Traditionally companies have been performing risk analysis to identify hazards, categorize the risk, and find methods for mitigating those risks. This approach has only been focused on the finished product with a limited view during design controls, not on how product is actually used. The risk analysis has been done as part of design and development with the development team themselves identifying the risks and hazards. What we are seeing over the last few years is that risk analysis or risk assessment is just a part of the entire picture. Organizations are realizing that a total risk management system must be implemented for their quality system to gain the full advantage. This article will discuss how companies can integrate risk management philosophies and techniques into their quality system processes.
In this article, the term "risk management" is used to encompass the traditional risk analysis methods and risk assessment that have been performed. The definition of risk management can be found in several standards, notably ISO 310001 and ISO 149712. Risk management is conducted for a myriad of reasons, though mainly for the identification of hazards and control of those hazards at an acceptable level. Conducting risk analysis only through Failure Modes and Effect Analysis (FMEA) or Fault Tree Analysis (FTA) typically does not include the entire lifecycle of the product. By performing only FMEA/FTA, aspects of risk management are lost, including the product lifecycle, processes within the quality system affecting the product, and understanding the application of the product once launched. Implementing a total risk management for the quality system allows the organization to identify hazards related specifically to the product and spot other processes that may impact the company's product, as well.
Moving risk management from a product-focused view to a total lifecycle view requires several steps. The first step is to understand the application of risk management and how to apply this concept to the quality system. Surprisingly, many individuals have not read the standards previously cited! Reading and applying the standard may not be enough; formal training in the application of the standards may be needed.
The application of risk management is an active process requiring review of the risks and hazards throughout the product lifecycle. These include reviewing the risks when a significant process change or a change to a significant supplier is made.
Customer feedback may also impact the product lifecycle. A company should continually ask if the manufacturing process has serious failures or if a serious adverse event has occurred with the customer base that impacts the risk management.
Applying Risk Management to the Quality Management System (QMS)
The next step to integrating a total risk management system is to identify those processes or services in the company where risk management should be applied. This is going beyond the traditional FMEA/FTA design that may be limited in scope. The company must understand all of the stakeholders in the risk management process, not only the end customer. Take into consideration all of the quality system processes, including outsourcing to suppliers, manufacturing activities, testing activities, and any changes to these that occur after product launch. Each of these processes may present hazards or risks further along in the product lifecycle. Organizations that have not gone through this exercise often discover product failures that, unfortunately, have been revealed the hard way. For example, a company that does not consider a second tier supplier as critical may have to conduct a product recall based on changes made by the second tier supplier. The important thing to consider when evaluating quality system processes is that the total life cycle of the product must be realized from birth to death.
The application of total risk management for the quality system can be taken in a step-by-step approach (see image below). This is particularly necessary if this is a new concept to an organization that has traditionally only performed risk analysis. Note: risk evaluation is usually different applied to quality system processes than when applied to a finished product. The concept of risk evaluation requires the severity levels and probability of occurrence levels to be established for either the entire quality system or individual processes in the quality system. As an example, the severity level of an event encountered with a supplier may be different than a severity level of an event in the manufacturing process. Establishing the risk evaluation allows the generation of an acceptability matrix to determine if the hazard introduced with the process is acceptable.
If the hazard identified in the quality system process is not acceptable, then the company can implement a series of risk controls to minimize the risk. For example, when we look at supplier hazards, increased inspection might be needed or periodic supplier audits required. Other risk controls might include the introduction of a new test or inspection at the final step to assure the hazard identified in the manufacturing process is avoided. The quality system process must be continuously monitored to assure the risk assessment stays within the estimated severity and probability of occurrence.
Controlling risk once it has been identified is also an issue. A company must decide if the identified risk is acceptable to itself, its customers and to all of the stakeholders involved. The company may decide that some risks are just unacceptable, like using sole-source suppliers that may have a significant impact on hazards introduced during the product lifecycle.
With this information as an overview, let's look at a specific example that demonstrates how we can apply risk management to one quality system process. In today's quality system, many companies outsource component manufacturing or servicing needs. The risk management process discussed previously can be applied to initial supplier qualification and ongoing supplier evaluation. This helps the company to understand those hazards or risks that would impact their own manufacturing (purchasing components), the finished product (contract manufacturers), or how their customer calls are handled (call centers). The identification of these risks allows companies to clearly communicate their expectations or establish the requirements needed for high quality products or service. Applying risk management to supplier controls also assures that risk controls are implemented, such as increased inspection activities or assuring a secondary supplier is available. The risks should be monitored continuously by the organization to assure the risk assessment is still applicable. By monitoring the risk assessment, the organization verifies during the supplier evaluation that the severity or occurrence has not changed. In effect, the risk management process can be applied to many quality system processes including customer feedback, nonconforming material, supplier controls, process validations, or internal audits.
Risk Requiring Supplier Controls