Using Assessments (QMS)

In addition to Risk Management functionality using the Risk Register and Risk Event model, Vault supports creating and performing other types of risk assessment, including Process Failure Mode and Effects Analysis (pFMEA) risk assessments and others. Assessments contain Assessment Risks, which represent unique combinations of failure mode, effect, cause, and control. You can tag specific Assessment Risks with more general risk categories for trending and reporting. These Assessment Risks are scored with pre- and post-assessment fields to capture Severity, probability of Occurrence, and Detectability scores, combined in an overall Risk Priority Number for the event. Assessments make use of the Risk Matrix, Risk Matrix Setup and Risk Level functions of Vault’s Quality Risk Management (QRM) tools.

Assessment Types

The QRM tool set includes support for multiple risk assessment methodologies:

Failure Mode & Effects Analysis (FMEA)

pFMEA

A pFMEA Risk Assessment is performed against a business process, and thus the first step is identifying a process that requires assessment and creating a Business Process record to uniquely identify and track it. For example, “Batch Manufacturing of Cholecap at Veevaville, CA”.

dFMEA

Design Failure Mode and Effects Analysis applies to systems still in design to analyze the failure mechanisms and lower level functional failures. A dFMEA is a detailed analysis, used to identify any possible failure mode.

uFMEA

Use Failure Mode and Effects Analysis applies to user interaction and the possible failures involved. This analysis seeks to discover where such failures may occur and the possible consequences.

Generic

Generic risk assessments contain applicable templatized information but have not yet been applied to a specific site, process, or product.

What-if

A risk assessment which determines the potential consequences of failures that may occur, then judging the likelihood of those consequences. The analysis can become the basis of a recommended course of action.

Hazard & Operability Analysis (HAZOP)

Hazard and Operability (HAZOP) analysis is an approach to finding possible problems by reviewing designs, existing processes, and operations.

Hazard Analysis Critical Control Point (HACCP)

A risk management system based on analysis and control of hazards from raw material production, supply, and handling, then to manufacturing, distribution, and consumption of the finished product.

Hazard - Harm

Hazard - Harm is a systematic process for identifying hazards, assessing the risks they pose, and taking steps to control those risks. The steps involved in Hazard - Harm typically include:

  • Hazard identification: This involves identifying all the hazards that are present in a particular situation.
  • Hazard assessment: This involves evaluating the severity of the harm that each hazard could cause and the probability of that harm happening.

Creating & Performing a Risk Assessment

You can start a risk assessment from scratch, or copy a previously completed Assessment record using the Copy FMEA Risk Assessment record action, if configured. These steps may differ depending on your assessment type, Vault configuration, and your organization’s processes.

The following example steps guide you through creating a new, original pFMEA risk assessment:

  1. Create an Risk Assessment record of the pFMEA Risk Assessment object type from a custom tab or from Business Admin.
  2. Select a Business Process record.
  3. Optional: Add a process diagram for this assessment in the Process Flow Document document reference field. We recommend this step as a best practice for Vaults with QualityDocs configurations to allow users to get a high level view of the specific pFMEA assessment process. For Vaults without QualityDocs functionality, use the Attachments section of the object record instead of this field.
  4. Select an existing Risk Matrix in the Assessment Scoring Matrix field. The selected matrix must have values for Severity, Occurrence and Detectability to work properly with the pFMEA process. This matrix scores the steps within the assessment.
  5. Create and define FMEA Process Steps for this assessment’s process in the FMEA Process Step section of the Risk Assessment. Define a Name, Step Order, and optionally a Description for the step. Step Orders are unique integer numbers; no letters or decimals are allowed. Note that once you have finalized a set of steps defining your process, you cannot change those steps without potentially changing information on any events already identified in your assessment. Best practice configurations prohibit altering the order of steps in a pFMEA after beginning the assessment.
  6. Add Assessment Risks for each process step, following your organization’s specific risk identification workflow. If configured by an Admin, you can perform the Create Risk from Template action on the pFMEA Risk Assessment record to automate Assessment Risk creation, or use the Risk Builder tool for rapid data entry. If these options are not available:
    1. At a minimum, you must define a Name, select a Scoring Matrix and a Process Step for each Assessment Risk. Your process may also include identifying the FMEA Failure Cause, Controls, Mode, or Effect at this step, or in a subsequent lifecycle state.
    2. In the Assessment Risk, define the Initial RPN values for the relevant factors, such as Severity, Occurrence, and Detectability. Your Initial RPN field will not populate until the event has been scored for each of Severity, Occurrence and Detectability. Follow your organization’s process for analysis and scoring of Assessment Risks.
  7. Select a Risk Response based on your organization’s workflow. Your configuration may include custom values for how your organization addresses risks. For example, the Mitigate response may require that you add a Mitigation Action Set, while the Accept, Avoid, and Transfer responses may not.
  8. Define the final post-response or post-mitigation RPN values for the Assessment Risk. You must provide all three values for Severity, Occurrence, and Detectability, scoring those attributes of the risk post-mitigation before Vault populates your Final RPN field.
  9. Continue creating Assessment Risks until all FMEA Process Steps are covered.
  10. Complete the Risk Assessment by your organization’s process.

