Software validation typically also has a risk assessment that follows the URS/FRS process in a logical, traceable way.

THE MOST RECOGNIZED STANDARDS RELATED TO RISK MANAGEMENT ARE:

ISO 31000:2018, Risk Management – Principles and Guidelines

It helps organizations to establish a risk management strategy to define and mitigate risks, enhancing the likelihood of achieving their objectives, and increasing the protection of their assets.

It can be used by any organization regardless of its size, activity, or sector.

httpss://www.iso.org/iso-31000-risk-management.html

ISO 14971:2019, Medical devices — Application of risk management to medical devices

— Application of risk management to medical devices

The acceptance criteria and risk levels can be established using the risk management methodologies of ISO 14971.

httpss://www.iso.org/standard/72704.html

ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements

It establishes the requirements to implement, maintain, and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to, and recover from disruptions when they arise.

httpss://www.iso.org/standard/75106.html

httpss://www.iso.org/news/2012/06/Ref1602.html

Please, do not confuse risk management with a risk assessment document.

Since a risk management system can contain and handle many risk assessment documents.

 RISK ASSESSMENT DEFINITION:

The risk assessment is a document that contains and describes the potential business and compliance risks associated with a system failure or malfunction consistent with ICH Q9 and ISO 31000, Risk Management — Principles and Guidelines.  It shall establish the strategies and actions that will be used to mitigate those risks. Risk assessments justify the allocation of validation efforts and resources. Moreover, it can streamline the testing process.

The most relevant key terms are:

• Harm: Damage to health, including the damage that can occur from loss of product quality or availability.
• Hazard: The potential source of harm.
• Risk: The combination of the probability of occurrence of harm and the severity of that harm.
• Severity: A measure that indicates the possible consequences of a hazard.
• Occurrence: A measure that indicates the probability that the event will actually occur sometime during the system’s life. Also, called Likelihood or the chance that something might happen.
• Detectability: A measure that indicates the probability that a risk event is detected, via other system or manual activities, prior to the time that the risk event causes an impact, that detection likelihood reduces the risk.
• Priority Number (RPN) An standardized risk value calculated by multiplying three (3) risk level values described before.

RPN = Severity Risk Number x Occurrence Risk Number x Detectability Risk Number

What is Risk Assessment?

According to the FDA Guidance for industry: ICH Q9 Quality Risk Management,

 “a Risk assessment is a systematic process of organizing information to support a risk decision to be made within a risk management process.” The risk assessment is an evaluation done and documented at one specific moment of time, not continuous throughout the lifecycle of a product.  httpss://www.fda.gov/media/94339/download

According to ISO 31000, the risk is the

“effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected

When use a Risk Assessment?

The risk assessment is most commonly used as part of:

• CSV Computerized System Validation projects.
• Change Control Evaluation
• CAPA Investigations, Out Of Specifications analysis, Non-conformance incidents, etc.
• Audit Assessment
• Complaint Evaluation
• BCP – Business Continuity Plan
• Other quality-related projects.

How to prepare a risk assessment document

The risk assessment document could contain (but not limited to) the following sections and parts.

• Approval
• Revision History
• Purpose
• Scope
• Background
• Roles and Responsibilities
• Definitions and Abbreviations
• Applicable Documents/References
• Regulatory and Standard related requirements
• Equipment / System / Process Description and Intended Use
• Inclusions / Exclusions
• Risk Analysis Determination
• Describe any potential health risk severity and Likelihood/ Probability:
• Describe any potential regulatory compliance risk severity and Likelihood/ Probability:
• Describe any potential business risk severity and Likelihood/ Probability:
• Electronic Records/Electronic Signatures Impact Assessment
• QSR and GxP Impact Assessment
• Detectability
• Risk Assessment Calculations
• Conclusion and Recommendations – mitigations
• Attachments and Appendixes

Please, do not confuse risk assessment with risk analysis.

Since a risk assessment can contain and handle many risk analyses.

Please not confuse a risk assessment with a risk analysis.