Using Process FMEA Risk Assessments (QMS)

In addition to Risk Management functionality using the Risk Register and Risk Event model, Vault supports creating and performing Process Failure Mode and Effects Analysis (pFMEA) risk assessments. Processes require a set of steps to be identified, such that the events within a pFMEA assessment are tied to individual steps, supporting a procedural approach to risk identification, analysis, and mitigation. Risk Assessments (pFMEA) contain Assessment Risks, which represent unique combinations of failure mode, effect, cause, and control within a step of a process. You can tag specific Assessment Risks with more general risk categories for trending and reporting. These Assessment Risks are scored with pre- and post-assessment fields to capture Severity, probability of Occurrence, and Detectability scores, combined in an overall Risk Priority Number for the event. Risk Assessments (pFMEA) make use of the Risk Matrix, Risk Matrix Setup and Risk Level functions of Vault’s Quality Risk Management tools.

About Business Processes

A pFMEA Risk Assessment is performed against a business process, and thus the first step is identifying a process that requires assessment and creating a Business Process record to uniquely identify and track it. For example, “Batch Manufacturing of Cholecap at Veevaville, CA”.

Creating & Performing a New pFMEA Risk Assessment

You can start a risk assessment from scratch, or copy a previously completed Risk Assessment (pFMEA) record using the Copy FMEA Risk Assessment record action, if configured.

The following steps guide you through creating a new, original pFMEA risk assessment:

  1. Create an Risk Assessment record of the pFMEA Risk Assessment object type from a custom tab or from Admin > Business Admin.
  2. Select a Business Process record.
  3. Optional: Add a process diagram for this assessment in the Process Flow Document document reference field. We recommend this step as a best practice for Vaults with QualityDocs configurations to allow users to get a high level view of the specific pFMEA assessment process. For Vaults without QualityDocs functionality, use the Attachments section of the object record instead of this field.
  4. Select an existing Risk Matrix in the Assessment Scoring Matrix field. The selected matrix must have values for Severity, Occurrence and Detectability to work properly with the pFMEA process. This matrix scores the steps within the assessment.
  5. Create and define FMEA Process Steps for this assessment’s process in the FMEA Process Step section of the Risk Assessment. Define a Name, Step Order, and optionally a Description for the step. Step Orders are unique integer numbers; no letters or decimals are allowed. Note that once you have finalized a set of steps defining your process, you cannot change those steps without potentially changing information on any events already identified in your assessment. Best practice configurations prohibit altering the order of steps in a pFMEA after beginning the assessment.
  6. Add Assessment Risks for each process step, following your organization’s specific risk identification workflow. If configured by an Admin, you can perform the Create Risk from Template action on the pFMEA Risk Assessment record to automate Assessment Risk creation. If this action is not available:
    1. At a minimum, you must define a Name, select a Scoring Matrix and a Process Step for each Assessment Risk. Your process may also include identifying the FMEA Failure Cause, Controls, Mode, or Effect at this step, or in a subsequent lifecycle state.
    2. In the Assessment Risk, define the Initial RPN values for the relevant factors, such as Severity, Occurrence, and Detectability. Your Initial RPN field will not populate until the event has been scored for each of Severity, Occurrence and Detectability. Follow your organization’s process for analysis and scoring of Assessment Risks.
  7. Select a Risk Response based on your organization’s workflow. Your configuration may include custom values for how your organization addresses risks. For example, the Mitigate response may require that you add a Mitigation Action Set, while the Accept, Avoid, and Transfer responses may not.
  8. Define the final post-response or post-mitigation RPN values for the Assessment Risk. You must provide all three values for Severity, Occurrence, and Detectability, scoring those attributes of the risk post-mitigation before Vault populates your Final RPN field.
  9. Continue creating Assessment Risks until all FMEA Process Steps are covered.
  10. Complete the Risk Assessment by your organization’s process.

Re-assessments can be started from scratch as described above, or by creating from a previously completed assessment.

Creating a pFMEA Risk Assessment From an Existing Assessment

If the process to be analyzed has been previously assessed, you can save effort and time by starting a new assessment by copying much of the information from a previous one.

Use the record action Copy FMEA Risk Assessment on a Risk Assessment object record to perform this copy. Note that this is a special version of the native Copy Record function within your Vault; it is purpose-built to copy the hierarchy of an assessment, restart the lifecycles of associated records, and link those records to their originating records. This action clones the Risk Assessment, FMEA Process Steps, Assessment Risks and FMEA Mitigation Action Set records and their field data into a new set of records, then restarts the lifecycles for those records.

The Copy FMEA Risk Assessment record action copies records according to the following rules:

  • Records not using system-managed object record names, but which require Name to be unique, are auto-named upon copying.
  • When a record is copied via this action, all field data for the record is also copied over, respecting Do not copy this field in Copy Record configurations, excluding inbound relationships to that record. FMEA Risk Category values for Assessment Risks are preserved and copied.
  • When Vault copies a record via this action, the lifecycle of that record is reset to the initial state of the lifecycle in the new record.
  • When Vault copies a record via this action for the governed object types, a field is populated linking the copy to the record from which it was copied for traceability purposes.

Promoting Risks to Risk Registers

During or after your risk assessment processes, you may have Assessment Risks to add to one or more existing Risk Registers. If configured by an Admin, you can use the Promote Risks to Registers user action to accomplish this:

  1. From the Risk Assessment record, select Promote Risks to Registers in the Actions menu. This action may have a different label in your Vault.
  2. In the dialog, select the Assessment Risks that you want to add to the intended Risk Register.
  3. Click Next.
  4. Select up to five (5) Risk Register records. 
  5. Click Save.

Vault creates new Risk records on the selected Risk Register, transferring the information from the Assessment Risk and linking the two together.