Journal:Identifying risk management challenges in laboratories

From LIMSWiki
Revision as of 18:07, 15 May 2023 by Shawndouglas (talk | contribs) (Saving and adding more.)
Full article title: Identifying risk management challenges in laboratories
Journal: Accreditation and Quality Assurance
Author(s): Tziakou, Evdoxia; Fragkaki, Argyro G.; Platis, Agapios N.
Author affiliation(s): Hellenic Open University, National Centre for Scientific Research “Demokritos”, University of the Aegean
Primary contact: fragkaki at bio dot demokritos dot gr
Year published: 2023
Volume and issue: 28(3)
DOI: 10.1007/s00769-023-01540-3
ISSN: 1432-0517
Distribution license: Creative Commons Attribution 4.0 International
Website: https://link.springer.com/article/10.1007/s00769-023-01540-3
Download: https://link.springer.com/content/pdf/10.1007/s00769-023-01540-3.pdf (PDF)

Abstract

Over the years, risk management has gained significant importance in laboratories of every kind. The safety of workers, the accuracy and reliability of laboratory results, issues of financial sustainability, and protection of the environment play an important role in decision-making in both industry and service-based labs. In order for a laboratory to be considered reliable and safe, and therefore competitive, it is recommended to comply with the requirements of international standards and other regulatory documents, as well as use tools and risk management procedures.

In this paper, information is summarized concerning the terms “risk” and “risk management,” which are then approached through the latest ISO 9001, ISO/IEC 17025, and ISO 14001 standards. The process of risk management based on the ISO 31000 standard is described, and the options for treatment and the techniques that can be applied in the risk management process based on the latest ISO 31010 standard are grouped and indicated. Additionally, a literature review examines the reasons that have led laboratories to integrate risk management techniques into their quality management systems, the most common mistakes that occur in the various phases of laboratory tests, their causes, and their consequences, as well as the proposed treatments. The aim of this work is to highlight significant challenges concerning the need to implement management procedures in the daily routine, while warning, raising awareness of, and informing about existing risk management methods that can be implemented, methodologically and technically, to laboratories, under internationally recognized and updated standards.

Keywords: risk-based thinking, risk management, risk assessment techniques, laboratories, control measures

Introduction

The issue of risk management has existed for thousands of years. [1] The first noted practice of risk management is in the Tigris-Euphrates valley in 3200 BC by the Ašipu, who are considered to be, among others, an early example of risk management consultants. [2, 3] The Ašipu carried out risk analysis for each alternative action related to the risky event to be studied, and after the completion of the analysis they proposed the most favorable alternative. The last step was to issue a final report engraved on a clay tablet that was given to the customer. [4]

The difference between modern risk analysts and the Ašipu of ancient Babylon is that the former express their results as mathematical probabilities and intervals of confidence, while the latter expressed theirs with certainty, confidence, and power. However, to determine the causal relationship between cause and effect, both the ancient ancestors and current researchers rely on observational methods. [2] After World War II, large companies with diversified portfolios of physical assets began to develop self-insurance, which covered the financial consequences of an adverse event or accidental losses. [5, 6] Modern risk management was implemented after 1955 and was first applied in the insurance industry. [7]

The English term “risk” comes from the Greek word “rhiza,” which refers to the dangers of sailing around a cliff. [2] According to Kumamoto and Henley [8], the term “risk” is defined as a combination of five factors: probability, outcome, significance, causal scenario, and affected population. As far as a laboratory is concerned, “risk” is the probability of a laboratory error which may have adverse consequences [9], as it includes factors that threaten the health and safety of staff, the environment, the organization's facilities, the organization's financial sustainability, operational productivity, and service quality. [10] Therefore, for testing laboratories, risk can be considered to be the inability to meet customer needs, the provision of incorrect analytical results, and the failure to meet accreditation requirements, which damage the laboratory's reputation. [11]

Plebani [12] defines risk management as the process by which risk is assessed and strategies are developed to manage it. The goal of any risk management process is to identify, evaluate, address, and reduce the risk to an acceptable level. [13] According to Dikmen et al. [14], risk management involves identifying sources of uncertainty (risk identification), assessing the consequences of uncertain events/conditions (risk analysis), and creating response strategies based on expected results. Finally, based on the feedback received from the actual results and the emerging risk, the steps of identification, analysis, and response are repeated throughout the life cycle of a project to ensure that the project objectives are achieved. Kang et al. [15] define risk management as an act of classification, analysis, and response to unforeseen risks, which are involved during the implementation of a project. Risk management involves maximizing the opportunity and impact of positive events and reducing the likelihood and impact of negative events to achieve the project objectives.

The concept of risk is already known to laboratories, as it was indirectly included in previous versions of ISO 9001 and ISO/IEC 17025, mainly via preventive measures to eliminate possible non-compliances and prevent their recurrence (i.e., ISO 9001:2008 [16], ISO/IEC 17025:2005 [17]). In the new versions of ISO 9001:2015 [18] and ISO/IEC 17025:2017 [19], however, the presence of risk-based thinking is more pronounced and imperative.

As the revised version of ISO/IEC 17025 is in line with ISO 9001 in terms of management requirements, a laboratory should examine the impact of threats as well as seize opportunities to increase management system efficiency to achieve improved results and to avoid negative effects. [20] There is no longer a separate clause on preventive measures, and the concept of preventive action is expressed through the application of the risk and opportunities approach. The concept of risk is implied in each paragraph of the standard related to the factors that affect the validity of the results. Such factors are staff, facilities, environmental conditions, equipment, metrological traceability, technical records, etc. In addition, the creation of a formal risk management system is not a requirement of the standard, but each laboratory can choose the approach which is satisfactory and can be implemented for its needs. [19, 20]

The revised ISO 14001 [20] is also in line with ISO 9001. Risk-based thinking provides a structured approach to managing environmental issues that are likely to affect the organization. Identifying environmental risks and potential opportunities is vital to an organization's success.

Finally, in ISO 31000:2018 [21], risk management is considered to be the coordinated activities carried out for the management and control of an organization in relation to risk. Therefore, in order for a laboratory to comply with the new versions of the standards, it is important to understand risk-based thinking and to examine the functions, procedures, and activities related to risks and opportunities. To address this concern, this paper aims to explore the implementation of a risk-based thinking framework in testing or calibration laboratories and highlight the challenges that arise as part of that implementation.

The risk management process

The risk management process can be applied at all levels of an organization, from strategy to project implementation. In addition, it must be an integral part of management and decision making and integrated into the structure, functions, and processes of the organization. [9] The integrated risk management process relies on a well-structured risk-based thinking which encompasses the whole quality management system (QMS).

In this context, the risk assessment stage consists of three sub-stages: risk identification, risk analysis, and risk evaluation. The purpose of risk identification is to find, recognize, and describe the risks that positively or negatively affect the achievement of the objectives of the organization, even those whose sources are not under its control. [9] According to Elkington and Smallman [22], risk identification is the most important phase of risk analysis, and emphasis is placed on the fact that potential risks should be identified at each stage. Hallikas et al. [23] also state that the identification phase is fundamental to implementing risk management, as by recognizing sources of risk, future uncertainties can be identified and preventive measures can be taken. During risk analysis, the impact of a risk is assessed, while during risk evaluation any additional action is determined.

After completing the risk assessment stage, the risk is addressed by avoiding risk, taking or increasing risk to pursue an opportunity, removing the risk source, changing the likelihood, changing the consequences, sharing the risk (e.g., through contracts, insurance), or maintaining the risk with a documented decision. All the above steps should be monitored and reviewed to ensure and improve the quality and effectiveness of risk management. The results of the process should be recorded and reported throughout the organization to provide information for decision making, for the improvement of risk management activities, and for the interaction with stakeholders. [9]

Risk assessment techniques

Risk assessment, which is often expressed in relation to sources, possible events, consequences, and likelihood, can be a very difficult process, especially when these relationships are complex. A variety of risk assessment techniques is depicted in Table 1. The choice of techniques is not random, however; some factors must first be taken into account, such as the purpose of the assessment, the needs of stakeholders, any legal, regulatory, and contractual requirements, the operating environment and the scenario, the importance of the decision to be made, any defined decision criteria and their form, the time available before a decision is made, the given information and expertise, and the complexity of the situation. [24]

Table 1. Risk assessment techniques

Technique for ... | Examples
Eliciting views | Brainstorming, Delphi technique, nominal group technique, structural or semi-structural interviews, surveys
Identifying risk | Checklists, classifications, and taxonomies; FMEA/FMECA; HAZOP; scenario analysis; SWIFT
Determining sources, causes, and drivers of risk | Cindynic approach, Ishikawa analysis
Analyzing controls | Bow tie analysis, HACCP, LOPA
Understanding consequences and likelihood | Bayesian analysis, Bayesian network and influence diagrams, business impact analysis, cause-consequence analysis, event tree analysis, fault tree analysis, human reliability analysis, Markov analysis, Monte Carlo simulation, privacy impact analysis/data protection impact analysis
Analyzing dependencies and interactions | Causal mapping, cross impact analysis
Providing a measure of risk | Toxicological risk assessment, value at risk, conditional value at risk or expected shortfall
Evaluating the significance of risk | ALARP/SFAIRP, frequency-number diagrams, Pareto chart, reliability centered maintenance, risk indices
Selecting between options | Cost/benefit analysis, decision tree analysis, game theory, multi-criteria analysis
Reporting and recording | Risk registers, consequence/likelihood matrix, S-curves

The most used techniques for identifying risk are the failure modes and effects analysis (FMEA), as well as the failure modes, effects, and criticality analysis (FMECA). FMEA/FMECA can be applied at all levels of an organization and performed at any level of analysis of a system, from block diagrams to detailed elements of a system or steps of a process. [25] This fact leads to several sub-types of FMEA such as system FMEA, design FMEA, process FMEA, and service delivery FMEA. As defined by its name, FMEA is a systematic method designed to identify potential failure modes for a product or process before they occur and to assess the risk. In FMEA, the system or process under consideration is broken down into individual components. For each element, the ways in which it may fail and the causes and effects of failure are examined. FMECA is an FMEA followed by criticality analysis, which means that for each failure its importance is also assessed. The calculation of the risk in the FMEA method multiplies the three risk parameters severity (S), occurrence (O), and detection (D) to produce a risk priority number (RPN, RPN = S × O × D). However, in FMECA, failure modes are classified by their criticality. [26] A quantitative measure of criticality can be derived from actual failure rates and a quantitative measure of consequences, if known. FMEA can be used to provide information for analysis to other techniques such as fault tree analysis (FTA).

FTA is a commonly used technique for understanding consequences and likelihood of risk. It is a logic diagram that represents the relationships between an adverse event, which is typically a system failure, and the causes of the event, which are the component failures. It uses logic gates and events to model the above-mentioned relationships. FTA can be used both qualitatively to identify the potential causes and pathways to the peak event and quantitatively to calculate the probability that the peak event will occur. [27, 28]
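The two calculations described above, RPN ranking and the quantitative use of a fault tree, are shown in the following added example, which is not part of the original article. The failure modes, the scores (a 1-10 scale is assumed), the tree, and its probabilities are constructed for illustration, and basic events are assumed to be independent.

```python
from math import prod

# Constructed FMEA worksheet for a testing laboratory (illustrative scores,
# not taken from the article). S, O, D are assumed to use a 1-10 scale.
FMEA_ROWS = [
    # (process stage, failure mode, S, O, D)
    ("pre-analytical", "sample mislabelled at reception", 8, 4, 6),
    ("pre-analytical", "sample stored outside temperature range", 7, 3, 4),
    ("analytical", "instrument out of calibration", 9, 2, 3),
    ("post-analytical", "transcription error in report", 8, 3, 7),
]

def rank_by_rpn(rows):
    """Return (RPN, stage, failure mode) tuples, highest RPN first."""
    scored = [(s * o * d, stage, mode) for stage, mode, s, o, d in rows]
    return sorted(scored, reverse=True)

# Fault tree: a node is either a number (basic-event probability) or a
# tuple ("AND" | "OR", [child nodes]). Basic events are assumed independent.
def top_event_probability(node):
    if isinstance(node, (int, float)):
        if not 0.0 <= node <= 1.0:
            raise ValueError(f"probability out of range: {node}")
        return float(node)
    gate, children = node
    probs = [top_event_probability(c) for c in children]
    if gate == "AND":   # every cause must occur
        return prod(probs)
    if gate == "OR":    # at least one cause occurs
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate: {gate}")

# Constructed tree for the top event "incorrect result reported":
# (mislabelled sample AND label check missed) OR
# (instrument out of calibration AND QC run fails to detect it) OR
# transcription error in the report.
INCORRECT_RESULT = ("OR", [
    ("AND", [0.02, 0.10]),
    ("AND", [0.01, 0.05]),
    0.003,
])

if __name__ == "__main__":
    for rpn, stage, mode in rank_by_rpn(FMEA_ROWS):
        print(f"{rpn:4d}  {stage:16s} {mode}")
    print(f"P(top event) = {top_event_probability(INCORRECT_RESULT):.6f}")
```

The AND branches show why a detection control matters in the tree: each one multiplies the probability of the initiating failure by the probability that the check misses it.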

Another technique which is commonly used in organizations is the failure reporting, analysis, and corrective action system (FRACAS). It is a technique for identifying and correcting identified deficiencies in a system or a product and, thus, preventing their further occurrence. [29] It is based upon the systematic reporting and analysis of failures, making maintenance of historical data a crucial issue. It is also necessary for the organization to have a database management system. The database is established to store all the required data, which include records on all reported failures, failure analyses, and corrective actions. [30]

Risk identification and treatment in laboratories

Risk identification is the first and most important phase of risk management. [22] In the identification phase, the possible sources of risk which concern the entire activity of the laboratory are recorded. [31]

To identify potential sources of risk associated with the testing process, laboratories should create a process map outlining the steps in the testing process from generating the request for test to reporting the testing result. This map should include all stages of the pre-analytical, analytical, and post-analytical process. [10] An example of such a map is given in Fig. 1.



Figure 1. Process map of the main functions of a testing laboratory. [10]

According to the research of both Plebani and Carraro [32] and Plebani [13], most errors occur during the pre-analytical stages, ranging from 46 to 68%, followed by post-analytical errors, ranging from 19 to 47%, while the fewest errors occur during the analytical stage, ranging from 7 to 13%. Table 2 outlines the main sources of risk in each of these three stages.

Table 2. The main sources of risk during the pre-analytical, analytical, and post-analytical stage in a laboratory
Main sources of risk during the ... References
Pre-analytical stage Analytical stage Post-analytical stage


References

Notes

This presentation is faithful to the original, with changes to presentation, spelling, and grammar as needed. The PMCID and DOI were added when they were missing from the original reference.