The International Organization for Standardization is rolling out ISO 9001:2015, its first revision to the universally practiced quality management standard in seven years. The new revision to ISO 9001 places a pervasive emphasis on risk management in an organization's quality management system (QMS).
The value of risk management in product design has garnered heightened attention as products become more complex and companies accelerate development time frames. In industries like medical device manufacturing, defects can cause physical harm or even loss of life, exposing a company to devastating financial losses and regulatory penalties.
“Risk management and quality management are closely aligned,” wrote Ron Makar in a paper presented at the 2014 World Conference on Quality and Improvement, organized by the American Society for Quality (ASQ). “In fact,” Makar continued, “if you take a good look at all of the elements of a typical quality management system, you will find that most of them are subject to some degree of risk, that is, something can go wrong, if left uncontrolled.”
Makar, who now runs a quality consultancy for medical device and biotech companies, was global quality manager for industrial biosciences at DuPont, helping identify high-priority risks up front in development efforts.
ISO 9001 sets out the requirements for a company to fulfill ISO 9000. The organization reviews its standards every five years and produces revisions if needed.
Among the higher-level changes in ISO 9001:2015, risk-based thinking takes on heightened importance, although the revised standard does not require formal risk assessments. ISO defines “risk” as “the effect of uncertainty,” whether it is positive or negative. An organization should seek ways to assess its quality-related risk by understanding the likelihood and consequences of a given event.
ISO says that “the concept of risk has always been implicit in ISO 9001,” but that the new revision “makes it more explicit and builds it into the whole management system.” Various clauses in ISO 9001:2015 require executive management to promote awareness of risk-based thinking and implement processes to determine and address risks and opportunities that could affect QMS performance.
Some quality professionals have expressed concern that the new standard de-emphasizes prevention in quality management, but ISO insists that risk-based thinking, in fact, “makes preventive action part of strategic and operational planning” and helps establish “a proactive culture of improvement” in an organization. Previous editions of ISO 9001 placed preventive action in a separate clause, whereas the new risk-based thinking integrates prevention across the QMS.
Barrett Craner, until recently vice president for quality assurance and regulatory affairs at medical device development firm Stellartech Research Corp., told Design News that risk-based thinking is crucial. Craner recently retired and now consults for medical device manufacturers and teaches quality assurance at the University of California Santa Cruz graduate extension and at California State University Dominguez Hills.
“The key to reducing risk is definitely prevention,” Craner stressed. In the medical device industry, the stakes are obviously higher. “If a DVD player fails, no one gets hurt,” he said, “but in medical devices, you can have a high level of risk. Some failures you just can't accept, or if there is a failure, the device has to fail-safe.”
Craner believes that risk-based thinking is achievable for design teams, even in high-stakes industries such as his. For example, a solid process for hazard analysis “can help you look at the potential hazards in a product and the causes of those hazards, whether direct or indirect,” giving the team “a pictorial description of those causes” in a form that he describes as like “a tree with the hazard at the top.” Such tools can help quality and design professionals work together to reduce risks in product development.
ISO standards aren't always as detailed as one might expect, and quality management systems don't always have to specify every step in order to be effective, Craner told Design News. “A lot of these standards don't tell you that you have to do certain things,” he said. “They just want to make sure you do risk evaluation, analysis, control, and monitoring.”
An auditor or inspector won't likely mandate any particular method or tool, “but they may want to see what you have done and look at the tools you did use,” he said. Their objective will be to look for signs of due diligence, “to see that your risk process is a good one.”
Craner said that a certifier or inspector will often “want to look at an FMEA (failure modes and effects analysis). Or maybe your risk management plan.” He thinks the scrutiny could increase over time, though: “I believe as auditors become savvy, they will dig deeper into the risk analyses you do use.”
Like Craner, Makar has worked extensively in the development of medical devices. In his 2014 ASQ presentation, he said DuPont’s product development and commercialization framework imposes a stage-gated process requiring that certain risk management activities take place at each stage before a product can move from the concept/feasibility phase to the development phase to the validation/regulatory phase to commercialization.
Hazards and failure modes “are analyzed in terms of their impact on the system and then evaluated to determine the likelihood of occurrence and probability of harm,” Makar pointed out.
Even at the design stage, for example, checklists and worksheets are used to identify potential design risks and hazards, such as “energy hazards, biological hazards, environmental hazards, hazards resulting from incorrect output of energy or material, hazards related to the use of the medical device, and hazards arising from functional failure, maintenance, and aging,” according to Makar.
The ISO 9001 revision is being carried out by ISO Technical Committee 176 (TC 176), one of whose objectives has been to better align quality management standards with other systems such as environmental management (ISO 14001) and information security management (ISO 27001). Besides risk-based thinking, the 2015 requirements include an emphasis on stakeholder involvement in QMS development, management responsibility and accountability for quality, a process approach to quality management, and greater flexibility in the management of quality-related documents and records.
Advisera, which runs the 9001Academy, an online consultation center on ISO 9001, has released information on the revised standard via an infographic.
Al Bredenberg is a writer, analyst, consultant, and communicator. He writes about technology, design, innovation, management, and sustainable business, and specializes in investigating and explaining complex topics. He holds a master's degree in organization and management from Antioch University New England. He has served as an editor for print and online content and currently serves as senior analyst at the Institute for Innovation in Large Organizations.