In the ISO 9001:2013 (Committee Draft) the word risk appears 30 times, which appears to follow the revisions to the AS9100C Standard for Aerospace Quality Management.

In recent years we have published Excel workbooks with the type of risk assessments used Failure Mode Effects Analysis (FMEA), whereas the Risk Priority Number (RPN) of the impact is calculated by multiplying the Probability times the Severity times the Detection or [RPN = (P * S * D)].

These Excel tools along with recent additions to QMSCAPA, our quality management software, provide a complete tool kit for compiling the data of various aspects of risk from processes and assessing their impacts.

The FMEA style of risk assessment included in QMSCAPA version 1.7, consist of:

1. Table of Risk Assessments (current and historical assessments);
2. A sub-table of specific aspects of the risk assessments;
3. A look-up table of the risk impact values with regard to the evaluated aspect.

ISO 9001:213 indicates a requirement to determine the risks to conformity of goods and services and customer satisfaction if unintended outputs.  And in Clause 4.4.2 Process Approach:

Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that

1. the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;

In Clause 6 Planning

6.1 Actions to address risks and opportunities;

When planning for the quality management system, the organization shall consider the issues referred to in paragraph 4.2 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to

a) assure the quality management system can achieve its intended outcome(s),  

b) assure that the organization can consistently achieve conformity of goods and services and customer satisfaction, 

c) prevent, or reduce, undesired effects, and d) achieve continual improvement.

Furthermore

The organization shall plan:

a) actions to address these risks and opportunities, and b) how to integrate and implement the actions into its quality management system processes (see 4.4), and 2) evaluate the effectiveness of these actions.

Notes include,

Any actions taken to address risks and opportunities shall be proportionate to the potential effects on conformity of goods and services and customer satisfaction. The organization shall undertake change in a planned and systematic manner, identifying risks and opportunities and reviewing the potential consequences of change.

In Clause 8.3 for Operational planning process …

In preparing for the realization of goods and services, the organization shall implement a process to determine the following, as appropriate, 

a) requirements for the goods and services taking into consideration relevant quality objectives; b) actions to identify and address risks related to achieving conformity of goods and services to requirements;

… the risks identified and the potential impacts, …

e) the determined risks and opportunities associated with the development activities with respect to the nature of the goods and services to be developed and potential consequences of failure, 

2) the level of control expected of the development process by customers and other relevant interested parties, and 

3) the potential impact on the organization’s ability to consistently meet customer requirements and enhance customer satisfaction.

Also Clause 8.6.5 Post delivery activities …

Where applicable, the organization shall determine and meet requirements for post delivery activities associated with the nature and intended lifetime of the goods and services. The extent of post delivery activities that are required shall take account of 

a) the risks associated with the goods and services …

In Clause 9.1.1 General

The organization shall determine take into consideration the determined risks and opportunities and shall:

a) determine what needs to be monitored and measured in order to:

The organization shall: 

a) plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit program(s) shall take into consideration the quality objectives, the importance of the processes concerned, the related risks, and the results of previous audits;

In FMEA, failures are prioritized according to how serious their consequences are, how frequently they occur and how easily they can be detected. An FMEA also documents current knowledge and actions about the risks of failures for use in continual improvement. FMEA is used during design, planning and production stages with an aim to avoid future failures and sometimes called preventive actions. Very often it is used for process control, before and during ongoing operation of the process. Ideally, FMEA begins during the earliest conceptual stages of design and continues throughout product or service realization.

The outcomes of an FMEA development are actions to prevent or reduce the severity or likelihood of failures, starting with the highest-priority ones. Also, it may be used to evaluate risk, develop priorities for risk management and mitigating known threat vulnerabilities. Lastly, FMEA helps determine the appropriate selection for remedial actions that reduce cumulative impacts of life-cycle consequences (risks) from a systems failure (fault).

Definitions typically used in Failure Mode Effects Analysis (FMEA)

1. Failure: The loss under stated conditions.
2. Failure mode: The specific manner or way by which a failure occurs in terms of failure of the item (being a part or (sub) system) function under investigation; it may generally describe the way the failure occurs. It shall at least clearly describe a (end) failure state of the item (or function in case of a Functional FMEA) under consideration. It is the result of the failure mechanism (cause of the failure mode). For example; a fully fractured axle, a deformed axle or a fully open or fully closed electrical contact are each a separate failure mode.
3. Failure cause and/or mechanism: Defects in requirements, design, process, quality control, handling or part application, which are the underlying cause or sequence of causes that initiate a process (mechanism) that leads to a failure mode over a certain time. A failure mode may have more causes. For example; “fatigue or corrosion of a structural beam” or “fretting corrosion in an electrical contact” is a failure mechanism and in itself (likely) not a failure mode. The related failure mode (end state) is a “full fracture of structural beam” or “an open electrical contact”. The initial Cause might have been “Improper application of corrosion protection layer (paint)” and /or “(abnormal) vibration input from another (possible failed) system”.
4. Failure effect: Immediate consequences of a failure on operation, function or functionality, or status of some item.
5. Indenture levels (bill of material or functional breakdown): An identifier for system level and thereby item complexity. Complexity increases as levels are closer to one.
6. Local effect: The failure effect as it applies to the item under analysis.
7. Next higher level effect: The failure effect as it applies at the next higher indenture level.
8. End effect: The failure effect at the highest indenture level or total system.
9. Detection: The means of detection of the failure mode by maintainer, operator or built in detection system, including estimated dormancy period (if applicable)
10. Risk Priority Number (RPN): Cost (of the event) * Probability (of the event occurring) * Detection (Probability that the event would not be detected before the user was aware of it)
11. Severity: The consequences of a failure mode. Severity considers the worst potential consequence of a failure, determined by the degree of injury, property damage, system damage and/or time lost to repair the failure.
12. Remarks / mitigation / actions: Additional info, including the proposed mitigation or actions used to lower a risk or justify a risk level or scenario.

QMSCAPA, quality management software, is published by Access Business Communications, Inc. QMSCAPA is licensed Free for single users.