MAN-08 Risk Management
Manual for risk management using the Ketryx Lifecycle Management
1. Introduction
1.1. Purpose
The purpose of this manual is to explain the usage and operations of the Ketryx Lifecycle Management system pertaining to Risk items that act in accordance with ISO 14971 and IEC 62304.
1.2. Scope
The scope of this manual concerns the management of risks in Ketryx and Jira, namely the tools, resources, procedures and deliverables related to the risk management of a product in Ketryx.
1.3. Definitions and acronyms
For the purposes of this document, the terms and definitions given in U.S. QSR (21 CFR Part 820), ISO 13485, and IEC 62304:2006-AMD1 apply. Where contradictory, IEC 62304 and ISO 13485 prevail.
ALM: Application Lifecycle Management
P1: Likelihood of occurrence
P2: Likelihood of harm
Po: Total ("overall") Probability
2. Overview
The Ketryx Lifecycle Management system implements a risk management procedure that aligns with the principles of ISO 14971. Members can conduct project-level and configuration item-level risk analysis with the focus of identifying potential risks and limiting the harm to the patient resulting from said risks.
3. Risk configuration item
Members are expected to perform a product-level risk analysis using methods such as FMEA, and record the results using Risk configuration items for use across the system.
Risk items can be introduced throughout the product lifecycle and in each new version. Moreover, Ketryx allows any risk management methodology to be used, which can be mentioned on the resulting Risk items.
3.1. Introducing risks
It is possible to perform risk analysis on a configuration item level, which can be done for the following item types:
Requirement
Software Item Spec
Hardware Item Spec
Change Request
If a configuration item results in or is associated with a risk, it is referred to as an item with introduced risks.
3.2. Risk controls
Tooling: Risk Control Measure tracking and system notifications
Risk control measures can be created from Risk configuration items. This includes configuration items of the following types: Requirement, Software Item Specification, Hardware Item Specification, and Test Case.
Risk controls can also lead to new risks, which are tracked as well.
4. Risk configuration
The risk configuration is a foundational component of the risk management system as it allows certain members to predefine a list of possible values for various Risk item fields, as well as define the framework of how a risk should be evaluated given a set of values (i.e., P1, P2, and Severity).
The risk configuration can be defined on two levels:
At an organization level (as an organization owner), which will affect the configuration of all projects in said organization
At a project level (with project management permissions), which will scope the configuration to said project and override any overlapping configuration fields set in its organization
For each level, the configuration may be set on the Advanced Settings page of an organization, and of a project.
If a configuration field is not provided on either level, the default system values will be used as a fallback.
4.1. Configuration of risk analysis
The Ketryx ALM offers members an automated risk assessment which relies on matrices to perform the evaluation. Said evaluation puts four evaluation matrices at the members' disposal for configuration:
Initial Total Probability matrix
Initial Risk Evaluation matrix
Residual Total Probability matrix
Residual Risk Evaluation matrix
Ketryx provides the option of a strict mode that does not allow members to override any of the values derived from the matrices when editing a risk. Members may completely customize any of the aforementioned matrices on the Advanced Settings page.
4.2. Harm associated severity
The risk configuration provides the possibility to associate an initial severity to a harm. This results in the associated severity being filled in once the corresponding harm has been selected by a member. In strict mode, a member cannot override an associated severity and they must provide a harm value set in the configuration.
4.3. Hazard type associated configuration
Members may provide a risk configuration that is associated with a hazard type value. Consequently, if a member selects a hazard type with an associated configuration, the following risk configuration fields, if available, will be used instead of the regular risk configuration fields:
Initial and residual total probability matrix
Initial and residual risk evaluation matrix
Initial and residual likelihood of occurrence
Initial and residual likelihood of harm
Initial and residual severity
Initial and residual total probability
Initial and residual risk evaluation
4.4. Non-strict mode (default)
Non-strict mode will enable the following behavior:
Members may freely define a harm, even if the harm does not correspond to any default severity. Therefore, it is also not required to configure a pre-defined list of harms.
The initial severity field may be selected freely and is not coupled to any harm (but may default to a harm's configured severity).
The initial and residual risk evaluation fields as well as overall risk acceptability fields can be manipulated after a calculation.
Additionally, the following synchronization behavior will be active:
On a risk configuration change, only empty fields on an uncontrolled Risk item will be modified, if necessary
Controlled items will remain in a controlled state following a configuration change
Note: This mode is the default to allow for more flexibility. However, we recommend enabling the various strict modes to always enforce up-to-date Risk items.
4.5. Strict modes
Ketryx provides a multitude of strict enforcements for various aspects of the risk management feature, namely:
1. Requiring the selection of a pre-defined harm value and its associated initial severity value
2. Enforcement of any risk analysis values derived from the default or customized risk matrices
3. Requiring the selection of a pre-defined hazard value
4. Requiring the selection of a pre-defined hazardous situation value
To activate these options, navigate to the project's settings page and enable them under the Risk management section.
By turning on strict mode 1 or 2, the following synchronization behavior will be active:
Ketryx will apply the enforced risk configuration to any uncontrolled Risk items and consequently create new records
Controlled items will remain in a controlled state and therefore unaffected
4.5.1. Enforced risk configuration
Note: This feature will only be enabled when a Ketryx project is connected to Jira.
In strict mode 1 and 2, whenever the risk configuration has been changed, either on the organization or project level, Ketryx will create a new record for all relevant Risk items to reflect the most recent configuration.
If a Risk item holds a P1, P2 or severity value that doesn't exist in the new configuration (e.g. the new matrices don't have an entry for the P1/P2 pair), the value will be unset, ultimately removing all the other values that are based on the relevant lookup table.
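The cascade described above can be modelled as two chained lookups, (P1, P2) to Po and then (Po, severity) to the risk evaluation. The following is an added illustration, not Ketryx code or its configuration schema: the names `Risk`, `apply_config` and `unset_fields`, the dictionary layout and all level names are assumptions, and a missing matrix entry is assumed to clear only the values derived from it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample configurations: level names and matrix entries are
# illustrative, not Ketryx defaults and not Ketryx's configuration schema.
OLD_CFG = {
    "p1": {"Low", "Medium", "High"}, "p2": {"Low", "High"},
    "severity": {"Minor", "Major"},
    "total_probability": {
        ("Low", "Low"): "Low", ("Low", "High"): "Medium", ("Medium", "Low"): "Low",
        ("Medium", "High"): "Medium", ("High", "Low"): "Medium", ("High", "High"): "High"},
    "risk_evaluation": {
        ("Low", "Minor"): "Acceptable", ("Low", "Major"): "Acceptable",
        ("Medium", "Minor"): "Acceptable", ("Medium", "Major"): "Not acceptable",
        ("High", "Minor"): "Not acceptable", ("High", "Major"): "Not acceptable"},
}
# The new configuration drops the "Medium" P1 level and every matrix row using it.
NEW_CFG = dict(OLD_CFG, p1={"Low", "High"}, total_probability={
    k: v for k, v in OLD_CFG["total_probability"].items() if k[0] != "Medium"})

@dataclass(frozen=True)
class Risk:
    p1: Optional[str]
    p2: Optional[str]
    severity: Optional[str]
    po: Optional[str] = None          # total probability, derived from (P1, P2)
    evaluation: Optional[str] = None  # risk evaluation, derived from (Po, severity)
    controlled: bool = False

def apply_config(risk: Risk, cfg: dict) -> Risk:
    """Return the record a strict-mode configuration change would produce (hypothetical model)."""
    if risk.controlled:
        return risk  # controlled items stay as they are
    # Inputs that no longer exist in the configuration are unset.
    p1 = risk.p1 if risk.p1 in cfg["p1"] else None
    p2 = risk.p2 if risk.p2 in cfg["p2"] else None
    sev = risk.severity if risk.severity in cfg["severity"] else None
    # Derived values follow from the lookup tables; a missing entry cascades to None.
    po = cfg["total_probability"].get((p1, p2))
    evaluation = cfg["risk_evaluation"].get((po, sev))
    return Risk(p1, p2, sev, po, evaluation)

def unset_fields(risk: Risk) -> list:
    """Names of analysis fields left empty, i.e. what a reviewer must re-enter."""
    return [f for f in ("p1", "p2", "severity", "po", "evaluation") if getattr(risk, f) is None]
```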
4.5.2. Enforced field values
Given the appropriate setting, the system ensures that the entered harm, hazard or hazardous situation of a Risk item corresponds to a harm, hazard or hazardous situation from the risk configuration, respectively. If the entered value does not correspond to a pre-defined value, members will not be able to approve the Risk item once it is in a resolved state.
5. Creating and editing risks
Risks may be created either in Ketryx or Jira, with the former being recommended and the latter being subject to certain restrictions. The risk form is available through the risks page, by clicking on the Add risk button.
To edit an existing risk, an Edit risk button can be found on an individual item in the risks page.
For detailed instructions on the workflow of a risk, see WI-10 Risk.
5.1. Editing in Jira
For the best user experience, we recommend managing your risk analysis in Ketryx. However, if you opt to manage Risk items in Jira, there are some caveats and formatting limitations to pay attention to, which are described in detail in the following sections.
5.1.1. Jira rich-text formatting
Jira provides extensive rich-text formatting capabilities out of the box, which also apply to all the relevant Risk item fields. However, not all formatting capabilities map seamlessly to Ketryx.
As a guideline, it is highly recommended to only use the following formatting functionality within a rich-text field on Risk items:
Paragraphs
Ordered / Unordered lists
Basic inline formatting such as bold, italic, or inline code
The following formatting options are not supported and will cause undesired formatting on Ketryx's side when synchronizing items with Jira:
Tables
Inline images and other attachments
Font colors
Strikethrough
Code blocks
Title headers
Info/warning/error boxes
@mentions for users and Jira tickets
Emojis
Dates
States
… and other similar complex constructs that go beyond the recommended list
The following behavior may occur when handling Risk items using unsupported formatting within Ketryx:
The Ketryx Risk management page and risk editing form may show malformed text or omit particular information. After saving, the data as seen on Ketryx will still be stored in the record as-is.
When editing and saving a dataset containing unsupported formatting, particular styling / information may be removed upon save and will be synchronized to Jira (to re-align with Ketryx's formatting standards).
5.1.2. Omitted risk analysis fields
A Risk item in Jira does not possess any editable initial and residual risk analysis fields (e.g. P1, Severity). Instead, it offers a read only widget to view the values of these fields, which can be set in Ketryx. The values are rendered using risk calculation boxes.
5.1.3. Harm associated severity
Due to technical limitations, the harm field in Jira is a free-form text field. When the risk configuration of the connected Ketryx project has strict mode activated, and the entered harm does not correspond to any harm in the risk configuration, the Initial severity field remains unchanged in the widget and will not map to its pre-configured harm <--> initial severity value.
5.1.4. Hazard and hazardous situation
Similar to the harm field, both the hazard and hazardous situation fields in Jira are free-form text fields, and don't provide pre-configured dropdowns based on the Ketryx project's risk configuration. Consequently, when the risk configuration's strict modes are enabled, members are required to enter the precise value of a configured hazard/hazardous situation; otherwise, the approval of the risk may be blocked.
5.1.5. Sequence of events content
The Ketryx ALM expects a numbered list in the Foreseeable sequence of events field. If a member fails to provide content in this format, Ketryx shall do its best to transform the provided content into a numbered list in Ketryx.
Each entry in the list denotes an individual event within the sequence, with the specified order being of significance.
5.1.6. Risk calculation boxes
In the risk form and risk management Jira widget, Ketryx offers a visual container that provides an understanding of how certain risk analysis fields were derived. Members can visually toggle, in the container, any of the matrices that were used in the calculations.
Derived values that are based on the matrices will be visually marked as "recommended" values by the form. However, users retain the flexibility to override these recommendations. If they do, their action will be made explicit with an asterisk in the container, or even with a completely separate container as is the case with the overall risk acceptability.
6. Risk management page
Members can review risks using the risk table in the Risk management page. Items in the table can be grouped by Harm or Hazard, sorted by various Risk item fields and filtered by acceptability.
Each Risk item row will feature an overview of the risk acceptability, of any missing approvals and if the benefit-risk analysis is set. Furthermore, risk controls of a risk will have their test cases and corresponding results listed. Metadata-related details, including the ticket state, current owner, and pertinent versions, are also visible.
Members should document their risk analysis review in the risk management file.
7. Risk controls page
Members can review risk controls using the risk table in the Risk controls page. For each risk control, the following columns can be seen:
The risk being controlled
A hazard analysis of the risk
Any risks introduced by the risk control
Any test cases covering the risk control
The item status of the risk control
Hazard analysis
The hazard analysis gives an overview of the following fields originating from the controlled risk:
Hazard (Rich-text field)
Hazardous situation (Rich-text field)
Sequence of events (Rich-text field)
Harm (Rich-text field)
Residual risk (Dropdown value)
Risk acceptability (Acceptable or Not acceptable)
Benefit-risk analysis (Rich-text field)
For the hazard analysis to show up green, the following conditions must be met: the first four rich-text fields must be filled out and the risk acceptability must be acceptable. If the latter is not acceptable, then a benefit-risk analysis must be provided. If any of the fields (except for benefit-risk analysis) are missing, then the status pill will show an exclamation icon. If the risk acceptability is not acceptable and no benefit-risk analysis is provided, then an error icon will be displayed.
Controlled risk & Arising risks
The controlled risk and arising risks (if any) statuses indicate whether the relevant risks are in a controlled state.
Tests
The tests column indicates whether a Test Case has been assigned to the risk control. Furthermore, it informs the user whether the Test Case is in a controlled state and if a corresponding controlled Test Execution exists. If a failing Test Execution exists, then the status pill will show up with an error icon.
8. Release documents
Ketryx offers four built-in release documents related to risks:
Risk Management File
Risk Matrix
Risk Control Matrix
Testing Report
Custom documents may be generated based on document templates.
8.1. Risk matrix customizations
Columns in the risk matrix release document may be renamed or omitted. See the Risk matrix field under Document configuration on the Advanced project settings page.
8.2. Risk management file customizations
By default, the Risk Management File includes a section about the latest configured risk evaluation matrices. A member may omit this section by configuring the Risk Management File field under Document configuration on the Advanced project settings page.