
ISO 19443 Training

Introduction to Risk-Based Thinking (Products & Processes)

www.tuv-sud.com/nucleartraining
nucleartraining@tuvsud.com

TÜV SÜD Academy UK | ISO 19443 Training 21-23/06/2022


Motivation

▪ Get to know more about Risk-Based Thinking
▪ Learn how risk-based thinking enables an organization to optimize its results
▪ Learn about the methods used, such as preventive controls, risk analysis etc.

Source: TÜV SÜD


Introduction to Risk-Based Thinking

1 Introduction

2 Risk-Based Thinking

3 Methods of Risk-Based Thinking

4 Risk Analysis

5 Summary



Risk-Based Thinking in ISO 9001 / ISO 19443

Risk-Based Thinking:
▪ Preventive action to eliminate potential nonconformities
▪ Analysing any nonconformity that does occur
▪ Taking actions to prevent recurrence
▪ Plan and implement actions to address risks and opportunities

Source: TÜV SÜD ET



Risk-Based Thinking
▪ Risk-Based Thinking is generally included in ISO 9001
▪ It is essential for achieving an effective quality management system
▪ Risk-Based Thinking also has a high importance in the Nuclear Supply Chain, since safety regulations and considerations in this area are especially high.
▪ Risk-Based Thinking can be applied to planning and implementing quality management system processes
▪ A key purpose of a quality management system is to act as a preventive tool
▪ The organization shall plan actions to address risks



Risk-Based Thinking

Purpose of Risk-Based Thinking:
▪ Determine factors that could cause the QMS to deviate from planned results
▪ Put in place preventive controls to minimize negative effects
▪ Make maximum use of opportunities



Actions to address risks and opportunities

When planning for the Quality Management System, the organization shall…

Consider (6.1.1):
• Issues (4.1)
• Requirements (4.2)

Determine (6.1.1) the risks and opportunities that need to be addressed to:
• give assurance that the quality management system can achieve its intended result(s);
• enhance desirable effects;
• prevent, or reduce, undesired effects;
• achieve improvement.

Plan (6.1.2):
• actions to address risks and opportunities
• how to: integrate and implement actions into its QMS processes; evaluate the effectiveness of these actions.

Maintain and Retain related documented information.



Methods of Risk-Based Thinking
▪ Guidance on ISO 19443:
▪ Gives examples of good practice for actions to address risks and opportunities (6.1.1, 6.1.2)

Goal: Development of a documented risk management method, related to the achievement of applicable requirements,
including:
a. assignment of responsibilities for risk management,
b. definition of risk criteria
c. identification, assessment and communication of risks throughout product realization including supply chain,
d. identification, implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria,
e. tolerability of risks remaining after implementation of actions.

▪ Different types of risk analysis and assessment methods are listed in CEI/ISO 31010



CEI/ISO 31010
Risk Management – Risk Assessment Techniques
▪ Guidance on selection and application of risk assessment techniques

Risk assessment techniques:
▪ Stages: Risk Identification, Risk Analysis, Risk Evaluation
▪ Categorization of techniques according to their primary application in assessing risks:
− Eliciting views from stakeholders and experts
− Identifying risk
− Determining sources, causes and drivers of risk
− Analysing existing controls
− Understanding consequences and likelihood
− Analysing dependencies and interactions
− Providing measures of risk
− Evaluating the significance of risk
− Selecting between options
− Recording and reporting



Risk Analysis
▪ Suppliers within the nuclear industry have to conduct a risk analysis. The organizations have to identify the
impact of failures or malfunctions of their products or activities with respect to nuclear safety. One particular
challenge can be the consideration of items and activities, which have been provided by external sub-suppliers.

▪ Determination of ITNS items and activities: basis for the graded approach to the application of quality requirements.

▪ Annex B of ISO/TR 4450:2020-05 gives an example of how to conduct a risk analysis



Teamwork: How to perform a risk analysis
(1) Identification of the dangerous situations

(2) Risk assessment

(3) Hierarchical organization of risks

(4) Mitigation of risks

(5) Record of risk management, data, steps and results

Source: ISO/TR 4450



Step 1: Identification of dangerous situations

▪ Choose one topic and identify possible dangerous situations concerning the topic

(1) Financial
(2) Contractual
(3) Purchasing
(4) Project Management
(5) Technical and Realization
(6) Human aspects



Step 1 – Exemplary Answers
Topic (1) Financial, examples:
− Unrealistic cost estimates
− Variation of unfavourable exchange rate
− Too low profitability of the project/order

Topic (2) Contractual, examples:
− Poor understanding of customer needs or specifications
− Difficult to meet contractual obligations in the project or order
− Poor analysis of the impact of changes
− Poor analysis of requirements for quality assurance
− Poor analysis of the impact of documentary constraints
− Constraints imposed for unrealistic calendar or without margins
Source: ISO/TR 4450



