1. Introduction

1.1. Purpose

The purpose of this manual is to explain the usage and operations of the Ketryx Lifecycle Management system pertaining to Risk items that act in accordance with ISO 14971 and IEC 62304.

1.2. Scope

The scope of this manual concerns the management of risks in Ketryx and Jira, namely the tools, resources, procedures and deliverables related to the risk management of a product in Ketryx.

1.3. Definitions and acronyms

For the purposes of this document, the terms and definitions given in U.S. QSR (21 CFR Part 820), ISO 13485, and IEC 62304:2006-AMD1 apply. Where contradictory, IEC 62304 and ISO 13485 prevail.

1. ALM: Application Lifecycle Management

2. P1: Likelihood of occurrence

3. P2: Likelihood of harm

4. Po: Total ("overall") Probability

2. Overview

The Ketryx Lifecycle Management system implements a risk management procedure that aligns with the principles with ISO 14971. Members can conduct project-level and configuration item-level risk analysis with the focus of identifying potential risks, and limiting the harm resulting from said risks, to the patient.

3. Risk configuration item

Members are expected to perform a product-level risk analysis using methods such as FMEA, and record the results using Risk configuration items for use across the system.

Risk items can be introduced throughout the product lifecycle and in each new version. Moreover, Ketryx allows any risk management methodology to be used, which can be mentioned on the resulting Risk items.

3.1. Introducing risks

It is possible to perform risk analysis on a configuration item level, which can be done for the following item types:

1. Requirement

2. Software Item Spec

3. Hardware Item Spec

4. Change Request

If a configuration item results or is associated with a risk, it is referred to as an item with introduced risks.

3.2. Risk controls

Tooling: Risk Control Measure tracking and system notifications

Risk control measures can be created from Risk configuration items. This includes configuration items of the following types: Requirement, Software Item Specification, Hardware Item Specifications, and Test Case.

Risk controls can also lead to new risks, which are tracked as well.

4. Risk configuration

The risk configuration is a foundational component of the risk management system as it allows certain members to predefine a list of possible values for various Risk item fields, as well as define the framework of how a risk should be evaluated given a set of values (i.e., P1, P2, and Severity).

The risk configuration can be defined on two levels:

• At an organization level (as an organization owner), which will affect the configuration of all projects in said organization

• At a project level (with project management permissions), which will scope the configuration to said project and override any overlapping configuration fields set in its organization

For each level, the configuration may be set on the Advanced Settings page of an organization,

and of a project.

If a configuration field is not provided on either level, the default system values will be used as a fallback.

4.1. Configuration of risk analysis

The Ketryx ALM offers members an automated risk assessment which relies on matrices to perform the evaluation. Said evaluation puts four evaluation matrices at the members disposal for configuration:

• Initial Total Probability matrix

• Initial Risk Evaluation matrix

• Residual Total Probability matrix

• Residual Risk Evaluation matrix

Ketryx provides the option of a strict mode that does not allow members to override any of the derived values from the matrices, when editing a risk. Members may completely customize any of the aforementioned matrices on the Advanced settings page.

4.2. Harm associated severity

The risk configuration provides the possibility to associate an initial severity to a harm. This results in the associated severity being filled in once the corresponding harm has been selected by a member. In strict mode, a member cannot override an associated severity and they must provide a harm value set in the configuration.

4.3. Hazard type associated configuration

Members may provide a risk configuration that is associated with a hazard type value. Consequently, if a member selects a hazard type with an associated configuration, the following risk configuration fields, if available, will be used instead of the regular risk configuration fields:

• Initial and residual total probability matrix

• Initial and residual risk evaluation matrix

• Initial and residual likelihood of occurrence

• Initial and residual likelihood of harm

• Initial and residual severity

• Initial and residual total probability

• Initial and residual risk evaluation

4.4. Non-strict mode (default)

Non-strict mode will enable the following behavior:

1. Members may freely define a harm, even if the harm does not correspond to any default severity. Therefore, it is also not required to configure a pre-defined list of harms.

2. The initial severity field may be selected freely and is not coupled to any harm (but may default to a harm's configured severity).

3. The initial and residual risk evaluation fields as well as overall risk acceptability fields can be manipulated after a calculation.

Additionally, the following synchronization behavior will be active:

1. On a risk configuration change, only empty fields on an uncontrolled Risk item will be modified, if necessary

2. Controlled items will remain in a controlled state following a configuration change

Note: This mode is the default to allow for more flexibility. However, we recommend enabling the various strict modes to always enforce up-to-date Risk items.

4.5. Strict modes

Ketryx provides a multitude of strict enforcements for various aspects of the risk management feature, namely:

1. Requiring the selection of a pre-defined harm value and its associated initial severity value

2. Enforcement of any risk analysis values derived from the default or customized risk matrices

3. Requiring the selection of a pre-defined hazard value

4. Requiring the selection of a pre-defined hazardous situation value

To activate these options, navigate to the project's settings page and enable them under the Risk management section.

By turning on strict mode 1 or 2, the following synchronization behavior will be active:

1. Ketryx will apply the enforced risk configuration to any uncontrolled Risk items and consequently create new records

2. Controlled items will remain in a controlled state and therefore unaffected

4.5.1. Enforced risk configuration

Note: This feature will only be enabled when a Ketryx project is connected to Jira.

