1. Install the SoftComply Risk Manager PLUS (from here on, Risk Manager) from the Atlassian Marketplace into your JIRA Server instance. This step may require JIRA administrator permission.
2. After successful installation, open the “Risk Manager Plus” drop-down menu in the top navigation bar and start creating a new risk management project (see next step).
3. Creating the new risk management project consists of these steps:
3.1. Fill in the name of the project, the project key and the project lead;
3.2. Select a suitable risk management method from the three options: Hazard Analysis, or Failure Mode & Effects Analysis (FME(C)A) either with or without the Detectability parameter;
3.3. Select the risk calculation and visualization method you want to use: RPN (Risk Priority Number) or Risk Matrices with Risk Levels;
3.4. Select a suitable risk matrix size or RPN ranges from the provided templates (these can be customized later, if necessary);
3.5. Decide if you want to start with an empty risk management table or with one that has a few sample risks in it for exemplary purposes;
3.6. For compliant medical device risk management, leave the default setting in which Harm and Severity are linked to each other. You can opt out of it when you want to use the Risk Manager for risks other than medical device risks.
3.7. Click “Submit”.
Success! You have just created a new risk management project and you can now start managing risks in your projects.
Here is a short video tutorial guiding you through these steps – SoftComply Risk Manager Quick Start Guide:
1. For a quick start, you can import risks into your newly created risk management project using any of the import options that Jira provides. For a detailed guide to importing your existing risks, please see the import guidelines linked here.
2. You can navigate by using the left panel options: “Risk Management” (the table), “Risk Model” (setting your severity, probability and detectability scales, the risk levels and their range, and the matrices/RPN) and “Reports” (Risk Management Plan and Risk Management Report).
3. First, customize the Risk Model according to your severity, probability and/or detectability levels, and assign the risk level values in the matrix cells and/or the ranges of the RPN scale.
4. You can now start identifying your risks by entering them and their related information into the risk management table by filling in the table cells.
5. Link mitigation actions and verification actions by starting to type the Jira issue number or summary into the corresponding cells, and then selecting the required issue.
6. Customize the table (add, remove, edit columns) according to your needs by hovering over the table headers and selecting the options required.
7. Filter and/or export the table content if necessary.
To manage risks you first need to create a special type of project in Jira. This can be done only via the “New Risk Management project” menu item in the Risk Manager Plus drop-down menu. The SoftComply Risk Manager Plus distinguishes risk management projects from any other project you have created in your Jira instance, and only risk management projects have access to the features of the SoftComply Risk Manager. In other words, in order to manage your product risks you first need to create a new risk management project.
After starting the risk management project from the Risk Manager wizard → Create “New Risk Management Project”, follow these steps:
1. The first step requires you to enter the project name, the project key and the project lead. These fields are the Jira standard fields that are required while creating a new project.
2. The second step in the wizard is the selection of a risk management method. You can choose between Hazard Analysis or FME(C)A (Failure Mode and Effects Analysis). In the latter case, you can choose to have FME(C)A with 2 parameters of Severity and Occurrence (“FME(C)A without Detectability”) or with 3 parameters of Severity, Occurrence and Detectability (“FME(C)A with Detectability”).
3. Next, you can choose how risks are calculated and visualized, i.e. either in risk management matrices that have risk levels (“Risk Matrices with Risk Levels”) or in Risk Priority Number (“RPN”).
4. If you chose Risk Matrices with Risk Levels, you choose the risk matrix size next. Several of the most frequently used matrix layouts are offered as a starting point. You can customize your risk matrix after you have finished the project creation, so to speed up the setup choose the layout that is closest to your needs and minimize the customization effort later on.
Note that in the matrices for FME(C)A with Detectability, Severity is on the x-axis while the combination of Occurrence and Detectability is on the y-axis. An example matrix template for FME(C)A with 5 levels of Severity (x-axis) and 5 levels of Occurrence combined with 5 levels of Detectability (the product of their values on the y-axis) is illustrated below.
If you chose RPN in the previous step, you choose the number of Risk Levels and the FME(C)A scale next. Again, you can customize both after you have created the project, but it is most time-efficient to choose the options closest to your risk model. You are offered a choice between three or four risk levels and a combination of Severity, Occurrence and Detectability scales.
5. The final step of creating a new risk management project is the confirmation of the risk management method you chose. Here you can also choose whether you wish to see sample data in the risk management table right away or would rather start with an empty table.
Finally, there is an option to “Enable strict Harm and Severity mapping”. This feature relates to the ISO 14971 requirement for medical device risk management that one Harm always has the same Severity throughout a risk project (the mapping is enabled by default). If you would like to use SoftComply Risk Manager Plus to manage other types of risks (e.g. project risks, cybersecurity risks, etc.) in other risk projects, you may want to allow risks with the same Harm to have different Severities (disable the mapping). Note that this setting cannot be changed once the risk project has been created.
NOTE: Be aware that the columns that are provided in the default risk management table cannot be deleted later. You can, however, change the column titles or hide them. Only columns that you add can be removed by you. This feature is there in order to ensure compliance in medical device risk management with SoftComply Risk Manager Plus.
Also, at the moment you can only add columns with text values, i.e. you cannot add columns for links.
We would recommend you always start your risk project by configuring the Risk Model, i.e. before adding risks into the Risk Management table. Risk Model holds your risk project settings, i.e. scales for Severity, Occurrence/Probability and Detectability. It will also have RPN scale range settings and/or matrix settings. All settings are fully customizable.
You can see “Risk Model” on the left side menu, highlighted in the image below:
You can customise your Risk Model in RPN/FME(C)A by:
a) Adding/Removing severity levels and their descriptions (click on “Add risk classifier” below the Value column on Severity tab);
b) Adding/Removing occurrence levels and their descriptions (click on “Add risk classifier” below the Value column on Occurrence tab);
c) Adding/Removing risk class ranges (by “+” on top of the “Range” column);
d) Changing risk levels of the RPN scale.
You can customize the Risk Levels in your Risk Matrix by adding or removing severity and probability levels and their descriptions. To edit risk classes in a Risk Matrix, hover over the risk class fields in the matrix and a floating menu with the available action buttons appears. Be aware that if you remove a severity or a probability value, the risks that had that value assigned automatically get the value “unassigned” and must be re-evaluated later. To avoid this, configure your model and matrix before filling in your data in the risk management table!
Have a look at the short video tutorial below for Risk Matrix customization options:
To access these actions, hover over a severity, probability or risk class field and use the hover menu with the available action buttons that appears.
Configuring the risk table is the most important part of setting up your risk management project properly. Since everyone responsible for risk management has their own approach, it is best to use the risk terminology that is accepted and used in your company. The predefined templates are a good starting point if you have not yet created your own tailored approach; their columns and terms are the same as in ISO 14971. In other words, it is highly recommended to use one of our templates, especially when you are working in the medical domain.
Below is a short video tutorial on SoftComply Risk Manager table customization options:
In order to change the table layout you have the following options:
1. Rename the column names and descriptions. This applies to all columns;
2. Add/Remove columns. Only free-text columns can be created. Note: you cannot delete a column created by the default template; you can remove only columns that you have added yourself. This is to ensure your risk management table stays compliant with risk management standards. You can, however, rename the column titles or hide the columns;
3. Hide columns. All columns of the table can be hidden to give a better overview of the table according to your needs.
4. Change the column order. You can change the order of the columns in your risk management table by clicking on the right/left arrows in the floating menu that appears when you hover over the column header.
5. Resize the column width. You can easily resize the width of each column by dragging the triangles on the headers of the column to expand or decrease the column width.
You can access those actions by clicking on the menu that opens while hovering over the table header.
The SoftComply Risk Manager Plus is a tool to make risk management process easy to implement in your organization. Risk management is done by simply managing your risks in a table. Adding, removing, and linking risks to provide full traceability is now easier than ever!
The main tool for successful risk management is the risk management table. In the following sections you will learn how to get most out of its features.
To add new risks there are three options:
1. Manually add risks by using the table’s first row; or
2. Clone risks from previous row; or
3. Import risks from another system or project.
To add a new risk, click the “+ Add Risk” button above the table. This creates an empty top row in the table. Fill in the necessary column values and click the “Confirm” button on the floating menu, or press “Enter” on the keyboard, to save the risk.
When adding new risks, the only mandatory field is “Hazard” in Hazard Analysis or “ID” in FME(C)A. All other fields can be left empty if you are not yet sure what to enter.
Risk cloning is useful if you have more than one risk with the same Hazard, Hazardous Situation, etc. Often one Hazard can occur in different Hazardous Situations and can then cause different Harms. When entering such risks, it is convenient to copy all the values up to a certain cell and then fill in the remaining fields.
To do this, use the “Clone” feature from the floating menu. It is important to select “Clone” from the correct cell: the cell where you choose “Clone” will be the last of the copied cells in the new risk row that is created!
To edit a risk in the table, you have two options:
1. Clicking a row that you would like to edit makes the risk editable. Clicking somewhere else in the table saves the changes you made and makes that other risk (row) editable. When you have finished making changes, select “Confirm” on the floating menu;
2. Second, by selecting “Edit” action from the floating menu.
You can also use keyboard shortcuts in the risk management table: to edit a risk, click the cell you wish to edit. To save the entered text in a cell, press “Enter”; to discard the text you entered in a cell, press “Escape”. To save a selected “Severity” or “Probability”, press “Enter” twice after selecting the desired level.
To delete or remove a risk from the table, hover over the risk with the cursor and click the “Delete” button on the floating menu. The risk itself is not deleted! Its JIRA issue is moved from the “Open” status to the “Done” status of the issue workflow. Thus you can always undo the delete action by opening the JIRA issue view and manually changing the issue status back to “Open”.
In addition to entering risks manually, you can import risks from another system. If you have not yet added any risks to your project, quick links to risk/issue import are shown. If you import risks from other systems (e.g. a CSV file, Excel, other issue management systems), follow the instructions that JIRA provides. You can also follow our detailed guidelines for importing your existing risks into the SoftComply Risk Manager Plus.
2.6.1. Risk Matrices & Risk Classes
Risk classes (e.g. High, Medium, Low, TBD) are assigned automatically according to the risk matrix configuration once you have set the severity and probability values of the risk under assessment. The risk class is defined in the risk matrix, so it cannot be assigned before both values are set; until then the value of the risk class remains “TBD” (To Be Determined).
In the risk management process each risk has two risk class values: the initial risk class, and the final (residual) risk class after mitigation has been completed. The risk management table therefore has two sets of severity and probability columns and two risk class columns, corresponding to the initial and the residual risk.
The first column of the risk management table is called “Risk” and it provides a visual indicator of the initial and residual risk class values. E.g. if your initial risk class was High and you mitigated it to Low, then you should see a Red dot and a Green dot. This field provides a quick visualization of the risk mitigation results. The uncolored dot depicts a risk to which a risk class has not yet been assigned.
2.6.2. Risk Levels and RPN (Risk Priority Number)
For FME(C)A, the RPN value and its risk level are assigned automatically in the risk table according to the risk model configuration, where you have defined the severity, occurrence and detectability scales together with the RPN ranges and levels used for calculation and visualization. The RPN is calculated from the severity, occurrence and detectability values you have assigned to the risk in the table, and remains “TBD” (To Be Determined) until all three values have been chosen.
As in Hazard Analysis, the FME(C)A RPN has two values: an initial RPN for the identified risk and a residual RPN for the risk after mitigation. In the risk table you therefore see the initial severity, occurrence and detectability values first, and the residual values once you have mitigated the risk. As in Hazard Analysis, the first column of the FME(C)A risk table gives a quick visualization of the mitigation results: the first dot shows the initial and the second dot the residual risk level.
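The rules above (risk class looked up from the matrix, RPN as Severity × Occurrence × Detectability mapped onto ranges, “TBD” until every value is set, “unassigned” after a scale value is removed from the Risk Model, strict Harm/Severity mapping, and every matrix cell needing a class) are small enough to spell out in code. The following is an added example, not SoftComply's code; the 3x3 matrix, the 1..5 FME(C)A scales, the RPN ranges and the class names are constructed assumptions rather than the plugin's templates.

```python
"""Automatic risk class (Hazard Analysis) and RPN level (FME(C)A) assignment.

Added example, not SoftComply's own code. The 3x3 matrix, the 1..5 FME(C)A
scales, the RPN ranges and the class names are constructed assumptions, not
the plugin's templates.
"""
from collections import defaultdict

TBD = "TBD"                 # shown until every scale value of the risk is set
UNASSIGNED = "unassigned"   # set when a value is removed from the Risk Model

# Hazard Analysis: constructed 3x3 matrix keyed by (severity, probability).
SEVERITY_LEVELS = [1, 2, 3]
PROBABILITY_LEVELS = [1, 2, 3]
MATRIX = {
    (1, 1): "Low",    (2, 1): "Low",    (3, 1): "Medium",
    (1, 2): "Low",    (2, 2): "Medium", (3, 2): "High",
    (1, 3): "Medium", (2, 3): "High",   (3, 3): "High",
}

# FME(C)A: constructed 1..5 scales; RPN ranges are inclusive and must cover
# 1..125 (5 x 5 x 5) without gaps.
RPN_MAX = 5 * 5 * 5
RPN_RANGES = [(1, 20, "Low"), (21, 60, "Medium"), (61, 125, "High")]


def matrix_is_complete(matrix, severities, probabilities):
    """Every Severity-Probability cell must carry a risk class."""
    return all((s, p) in matrix for s in severities for p in probabilities)


def ranges_are_contiguous(ranges, upper):
    """RPN ranges must run from 1 to the maximum product with no gaps."""
    expected = 1
    for low, high, _level in sorted(ranges):
        if low != expected or high < low:
            return False
        expected = high + 1
    return expected == upper + 1


def risk_class(severity, probability, matrix=MATRIX):
    """Hazard Analysis: look the class up; TBD until both values are set."""
    if severity is None or probability is None:
        return TBD
    if UNASSIGNED in (severity, probability):
        return UNASSIGNED      # a model change removed a value: re-evaluate
    return matrix[(severity, probability)]


def rpn(severity, occurrence, detectability):
    """FME(C)A: S x O x D; TBD until all three values are set."""
    values = (severity, occurrence, detectability)
    if any(v is None for v in values):
        return TBD
    if UNASSIGNED in values:
        return UNASSIGNED
    return severity * occurrence * detectability


def rpn_level(value, ranges=RPN_RANGES):
    """Map an RPN to its configured level; pass TBD/unassigned through."""
    if value in (TBD, UNASSIGNED):
        return value
    for low, high, level in ranges:
        if low <= value <= high:
            return level
    raise ValueError(f"RPN {value} is outside the configured ranges")


def remove_level(risks, field, value):
    """Model change: risks that used the removed value become 'unassigned'."""
    for risk in risks:
        if risk.get(field) == value:
            risk[field] = UNASSIGNED
    return risks


def harm_severity_conflicts(risks):
    """Strict Harm/Severity mapping: return harms that carry more than one severity."""
    seen = defaultdict(set)
    for risk in risks:
        if risk.get("severity") not in (None, UNASSIGNED):
            seen[risk["harm"]].add(risk["severity"])
    return {harm: sevs for harm, sevs in seen.items() if len(sevs) > 1}


if __name__ == "__main__":
    assert matrix_is_complete(MATRIX, SEVERITY_LEVELS, PROBABILITY_LEVELS)
    assert ranges_are_contiguous(RPN_RANGES, RPN_MAX)
    # Constructed rows: initial and residual values of two Hazard Analysis risks.
    risks = [
        {"harm": "Burn", "severity": 3, "probability": 3, "res_severity": 3, "res_probability": 1},
        {"harm": "Burn", "severity": 2, "probability": 2, "res_severity": None, "res_probability": None},
    ]
    for r in risks:
        print(r["harm"], risk_class(r["severity"], r["probability"]),
              "->", risk_class(r["res_severity"], r["res_probability"]))
    print("conflicts:", harm_severity_conflicts(risks))   # Burn has severities {2, 3}
    remove_level(risks, "probability", 2)
    print(risk_class(risks[1]["severity"], risks[1]["probability"]))   # unassigned
    print(rpn_level(rpn(5, 4, 3)))   # 60 -> Medium
```

The two validation helpers are the checks worth running before entering data: an incomplete matrix or an RPN range with a hole means some risks can never leave “TBD”, and a Harm with two Severities is exactly what the strict mapping exists to prevent.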
Risk mitigation can be done by assigning mitigation actions to your risks. The mitigation actions can be activities or procedures that mitigate the risk and lower the risk class. There are 2 columns that describe the mitigation actions:
1. Mitigation Action (free text field), and
2. Mitigation Links (link to another (external) issue/software item).
Mitigation actions can be defined either by entering a description in the “Mitigation Action” column or by linking another issue to the risk. Mitigation actions can be issues from other projects, so you can link requirements or other development issues to the risk under mitigation. To link an issue, start typing either the issue key or the summary of the issue you would like to link; the autocomplete field suggests matching issues based on the text you entered.
NB!: The recommended use of mitigation actions is as follows:
1. There should be at least 2 separate projects: one for risk management and another where you manage other product development issues (development tasks, requirements and the like that may serve as mitigation actions).
2. Link the mitigation action from the development project to your risk via “Mitigation Links” column.
If you have no mitigation action defined yet but would like to create one during risk management, use the “+” button in the Mitigation Links column. This opens a “Create new issue” popup window in JIRA, and you can create the new mitigation action in any project you have access to. After the issue is created this way, the SoftComply Risk Manager Plus automatically adds a link between it and the risk you were processing at that moment. Thus you can add new risk mitigation actions and carry on with your risk management from the same place you were at before.
NB!: In the risk management table you can see the mitigation action issue key, issue summary and issue status. In this way, it is easy to assess at a glance if actions are done, in progress, or still on the to do list.
Verifying mitigation actions works the same way as mitigating risks in the SoftComply Risk Manager Plus. You can always add verification actions manually as free text in the “Verification Action” column, and link verification actions to the risk mitigation action (to verify that the mitigation works as intended).
Linking verification actions (e.g. testing activities from another JIRA project) is similar to linking mitigation actions. It is best to start typing the issue key or summary into the autocomplete field and then pick the issue from the drop-down list of suggestions.
By clicking on a “+” button on the right side of the “Verification Action” column, it is possible to create a new verification action in the risk management project. The created verification action will then automatically be linked to the risk.
NB!: In the risk management table you can see the verification action issue key, the issue summary and the issue status. In this way, it is easy to assess if the verification actions are done, in progress, or still on the to do list.
After mitigating risks, the final risk assessment is conducted by assigning final severity, probability/occurrence and detectability values. The final risk is then calculated and the residual risk value is shown in the risk management table. To see the initial and residual risks, click the “Risk Model” icon in the left menu. You will see the Risk Matrix view for Hazard Analysis or the RPN view for FME(C)A; the Initial Risk Matrix shows the identified risks and their risk classes.
The matrices and/or the RPN table can be exported or printed by selecting the suitable action from the top-right corner of the page. It is possible to export the matrices to DOCX and PNG format. After exporting the matrices or RPN table, you can save the file as a snapshot of that moment in time.
It is also easy to see the effectiveness of your risk mitigation actions by looking at the first column of your risk management table. The coloured dots depict the initial and the residual risk class of each risk, so in a perfect world you wish to see primarily green dots to the right of the small arrow.
The SoftComply Risk Manager Plus provides two report templates (Risk Management Plan and Risk Management Report) in addition to the export feature for both the risk management table and the matrices.
The Risk Management Plan is based on the requirements of ISO 14971 giving an overview of all the planned activities of risk management. The Risk Management Report is a document that describes the results of the Risk Management activities. Both reports can be accessed either from the Risk Manager Plus drop down menu or from the “Reports” section of JIRA sidebar.
Both the Risk Management Plan and the Risk Management Report include guidelines on how to fill in your project-specific data. The Risk Management Plan automatically includes the data that you defined at the start of your risk management project, including the risk classes and their acceptance criteria; the risk matrix or RPN configuration; and the severity, probability and detectability values. The Risk Management Report automatically includes the initial and the residual risk matrices and/or RPN table.
Depending on the risk management table template, there are at most 3 columns that have links to other issues:
1. Mitigation Links;
2. Verification Links;
3. Traceability.
The “Mitigation Links” and the “Verification Links” columns can be used to assign a link of an issue (mitigation action or verification action) to each risk or to create a link to a new issue (new mitigation action or new verification action).
The “Traceability” column provides an overview of all the links connected to each risk, including links to other risks that the mitigation action(s) may have introduced. Thus, the “Traceability” column is read-only overview, while the “Mitigation Links” and the “Verification Links” columns are where you link other issues to a risk.
In the “Traceability” column you can see all the links related to one risk, including the following Risk Manager link types:
a. “is mitigated by” – link type describes connection between a mitigation action and a risk, e.g. risk is mitigated by some software development project issue;
b. “is verified by” – link type describes connection between a verification action and a mitigation action, e.g. a mitigation action is verified by some verification action or test case;
c. “is caused by” – link type describes that this Hazard has been caused by another issue, e.g. some mitigation actions can cause new hazards to appear in the project;
d. all other available JIRA link types, which can be used as needed, e.g. “is blocked by”, “duplicates”, etc.
You can create a new mitigation or verification issue while describing a new risk. To do that, use the “+” button on the right edge of the “Mitigation Links” or “Verification Links” column in edit mode.
Clicking the “+” button opens a “Create new issue” window. After you submit the new issue, the link between the issue and the risk is added automatically and shown in the table. In this way you can continue managing risks and create new issues in other projects at the same time.
The content of the risk management table can be filtered to get an overview of any particular set of data. Each column that allows filtering has a small filter icon just below the column title. When a filter is applied, a corresponding icon becomes visible; to remove the filter, click the remove-filter icon.
NB!: If you apply filters and try to export the risk management table, then only the visible content will be exported. Thus, if you need to export the entire table, you must first remove all the filters.
The risk management table can be customized as follows:
1. Rename column titles that were assigned by the template;
2. Add or remove custom columns (only free-text columns);
3. Hide any column;
4. Columns that were assigned by the template cannot be deleted. They can only be renamed.
All actions that were described above can be performed by hovering the cursor over the table header and selecting the required action from the floating menu.
The risk management matrix can be customized as follows:
1. Edit Severity or Probability values.
1.1. Add a new value;
1.2. Edit the existing value name and description;
1.3. Remove a value.
2. Add or Remove Risk Classes
2.1. Add a new Risk Class;
2.2. Edit the name of a Risk Class;
2.3. Remove a Risk Class.
3. Assign risk classes to specific Severity-Probability combination in the Risk Matrix
3.1. Each cell in the Risk Matrix must have a Risk Class value assigned to it.
All the listed actions can be found in the floating menus that appear if the cursor is hovered over the Severity or Probability values in the matrix.
To demonstrate a compliant risk management process, you may have to report as required by regulations. The SoftComply Risk Manager Plus provides these reports:
1. Risk Management Plan, and
2. Risk Management Report.
Reports can be accessed from the top navigation bar menu item “Risk Manager Plus” → “Risk Management Plan” or “Risk Management Report”. They are also available from the “Reports” section of JIRA left sidebar.
Both reports are pre-filled templates containing guidelines and the available configuration or risk project data. You can export these reports and edit their content as needed in your organization.
NB!: The blue coloured text provides the guidelines and should be removed from the final version of your document. The square brackets [ ] display the suggested content that you should input. The red coloured text provides you with additional information in the case where you want to comply with IEC 62304 requirements.
NB!: Reports are project specific.
To import existing risks into the SoftComply Risk Manager Plus, please review the importing guidelines.
In the SoftComply Risk Manager Plus each row of the risk table is a separate issue in the project, so this constraint applies when you import new risks with JIRA's import features. One aspect is important during import: the Summary field in JIRA is mandatory. When you enter a new risk manually in the risk management table, the ‘Summary’ field is set to the same value as ‘Hazard’. When you import, you can import any value into the ‘Summary’ field, but it is not displayed in the table. To import your data into the table successfully, import the ‘Hazard’ value into both the ‘Summary’ field and the ‘Hazard’ field.
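A small pre-processing step over the export file avoids both pitfalls named above: it copies each row's Hazard into Summary so the imported issues match what manual entry would produce, and it rejects rows with an empty Hazard instead of letting Jira create an issue with no usable summary. This is an added example, not SoftComply's code or Jira's importer; the input CSV is constructed and its column names (Hazard, Hazardous Situation, Harm, Severity) are assumptions about your export, while “Summary” is the mandatory Jira field the page names.

```python
"""Prepare a CSV of risks for Jira's CSV import so that Summary == Hazard.

Added example, not SoftComply's own code. The source CSV below is constructed;
its column names are assumptions about your export, and "Summary" is the
mandatory Jira field named on the page.
"""
import csv
import io

# Constructed input: line 3 lacks a Hazardous Situation (allowed); line 4 lacks
# the mandatory Hazard and must be rejected, not imported with an empty Summary.
SOURCE_CSV = """Hazard,Hazardous Situation,Harm,Severity
Heat,User touches hot surface,Burn,3
Heat,,Burn,3
,Unlabelled row,Discomfort,1
"""


def prepare_jira_import(csv_text, hazard_column="Hazard", summary_column="Summary"):
    """Return (importable CSV text, list of rejected source line numbers)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    source_fields = [f for f in reader.fieldnames if f != summary_column]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=[summary_column] + source_fields,
                            lineterminator="\n")
    writer.writeheader()
    rejected = []
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        hazard = (row.get(hazard_column) or "").strip()
        if not hazard:
            rejected.append(line_no)                  # Hazard is the only mandatory risk field
            continue
        row[hazard_column] = hazard
        row[summary_column] = hazard                  # Jira's mandatory field; not shown in the table
        writer.writerow(row)
    return out.getvalue(), rejected


def read_rows(csv_text):
    """Parse CSV text back into a list of dicts (used to inspect the result)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    importable, rejected = prepare_jira_import(SOURCE_CSV)
    print(importable)
    print("rejected source lines:", rejected)   # [4]
```

Run it over your real export, review the rejected line numbers, and feed the output file to Jira's CSV import wizard, mapping “Summary” to Summary and “Hazard” to the Hazard field as the page describes.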
The risk management table cannot be sorted by the user; sorting is automatic. The sorting algorithm starts with the “Hazard” column, which it sorts alphabetically. Within each hazard value, rows are sorted alphabetically by “Hazardous Situation”; within each “Hazardous Situation”, by “Harm”; and so on. This provides an easy-to-read structure for the risk management table. Identical content in consecutive rows is displayed in light gray, indicating grouped items; this hides repetitive information and emphasizes the unique information. To limit the number of rows in the table, you can always use filtering.
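The grouping rule has one subtlety worth seeing in code: a repeated value is only grayed out while every column to its left also matches the row above, otherwise the same Harm under a different Hazardous Situation would disappear. The following is an added example reproducing that sort and display, not SoftComply's code; the column hierarchy after Harm and the sample rows are constructed assumptions.

```python
"""Hierarchical sort and grouped (grayed) display of the risk table.

Added example, not SoftComply's own code. The column hierarchy and the sample
rows are constructed; the page names Hazard, Hazardous Situation and Harm
"and so on", and does not list the further columns.
"""

SORT_ORDER = ["Hazard", "Hazardous Situation", "Harm"]   # assumed hierarchy

# Constructed rows in the order they might have been entered.
RISKS = [
    {"Hazard": "Heat", "Hazardous Situation": "Touch", "Harm": "Burn"},
    {"Hazard": "Electrical", "Hazardous Situation": "Contact", "Harm": "Shock"},
    {"Hazard": "Heat", "Hazardous Situation": "Touch", "Harm": "Fire"},
    {"Hazard": "Heat", "Hazardous Situation": "Inhale", "Harm": "Burn"},
]


def sort_key(row, order=SORT_ORDER):
    """Alphabetical, case-insensitive, column by column; empty cells sort first."""
    return tuple((row.get(col) or "").casefold() for col in order)


def sort_rows(rows, order=SORT_ORDER):
    return sorted(rows, key=lambda r: sort_key(r, order))


def render_grouped(rows, order=SORT_ORDER):
    """Return rows as lists of (value, muted).

    A cell is muted (shown gray) only while every cell to its left also
    matches the row above, so a repeated value that belongs to a different
    group stays visible.
    """
    rendered = []
    previous = None
    for row in sort_rows(rows, order):
        cells = []
        still_matching = previous is not None
        for col in order:
            value = row.get(col) or ""
            muted = still_matching and (previous.get(col) or "") == value
            still_matching = muted
            cells.append((value, muted))
        rendered.append(cells)
        previous = row
    return rendered


def to_text(rendered):
    """Plain-text view: muted cells are replaced by '·' as a stand-in for gray."""
    return "\n".join(
        " | ".join("·" if muted else value for value, muted in cells)
        for cells in rendered
    )


if __name__ == "__main__":
    print(to_text(render_grouped(RISKS)))
```

For the constructed rows the output is four lines: Electrical/Contact/Shock, Heat/Inhale/Burn, then Heat muted with Touch/Burn shown (Burn is repeated but under a different Hazardous Situation), and finally Heat and Touch muted with only Fire shown.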
Each market sector has its own rules and best practices for risk management. The SoftComply Risk Manager Plus is based on the ISO 14971 – risk management for Medical Devices.
Regardless of the sector you are in, the approach described in ISO 14971 can be applied to any safety critical domain. In addition, the SoftComply Risk Manager provides many customization features to enable the user to modify the risk management table to other safety critical domains and risk assessment approaches.
Typically there are two approaches to risk management: “bottom-up” and “top-down”, generally referred to as “xFMEA”/”xFMECA” and “Hazards Analysis”, respectively. They are intended to be complementary, not exclusive.
Using both approaches increases the probability that you will capture all potential risks associated with your system. It is important to remember that the different approaches need to be aligned and consistent, e.g. the same harm should have the same severity level, etc.
“FMEA” stands for Failure Mode and Effects Analysis. The “x” is a placeholder that is replaced by a letter that indicates the area of the product the FMEA is applied to, e.g. DFMEA for Design, PFMEA for Process (manufacturing process), HFMEA for Human Factors, etc.
The “bottom-up” approach refers to the fact that typically on the left side of the table, where the analysis starts, you list components and sub-components of your system, what their function is and how they can fail.
Example: your system contains a bolt; its function is to keep two components together. The “failure mode” of this bolt is that it fails to keep these two components together; the two components can become loose or even fall apart. The effect will depend on the actual purpose of your device. The cause could be that the bolt is under designed or that it is not tightened, or other causes. Risk mitigation actions could be to use a safety factor when you design your bolt and/or to define a minimum tightening torque during assembly.
Hazards Analysis is a “top-down” approach, meaning that you start (on the left side of the table) with high-level, system-wide hazards that your device can pose. ISO 14971 provides a list of example Hazards that you can use as a starting point. You can also perform a functional analysis of your device and determine how it can fail to provide its functions.
Example: pick “Heat”. The Hazard is that some surfaces of your device can overheat (or in case they can get too cold then freezing is the hazard). One Hazardous Situation is that someone can get in contact with these surfaces, resulting in burns (harm) of different severity. Potential causes could be that some internal electrical or mechanical components overheat. Risk mitigation actions will depend on the actual architecture of the system.
We recommend having separate projects for software development and risk management. If necessary there can be a separate project also for verification activities and testing.
The following setup allows your risk management table to group mitigation actions from the development project(s) and verification actions from the verification project(s). The different actions that link to risks provide the separation and flexibility you may need later in the projects and in the reporting. If you prefer to group all issues from different projects together, use JIRA Agile boards or queries.
In the case where you need a snapshot of the risk management table or of the risk matrices, use the export feature and store the exported files to your file storage or Confluence.
It is possible to get a full audit trail of the Risk project and its risks from JIRA by exporting issues and their Activity Logs. Follow the JIRA documentation to do this.
It is possible to import new risks to risk projects from other systems. If you have not yet added any issue to your project, then quick links to risk/issue import are available. If you choose to import risks from other systems (e.g. csv file, excel, other issue management systems), please follow the instructions outlined here.