How to Validate Ketryx

Let’s Talk About Validation

If you work in a regulated space (medical devices, diagnostics, pharma, digital health), you know that validation is a fact of life. You need to show that your tools and systems do what they say they do. And while the intent behind validation is noble (we all want safe and effective products), the actual process can feel heavy. 

We get it. At Ketryx, we’re not just building software for compliance—we’re living it too. Our entire platform is built under a quality system that aligns with the standards you already follow (ISO 13485, IEC 62304, ISO 14971). We went through an audit process and earned certification by UL, one of the most trusted notified bodies in the industry. That means a third party has reviewed and approved our processes for how we build, test, and maintain the Ketryx platform. So when you receive a validation package from us, you’re not just getting documentation. You’re getting artifacts from a system that’s been externally audited and certified to the same standards you’re expected to meet. That’s why our validation is shareable, auditable, and useful. 

That means you don’t have to validate Ketryx from scratch. You just need to figure out what’s right for your team, your product, and your level of risk tolerance.

Most of our customers land on one of two options. I’ve also provided a third option that no one has (thankfully) chosen. 

Option 1: Accept Ketryx’s Validation (Most Popular and Easiest)

This is the go-to route for most of our customers, and here’s why: you already trust suppliers through supplier evaluations and audits to follow standards, and Ketryx is no different.

Why it works

Ketryx is:

• Built under an ISO 13485-certified quality system
  
• Developed according to IEC 62304 (medical software lifecycle)
  
• Designed with ISO 14971 (risk management) principles in mind
  

We’re also actively using our own platform to track requirements, risk controls, and test cases, so we practice what we preach. That means our internal validation process is complete, documented, and auditable.

Instead of duplicating all that work on your end, you can simply accept our validation as part of your supplier qualification process.

What you do

1. Store our certs. You can request our ISO 13485, IEC 62304, and ISO 14971 certificates and place them in your EDMS or wherever you track your validated tools and suppliers.
   
   
2. Request our validation docs. We’ll send you:
   
   
   • A full Requirements Traceability Matrix (RTM)
     
   • Software Requirements Specification (SRS)
     
   • Versioned test reports (for both major and minor releases)
     
     
3. Review the documentation that’s been sent over
   
   
   • Review the use cases identified in the SRS, how they are traced in the RTM, and how they are tested in the test report.
     
   • Assess that it’s representative of your intended use of Ketryx
     
   • Conclude that you can accept Ketryx’s validation package and that you don’t need to do any of your own validation testing in addition to that
     
     
4. Write a short internal assessment. This is your “why” - your rationale for accepting Ketryx’s validation. Something like:
   
   
   • “We’ve reviewed Ketryx’s validation evidence and certification to applicable standards.”
     
   • “Our users still review and approve all outputs generated in Ketryx before release.”
     
   • “Given this, we consider the risk of using Ketryx low, and their validation is sufficient for our needs.”
     
     
5. Set a review schedule. Depending on your internal SOPs, you might:
   
   
   • Request updated validation docs from Ketryx at every major/minor release
     
   • Or just conduct an annual review of all tools and suppliers, including Ketryx
     

Why this is enough

This approach is widely accepted because:

• You’re documenting your rationale
  
• You’re showing due diligence in supplier management
  
• You’re not revalidating a system that's already been validated and is externally certified
  
• You’re leveraging supplier documentation to the fullest extent possible, as recommended by GAMP
  

It checks all the boxes without wasting time on duplicative work.

Option 2: Light Internal Validation Using Your Own Use Cases

Sometimes, teams want an extra layer of assurance, especially if your internal policies or risk profile call for some amount of hands-on testing.

This hybrid approach still uses Ketryx’s validation as the foundation, but adds a small layer of internal validation tailored to how you actually use the platform.

Why it works

You’re not trying to revalidate the entire system, just showing that it behaves as expected for your real-world use cases.

For example:

• You might use Ketryx to manage software requirements and risk traceability across multiple projects.
  
• You might lean heavily on integrations with Jira, GitHub, or Jama.
  
• You might have specific templates implemented by the Ketryx Client Operations team.
  

In this case, it makes sense to do some lightweight testing to confirm those workflows function as expected in your environment.

What you do

1. Document key use cases. These don’t need to be formal user stories — just high-level notes like:
   
   
   • “Users want to trace software requirements to test cases and risk controls.”
     
   • “Users want to generate validation documents for release.”
     
   • “Users want to configure approval workflows and assign reviewers.”
     
     
2. Run hands-on tests. Log into your configured Ketryx instance and walk through those use cases. Verify the outcomes match expectations: screenshots or short notes are enough.
   
   
3. Write a short summary. In your validation report, note:
   
   
   • That you’ve received validation documentation from Ketryx (see Option 1)
     
   • That you’ve performed internal tests based on real-world use
     
   • That this combination is sufficient for your intended use of the platform
     

Why this is a good middle ground

• You’re showing traceability between intended use and testing.
  
• You’re validating your configuration, which can be helpful when using complex integrations or custom workflows.
  
• You’re not trying to prove that every feature in Ketryx works, just the ones you rely on.
  

This is great for teams that want to be extra cautious but still move fast.

