Risk-Based Thinking in ISO 15189 Compliance: Building an Effective Risk Register for Clinical Physiology Departments

Risk-based thinking is a core requirement of ISO 15189:2022, the international standard governing quality management systems and competence in medical laboratories. For clinical physiology departments, including respiratory and sleep labs, this means proactively identifying, assessing, and controlling risks before they affect patient outcomes or accreditation status. Building a structured risk register is the practical tool that makes this requirement operational, turning a compliance obligation into a genuine quality improvement process.

TL;DR

  • ISO 15189:2022 significantly strengthened risk management requirements for medical laboratories, making a formal risk register essential, not optional.

  • A risk register translates abstract risk-based thinking into documented, auditable actions that satisfy NATA accreditation requirements.

  • Clinical physiology departments face unique risks across testing workflows, equipment, and reporting that a general laboratory risk assessment template may not capture.

  • Effective ISO 15189 document control and quality control methods are inseparable from a functioning risk management framework.

  • Purpose-built software can embed risk management into daily lab operations, reducing the administrative burden of compliance.

About the Author: This article is published by Rezibase, a cloud-based respiratory and sleep reporting platform built by respiratory scientists and trusted by over 35 sites across Australia and the UK, including NHS and NSW Health facilities. Rezibase's accreditation module is specifically designed to meet ISO 15189 and TSANZ/NATA standards for clinical physiology departments.

What Is Risk-Based Thinking in the Context of ISO 15189?

Risk-based thinking is a structured, proactive mindset embedded throughout ISO 15189:2022 that requires laboratories to consider what could go wrong, assess the likelihood and impact, and implement controls before problems occur.

According to research published via KnE Open (Thomas, 2025), the updated ISO 15189:2022 standard placed a significantly greater emphasis on risk management in the clinical laboratory compared to its predecessor. This shift moves risk from being an implicit background consideration to an explicit, documented, and reviewable process.

As noted by Vanstapel et al. (2023) in Clinical Chemistry and Laboratory Medicine, both the EU IVDR 2017/746 and ISO 15189 are guided by system thinking and risk-based measures to confirm fitness for purpose. This alignment signals that risk-based thinking is not just a compliance checkbox but a foundational principle of modern laboratory quality.

Key characteristics of risk-based thinking in ISO 15189:

  • It is preventive, not reactive

  • It applies across the entire testing process: pre-analytical, analytical, and post-analytical

  • It must be documented and reviewed regularly

  • It connects directly to corrective and preventive action (CAPA) processes

Why Does ISO 15189:2022 Require a Formal Risk Register?

A risk register is a structured document that records identified risks, their likelihood and consequence ratings, assigned owners, and the controls in place or planned.

ISO 15189:2022 does not prescribe a specific format, but it does require laboratories to demonstrate that risks have been identified, evaluated, and addressed. A risk register is the most widely accepted method for meeting this requirement in a way that is auditable during an ISO 15189 gap analysis or NATA accreditation requirements review.

According to QMII (2025), ISO standards recognise a variety of risk assessment tools including brainstorming, checklists, fault tree analysis, and bowtie analysis. For most clinical physiology departments, a well-structured risk register using a standardised rating matrix is both sufficient and practical.

What a compliant risk register must include:

Element              Description
Risk ID              Unique identifier for tracking
Risk Description     Clear statement of what could go wrong
Risk Category        Pre-analytical, analytical, post-analytical, or operational
Likelihood Rating    Scored on a defined scale (e.g., 1-5)
Consequence Rating   Scored on a defined scale (e.g., 1-5)
Risk Score           Likelihood x Consequence
Current Controls     Existing mitigations already in place
Additional Actions   Further controls required
Owner                Person responsible for the risk
Review Date          When the risk will be reassessed

What Risks Are Unique to Respiratory and Sleep Labs?

Clinical physiology departments have a distinct risk profile that a generic laboratory risk assessment template will not fully address. The combination of complex equipment, patient-facing testing, and specialised reporting creates risk categories not always present in pathology or other laboratory settings.

Common risk categories specific to respiratory and sleep labs:

  • Equipment calibration drift: Spirometers, body plethysmographs, and polysomnography systems require regular biological and technical quality control. Failures here directly affect diagnostic accuracy.

  • Normal values misapplication: Using outdated or incorrect reference equations (e.g., applying the wrong GLI equations for a patient population) can result in systematic misclassification.

  • Manual data transcription errors: Double data entry between devices and reporting systems is a well-recognised source of error that increases clinical risk.

  • Sleep lab accreditation requirements: Sleep studies involve additional complexity around scoring rules, technician competency, and equipment maintenance that must be captured in the risk register separately from respiratory testing.

  • Reporting turnaround times: Delays in report delivery represent both a clinical risk and a patient experience risk.

  • Staff competency gaps: Particularly relevant in departments with high staff turnover or those onboarding new graduates.

Identifying these department-specific risks is the starting point. The next step is rating and controlling them within a laboratory quality management system that links risks to actions and evidence.

How Do You Build a Risk Register Step by Step?

Building a risk register for ISO 15189 compliance does not need to be complicated. The following process is practical for most clinical physiology departments.

Step 1: Assemble a cross-functional team
Include senior scientists, the quality manager, and where relevant, medical staff. Risk identification improves significantly when multiple perspectives are included.

Step 2: Map your processes
Walk through each stage of the patient journey: referral, booking, pre-test preparation, testing, data capture, reporting, and result delivery. Each handoff point is a potential risk location.

Step 3: Identify risks at each step
Use structured techniques such as brainstorming or checklist reviews. NQA (2019) notes that risk-based thinking throughout ISO standards focuses on reducing and managing risks across a number of critical areas, and that a disciplined identification step is foundational.

Step 4: Rate each risk
Apply a likelihood and consequence matrix. Keep the scale simple and consistent. Either a 3x3 or a 5x5 matrix works well.

Step 5: Assign controls and owners
Every risk above your acceptable threshold must have a named owner and a documented control. Unowned risks are the most common audit finding.

Step 6: Link to ISO 15189 document control
Controls often reference SOPs, training records, or quality control logs. These links should be explicit in the register so that auditors can trace from risk to evidence.

Step 7: Schedule reviews
A risk register that is not reviewed is not compliant. Set a minimum annual review cycle, with triggered reviews after incidents or significant process changes.
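As an added illustration (not Rezibase's code or anything from the original article), the register elements and the rating and review rules above modelled in Python: the score is Likelihood x Consequence on the 1-5 scale, and the checks mirror Steps 5 and 7 (every risk above threshold needs an owner and a documented control, and every risk needs a review date that has not lapsed). The action threshold of 10, the three sample risks and the SOP reference are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

SCALE = range(1, 6)       # 1-5 likelihood and consequence scale, as in the register table
ACTION_THRESHOLD = 10     # assumed threshold: scores of 10 or more need an owner and a control


@dataclass
class Risk:
    """One row of the risk register, with the elements listed in the article."""
    risk_id: str
    description: str
    category: str                     # pre-analytical, analytical, post-analytical or operational
    likelihood: int
    consequence: int
    current_controls: list = field(default_factory=list)
    owner: str = ""
    review_date: Optional[date] = None

    def score(self) -> int:
        """Risk Score = Likelihood x Consequence; ratings outside the defined scale are rejected."""
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError(f"{self.risk_id}: ratings must be within 1-5")
        return self.likelihood * self.consequence


def audit_findings(register, today: date):
    """Return (risk_id, finding) pairs an assessor would raise against this register."""
    findings = []
    for r in register:
        if r.score() >= ACTION_THRESHOLD and not r.owner:
            findings.append((r.risk_id, "no owner"))
        if r.score() >= ACTION_THRESHOLD and not r.current_controls:
            findings.append((r.risk_id, "no documented control"))
        if r.review_date is None or r.review_date < today:
            findings.append((r.risk_id, "review overdue"))
    return findings


# Constructed sample register (risks drawn from the categories discussed in the article).
REGISTER = [
    Risk("R-001", "Spirometer calibration drift", "analytical", 3, 4,
         ["daily calibration syringe check per SOP-QC-01 (placeholder SOP id)"],
         "Senior Scientist", date(2025, 6, 1)),
    Risk("R-002", "Wrong GLI reference equation applied", "post-analytical", 2, 5),
    Risk("R-003", "Report turnaround exceeds target", "operational", 3, 2,
         ["weekly backlog review"], "Quality Manager", date(2025, 3, 1)),
]


def sample_findings():
    """Run the audit checks on the sample register as at a fixed constructed date."""
    return audit_findings(REGISTER, date(2024, 12, 1))
```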

How Does Software Support Risk Management in Clinical Physiology?

Managing a risk register manually in spreadsheets creates its own risks: version control failures, lost action items, and disconnected quality records. A purpose-built laboratory quality management system resolves these issues by centralising risk, document, and audit management in one place.

Rezibase's accreditation module is designed specifically for respiratory and sleep departments working toward ISO 15189 compliance and NATA accreditation requirements. It brings together management of Documents, Training, Non-conformances, Action Plans, Audits, and Quality Control (including Westgard methods) in a single cloud-based platform. This means that when a risk control references an SOP or a training record, that link is live and auditable, not a note in a spreadsheet cell.

For departments looking to move away from fragmented systems, the transition to Rezibase is straightforward. Data migration is handled as part of the onboarding process, and the platform is configured to reflect your department's existing workflows rather than requiring you to adapt to the software.

Frequently Asked Questions

What is a risk register in ISO 15189?
A risk register is a structured document that records all identified laboratory risks, their ratings, assigned owners, and the controls used to manage them. It is the primary tool for demonstrating compliance with ISO 15189:2022 risk management requirements.

Is a risk register mandatory for NATA accreditation?
NATA accreditation requirements align with ISO 15189, which requires documented evidence of risk management. While NATA does not mandate a specific format, a risk register is the standard method used to demonstrate compliance during assessments.

Where can I find a laboratory risk assessment template or risk register template download?
Many accreditation bodies and quality consultancies provide templates. However, a generic template should always be customised to reflect the specific processes and risks of your department. Rezibase's accreditation module provides a structured framework built around respiratory and sleep lab workflows.

What are sleep lab accreditation requirements for risk management?
Sleep labs operating under ISO 15189 must apply risk-based thinking to their specific processes, including polysomnography equipment maintenance, technician competency, scoring rule adherence, and reporting workflows. These risks should be documented separately from general respiratory testing risks.

How does ISO 15189 document control relate to the risk register?
Document control and risk management are directly linked. Controls identified in the risk register typically reference SOPs, work instructions, or training records. ISO 15189 document control requirements ensure these documents are current, approved, and accessible, which is what gives the risk register its practical effect.

What laboratory quality control methods are relevant to risk management?
Westgard rules are widely used in clinical laboratories for internal quality control. Applying these methods systematically and documenting results provides evidence that analytical risks are being actively monitored and controlled.

How do I start an ISO 15189 gap analysis for my department?
Begin by mapping your current processes against the requirements of ISO 15189:2022. Identify where documentation, risk assessment, or competency records are absent or incomplete. The gap analysis output then becomes the input for your risk register and improvement plan.

About Rezibase

Rezibase is Australia's most advanced cloud-based respiratory and sleep reporting platform, founded by respiratory scientists and now trusted by over 35 sites including NHS facilities in the UK and NSW Health in Australia. Built on 37 years of clinical physiology expertise and backed by Cardiobase, Rezibase offers a fully vendor-neutral, manufacturer-agnostic solution that covers everything from patient referrals and bookings through to ISO 15189-compliant accreditation management. The platform's accreditation module is purpose-built to support respiratory and sleep departments in meeting TSANZ/NATA standards, with integrated document control, non-conformance management, audit tools, and Westgard-based quality control, all in one place.

Ready to simplify your ISO 15189 compliance? Explore how Rezibase can support your department's risk management and accreditation journey at rezibase.com.
