# Risk Assessment

## Overview

Proactive risk identification and evaluation are foundational to operating safe, compliant, and high-quality laboratories. The [Risk Assessment](https://www.labii.com/products/risk-assessment) application built on Labii provides a structured, traceable environment for conducting formal risk assessments across laboratory operations, experimental procedures, equipment, and processes.

The application supports widely used risk management frameworks including ISO 14971 (medical devices), ICH Q9 (pharmaceuticals), and ISO 31000 (general risk management). By organizing risk data across six dedicated tables—risk assessments, individual risks, risk controls, standards, components, and verification tests—Labii enables teams to systematically identify hazards, evaluate their likelihood and severity, implement controls, and confirm residual risk acceptability through documented testing.

{% hint style="info" %}
This application is well suited for organizations operating under ISO 14971, ICH Q9, FDA guidance on risk management, or any quality framework requiring documented risk justification and traceability.
{% endhint %}

## Use Cases

### Medical Device Development

* Conduct product-level risk assessments per ISO 14971
* Link hazards and hazardous situations to specific device components
* Document risk controls (design changes, protective measures, labeling) with traceability to risks
* Verify control effectiveness through documented risk tests
* Maintain a risk management file across the product lifecycle

### Pharmaceutical Process Risk Management

* Perform ICH Q9-aligned risk assessments for manufacturing processes and analytical methods
* Identify critical quality attributes (CQAs) and critical process parameters (CPPs)
* Document risk ranking using FMEA, HACCP, or fault tree analysis
* Track control measures applied to high-risk process steps
* Support regulatory submissions with a complete risk management record

### Laboratory Safety and Operations

* Assess chemical, biological, and physical hazards in laboratory procedures
* Document engineering controls, administrative controls, and PPE requirements
* Evaluate risks associated with new equipment introductions or process changes
* Maintain safety risk registers aligned with institutional EHS requirements
* Support laboratory accreditation with documented risk management practices

### Clinical and Diagnostic Laboratories

* Assess pre-analytical, analytical, and post-analytical risks in testing workflows
* Document control measures for high-risk assay steps
* Track risk reduction over time as controls are implemented and validated
* Support CAP, ISO 15189, and CLIA accreditation requirements
* Integrate risk assessments with non-conformance and CAPA processes

### Software and Systems Risk Assessment

* Evaluate risks associated with laboratory information system implementations
* Document software hazards, failure modes, and mitigations per IEC 62304
* Track verification tests confirming software risk controls are effective
* Manage risk assessments across software versions and updates

## Getting Started

{% stepper %}
{% step %}
Navigate to **Settings → Applications** from the main menu
{% endstep %}

{% step %}
Click **Add application** and select **Add from a template**
{% endstep %}

{% step %}
Choose **Risk Assessment** from the template list

{% hint style="warning" %}
If Risk Assessment is not listed, it may already be installed. Check the side menu for the risk assessment tables.
{% endhint %}
{% endstep %}

{% step %}
Wait for installation to complete. The system will automatically create six tables:

* **risk\_assessment** — Top-level risk assessment records
* **risk** — Individual risk items and their evaluations
* **risk\_control** — Controls and mitigations applied to risks
* **risk\_standard** — Risk acceptability criteria and standards
* **risk\_component** — Components or items being assessed
* **risk\_test** — Verification tests confirming control effectiveness
{% endstep %}

{% step %}
Begin by configuring your **risk\_standard** and **risk\_component** tables with the relevant standards and components for your assessments before creating risk assessment records
{% endstep %}
{% endstepper %}

## Application Structure

### Risk Assessment Table

The **risk\_assessment** table holds the top-level record for each formal risk assessment conducted.

**Purpose**: Document the scope, objectives, methodology, and overall conclusions of a risk assessment activity

**Typical Use**: Product risk management files, process FMEAs, facility hazard assessments, change-related risk assessments

***

### Risk Table

The **risk** table captures individual risk items identified within a risk assessment, including hazard identification, probability, severity, and risk priority evaluation.

**Purpose**: Record discrete risks with quantified or qualitative evaluations, linked to their parent risk assessment

**Typical Use**: Individual FMEA failure modes, ISO 14971 hazards, HACCP hazard entries, process risk items

***

### Risk Control Table

The **risk\_control** table documents the controls, mitigations, and countermeasures applied to reduce identified risks.

**Purpose**: Track what actions are taken to reduce risk probability or severity, and the resulting residual risk level

**Typical Use**: Design controls, process controls, protective measures, warning labels, administrative controls, PPE requirements

***

### Risk Standard Table

The **risk\_standard** table stores the risk acceptability criteria and scoring matrices used to evaluate risks consistently across assessments.

**Purpose**: Define and maintain risk scoring scales (probability, severity, detectability), risk priority thresholds, and applicable regulatory standards

**Typical Use**: Risk scoring matrices (e.g., 1–5 severity × 1–5 probability), RPN thresholds, ISO 14971 risk acceptability criteria, ICH Q9 risk ranking criteria

***

### Risk Component Table

The **risk\_component** table catalogs the components, subsystems, materials, or process steps that are subjects of risk evaluation.

**Purpose**: Maintain a reusable library of assessed components or process elements that can be referenced across multiple risk assessments

**Typical Use**: Device subsystems, raw material categories, process unit operations, software modules, equipment types

***

### Risk Test Table

The **risk\_test** table documents verification activities that confirm risk controls are effective and residual risks are acceptable.

**Purpose**: Record test plans, test results, and pass/fail determinations for risk control verification

**Typical Use**: Design verification tests, process validation studies, safety testing, analytical method verification tests

## Setting Up Risk Standards

Before creating risk assessments, configure your risk scoring criteria in the **risk\_standard** table.

{% stepper %}
{% step %}
Navigate to the **risk\_standard** table from the side menu
{% endstep %}

{% step %}
Click **+ Add** to create a new standard record
{% endstep %}

{% step %}
Define the standard details:

* **Name**: Standard title (e.g., "ISO 14971 Risk Matrix" or "Process FMEA Criteria")
* **Applicable regulation**: ISO 14971, ICH Q9, ISO 31000, internal procedure, etc.
* **Severity scale**: Define severity levels (e.g., 1 = Negligible, 2 = Minor, 3 = Serious, 4 = Critical, 5 = Catastrophic)
* **Probability scale**: Define probability levels (e.g., 1 = Improbable, 2 = Remote, 3 = Occasional, 4 = Probable, 5 = Frequent)
* **Acceptability criteria**: Define what constitutes acceptable, ALARP, and unacceptable risk levels
{% endstep %}

{% step %}
Save the standard. It will be available to reference when creating individual risk records
{% endstep %}
{% endstepper %}

{% hint style="info" %}
Establishing consistent risk standards before conducting assessments ensures that risk evaluations are comparable across products, processes, and time periods.
{% endhint %}

## Creating a Risk Assessment

{% stepper %}
{% step %}
Navigate to the **risk\_assessment** table from the side menu
{% endstep %}

{% step %}
Click **+ Add** to create a new risk assessment record
{% endstep %}

{% step %}
Enter the assessment details:

* **Name**: Descriptive title (e.g., "FMEA – Centrifuge Operation v1.0")
* **Assessment type**: Product, process, facility, software, or change-based
* **Scope**: What is included and excluded from this assessment
* **Methodology**: FMEA, HACCP, Fault Tree Analysis, Bow-tie, or other method
* **Applicable standard**: Link to the relevant **risk\_standard** record
* **Team members**: Assigned owner and participating reviewers
* **Assessment date**: When the assessment is being conducted
{% endstep %}

{% step %}
Document any background information, reference documents, or design inputs in the record's sections
{% endstep %}

{% step %}
Begin adding individual risk items by creating records in the **risk** table linked to this assessment
{% endstep %}
{% endstepper %}

## Identifying and Evaluating Risks

{% stepper %}
{% step %}
Navigate to the **risk** table from the side menu
{% endstep %}

{% step %}
Click **+ Add** to record a new risk item
{% endstep %}

{% step %}
Document the risk:

* **Name**: Concise description of the risk or failure mode
* **Parent assessment**: Link to the **risk\_assessment** record this risk belongs to
* **Component**: Link to the relevant **risk\_component** record (if applicable)
* **Hazard**: The source of potential harm (e.g., electrical hazard, chemical exposure, software error)
* **Hazardous situation**: The circumstances that expose someone or something to the hazard
* **Harm**: The potential injury, damage, or adverse outcome
{% endstep %}

{% step %}
Assign initial (pre-control) risk scores:

* **Severity**: How serious is the potential harm?
* **Probability**: How likely is the hazardous situation to occur?
* **Detectability** (if using FMEA): How likely is the failure to be detected before harm occurs?
* The system calculates the **Risk Priority Number (RPN)** or **Risk Level** based on your standard's formula
{% endstep %}

{% step %}
Determine if the initial risk is acceptable per your **risk\_standard** criteria. If not, proceed to define risk controls in the **risk\_control** table
{% endstep %}
{% endstepper %}

## Defining Risk Controls

{% stepper %}
{% step %}
Navigate to the **risk\_control** table from the side menu
{% endstep %}

{% step %}
Click **+ Add** to create a new risk control record
{% endstep %}

{% step %}
Document the control:

* **Name**: Description of the control measure
* **Linked risk**: Reference the **risk** record this control addresses
* **Control type**: Design control, process control, protective measure, warning/labeling, or administrative control
* **Control description**: Detailed explanation of what the control does and how it reduces risk
* **Responsible owner**: Who is accountable for implementing and maintaining this control
{% endstep %}

{% step %}
After the control is implemented, update the **risk** record with the residual risk scores:

* **Residual severity**: Severity after the control is applied
* **Residual probability**: Likelihood after the control is applied
* **Residual RPN / Residual risk level**: Recalculated risk level
{% endstep %}

{% step %}
Verify that the residual risk is acceptable per the applicable **risk\_standard**. If still unacceptable, add additional controls and repeat
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Document the rationale for accepting any residual risk, especially for risks evaluated as ALARP (As Low As Reasonably Practicable). Undocumented risk acceptance is a common finding during regulatory audits.
{% endhint %}

## Verifying Risk Control Effectiveness

{% stepper %}
{% step %}
Navigate to the **risk\_test** table from the side menu
{% endstep %}

{% step %}
Click **+ Add** to create a verification test record
{% endstep %}

{% step %}
Define the test:

* **Name**: Test title or test case ID
* **Linked control**: Reference the **risk\_control** record being verified
* **Test method**: How the test will be performed (bench test, simulation, inspection, analysis)
* **Acceptance criteria**: What constitutes a passing result
* **Tester**: Person responsible for executing the test
* **Planned test date**: When the test is scheduled
{% endstep %}

{% step %}
After executing the test, record the results:

* **Test result**: Pass or Fail
* **Actual result**: Observed outcome with supporting data
* **Test date**: When the test was performed
* Attach test data, reports, or raw data files using the **Files** section
{% endstep %}

{% step %}
If the test passes, update the linked **risk\_control** record status to **Verified**. If the test fails, revise the control and retest
{% endstep %}
{% endstepper %}

## Advanced Features

### Risk Traceability Matrix

Labii's linked records create an end-to-end traceability chain: **Risk Assessment → Risk → Risk Control → Risk Test**

This full traceability is critical for regulatory submissions and audits, allowing reviewers to follow every identified risk through its control and verification evidence.

{% hint style="info" %}
Use the **Record Link** column widget to navigate between linked risk records across tables, or use filtered table views to see all risks, controls, and tests associated with a specific assessment.
{% endhint %}
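
The traceability chain can also be checked outside the UI. The following is an added example, not Labii code or its API: it audits rows exported from the **risk**, **risk\_control**, and **risk\_test** tables for gaps in the chain. The field names, the 4/12 acceptability thresholds, and the sample records are assumptions constructed for illustration.

```python
# Added example: field names, thresholds and records are constructed, not Labii's schema.
SCALE = range(1, 6)                  # 1-5 severity x 1-5 probability matrix
ACCEPTABLE_MAX, ALARP_MAX = 4, 12    # assumed acceptability thresholds

def risk_level(severity, probability):
    """Score = severity x probability, rejecting values outside the scale."""
    for name, v in (("severity", severity), ("probability", probability)):
        if type(v) is not int or v not in SCALE:
            raise ValueError(f"{name}={v!r} is not an integer in 1-5")
    score = severity * probability
    if score <= ACCEPTABLE_MAX:
        return "Acceptable"
    return "ALARP" if score <= ALARP_MAX else "Unacceptable"

def audit(risks, controls, tests):
    """Return sorted (record_id, finding) pairs for gaps in the chain."""
    passed = {t["control"] for t in tests if t["result"] == "Pass"}
    by_risk = {}
    for c in controls:
        by_risk.setdefault(c["risk"], []).append(c)
    findings = []
    for r in risks:
        linked = by_risk.get(r["id"], [])
        if not linked:
            if risk_level(r["severity"], r["probability"]) != "Acceptable":
                findings.append((r["id"], "uncontrolled"))
            continue
        for c in linked:
            if c["id"] not in passed:
                # Status may be updated manually, so it can drift from test evidence
                kind = "verified-without-pass" if c["status"] == "Verified" else "unverified"
                findings.append((c["id"], kind))
        residual = risk_level(r["res_severity"], r["res_probability"])
        if residual == "Unacceptable":
            findings.append((r["id"], "residual-unacceptable"))
        elif residual == "ALARP" and not r.get("rationale"):
            findings.append((r["id"], "alarp-no-rationale"))
    return sorted(findings)

# Constructed sample rows
RISKS = [
    {"id": "R1", "severity": 5, "probability": 3, "res_severity": 5, "res_probability": 1, "rationale": ""},
    {"id": "R2", "severity": 4, "probability": 4},
    {"id": "R3", "severity": 3, "probability": 4, "res_severity": 3, "res_probability": 1},
    {"id": "R4", "severity": 2, "probability": 2},
]
CONTROLS = [{"id": "C1", "risk": "R1", "status": "Verified"},
            {"id": "C2", "risk": "R3", "status": "Verified"}]
TESTS = [{"id": "T1", "control": "C1", "result": "Pass"},
         {"id": "T2", "control": "C2", "result": "Fail"}]

if __name__ == "__main__":
    for record_id, finding in audit(RISKS, CONTROLS, TESTS):
        print(record_id, finding)
```

Each finding names the record to open in Labii: a control marked **Verified** with no passing test, a non-acceptable risk with no control, or an ALARP residual risk with no documented rationale.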

### Residual Risk Summary and Benefit-Risk Analysis

Use Labii's dashboard and reporting features to generate a residual risk summary across all risks in an assessment:

* Count of risks by residual risk level (Acceptable, ALARP, Unacceptable)
* Distribution of risks before and after controls
* Overall risk acceptability conclusion supporting a benefit-risk determination

### Reusing Components and Standards

The **risk\_component** and **risk\_standard** tables serve as reusable libraries. Once defined, components and standards can be referenced across multiple risk assessments, ensuring consistency and reducing setup time for subsequent assessments.

### Integration with QMS Workflows

Risk assessments can be linked to related quality records in the QMS application:

* Connect a risk assessment to a **Change Control** record to document the risk evaluation supporting a proposed change
* Link risk findings to **Non-Conformance** or **CAPA** records when a quality event reveals a previously unidentified risk
* Reference risk assessments in controlled **Documents** as supporting evidence

## Troubleshooting

### Issue: Risk scores or RPN are not calculating automatically

**Symptoms**: After entering severity and probability values, the calculated risk level or RPN field remains empty

**Solution**:

{% stepper %}
{% step %}
Verify that the **risk\_standard** record linked to the risk assessment has the scoring scale and formula correctly configured
{% endstep %}

{% step %}
Check that the severity and probability values entered match the scale defined in the linked standard (e.g., values must be numeric integers within the defined range)
{% endstep %}

{% step %}
Contact your Labii administrator to confirm that the RPN or risk level column formula is correctly configured in the table settings
{% endstep %}
{% endstepper %}

### Issue: Cannot link a risk to a specific risk assessment

**Symptoms**: The parent assessment field in the risk table does not show the expected assessment record

**Solution**:

{% stepper %}
{% step %}
Confirm the **risk\_assessment** record has been saved and is not in a draft or archived state
{% endstep %}

{% step %}
Check your project permissions—you must have access to the project containing the risk assessment record to link to it
{% endstep %}

{% step %}
Use the search function within the link field to search by the exact assessment name or record ID
{% endstep %}
{% endstepper %}

### Issue: Risk test record is not updating the linked control status

**Symptoms**: After recording a passing test result, the linked risk control status does not automatically update to "Verified"

**Solution**:

{% stepper %}
{% step %}
Manually update the **risk\_control** record status to **Verified** — status transitions based on test outcomes may require manual updates depending on your configuration
{% endstep %}

{% step %}
Attach the completed test report to the risk test record and note the test record ID in the risk control record's notes for traceability
{% endstep %}
{% endstepper %}

