QKC20171208：讀書會_品質管理系統的風險為基思維

hlperng

品質學會品質知識社群 (QKC) 讀書會
專題：品質管理系統的風險為基思維
時間：2017 年 12 月 08 日(星期五) 15:00 - 18:00   
地點：品質學會九樓教室（台北市羅斯福路 2 段 75 號）
主導：黃祖猶會友

hlperng

IATF 16949:2016 以 ISO 9001:2015 的風險為基思維 (risk-based thinking) 為基礎，相關的名詞包括：風險 (risk)、品質風險 (quality risk)、潛在風險 (potential risk)、風險管理 (risk management)、風險評鑑 (risk assessment)、風險識別 (risk identification)、風險分析 (risk analysis)、風險評估 (risk evaluation)、風險緩解 (risk mitigation)、風險對應 (risk commensuration)、設計 FMEA、過程 FMEA。

失效模式與效應分析 (FMEA) 為風險分析方法之一，為可靠度工程領域的失效分析技法 (techniques) 之一，後來應用在安全性管理領域，為風險管理的前提作業。車輛產業將 FMEA 分為 DFMEA 與 PFMEA 兩類，FMEA 是 AIAG 五大核心工具之一。IATF 16949:2016 中多處是以「例如 FMEA」 (such as FMEA) 出現在條文中。但是 AIAG 卻將 FMEA 提升為汽車產業的重要品質管理過程技術 (tehnology)，甚至於超越許多研發活動，例如系統工程過程、安全性管理、風險管理等傳統的典型作法。

0.3.3 Risk-based thinking
See ISO 9001:2015 requirements.

4.4.1.2 Product safety
The organization shall have documented processes for the management of product-safety related products and manufacturing processes, which shall include but not be limited to the following, where applicable:
c) special approvals for design FMEA
f) special approvals of control plans and process FMEA

7.1.3.1 Plant, facility, and equipment planning
The organization shall use a multidisciplinary approach including risk identification and risk mitigation methods for developing and improving plant, facility, and equipment plans.  
...
The organization shall maintain process effectiveness, including periodic re-evalulation relative to risk, ...

7.2.3 Internal auditor competency
Additionally, manufacturing process auditors shall demonstrae technical understanding of the relevant manufacturing process(es) to be audited, including process risk analysis (such as PFMEA) and control plan.

7.2.4 Second-party auditor competency
Second-party auditors shall meet customer specific requirements for auditor qualification and demonstrate the minimum following core competencies, including understanding of:
a) the automotive process approach to auditing, including risk based thinking.
d) applicable manufacturing process(es) to be audited, including PFMEA and control plan;

7.5.3.2.2 Engineering specification
NOTE.  A change in these standards/specifications may require an updated record of customer product part approval when these specifications are referenced on the design record or if they affect documents of the production part approval process, such as control plan, risk analysis (such as FMEAs), etc.

8.3.2.1 Design and development planning - supplementalExamples of areas for using such a multidisciplinary aproach include but are not limited to fhe following:
c) development and review of product design risk analysis (FMEAs), including actions to reduce potential risks;
d) development and reivew of manufacturing process risk analysis (for example, FMEAs, process flows, control plans, and standardizatd work instructions).

8.3.3.1  Product design input
Product design input requirements include but are not limited to the following:
e) assessment of risks with input requirements and the organization's ability to mitigate/manage the risks, including form the feasibility analysis;

8.3.3.2 Manufacturing process design input
The manufacturing process design shall include the use of error-proofing methods to a degree appropriate to the magnigude of the problem(s) and commensurate with the risks encountered.  

8.3.3.3 Special characteristics
The organization shall use a multidisciplinary approach to establish, document, and implement its process(es) to identify special characteristics, including those determined by the customer and the risk analysis performed by the organization, ...
a) documentation of all spcecial characteristics in the drawings (as required), risk analysis (such as FMEA), control plans, ...

8.3.4.1 Monitoring
NOTE.  When appropriate, these measurements may include quality risks, costs, lead times, critical paths, and other measurements.