Option 3: Perform a Full Validation of the Ketryx Platform (Not Recommended)

We occasionally hear from teams who are wondering: “Should we just perform a full validation of Ketryx ourselves, end-to-end?”‍

Our short answer? No… please don’t.

Why this is not recommended

Ketryx is a large, complex platform with hundreds of interconnected features and validation scenarios. We’ve already done the work of fully validating the system, and we mean fully:

• We maintain a validated state across all major and minor releases
  
• Our validation artifacts include traceability matrices, requirements, specs, test protocols, executed results, and system configurations
  
• The resulting documentation spans thousands of pages, all developed under our ISO 13485-certified QMS
  

Unless you're using Ketryx as a component inside your own software product (you’re not), there is no regulatory requirement to re-validate the entire platform. In fact, trying to do so can lead to:

• Redundant time and effort that doesn’t reduce risk
  
• Missed functionality or incomplete coverage due to lack of internal visibility
  
• Unnecessary delays during implementation
  

When teams try to do this, it backfires

We’ve experienced customers thinking about going down this road early on, spinning up large internal validation projects for Ketryx. Almost all of them eventually pivoted to one of the lighter-weight approaches described above. Why?

Because they realized:

• They didn’t have access to the internal system behavior or logic required to test every component.
  
• Their validation effort would end up duplicating work already done and certified by Ketryx.
  
• It would be impossible to keep up with ongoing updates.
  

What to do instead

Use our validation. It’s detailed, structured, and built to be shared. Whether you accept it directly or add a layer of your own use-case-based testing, you’ll be in a better place than trying to re-create the wheel.

Wrapping It All Up

Validating your tools shouldn’t be more painful than validating your product. With Ketryx, you have flexibility and support. Whether you choose to fully accept our validation or layer in a little of your own, we’re here to provide the evidence and guidance you need.

We’ll meet you wherever you are on the compliance maturity curve, whether you're just getting your QMS up and running or preparing for your twentieth annual audit.

Need help choosing an approach?

We’re happy to hop on a call, share more about our approach, or walk you through our validation package. Just reach out—we can guide you through it.

[hide-start title="Frequently asked questions"]

Can Ketryx help us perform our internal validation of the Ketryx Platform?

We can, and we do—it is something we scope as separate professional services. One important thing to keep in mind: you will own the validation documents. Ketryx can provide guidance, templates, or even help with executions, but at the end of the day, you will be responsible for defending them in an audit or any other review. With that said, auditors will typically be more interested in how you validated your own Product and Process than in how you validated your use of Ketryx. 

However, if your team wants help building a validation plan, writing internal test cases, or running tests according to your own SOPs, we’re happy to jump in. Just keep in mind: this level of hands-on support usually isn’t included in the base platform subscription. 

Here’s how it typically works:

• You loop in your Ketryx account executive
  
• We figure out what level of support you need (a little guidance, or a full-on validation engagement)
  
• If it makes sense, we’ll put together a professional services proposal and help you get it done 

We want you to succeed with validation, whether that means using what we’ve already done or getting help tailored to your setup. 

Can I use Ketryx’s validation documentation as-is in an FDA or Notified Body audit?

Yes. All of our validation artifacts are built under our certified QMS and can be presented directly as supplier documentation. You may still want to supplement them with a brief internal rationale or assessment showing how you’ve adopted them (e.g., added to your supplier file).

How often does Ketryx update its validation documentation?

We update validation documentation with every major and minor release. You can request these updates on a cadence that fits your internal SOPs — monthly, quarterly, or annually. Additional or custom validation support documentation should be discussed with your Ketryx account executive, as this usually isn’t included in the base platform subscription.

Can I see a sample of your validation package before committing?

Absolutely. We’re happy to share sanitized sample documents (RTM, SRS, test reports, etc.) so you can review our structure and quality before onboarding.

What if my auditor asks how we validated Ketryx?

You can point them to your internal supplier assessment (Option 1 or 2) and show the validation package from Ketryx. Most auditors are familiar with this approach and will accept it as long as it’s documented.

Do I need to validate Ketryx differently if I integrate it with tools like Jira, Jama, or GitHub?

Possibly. We recommend you test your specific integrations and include those workflows in your internal use-case validation (Option 2), since your configuration may differ from others.

What happens if I find a bug in Ketryx — does that invalidate your testing?

No. Like any software, bugs can occur. If you discover something, report it to us, and we’ll track, resolve, and revalidate as needed. Our validation package is version-controlled, and patches are documented with updated test results.

Can I reference Ketryx’s ISO certifications in our supplier list or QMS?

Yes. Many customers list Ketryx as a validated software supplier and store our ISO 13485, IEC 62304, and ISO 14971 certs in their supplier files.

What kind of access controls or audit trails are validated in Ketryx?

Our validation covers role-based access controls, user activity tracking, and audit logs. These features are all tested to ensure they behave as required in a regulated environment.

If we configure Ketryx in a unique way, do we need to revalidate?

Not the entire platform — but you should document how you've configured it and test any custom workflows (especially if you're using APIs or advanced integrations). This can be part of your light internal validation (Option 2).

[hide-end]