
5 Risk Assessment tools used by Life Sciences Companies


Quality risk management is a non-negotiable requirement to comply with ISO 13485 and 21 CFR 820. Yet, every year, Life Sciences companies face warnings from regulatory bodies, such as the FDA in the U.S., the EMA in Europe and MHRA in the U.K. Warnings can lead to import alerts, and that’s when products and medicines get pulled off the shelves or never even reach them, ultimately depriving those that need them most.

To prevent such a scenario from unfolding, bottlenecks of non-conformities need to be addressed as soon as possible. To resolve them, regulatory agencies unite before the ICH (The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use) to work together in following common guidelines (e.g. Q7, Q8(R2), Q9 and Q10). Despite their best efforts though, non-conformities just keep accumulating.

The cause? Failures in the quality management processes of organizations. And the main reason underpinning that is poor risk assessment and management.

In order to improve their risk management strategy, life science organizations around the world, especially those in healthcare, turn to several different risk assessment tools. This helps them to uncover the underlying chain of events (or causes) that result in their non-conformities.



The 5 Tools used by Life Sciences Companies in Risk Assessment

The five most common risk assessment methods used by Life Sciences companies for their quality issues include Cause and Effect Analysis, the ‘Five Whys’, Fault Tree Analysis, Failure Mode Effect Analysis (FMEA) and Risk Ranking. Below is a brief summary and real case examples of each of these five risk assessment tools.


1. Cause and Effect Analysis (Fishbone Diagram)

    • Popularly known as an Ishikawa diagram, fishbone diagram, herringbone diagram, Fishikawa diagram, or cause-and-effect diagram, it is a visual diagram that breaks down a problem into smaller, more manageable pieces: the causes of an event. It’s often used in manufacturing and product development to lay out the different key characteristics, key process parameters, and steps in a process, to demonstrate where quality control issues might arise, and to determine which resources are needed at certain times.

    • It is used for identifying the potential causes and effects of a problem or risk in Risk Assessment. 

    • It is also useful for brainstorming sessions to identify potential causes of a problem, deviation or nonconformity.

    • The diagram resembles the skeleton of a fish, with the final outcome or problem at the fish head and the potential causal factors represented by the fishbones. Each bone belongs to a category. 

    • Causes are grouped in broad categories such as the 5 Ms: Manpower, Materials, Machine, Methods, and Measurement. Sometimes a Miscellaneous category can be included so as to cover all possible origins of the issue.

A practical example of Fishbone Diagram:


Product defects in pharmaceutical manufacturing process

Possible causes in 5Ms categories:

    • Manpower:
      • Insufficient training of operators
      • Inadequate staffing levels
      • Poor communication between operators and responsible persons
    • Materials:
      • Poor quality raw materials
      • Incorrect storage conditions
      • Supply chain issues causing variations in the manufacturing process.
    • Machine:
      • Equipment malfunction
      • Poorly maintained machinery
      • Inaccurate calibration
      • Inadequate automation
    • Methods:
      • Inadequate process documentation
      • Inefficient process design
      • Lack of process monitoring
    • Measurement:
      • Inaccurate testing procedures
      • Insufficient quality control checks
      • Quality control and testing non-compliant with regulatory standards



By analyzing possible causes within each category, organizations can identify specific areas where improvements can be made to mitigate the risk of product defects. This allows them to implement targeted measures to minimize the occurrence of defects and ensure product quality and patient safety.



An Ishikawa (Fishbone) diagram is a type of cause and effect analysis used in Risk Assessment.


2. The Five Whys

    • The Five Whys technique is a simple, iterative, and team-driven process that aims to uncover the root cause of a problem or defect by interrogating the issue through asking ‘Why?’ at least five times.

    • Each answer forms the basis of the next question, and the final ‘why?’ should lead to root cause.

A practical example of Five Whys:


Out-of-specification results in the Quality Control department.

Five Whys process: 

1. Why did the test results show an out-of-specification (OOS) result?

Because the concentration of a specific ingredient is higher than the specified limit.

2. Why was the concentration of the ingredient higher than the specified limit?

Because an incorrect formulation was used during the manufacturing process.

3. Why was an incorrect formulation used?

Because there was an error in the batch formula provided to the manufacturing team.

4. Why was there an error in the documentation?

Because the person responsible for preparing the documentation did not have access to the most up-to-date specifications and was not included in the change control process.

5. Why didn't the person responsible have access to the most up-to-date specifications and was not included in the change control process?

Because there was a lack of communication in the change control process between the Quality Control department, Regulatory Affairs department, Manufacturing department, and the documentation team.



Applying the Five Whys technique identifies the root cause of the out-of-specification results as a lack of communication in the change control process between the different stakeholders. To address this issue, minimize the occurrence of out-of-specification results, improve product quality, and reduce the risk of non-compliance with regulatory requirements, several CAPAs can be implemented:

    • Implement a standardized and efficient change control process

    • Provide clear channels of communication and establish regular meetings or checkpoints to ensure accurate and up-to-date information exchange.

    • Improve documentation control procedures to ensure the most recent specifications are readily accessible to the relevant personnel.


Asking the ‘5 Whys’ is useful in determining the root cause of an issue during Risk Assessment.


3. Fault Tree Analysis (FTA)

    • A graphical tool to explore the causes of system level failures.

    • A top-down, deductive failure analysis. 
    • It uses Boolean logic to combine a series of lower (component) level events to find out the cause of a top level event (such as a system level failure).

    • Consists of two elements, “events” and “logic gates”, which connect the events to identify the cause of the top undesired event.

    • Easier method than FMEA since it incorporates all possible system failures of an undesired top event. FMEA, in contrast, conducts analysis to find all possible system failure modes irrespective of their severity.


A practical example of Fault Tree Analysis:


Risk of microbial contamination in the drug product

Fault tree analysis process: 

The fault tree diagram shows that microbial contamination in the drug product can occur if there are contaminated raw materials (Cause 1 OR Cause 2 OR Cause 3) AND inadequate sanitation practices (Cause 4 OR Cause 5) AND human error (Cause 6 OR Cause 7) AND environmental factors (Cause 8 OR Cause 9 OR Cause 10) AND inadequate quality control (Cause 11 OR Cause 12 OR Cause 13).


By analyzing contributing events and potential causes, we can create a fault tree diagram to visually represent the risk using logical gates such as AND and OR. The fault tree diagram shows the top event at the top and branches representing the contributing events and causes leading to the top event.

By using the fault tree analysis, pharmaceutical companies can identify critical risk pathways and focus their risk mitigation efforts on specific causes and events. This enables them to implement appropriate preventive measures such as rigorous raw material testing, robust sanitation procedures, proper training and hygiene practices, effective environmental monitoring, and comprehensive quality control protocols to reduce the likelihood of microbial contamination in the drug product and ensure patient safety.
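The gate logic described above can be checked mechanically. The following is an added example, not part of the original article: it encodes the microbial contamination fault tree as nested AND/OR gates, evaluates the top event for a given set of active causes, and enumerates the minimal cut sets (the smallest combinations of causes that produce the top event). The tuple encoding and the function names are assumptions made for illustration; the cause numbers are the ones used in the text.

```python
from itertools import product

# Gates are encoded as ("AND"|"OR", children); basic causes are integers.
# This encoding is an assumption of the example, not a standard format.
def OR(*children):
    return ("OR", children)

def AND(*children):
    return ("AND", children)

# Fault tree from the example above: five branches joined by AND,
# each branch an OR over its numbered causes.
TREE = AND(
    OR(1, 2, 3),     # contaminated raw materials
    OR(4, 5),        # inadequate sanitation practices
    OR(6, 7),        # human error
    OR(8, 9, 10),    # environmental factors
    OR(11, 12, 13),  # inadequate quality control
)

def occurs(node, active):
    """Does the event at `node` occur, given the set of active basic causes?"""
    if isinstance(node, int):
        return node in active
    gate, children = node
    results = (occurs(child, active) for child in children)
    return all(results) if gate == "AND" else any(results)

def cut_sets(node):
    """Minimal cut sets of `node`, as a set of frozensets of basic causes."""
    if isinstance(node, int):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any child's cut set is enough on its own.
        combined = set().union(*child_sets)
    else:
        # AND needs one cut set from every child at the same time.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Keep only minimal sets: drop any set that strictly contains another.
    return {s for s in combined if not any(other < s for other in combined)}

def blocked_by(node, eliminated):
    """True if eliminating these causes makes the top event impossible."""
    return all(cs & frozenset(eliminated) for cs in cut_sets(node))

if __name__ == "__main__":
    sets = cut_sets(TREE)
    print(len(sets), "minimal cut sets, smallest size", min(map(len, sets)))
    print("Eliminating causes 4 and 5 blocks the top event:",
          blocked_by(TREE, {4, 5}))
```

For this tree each of the 108 minimal cut sets contains five causes, one from every branch, so there is no single cause that produces the top event alone, and fully controlling any one branch (for example causes 4 and 5) is enough to block it.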



A Fault Tree Analysis example.


4. Failure Mode Effect Analysis (FMEA)

    • Failures are prioritized according to how serious their consequences are, how frequently they occur, and how easily they can be detected.

    • It also documents current knowledge and actions about the risks of failures, for use in continuous improvement.
    • It uses clear assignments of responsibilities and timeline for each action.


A practical example of FMEA:


Risk of deviations in electronic management systems

FMEA process: 

    • Define the scope and purpose of FMEA
    • Determine potential issues 
    • Determine core components of FMEA: potential failure modes, potential failure effects, potential causes of failures, etc.
    • Grade severity (consequence), likelihood of occurrence (probability) and detectability, using matrices
    • Rank each failure effect based on severity, likelihood of occurrence (probability). Detectability can be included if applicable.
    • Calculate Risk Priority Number (RPN): Severity x Probability x Detectability
    • Prioritize each potential issue
    • Determine how to mitigate critical risks/hazards to acceptable levels.
    • Revise risk levels as needed.

FMEA Process Example

| Potential Failure Modes | Potential Failure Effects | Potential Causes of Failure | Severity (S) | Probability (P) | Risk Priority Number (RPN) = S x P |
| --- | --- | --- | --- | --- | --- |
| Data corruption | Inaccurate or incomplete data records | Insufficient user access controls | | | |
| Unauthorized access | Compromised data integrity and security | Inadequate system backups and recovery procedures | | | |
| System crash or downtime | Disruption of critical operations and delays | Lack of regular system maintenance and updates | | | |

Level of severity and its meaning

| Level | Meaning |
| --- | --- |
| High (3) | Compromises patient safety or regulatory non-compliance |
| Medium (2) | Delays in manufacturing or quality investigations |
| Low (1) | Minor errors or inconvenience |


Level of probability and its meaning

| Level | Meaning |
| --- | --- |
| Very likely (3) | Frequent occurrence due to poor practices or neglect |
| Likely (2) | Occasional occurrence due to gaps in system maintenance |
| Unlikely (1) | Rare occurrence due to established protocols |






Risk Ranking Example

| | Low - 1 | Medium - 2 | High - 3 |
| --- | --- | --- | --- |
| Low - 1 | | | |
| Medium - 2 | | | |
| High - 3 | | | |






Based on the FMEA analysis, an organization can proactively identify and address potential deviations in electronic management systems, reducing the risk of data integrity issues, regulatory non-compliance, and operational disruptions. This helps maintain the reliability, accuracy, and security of critical electronic systems. For example:

    • Implementing robust access controls and user management systems to prevent unauthorized access.
    • Establishing regular backup and recovery procedures to safeguard data integrity and minimize the impact of system crashes or data loss.
    • Enforcing routine system maintenance and updates to address vulnerabilities and prevent deviations.
    • Conducting periodic audits and reviews of electronic management systems to identify and rectify any potential deviations.
    • Enhancing monitoring and detection mechanisms to promptly identify and mitigate any deviations or errors.


5. Risk Ranking

    • Identified risks are assessed either quantitatively or qualitatively to ascertain which ones have the highest likelihood of occurrence and which ones have the greatest severity (consequence) of occurrence. This ranks the risks in overall order of importance.


A practical example of Risk Ranking:


Streamlining Risk Assessment in Pharmaceutical Manufacturing

Risk Ranking process: 

    • Identify potential risks/hazards in manufacturing that could impact product quality or patient safety: equipment failures, contamination issues, etc.
    • Grade criteria: severity (consequence) of potential harm, likelihood of occurrence (probability), detectability, regulatory impact, etc.
    • Rank each potential risk/hazard based on the graded criteria: severity (consequence) of potential harm, likelihood of occurrence (probability), detectability, regulatory impact, etc.
    • Calculate Risk Priority Number (RPN) with above criteria
    • Prioritize each potential risk/hazard
    • Plan mitigation actions 
    • Revise risk levels as needed.
    • Monitor continuously and reassess frequently


A risk ranking tool is an invaluable asset in Life Sciences. It enables systematic risk assessment, prioritization, and mitigation planning, ensuring that critical risks are addressed proactively. By streamlining the risk management process, organizations can enhance product quality, safeguard patient safety, and maintain regulatory compliance in a dynamic and ever-evolving industry.


Risk Ranking, taking into account probability and consequence of each potential risk.



Why organizations fail at Risk Assessment, and why it matters

Despite being quick to adopt the tools we’ve just described for risk assessment, many organizations fail miserably in extrapolating the results and actually using them in product life cycle management. Why is that?

In part, it’s due to the fact that risk assessment is somewhat subjective. Often, risk assessment tasks are assigned to a single individual as they are time-consuming, which invites biases. Then, there's the possibility of over-optimistic risk assessment, in order to push a project further to meet certain timelines and please stakeholders. The intention is not to waste time and to get products to those who need them fast, but in the end the resulting non-compliance causes problems that then eat up much, much more time than doing a thorough initial risk assessment. It can even end up in patients missing out on the medication they need. Saying this is an undesirable outcome is an understatement!


Use Risk Assessment tools in combination for better results

Using several of these risk assessment tools in combination instead of just one is helpful. For example, you can use the Ishikawa Diagram to arrive at various causes of a deviation occurrence, and then make it more effective by narrowing down to the root cause using the Five Whys. The Five Whys technique is useful to arrive at the root cause by clearly differentiating it from its associated symptoms. These symptoms can go on to be listed as ‘failure modes’ and causes can be listed as ‘causes’ in FMEA. The understanding from Fault Tree Analysis can then be used for calculating Risk Prioritization Number (RPN) in FMEA. Finally, risk ranking can be performed using the RPN to avoid subjectivity. In the end, all risk assessment tools can be used to strengthen each other. Ultimately, you benefit from cross-functional teamwork and eliminate the risk of subjectivity and over-optimistic assessment that can lead to audit failures.


Continuous Risk Assessment is fundamental

Another reason why a risk management strategy may fail is because risk assessment is believed to be a one-time activity assuming non-conformity to be a one-time instance. A more effective risk management strategy considers risk assessment as a proactive approach to avoid future non-conformities. 

Generally, risk assessment is triggered by a non-conformity or quality issue and then the whole process begins. In an effective risk management strategy, you would use multiple risk assessment tools to identify causes, then take action to eliminate these causes and prevent the recurrence of a nonconforming product, process or other quality problem. This is known as a Corrective and Preventive Action (CAPA). You would then undertake Change Control, which involves evaluating, documenting, approving, and implementing changes that could affect the validated status of facilities, equipment and processes. Finally, continuous re-assessment of the risk is the last but most important (and most commonly forgotten) step.

In order to implement a more successful risk management strategy, the above process needs to be continued throughout the product life cycle, not just once!

Often, organizations stop at the second step, thinking that merely using risk assessment tools is ‘managing risk’. For compliance reasons, it’s essential to document clear CAPAs, implement correct Change Control and review and reassess risks periodically. Documents need to be standardized and follow good documentation practices, which means specifying the title, authors, cross-functional teams involved, concerned stakeholders, date of preparation, version number, page number and signatures of those involved wherever applicable.

Once every aspect of good and thorough risk management is solidified as a routine, everything gets much easier, we promise!


Scilife for robust Risk Assessment and continual Risk Management

If it sounds like a lot, Scilife has an intuitive Risk Assessment module that provides handy standardized and pre-filled configurable risk management templates, lets you program periodic reviews with automatic notifications to the right people at the right time to take the right actions, and links to powerful CAPA management and Change Control modules all right within the Scilife platform. It takes care of every aspect of Risk Assessment, requiring the least input from your side.


To Sum it Up

Prioritizing risk assessment is all-important, plain and simple. Without it, identifying and solving quality issues becomes a real mess, and could in the worst case even lead to dire consequences to patients. Those fundamental and initial steps are needed to begin digging up the underlying causes of manufacturing issues and then to actually take action to fix them. 

Risk assessment should also be a continuous and ongoing process. Since this is an area that can easily get overwhelming, it’s essential to rank and prioritize risks in order to take quick action where it's needed most urgently. Discovering what these risks are can be done by using the right risk assessment tools. Once those priority risks are identified, it forms the solid basis of a good risk management action plan.

Good documentation practices, a clear action plan, and cross-functional input with the help of correct tools pave the way for more streamlined and successful company processes, not simply audit success.