8.3.5.1 Design and development outputs - supplemental
The product design oupus shall include but is not limited to the following, as applicable:
a) design risk analysis (FMEA);

8.3.5.2 Manufacturing process design output
The manufacturing process design input shall include but is not limited to the following:
g) manufacturing process FMEA;

8.4.2.4.1 Second-party audits
Second-party audits may be used for the following:
a) supplier risk assessment;
Based on a risk analysis, includng product safety/regulatory requirements, performance of the supplier, and QMS certification level, at a minimum, the organization shall document the criteria for determining the need, type, frequency, and scope of second-party audits.

8.4.2.5 Supplier development
Determination inputs shall include but are not limited to the following:
d) risk analysis.

8.5.1.1 Control plan
The organization shall have a control plan for pre-launch and production that shows linkage and incorporates information from the design risk analysis (if provided by the customer), process flow diagram, and manufacturing process risk analysis outputs (such as FMEA).
The organization shall review control plans, and update as required, for any of following:
g) when any change occurs affecting product, manufacturing process, measurement, logistics, supply sources, production volume changes, or risk analysis (FMEA) (see Annex A);
i) at a set frequence based on a risk analysis.

8.5.2.1 Identification and traceability - supplemental
The organization shall conduct an anallysis of internal, customr, and requlatory traceability requirements for all automotive products, including developing and documenting traceability plans, based on the levels of risk or failure severity for employee, cutomers, and consumers.

8.7.1.4 Control of reworked product
The organization shall utilize risk analysis (such as FMEA) methodology to assess risks in the rework process prior to a decision to rework the product.

8.7.1.5 Control of repaired product
The organization shall utilize risk analysis (such as FMEA) methodology to assess risks in the repair process prior to a decision to repair the product.

9.1.1.1 Monitoring and measurement of manufacturing processes
The organization shall verify that the process flow diagram, PFMEA, and control plan are implemented, ...

9.1.1.2 Identification of statistical tools
The organization shall verify that appropriate statistical tools are inlcuded as part of the advanced product quality planning (or equivalent) process and included in the design risk analysis (such as DFMEA) (where applicable), the process risk analysis (such as PFMEA), and the control plan.

9.2.2.1 Internal audit programme
The audit programme shall be priorilized based upon risk, internal and external performance trends, and criticality of the process(es).

9.2.2.3 Manufacturing process audit
The manufacturing process audit shall include an audit of the effective implementation of the process risk analysis (such as PFMEA), control plan, and associated documents.

9.3.2.1 Management review inputs - supplementa
Input to management review shall include:
j) identification of potential field failures identified through risk analysis (such as FMEA);

10.2.3 Problem solving
The organization shall have a documented process(es) for problem solving includeing:
f) reviewing and, where necessary, updating the appropriate documented information (e.g. PFMEA, control plan).

10.2.4 Error-proofing
The organization shall have a documented process to determine the use of appropriate error-proofing methodologies.  Details of this method used shall be documented in the process risk analysis (such as PFMEA) and test frequencies shall be documented in the control plan.  

10.3.1 Continual improvement - supplemental
The organization shall have a documented process for continual improvement.  The organization shall include in this process the following:
c) risk analysis (such as FMEA).

hlperng

ISO/IEC Directives, Part 1 Consolidated ISO Supplement - Procedures specific to ISO, Annex SL, Appendix 2 (Normative)，High level structure, identical core text, common terms and core definitions

ISO 9001:2015, Quality management systems - Requirements
Annex SL Appendix 2 與 ISO 9001:2015 關於 風險分析 (risk analysis) 的規定敘述在第 6.1 節「強調風險與機會之行動」(6.1 Actions to address risks and opportunities)，其內容引述比較如下表：

