Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
articles:preventive_action_not_equal_to_risks_and_opportunities [2019/11/24 13:16]
rrandall [Preventive Action ≠ Risks and Opportunities?]
articles:preventive_action_not_equal_to_risks_and_opportunities [2020/01/11 14:23] (current)
rrandall [Is the use of "Preventive Action" still valid?]
Line 1: Line 1:
 ====== Preventive Action ≠ Risks and Opportunities?​ ====== ====== Preventive Action ≠ Risks and Opportunities?​ ======
  
-While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”,​ the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard and users rarely purchased ISO 8402:1994, “//​Quality management and quality assurance–Vocabulary//​”. ​+While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”,​ the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard ​and users rarely purchased ISO 8402:1994, “//​Quality management and quality assurance–Vocabulary//​”. ​
  
 With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “//​Quality management systems–Fundamentals and Vocabulary//​”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as: With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “//​Quality management systems–Fundamentals and Vocabulary//​”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as:
Line 16: Line 16:
  
  
-Compounding the confusion, ​someone ​decided to use the same form for both corrective and preventive action (CAPA). ​+Compounding the confusion, ​some organizations ​decided to use the same form for both corrective and preventive action (CAPA). ​
  
-ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). Upon reading ISO 9001:2015, take note that it repeatedly uses the term “//risks and opportunities//​” as __two separate concepts__ ​throughout the standard ​(in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). ​+ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). Upon reading ISO 9001:2015, take note that it repeatedly uses the term “//risks and opportunities//​” as __two separate concepts__ (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). ​
  
 While not defined in ISO 9000:2015 or ISO 9001:2015, the term "//​risks and opportunities//"​ is defined in ISO 14001:2015, "//​Environmental management systems — Requirements with guidance for use//"​. While not defined in ISO 9000:2015 or ISO 9001:2015, the term "//​risks and opportunities//"​ is defined in ISO 14001:2015, "//​Environmental management systems — Requirements with guidance for use//"​.
Line 27: Line 27:
 </​blockquote>​ </​blockquote>​
  
-Interestingly,​ while a definition for “risk” was added to the ISO 9000:2015, “//​Quality management systems–Fundamentals and Vocabulary//​”. Unfortunately, ISO struggles with properly defining the word "​risk"​ (Ref.: [[articles:​a_matter_of_risk|A Matter of "​Risk"​]]). Regardless of how ISO 9000:2015 defines "​risk",​ ISO 14001:2015 makes it clear that "​risks"​ are "​threats"​. So, for the sake of simplicity, let's use the definition contained in [[https://​www.monogramwebstore.org/​publications/​item.cgi?​7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "​Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry"​ (Ninth Edition, June 2013)]], published by the [[https://​www.api.org|American Petroleum Institute (API)]]. ​+Interestingly,​ while a definition for “risk” was added to the ISO 9000:2015, “//​Quality management systems–Fundamentals and Vocabulary//​”, ​ISO chose not to include a definition for "​opportunities"​. Perhaps this is because ​ISO struggles with properly defining the word "​risk"​ (Ref.: [[articles:​a_matter_of_risk|A Matter of "​Risk"​]]). Regardless of how ISO 9000:2015 defines "​risk",​ ISO 14001:2015 makes it clear that "​risks"​ are "​threats"​. So, for the sake of simplicity, let's use the much better (more clear) ​definition contained in [[https://​www.monogramwebstore.org/​publications/​item.cgi?​7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "​Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry"​ (Ninth Edition, June 2013)]], published by the [[https://​www.api.org|American Petroleum Institute (API)]]. ​
  
 <​blockquote>​**API Spec Q1** \\ <​blockquote>​**API Spec Q1** \\
Line 37: Line 37:
 While many organizations continue to use the term “preventive action” to address “negative risks"/​threats (e.g., because it was embedded into their corrective action forms, databases, etc.), it fails to address "​positive risks" and "​opportunities"​. While many organizations continue to use the term “preventive action” to address “negative risks"/​threats (e.g., because it was embedded into their corrective action forms, databases, etc.), it fails to address "​positive risks" and "​opportunities"​.
  
-Even though use of “preventive action” is still permitted to address “negative risks"/​threats,​ many ISO 9001 and AS9100:2016 registrars are //​encouraging//​ their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure that "​positive risks" and “opportunities” are also addressed within their QMS.+Even though use of “preventive action” is still permitted to address “negative risks"/​threats,​ many ISO 9001 and AS9100:2016 registrars are //​encouraging//​ their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure ​(or at least give the appearance) ​that "​positive risks" and “opportunities” are also addressed within their QMS.
  
 A reason for this preference can be found in ISO JTCG N359, "JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03),​ explaining why the concept of “Preventive Action” was replaced with "risks and opportunities"​. A reason for this preference can be found in ISO JTCG N359, "JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03),​ explaining why the concept of “Preventive Action” was replaced with "risks and opportunities"​.
Line 45: Line 45:
 The high level structure and identical text does not include a clause giving specific requirements for “preventive action”. This is because one of the key purposes of a formal management system is to act as a preventive tool. Consequently,​ a MSS requires an assessment of the organization’s “external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)” in clause 4.1, and to “determine the risks and opportunities that need to be addressed to: assure the XXX management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual improvement.” in clause 6.1. These two sets of requirements are considered to cover the concept of “preventive action”, and also to take a wider view that looks at risks and opportunities.</​blockquote>​ The high level structure and identical text does not include a clause giving specific requirements for “preventive action”. This is because one of the key purposes of a formal management system is to act as a preventive tool. Consequently,​ a MSS requires an assessment of the organization’s “external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)” in clause 4.1, and to “determine the risks and opportunities that need to be addressed to: assure the XXX management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual improvement.” in clause 6.1. These two sets of requirements are considered to cover the concept of “preventive action”, and also to take a wider view that looks at risks and opportunities.</​blockquote>​
  
-However, this presents challenges because other industry standards, such as ISO 13485:2016, “//​Medical Devices — Quality management systems — Requirements for regulatory purposes//​”ISO 17020:2012, “//​Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//​” (Option A) and AAR M-1003:​2019,​ Section J, "//​Specification for Quality Assurance//​”, and [[https://​www.monogramwebstore.org/​publications/​item.cgi?​7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "​Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry"​ (Ninth Edition, June 2013)]], all specifically require “preventive action” to be included in the QMS.+However, this presents challenges because ​several ​other industry-specific ​standards ​specifically require “preventive action” to be included in the QMS. For example: 
 +  * ISO 13485:2016, “//​Medical Devices — Quality management systems — Requirements for regulatory purposes//​” 
 +  * ISO 17020:2012, “//​Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//​” (Option A) 
 +  * AAR M-1003:​2019,​ Section J, "//​Specification for Quality Assurance//​” 
 +  * [[https://​www.monogramwebstore.org/​publications/​item.cgi?​7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "​Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry"​ (Ninth Edition, June 2013)]]
 ===== Conclusion ===== ===== Conclusion =====
 An organization can certainly continue to use “preventive actions” as a methodology within its QMS for addressing “negative risks"/​threats PROVIDED that the organization also has a separate methodology of addressing “positive risks" and opportunities. An organization can certainly continue to use “preventive actions” as a methodology within its QMS for addressing “negative risks"/​threats PROVIDED that the organization also has a separate methodology of addressing “positive risks" and opportunities.