Is it possible to have different types of risk assessments with severity, probability, and likelihood to detect?
Yes, when you define a risk assessment type, you can define a unique ID, so a prefix to generate the ID and name it your own way. So, you can also define these different columns that you want to add to calculate this risk factor.
You can click on ‘add scoring' and ‘add different labels’, for instance you can add the first severity, then you can add a second one for probability, and then a third one for detectability. You can add as many columns as you wish.
So in this case, we would add detectability (likelihood to detect). If you want this automated scoring, you can click on ‘automated scoring’ and even add options with numerical values, for example: very critical (5), medium (3), not relevant (1).
So, you can go for an automated way, and people will see the explanation. In some other cases, you might just use manual scoring and just come up with a number. If you have this manual scoring option and you don't define the values, then what you want to do is in the column of severities you can add the range of values that people should work with, e.g. Severity (5-0).
Can we link the risk assessment to a specific project, a customer or audit?
Yes. When creating a risk assessment, you have two options.You can do a standalone risk assessment, and that is when, for instance, you want to go through this risk assessment exercise every six months. But you can also create a Linked Risk Assessment and you can link it to any other item that you have in Scilife: a project, a nonconformity, a supplier, etc. or any other element that you have in the platform.
You can apply risk assessments, not only when you have a failure. So this could be a reactive risk assessment, so you can apply it to a CAPA, but it’s also important to apply risk assessments when you are defining your processes just to detect your gaps. So this is what we call the preventive risk assessment. And I think it's very nice that you can show to an auditor proactively that you have evaluated your processes and you have applied risk assessments. Using Scilife you can get rid of complex metrics in Excel spreadsheets by linking them to other solutions that we have and filtering them.
It's quite nice to use this system and if you show that electronically, to an auditor. And you also ensure that the system is complying with 21 part 11 and with annex 11 from EU GMP. And the system also has audit trails, complying with data integrity and regulations. So I think it's nice to show that proactively to an auditor.
Assessing severity of a risk assessment seems to be quite subjective. How do you ensure consistent assessments across different users?
Regulations do not specify how you're going to score and which are the numbers you will score in your risk assessment, so it will depend on you. So the best ways to have a procedure of how you are going to manage risk assessments, you need an SOP that explains specifically what type of risk assessments, what tools and what scoring you can use. So your personnel that are preparing risk assessments can use these criteria, and these criteria will depend on every organization.
Can you link product, service and project, for example, which is in the CAPA model, also in the risk model?
Not specifically. So you have to do that through the CAPA, through the event.
But at the moment it's not possible to link products / service / project with the risk module. For that you need to do it through any of our CAPA or the actual event. But it's a nice suggestion. I think that is something that we can also consider for the future.
Can all types of users define and update their CV and competencies?
Yes. Good question as well. You have different types of user roles. For instance:
- Administrator
- Manager
- Regular User
- Read-Only User
So they have different levels of permissions. Of course, Administrators, Manager and Regular fall under the category of full permissions.
Any role can create and they can sign on workflows, they can participate in any workflow. But they have different levels of configurability. Admins can create users and delete users. But the regular will not. And the manager can also define types, but the regular cannot. But then we have the read-only. They only have options to see information. But all different types of users can fill in their own CV and all types of users can also update their matrix of competencies. The admins define how the structure of the CV should be in your organization. This is completely customizable because you can create your own categories and you can create your fields, make them mandatory or not, add dates, add text fields, add numbers, like years of experience. That could be a number, it could be a date, etc. There are the options to save as draft, and update and approve. A CV can be filled in by a read only user, but that read only user cannot approve its own cv.
So for that, you will need to be appointed in the system in the Scilife settings > permissions settings > competences. And then here is where you define who are the competence coordinators in order to be able to approve the updates.
Another interesting thing is that you have different versions, and also categories such as languages or years of experience. And if we check the ones that we have that are relevant for this Showcase, which is testing competencies, you have microbiological testing, last date of practice, years of practical experience, and you could make that required. And you are able to compare the different versions of one CV and see what the progress of a user is. There is also the option to add competence files, like certificates.
Can you export your risk assessment or do any reporting?
You can do reporting on any of the Scilife tools because we are entering data in this web interface. Everything is categorized data that you can then extract as a report. So what we have in the first place that is relevant to know is that in Document Types, you will create your different template reports. So whatever sort of report you want to obtain for the risk assessment, you will create your own template and you will use your variables for that.
All that metadata that you have the option to enter in a risk assessment, you will just copy, paste it into your template for the report, and then use it in the actual risk assessment and for instance download as a pdf. You might have different reports for the same CAPA and risk assessment, like one more extended and one less extended.The report includes all the risk assessment information, like the title, the ID, creation date, date, the signatures by the relevant people, the contents.
You can also export the actual FMEA in an Excel sheet if you want to work with that and add other sorts of reporting. You can also use different filters to do extended reporting.
How does the system distribute versions of a document?
In document control you will always have the assurance that a document will not be shown in a version that is not relevant for everyone in the company. So we have a history of versions just to show how it works. If we have already published version 1.0 there’s the option Substitute because we have a 2.0, sometimes we might only have the version 1.0.
This would be the published version. That would be the version that everyone would see whenever we come up with a revision for whatever the reason This will be put into draft and we will obtain two versions at the same time, a working copy, 1.1, just accessible for author, reviewer, and approver.
For instance, the effective coverage version 1.0 is the only one that people will be able to see until these people come up with version 2.0. That moment, training triggers when people sign on to it and it is published effectively, this one will be published and substituted, and that will become the only distributed version across the whole company.
Can risk assessment be sent for periodic review?
Yes. You can choose two types: linked or standalone. If you choose standalone, you can set up this periodic revision for from one month to 60 months.