Annex SL, Appendix 2	ISO 9001:2015
6.1 Actions to address risks and opportunities	6.1 Actions to address risks and opportunities
When planning for the XXX management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to - assure the XXX management system can achieve its intended outcome(s) - prevent, or reduce, undesired effects - achieve continual improvement	6.1.1 When planning for the quality management system, the orgranization shall consider the issues referred in 4.1 and the requirements referred in 4.2 and determine the risks and opportunities that need to be addresses to: a) give assurance that the quality management system can achieve its intended result(s); b) enhance desirable effects; c) prevent, or reduce, undesired effects; d) achieve improvement
The organization shall plen: a) actions to address these risks and opportunities, and b) how to     - integratre and implement the actions into its XXX management system processes     - evaluate the effectiveness of these actions	6.1.2 The organization shall plan: a) actions to address these risks and opportunities; b) how to:     1) integrate and implement the actions into its quality management system processes (see 4.4);     2) evaluate the effectiveness of these actions.
	Actions taken to address risks and opportunities shall be proportionate to the potenital impact on the conformity of products and services.
	NOTE 1:  Options to address risk can include avoiding risk, taking risk in order to pursue an opportunities, eliminating the risk source, chancing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
	NOTE 2:  Opportunities lead to the adoption of new practices, launching new products, opening new markets, addressing new clients, building partnerships, using new technology and other desirable and viable possibilities to address the organization's or its customer's needs.
	IATF 16949:2017 6.1.2.1 Risk analysis The organization shall include in its risk analysis, at a minimum, lessons learned from product recalls, product audits, field returns and repair, complaints, scrap, and rework. The organization shall retain documented information as evidence of the results of risk analysis.
	IATf 16949:2017 6.1.2.2 Preventive action The organization shall determine and implement action(s) to eliminate the causes of potential non-conformities in order to prevent their occurrence.  Preventive actions shall be approrprate to the severity of the potential issues. The organization shall establish a process to lessen the impact of netive effectos of risk including the following: a) determining potential nonconformities and their causes; b) evaluatiing the need for action to prevent occurrence on nonconformities; c) determining and implementing action needed; d) documented information of action taken; e) reviewing the effectiveness of the preventive action taken; f) utilizing lessons learned to prevent recurrence in similar processes (see ISO 9001, Section 7.1.6)
	IATF 16949:2017 6.1.2.3 Contingency plans

ISO 9001:2015, 6.1 節強調當規劃品質管理系統時須考量風險與機會。提出 6.1.1 和 6.1.2 兩項條文規定。
6.1.1 & 6.1.2 (no title)
組織規劃品質管理系統時，須考慮與「組織及其情境」 (ISO 9001:2015, 4.1)和「有興趣團體的需要和期望」 (ISO 9001:2015, 4.2) 相關的風險與機會，使得品質管理系統可以達到「預期的結果」，例如：目的，和改進。風險分析的定義出現在 ISO 31000:2009〈風險管理 - 原則與指導綱要〉。

IATF 16949:2016 補充 6.1.2.1 風險分析 (Risk analysis)、6.1.2.2 預防行動 (Preventive actions)、和 6.1.2.3 應變計畫 (Contingency plans) 三個小節：
6.1.2.1 風險分析 (Risk analysis)
此節要求組織風險分析的兩個重點，第一是風險分析的對象包括從產品召回、產品稽核、現場退回與修理、抱怨、報廢和重工得到的經驗學習結果，第二是：保存建檔資訊作為風險分析結果的證據。
6.1.2.2 預防行動 (Preventive actions)
6.1.2.3 應變計畫 (Contingency plans)


ISO Guide 73:2009,
3.6.1 分險分析 (risk analysis)
Process to comprehend the nature of risk and to determine the level of risk.
NOTE 1 to entry: Risk analysis provides the basis for risk evalution and decision abour risk treatment.
NOTE 2 to entry: Risk analysis includes risk estimation.



本論壇風險相關資料：

• 風險定義的發展脈絡
• 風險管理
• 風險管理與價值管理整合
• 風險管理相關標準文件
• 風險分析的內容
  

參考資料：

• R. Dan Reld (2017), Standard Outlook: Keys to IATF 16949:2016, Quality Progress.