
How Risk Prevention and Continual Improvement are Related in AS9100 Rev D

Effectively using simple risk management tools prevents process defects and achieves continual improvement of the quality management system.

It may be obvious to readers that AS9100 Rev D no longer explicitly requires organizations to have a preventive action system. While this is technically true, risk-based thinking – a preventive concept – is not only required, but expanded to include key product or service realization. Further, AS9100D, paragraph 0.3.1 General, encourages organizations to adopt a process approach when, among other activities, improving the effectiveness of the quality management system.

This article explains how to link defect prevention to the requirement of continual improvement through the effective management of process risk. Let’s begin by looking at the constituent parts of all processes.

The Anatomy of Processes

Quality literature is replete with diagrams illustrating the basic component parts of all processes. No matter which diagram one chooses, it is likely some variation on the following:

Figure 1 – Process Requirements

Successful processes will be supplied on time, from internal and/or external suppliers, with conforming inputs. Each process will supply a conforming output on time to internal and/or external customers.

After an organization has documented the sequence and interaction of its QMS processes, it can look at the threats to the expected results of output conformity and on-time delivery.

Operational Risk Management

The risk management required in AS9100 Rev D 8.1.1 involves identifying and controlling threats to the successful completion of operational processes. The occurrence of threats is uncertain, and it is the assessment of this uncertainty that is at the heart of risk management. Learn more about risk management in the article 5 key elements of risk management in AS9100 Rev D.

Five Elements of Risk Management

Some useful tools begin by applying the Five Elements of Risk Management shown below. By using a Stop Light Matrix (Figure 2) with a Failure Modes and Effects Analysis (FMEA), organizations will see a clear path to continual improvement.

| Element | Description |
|---|---|
| 1. Identify the risks | Brainstorm the risks to the process output requirements. |
| 2. Analyze the risks | Use the Stop Light Matrix in Figure 2 to assign the likely impact and probability of each risk. |
| 3. Evaluate or rank the risks | For each yellow or red risk, use an FMEA to further define the most serious risks. |
| 4. Mitigate the risk | Implement plans to mitigate the risks above an agreed Risk Priority Number (RPN). |
| 5. Monitor and review the risk | Did the risk mitigation plans work? If not, adjust as needed. |

Table 1 – The Five Elements of Risk Management

Figure 2 – Stop Light Matrix

An FMEA is a well-known tool used by a team of process owners and subject matter experts to assess the likely risk of a design or process failure. In our context, the team reviews each identified risk to the successful completion of the process under consideration. Among others, the risks can be specifically related to one or more inputs to the process being inadequate and/or not on time. These result in the process itself being subject to unacceptable variation.

For each risk on the FMEA, the team assigns a number from 1-10 that captures:

  1. The relative seriousness or severity of the impact if the risk is not mitigated
  2. The inherent likelihood of the risk occurring if not mitigated
  3. The likelihood of detecting the occurrence of the risk

The resulting three numbers are then multiplied to create an RPN. The higher the resulting RPN, the more significant the risk.

The Link to Continual Improvement

Steps 4 and 5 of the Elements of Risk Management in Table 1 are where the possibility of preventing costly errors moves to the forefront.

Having clearly determined the most serious risks to a process delivering its required outputs on time, the team develops strategies to address any and all variables in the FMEA’s RPN values for each risk. The table below provides some examples of how to decrease severity and likelihood of occurrence, increase the likelihood of detection, and prevent possible process failures.

| RPN Variable | Actions to address the RPN variable |
|---|---|
| Severity of risk (SEV) | Break the existing process into smaller, more manageable steps; redesign the existing process |
| Likelihood of occurrence (OCC) | Implement mistake-proofing techniques; implement additional verification steps; examine the effectiveness of training; upgrade equipment/software; increase frequency of feedback to suppliers |
| Likelihood of detection (DET) | Increase process inspection; automate process |

Table 2 – Reducing FMEA Risk Priority Variables

Optimizing the process by reducing the risks to successful execution should maximize on-time delivery of conforming outputs to internal and external customers. A well-designed and adequately monitored set of process metrics will provide process owners with meaningful indicators of how well a process is operating and how effectively the identified risks are being managed.

Proactively eliminating the risks to the sequence and interaction of the processes will improve the QMS. Work will become less wasteful and more effective.

Constant change

Beginning with an insightful understanding of the sequence and interaction of its QMS processes, an organization’s process owners and subject matter experts identify the likely risks to the successful completion of those processes. With the use of a few simple, proven tools, risks to the successful completion of those processes can be appropriately managed and mitigated. As a result, costly errors will be prevented.

However, it’s important to remember that process risk management is not a “one-and-done” action. As the philosopher Heraclitus observed, “The only thing that is constant is change.” Changes in global markets, the workforce and technology constantly exert pressure on organizations to adapt.

Continual improvement means learning new techniques and updating processes to leverage new information and skills.