Re-assessments can be started from scratch as described above, or by creating from a previously completed assessment.

Creating a FMEA Risk Assessment From an Existing Assessment

If the process to be analyzed has been previously assessed, you can save effort and time by starting a new assessment by copying much of the information from a previous one.

Use the record action Copy FMEA Risk Assessment on a Assessment object record to perform this copy. This is a special version of the native Copy Record function within your Vault; it is purpose-built to copy the hierarchy of an assessment, restart the lifecycles of associated records, and link those records to their originating records. This action clones the Risk Assessment, FMEA Process Steps, Assessment Risks and FMEA Mitigation Action Set records and their field data into a new set of records, then restarts the lifecycles for those records.

The Copy FMEA Risk Assessment record action copies records according to the following rules:

  • Records not using system-managed object record names, but which require Name to be unique, are auto-named upon copying.
  • When a record is copied via this action, all field data for the record is also copied over, respecting Do not copy this field in Copy Record configurations, excluding inbound relationships to that record. FMEA Risk Category values for Assessment Risks are preserved and copied.
  • When Vault copies a record via this action, the lifecycle of that record is reset to the initial state of the lifecycle in the new record.
  • When Vault copies a record via this action for the governed object types, a field is populated linking the copy to the record from which it was copied for traceability purposes.

Promoting Risks to Risk Registers

During or after your risk assessment processes, you may have Assessment Risks to add to one or more existing Risk Registers. If configured by an Admin, you can use the Promote Risks to Registers user action to accomplish this:

  1. From the Assessment record, select Promote Risks to Registers in the Actions menu. This action may have a different label in your Vault.
  2. In the dialog, select the Assessment Risks that you want to add to the intended Risk Register.
  3. Click Next.
  4. Select up to five (5) Risk Register records.
  5. Click Save.

Vault creates new Risk records on the selected Risk Register, transferring the information from the Assessment Risk and linking the two together.

Rebalancing a Risk Matrix

Organizations using QRM prior to 22R2 may have Risk Assessments that do not populate Initial and Residual Risk Scores fields from the associated Risk Matrix. Additionally, Assessments created before the 23R3 release do not populate Criticality Scores and Levels defined in the Risk Matrix. Risk assessment heatmaps rely on these field values.

To address this issue, your Admin can configure a user action on Risk Matrix lifecycle states. Execute the Rebalance Risk Matrix action on a Risk Matrix record to asynchronously update Risk and Criticality fields in a Risk Matrix, and all the Assessment Risk records within Risk Assessments where the Risk Matrix is used. The user action recalculates Risk Scores and Risk Levels, populating Assessment Risk records’ Risk Score and Risk Level fields based on the Risk Scores and Risk Levels defined in the applicable Risk Matrix. In addition, this action recalculates the Criticality Scores and Criticality Levels, populating Assessment Risk records’ Criticality Score and Criticality Level fields based on the Criticality Scores and Criticality Levels defined in the applicable Risk Matrix.

The user who performed the action will receive an email with a link to the job log with additional details about which records were updated.