risks and opportunities that need to be addressed//" (ISO 9001:2015, sec. 6.1.1), +
-  * evidence that management has "​considered"​ 9.3.2b, "//​changes in external and internal issues that are relevant to the quality ​management system//" ​(when incorporated into the management review meeting minutes). \\ +
-{{ :​articles:​swot_analysis_table_551x422.png?​nolink&​400 |}} +
-</​note>​ +
- +
-FurtherISO 9001:2015sec9.3.3 "​Management Review Outputs"​ states (with an additional requirement added to AS 9100:2016, shown in **BOLD** below): +
-<​blockquote>//​9.3.3 Management Review Outputs \\ +
-The outputs ​of the management review shall include decisions and actions related to: \\ +
-a. opportunities for improvement;​ \\ +
-b. any need for changes ​to the quality management system; \\ +
-c. resource needs; \\ +
-**d. risks identified.**//​ \\ +
- \\ +
-The organization shall retain documented information as evidence ​of the results of management reviews.</​blockquote>​ +
- +
-It is critical to note that sec. 9.3.3 is not simply a management review agenda topic. This section specifically requires the inclusion of any "//​decisions and actions//"​ taken (or initiated) by management. Howeverit is interesting to note that the "//​decisions ​and actions related to opportunities for improvement//"​ is limited in ONLY addressing opportunities related to "​__improvement__",​ specifically excluding "//​decisions and actions related to//" other opportunities"​. +
- +
-AS 9100:2016 expanded the requirement through adding 9.3.3d, which requires organizations to also address "//​decisions and actions related ​to risks identified//"​. Without knowing whether the authors of AS 9100:2016 subscribe to ISO 9000:2015 "Note 1" or "Note 5", we cannot definitively interpret 9.3.3d as including "//​...decisions ​and actions related to//" ALL of the “opportunities ​and threats” identified (as per "Note 1"); or as the "//...decisions and actions related to//" ONLY the “threats” identified (as per "Note 5").+
  
 +However, this presents challenges because other industry standards, such as ISO 13485:2016, “//​Medical Devices — Quality management systems — Requirements for regulatory purposes//​”,​ ISO 17020:2012, “//​Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//​” (Option A) and AAR M-1003:​2019,​ Section J, "//​Specification for Quality Assurance//​”,​ and [[https://​www.monogramwebstore.org/​publications/​item.cgi?​7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "​Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry"​ (Ninth Edition, June 2013)]], all specifically require “preventive action” to be included in the QMS.
 ===== Conclusion ===== ===== Conclusion =====
- +An organization can certainly continue to use “preventive actions” as a methodology within its QMS for addressing “negative risks"/​threats PROVIDED that the organization also has a separate methodology of addressing “positive risks" ​and opportunities.
-An organization can certainly continue to use “preventive actions” as a methodology within its QMS for addressing “negative risks"/​threats PROVIDED that the organization also has a separate methodology of addressing “positive risks"/opportunities.+
  
 Supporting this, there is nothing stated in either the "​[[https://​committee.iso.org/​files/​live/​sites/​tc176sc2/​files/​documents/​Interpretations/​ISO9001_2015_Approved_Interpretations.doc|ISO/​TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:​2015]]"​ or "​[[https://​asq.org/​quality-resources/​iso-9001/​us-tc176|US TC 176 - TG22 - Interpretations]]"​ forbidding or restricting use of the "​preventive action"​ methodology. And ISO 9000:2015 continues to recognize "​preventive action"​ as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1). ​ Supporting this, there is nothing stated in either the "​[[https://​committee.iso.org/​files/​live/​sites/​tc176sc2/​files/​documents/​Interpretations/​ISO9001_2015_Approved_Interpretations.doc|ISO/​TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:​2015]]"​ or "​[[https://​asq.org/​quality-resources/​iso-9001/​us-tc176|US TC 176 - TG22 - Interpretations]]"​ forbidding or restricting use of the "​preventive action"​ methodology. And ISO 9000:2015 continues to recognize "​preventive action"​ as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1). ​
 +
 +HOWEVER, I recommend eliminating the use of this confusing term because it is so widely misunderstood. A MUCH better way to approach this topic is through the implementation of actual //risk management tools// (which is what ISO 9001:1994 //should// have required) incorporating the use of [[https://​asq.org/​quality-resources/​fmea|FMEAs (Failure Modes and Effects Analysis]]. A FMEA should be completed for each process (aka **PFMEA** - "​Process Failure Modes and Effects Analysis"​) and design (aka **DFMEA** - "​Design Failure Modes and Effects Analysis"​).
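
Review bot: The API Spec Q1 definition adopted in the added paragraph (3.1.19, a situation with "a potentially negative consequence") makes risk negative by definition, yet the revised text under "Is the use of 'Preventive Action' still valid?" and in the Conclusion still speaks of "positive risks". Under the chosen definition that term contradicts itself, so I'd suggest using "opportunities" alone for the beneficial side, or explaining which definition "positive risks" relies on. Two smaller points: in the final added paragraph the link text "FMEAs (Failure Modes and Effects Analysis" is missing its closing parenthesis, and the extended list of standards now reads "(Option A) and AAR M-1003:2019, ... and API Spec Q1", so the first "and" should become a comma.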