In strict mode 1 and 2, whenever the risk configuration has been changed, either on the organization or project level, Ketryx will create a new record for all relevant Risk items to reflect the most recent configuration.

If a Risk item complies to a P1, P2 or severity value that doesn't exist in the new configuration (e.g. the new matrices don't have an entry for the P1/P2 pair), the value will be unset, ultimately removing all the other values that are based on the relevant lookup table.

4.5.2. Enforced field values

Given the appropriate setting, the system ensures that the entered harm, hazard or hazardous situation of a Risk item corresponds to a harm, hazard or hazardous situation from the risk configuration, respectively. If the entered value were to not correspond to a pre-defined value, members will not be able to approve the Risk item once its in a resolved state.

5. Creating and editing risks

Risks may be created either in Ketryx or Jira, with the former being recommended and the latter being subject to certain restrictions. The risk form is available through the risks page, by click on the Add risk button.

To edit an existing risk, an Edit risk button can be found on an individual item in the risks page.

For detailed instructions on the workflow of a risk, see WI-10 Risk.

5.1. Editing in Jira

For the best user experience, we recommend managing your risk analysis in Ketryx. However, if you opt to manage the risk in Jira, there are a number of caveats to pay to attention to.

5.1.1. Omitted risk analysis fields

A Risk item in Jira does not possess any editable initial and residual risk analysis fields (e.g. P1, Severity). Instead, it offers a read only widget to view the values of these fields, which can be set in Ketryx. The values are rendered using risk calculation boxes.

5.1.2. Harm associated severity

The harm field in Jira lacks a dropdown list of predefined harm values. When its strict mode is activated and the entered harm does not correspond to any harm in the risk configuration, the Initial severity field remains unchanged in the widget.

5.1.3 Hazard and hazardous situation

Similar to the harm field, both the hazard and hazardous situation fields in Jira lack a dropdown list of pre-defined values. Consequently, when their strict modes are enabled, members need to be mindful of precisely entering the permitted values. Failure to do so will result in the approval of the risk being blocked.

5.1.4. Sequence of events content

The Ketryx ALM expects a numbered list in the Foreseeable sequence of events field. If a member fails provide content in this format, Ketryx shall do its best to transform the provided content into a numbered list in Ketryx.

Each entry in the list denotes an individual event within the sequence, with the specified order being of significance.

5.1.5 Risk calculation boxes

In the risk form and risk management Jira widget, Ketryx offers a visual container that provides an understanding of how certain risk analysis fields were derived. Members can visually toggle, in the container, any of the matrices that were used in the calculations.

Derived values that are based on the matrices will be visually marked as "recommended" values by the form. However, users retain the flexibility to override these recommendations. If they do, their action will be made explicit with an asterisk in the container, or even with a completely separate container as is the case with the overall risk acceptability.

6. Risk management page

Members can review risks using the risk table in the Risk management page. Items in the table can be grouped by Harm or Hazard, sorted by various Risk item fields and filtered by acceptability.

Each Risk item row will feature an overview of the risk acceptability, of any missing approvals and if the benefit-risk analysis is set. Furthermore, risk controls of a risk will have their test cases and corresponding results listed. Metadata-related details, including the ticket state, current owner, and pertinent versions, are also visible.

Members should document their risk analysis review in the risk management file.

7. Risk controls page

Members can review risk controls using the risk table in the Risk controls page. For each risk control, the following columns can be seen:

• The risk being controlled

• A hazard analysis of the risk

• Any risks introduced by the risk control

• Any test cases covering the risk control

• The item status of the risk control

Hazard analysis

The hazard analysis gives an overview of the following fields originating from the controlled risk:

• Hazard (Rich-text field)

• Hazardous situation (Rich-text field)

• Sequence of events (Rich-text field)

• Harm (Rich-text field)

• Residual risk (Dropdown value)

• Risk acceptability (Acceptable or Not acceptable)

• Benefit-risk analysis (Rich-text field)

For the hazard analysis to show up green, the following conditions must be met: the first four rich-text fields must be filled out and the risk acceptability must be acceptable. If the latter is not acceptable, then a benefit-risk analysis must be provided. If any of the fields (except for benefit-risk analysis) are missing, then the status pill will show an exclamation icon. If the risk acceptability is not acceptable and no benefit-risk analysis is provided, then an error icon will be displayed.

Controlled risk & Arising risks

The controlled risk and arising risks (if any) status indicate whether the relevant risks are in a controlled state.

Tests

The tests column indicates whether a Test Case has been assigned to the risk control. Furthermore, it informs the user whether the Test Case is in a controlled state and if a corresponding controlled Test Execution exists. If a failing Test Execution exists, then the status pill will show up with an error icon.

8. Release documents

Ketryx offers four built-in release documents related to risks:

• Risk Management File

• Risk Matrix

• Risk Control Matrix

• Testing Report

Custom documents may be generated based on document templates.

8.1. Risk matrix customizations

Columns in the risk matrix release document may be renamed or omitted. See the Risk matrix field under Document configuration on the Advanced project settings page.

8.2. Risk management file customizations

By default, the Risk Management File includes a section about the latest configured risk evaluation matrices. A member may omit this section by configuring the Risk Management File field under Document configuration on the Advanced project settings page.