Risk Based Thinking

Using the process approach and RBT are hot topics for organizations implementing ISO 9001 for the first time and others transitioning to its revised requirements. There’s nothing new about RBT. In fact, ISO 19011:2011—Guidelines for auditing management systems highlighted the need for organizations to identify risk as associated with QMSs, environmental management systems, and occupational health and safety management. ISO 19011:2011 also included a reference to using risk-based auditing (RBA).
RBT is ingrained in product and service planning processes for a majority of organizations. Although it may not be recognized as such, RBT is a natural part of the planning process. It includes the identification of resources such as personnel qualifications, equipment, facilities, manufacturing processes, material suppliers and control of outsourced services needed to meet specified requirements. RBT is integral to the standardization of processes and activities to minimize variation, which lowers the risk of nonconformance. In this case, RBT would be evidenced by ensuring the availability of controls—such as procedures or work instructions to address an identified risk.
When you consider the QMS in its entirety, RBT is evidenced in the identification of the interrelated processes that comprise the QMS and the risks associated with each of its supporting processes. RBT includes identifying a risk that could prevent an expected output from being achieved. An identified risk could affect the probability of the unavailability of qualified or skilled personnel, materials, defined manufacturing or product requirements, or specified acceptance criteria.
The higher the level of risk and the lower an organization’s risk appetite, the more controls (procedures) are required to manage the risk. Conversely, the lower the risk and higher the risk appetite, the fewer controls are necessary to address the risk.
Risk-based inspection and RBT: RBT is much more than a trending buzzword. It’s a useful tool that has existed for years. During the early 1990s, for example, risk-based inspections (RBI) were used in the oil and gas industry to establish testing and inspection (T&I) frequencies for process equipment. Equipment inspection results included remaining life and T-min. calculations based on D-meter, corrosometer or pit gauge measurements used to determine whether process or utility piping systems, pressure vessels, tanks and other equipment continued to be fit for service. RBI and RBT continue to be used to reduce operational downtime by scheduling and focusing T&Is based on identified risks. The higher the risk, the more frequent the T&I intervals. This same method applies to the implementation and maintenance of a QMS. As opposed to inspections, audits are used to assess the health of a QMS and its processes, and to identify a risk that may adversely affect the effectiveness of a QMS or product quality.
RBT is integral to RBI and RBA: These strategies have performance histories that have proven their value, and effectively using them depends on a practitioner’s familiarity with risks associated with an industry, relevant industry standards, manufacturing processes and the product or service. The new requirements introduced by ISO 9001:2015 should encourage many to rethink what we know about quality management. Quality professionals will need to retool their existing knowledge base to include new approaches for maintaining and auditing management systems.

The complete article was published in the July 2016 issue of ASQ’s QP Magazine.