Step 1 – Exemplary Answers

Topic (3) Purchasing, examples:
− Unavailability of materials/components
− Purchase price of materials/components incompatible with the budget
− Poor transmission of contractual requirements to subcontractors
− Suppliers are imposed or not permitted by the customer
− Unfavourable political developments in the country of the subcontractor
− Supply "single source"
− Misunderstanding of the project's needs by subcontractors
− Insufficient ability of the supplier as part of the project's requirements or order

Source: ISO/TR 4450



Step 1 – Exemplary Answers
Topic (4) Project Management, examples:
− Industrial organization unclear or inadequate
− Restructuring, planned or expected
− Organizational functions non-existent or inadequate
− Inconsistent schedules of different stakeholders
− Loss of knowledge and know-how
− Safety culture of the company (incl. questioning attitude toward the customer) not addressed
− Method and communication tools not addressed
− Insufficient or unavailable human or technical resources

Source: ISO/TR 4450


Step 1 – Exemplary Answers
Topic (5) Technical and Realization, examples:
− Inadequate industrial base
− Production logistics difficult to implement
− The technologies considered are immature or poorly controlled
− Principles or concepts proposed are not validated (by the owner, the customer, the authorities, etc.)
− Production process inappropriate against constraints on nuclear safety
− False or incomplete input data
− Not sufficient or inappropriate computing resources
− Test facilities unsuitable or absent
− Simulation models or tests not validated for condition of use

Source: ISO/TR 4450


Step 1 – Exemplary Answers
Topic (6) Human aspects, examples:
− Cultural differences which may cause misunderstandings
− Poor control of the contractual language
− Poor communication within the company (needs, data, information)
− Trainings in safety culture insufficient or absent
− Training time required for the project or order is too large relative to the constraints of schedule completion
− Poor management of skills and/or qualifications

Source: ISO/TR 4450


Step 2 – Assessment of the risk occurrence

Occurrence Level   Qualitative assessment   Quantitative assessment (P = likelihood)
1                  Low                      P < 20%
2                  Medium                   20% ≤ P < 40%
3                  High                     40% ≤ P < 60%
4                  Critical                 P > 60%

Source: ISO/TR 4450



Step 2 – Assessment of the severity of the impact of risks

Severity Level, with impact on: Safety, Conformity, Performance, Delivery Planning (D), Costs (C)
1 Low Low D < 5% C < 2%
2 Medium Medium 5% ≤ D < 10% 2% ≤ C < 5%
unacceptable
3 High High 10% ≤ D < 20% 5% ≤ C < 10%
4 Critical Critical D > 20% C > 10%

Source: ISO/TR 4450



Step 3 – Hierarchical organization of risks
[Risk matrix: Occurrence Level 1–4 (rows) against Severity Level 1–4 (columns)]

Source: ISO/TR 4450



Step 4 – Mitigation of risks

▪ The risks do not have to be mitigated but should be kept in mind.
▪ The risks should be examined again for reduction action (by acting on the occurrence or severity) = moving from orange to yellow, or placed under observation if reduction is impossible.
▪ The risks should be addressed and a solution should be found to eliminate them = moving from red to orange.

Source: ISO/TR 4450



Step 5 – Record of risk management data, steps and results
Record columns:
▪ Risk identified
▪ Initial risk assessment: Occurrence, Severity, Criticality
▪ Mitigation action: What, Who, When
▪ Final risk assessment: Occurrence, Severity, Criticality

#1: …
#2: …

Source: ISO/TR 4450



Summary
▪ Risk-Based Thinking is generally included in ISO 9001: it enables an organization to determine the factors that could cause its processes and results to deviate. This involves installing preventive controls to eliminate potential nonconformities, analysing any nonconformity that occurs, and taking action to prevent recurrence.
▪ Suppliers within the nuclear industry have to conduct a risk analysis. The organizations have to identify the
impact of failures or malfunctions of their products or activities with respect to nuclear safety. One particular
challenge can be the consideration of items and activities, which have been provided by external sub-suppliers.
▪ As part of the ITNS determination, this risk analysis has to demonstrate whether the item or activity is important
to nuclear safety or not (ITNS or non-ITNS).



Copyright

"The contents of the training materials are protected by copyright.

TÜV SÜD Energietechnik GmbH Baden-Württemberg reserves all rights resulting thereof, especially with regard to reprinting, publication by photomechanical reproduction or other means, and storage in data processing systems (in whole or in part).

This document and any information it contains shall not be used for any other purpose than the one for which they were provided."

Stock photos and clip art: Licensed by TÜV SÜD.com Image Database.
