/
Introduction to Risk

Introduction to Risk

Owned by Jean Marie Schiraldi
May 19, 2025

QbDVision Risk Assessment Model

QbDVision enables users to create well-defined RMPs using a risk assessment model that seeks to rationalize the various definitions of risk into a standardized approach that can be applied to any product development scenario, including drugs, medical devices, diagnostics, and others. The risk assessment model aligns with recommendations set forth by internationally recognised guidelines (e.g., ICH Q9 (R1) Quality Risk Management guideline) and complies with international standards such as ISO 14971. Defining and using an RMP is required for any Project created within QbDVision. New RMP features have been added to enable smarter risk assessments and increase efficiency in updating Projects to reflect RMP changes that occur as the Project progresses. Additionally, users can generate an RMP report and export this document to PDF, Word, or Excel for review.

The presence of risk is associated with a hazardous situation that has the potential to cause harm to the patient/end user. Users can select to assess this risk quantitatively (using a Preliminary Hazard Analysis or Risk Ranking approach) or qualitatively with Risk Classification.

Quantitative Risk Assessments

The first layer of risk assessment begins with Criticality, which is the product of the severity of the harm (Impact) and the Uncertainty of the harm. In our Risk Assessment model, Impact is conceptually equivalent to the severity of harm. Similarly, Uncertainty is conceptually the same as the Likelihood of harm. Thus, in the context of ISO 14971, Criticality is the product of the severity of harm and the Likelihood of harm, even though this definition is not immediately apparent in the standard.

The second layer of risk involves the Capability Risk, which is conceptually equivalent to the Occurrence of measured data outside the acceptable range. If measured data are frequently outside of the acceptable range, the Occurrence is high. Put another way, the risk related to the process capability is high. The product of Criticality and Occurrence provides a measure of Process Risk, which matches the definition of risk in ISO 14971. In other words, the product of Impact (severity) and probability of occurrence (Likelihood of harm * Occurrence) is equal to the product of Criticality and Occurrence. Although the ISO 14971 standard does not explicitly discuss detectability in its risk assessment, this final layer of risk is also considered in the comparison to determine the Risk Priority Number (RPN), a measure of overall risk.

It is essential to note that Criticality is driven by Impact (severity) and Uncertainty (Likelihood) and is not improved by a reduction in Capability Risk (Occurrence) or Detectability Risk. Better process capability, which reduces the probability of an attribute or parameter being outside of the acceptable range, as demonstrated by manufacturing data, will reduce Process Risk. Similarly, earlier or more sensitive detection capability will reduce Detectability Risk and drive lower overall risk. With this structure, an attribute or parameter can be Critical but have a low overall risk due to robust process capability and control. This methodology is used to define your design space, where these attributes and parameters can vary within predefined limits without impacting critical quality attributes (CQAs).

Qualitative Risk Assessments

When Classification Risk is selected, users can directly set a Risk Label based on the Risk Management Plan defined Criticality Risk Labels. The Risk Management Plan provides a definition field for each Risk Label. No Risk Management Plan-defined numbers will be displayed, as a qualitative risk assessment does not rely on numbers. Subsequently, all calculations that are performed during risk ranking are no longer displayed in the record (Uncertainty, Criticality %, Criticality (Raw), Capability, Process Risk (Raw), Process Risk %, Detectability, Risk Priority Number (Raw), and Risk Priority Number %), along with the fields to justify Capability and Detectability. A new Risk Label Justification field is available for users to explain why they have selected a label, e.g., no attribute is linked. This could be due to regulatory requirements or a non-critical designation where no impact was found for any quality or performance attribute. Additionally, users can link attributes to the criticality assessment; however, unlike in a risk ranking assessment, individual risk labels are not available for selection. For more information about Qualitative (Classification) Risk Assessments, click here.

According to ICHQ9, ‘the output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. […] Risk can be expressed using qualitative descriptors, such as “high”, “medium”, or “low”, which should be defined in as much detail as possible (ICH Q9 (R1) Quality Risk Management guideline). Users can use classification instead of risk ranking for each product type and process-related record within a project to support qualitative risk assessments. Once selected, the record types will enable users to set a Risk Label and provide a Justification.