RISK005 Hazard Analysis and Critical Control Point Assessment (RiskVal^SM)

A simple method is provided for determining the system risk level based on the consequences of a failure to meet intended uses. The procedure provides a table that maps the severity of impact to the risk level. A second method for determining system risk level takes into account down-stream mitigations that reduce the likelihood that the harm will occur. This procedure is similar to that described by the author of the procedure in Computer System Risk Management and Validation Life Cycle written by the author of this template, Tim Stein, and published by Paton Professional, 2006. See page 65 – 67, the determination of the initial risk level.

This procedure also includes a method for managing the risks associated with computer system failure by adapting and extending the 13 step risk management process described in ISO 134845. This process can be used to manage risks at the intended use level or the requirements level. Scales needed for risk analysis are included: ratings for the severity of impact, the likelihood of failure, and the risk associated with a failure. A form is included for recording risk evaluations. The risk evaluation and mitigation steps are included, as well the assessment and mitigation of residual risk.

The results of the detailed analysis are used for the mitigation of risk and the determination of the level of testing needed for specific requirements.

This process is similar to that described in pages 162 -186 of Computer System Risk Management and Validation Life Cycle written by the author of this template, Tim Stein, and published by Paton Professional, 2006.