6.1.2 Risk Analysis / 6.1.2.2 Preventive Action

Afternoon all,

If I have already identified all internal and external issues and interested parties in 4.1 - 4.2 and assigned them risk levels and then also created an entire Contingency Plan for 6.1.2.3 to counteract all possible issues from floods to machine breakdowns to banks going bust..... what exactly am I doing for 6.1.2 and and 6.1.2.2?

These two sections seems to float between what I have already done, my Risk Analysis is my risk score in 4.1 - 4.2 and my preventive action is what I detail in my contingency plan as I put notes in saying what I do currently and what I will do if the incident happens? Do I really need another set of documents?

 

Preventive action is more process related and is separate from your contingency plans. Although, with IATF it's pretty much been replaced with risk analysis, it's part of your nonconformance and corrective action process, but in this case you're trying to prevent a nonconformance within the production process by determining where there might be an increased risk for potential nonconformity.

 

AH, so the PFMEA process we follow and the Control Plan we produce for products via APQP really covers this?

 

Exactly!

 

Nothing special on the risk score, 5 x 5 Impact on Business to deliver good product x Probability of Occurrence? So very much strategic level.

 

We keep it quite up to date, so at the moment the highest risk is the incredibly tight labour market and overall skills of employees to support correct operation of the business processes. We are implementing an apprentice scheme and internally cross training employees far more than before.

Brexit was obviously a big one before and the changing nature of our customers to Automotive ones has been a huge risk as we have new requirements we need to achieve.

 

Good day @Charles Stanley-Grey ;
You've received a lot of spot on wise counsel from @qmr1976 and @Andy Nichols .

Please allow me to add these additional considerations...

4.1~4.2 :
Generally quite static. (no need to "score", but IF it benefits your organization then by all means...do so. Remember to be selfish...do ONLY what provides benefit to your organization [while meeting requirements] ).
To help people grasp this oft confusing portion of the standard, I paraphrase this section as...
- WHO are we?
- WHAT do we do?
- WHO cares ?
- WHAT do they care about?

Answer those questions and you'll address the clauses. The REASON for addressing these (COTO), is that that it provides something to consider/weigh risk and opportunities against when we get to risks and opportunities...(6.1)

6.1 :
Should be considered VERY dynamic . , ...unlike 4.1~4.2 . (for example...8 months ago, fuel costs may not have been
considered a risk, to those 'things' identified back in 4.1~4.2 but likely is NOW. For an ISO 9001 certified domestic (USA) small oil company, those same high fuel costs ($110/barrel) have SUDDENLY made it again profitable to restart small wells, so for them, this current environment is an opportunity in regard to those 'things' identified in 4.1~4.2.

6.1.2.2 :
As already mentioned....'preventive action' is likely already a widespread consideration throughout the organization, via numerous methods (fmea being one)
Side note: ALL ISO standards have removed the term 'preventive action' as result of adding the term 'risk based thinking'. IATF seems to be simply adding redundancy/confusion.

6.1.2.3:
Generally quite static. Unlike addressing 'risks and opportunities' which can appear/disappear at a moment's notice, contingency is determining (well in advance) what can cause DISRUPTION to supply of product (i.e. loss of manpower, loss of power, loss of water pressure, fire, etc..etc..) and PRE-planning work arounds in the event any occur.

Don't overthink these or get caught up in simply 'adding documentation', that is hard to manage and provides no benefit to the organization. As I stated...be selfish.

Hope this helps.
Be well.

 

Yes! Can't emphasize John's comment above enough!!! I've seen SO many companies (including our own) who in the infancy of implementing TS and IATF, thought you had to create several documents/ procedures, or a lot of what was put in place was due to scare tactics from previous auditors. They suggest something, so they ran with it whether it made sense for the company or not. There are two problems with this: 1)Cumbersome to maintain and 2)More often than not you will find yourself with findings because you're in violation of your own procedure that says you're going to maintain copious amounts of documentation that may or may not even be part of the standard. It took me awhile to realize that as long as you're meeting the requirements of the standard, the auditor really doesn't have any place to dispute how your managing your system. Obviously, they can suggest ways to make improvements, but should never site a finding if you're well within the requirements of the standard. A lot of people (including myself at one time), when not familiar with the standard will take the auditor's word as 'Gospel' and for fear of failing the audit will not/cannot challenge them. I've had to read the standard many times to be comfortable enough to stand up for ourselves during audits.