Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

How To Set Up a Jira / Confluence QMS For Medical Device Compliance

Oliver Eidel
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
June 6, 2024

Hey, I thought I'd share some of my learnings about setting up a QMS in Jira and Confluence as many companies have asked me about this in the past. It took me quite some time to write this, so I hope it's useful for someone here!

I'm a consultant for medical device compliance and have worked with 150+ companies, quite a few have passed audits with a Confluence and/or Jira - based QMS.

So how would you go about setting up a QMS in Confluence?

Generally speaking, you actually have three options:

  1. Set up everything yourself
  2. Choose a QMS plugin for Jira / Confluence
  3. Choose another software entirely.

Let's go through those in detail!

 

1. Set Up Your Jira QMS Yourself

If you're set on using Jira / Confluence for your QMS (more on that below), this is likely the cheapest option. However, it's also the one which will take the longest and carry the most risk regarding not passing your audit.

Here's how you'd do it: You'd essentially have to go through all the regulatory requirements by yourself. So, for EU MDR medical device compliance, you'd download the ISO 13485 which is a PDF listing the requirements for quality management systems.

(Quick note: There's a small "hack" here of downloading the ISO 13485 through the Estonian website which saves you a lot of money.)

And then you'd go through each section and create custom ticket types for everything. E.g. for customer complaints, the ISO 13485 requires you to classify them as serious or not, so you'd add a dropdown selector for "seriousness" to your ticket type for customer complaints.

With that, I think, you already see the main drawbacks of the approach: Firstly, it's a ton of work, and secondly, there's no guarantee that your interpretation of the ISO 13485 in your Confluence / Jira QMS setup actually matches the interpretation of your auditor. So you might run into the situation that you've actually set up a QMS which doesn't pass an audit.

And, with all the work you have to put it, I guess you have to ask yourself whether it's worth it. In the end, your company probably wants to develop a product and make money, and setting up your QMS is only a tiny part of that.

 

2. Choose a QMS Plugin For Jira / Confluence

You second option is to choose to extend Jira / Confluence features with a QMS plugin. The main features you're looking for here are compliant e-signing of documents and requirements and risk management.

For e-signatures, I've had quite a few customers use Komala for that. It seems to work reasonably well. However, I've talked to one auditor who mentioned that one of the companies they audited recently lost all their signature information in Confluence which obviously was a huge problem.

So there's definitely some risk here as you're "bolting on" functionality to Confluence which doesn't exist in its core, and you're essentially at the mercy of the companies which manage the plugins you've purchased.

For requirements and risk management, I've heard of SoftComply being used, but none of our clients chose it so far so I don't have any first-hand experience.

Generally speaking, this approach of Jira / Confluence with plugins works reasonably well. The main drawbacks as mentioned by an auditor recently are these:

  • Atlassian had a data loss incident in 2022. Since then, medical device auditors are increasingly auditing companies on whether they have an additional backup procedure in place, because it can no longer be assumed that data in Confluence and Jira is always available.
  • Exporting "normal" QMS documents from Confluence with large tables ends up "squashing" those tables and making them unreadable. This often ends up being a huge problem.
  • Confluence doesn't have native version control in the sense of "let me retrieve all old document versions for version 1.2 of our product". While documents are version controlled, you can't create "checkpoints" which would enable you to show your documentation for a certain product at a certain point in time to auditors.

 

3. Choose Another Software Entirely

Your third and last option is to choose another software entirely outside of Jira and Confluence. Personally, this is my preferred option because, as mentioned above, I've recently heard many negative opinions by auditors about QMS setups in Jira and Confluence. Also. the first approach of setting up everything from scratch is simply not feasible for most startups who can't spend unlimited time tweaking their own custom QMS setup.

The most common options here are OpenRegulatory Formwork, Greenlight Guru and Qualio. Of those, Greenlight Guru and Qualio have very intransparent pricing and lock their customer in quite heavily with year-long contracts, so startups are increasingly avoiding them.

The often-preferred eQMS software for startups is OpenRegulatory Formwork because it has a free tier, unlimited users and a lot of transparency (e.g. monthly cancellation).

The benefits of a separate QMS software outside of Jira / Confluence are:

  • More flexibility: You're no longer limited by the data model and document editor of Jira and Confluence.
  • Data exports are custom-tailored to what auditors expect.
  • No "bad reputation" among risk-averse auditors due to data loss; providers often have data backup and business continuity plans in place.

 

Integrating With Software Development?

Additionally, one often-cited idea is that Jira and Confluence might be beneficial due to better integration between software development teams. Integrating regulatory compliance documentation with software development work sounds great on the surface, but in reality, I haven't seen this work out well, even after consulting 150+ companies. Here's an interesting article on the topic.

So yeah.. it's possible, but not always a great idea. Here's another article which is quite critical of Jira QMS setups.

Hope this was helpful and happy to answer any questions!

3 comments

Comment

Log in or Sign up to comment
Kristian Klima
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 6, 2024

Hello @Oliver Eidel 

As for your second point, to be more specific, the versioning issue.

In my setup, which admittedly is not QMS, I run Comala Document Approval (which is the barebone version of their sophisticated apps you're likely referring to) in combination with their Publishing app (sync between two spaces) in a setup with Scroll Documents by K15t.

And Scroll Documents allows you to do a proper versioning. You create snapshots of your documents iterations which can be browsed at any point (or used as a source for Scroll Viewport but that's another story).

Once your docs pass the approval process, you create a snapshot with Scroll Docs. And then you can iterate more and create more snapshots which you can brows and compare at will.

Combination of Comala workflows, Publishing, and Scroll Documents also allows to separate document authoring and the approval process from the snapshots which would live in a different Confluence space - in which you can have a different, tighter, permission setup. Also, a second synced space is, in a way, a backup layer in itself.

I agree with your 'at the mercy' argument, having said that, I've run the above setup (sans QMS) for 18 months and the only issues I experienced were related to my using that barebone workflow app version.

It might be worth exploring and I'm OK with discussing the details of my Confluence/App setup.

Disclaimer: I'm not working for Appfire or K15t.

Like # people like this
Oliver Eidel
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
June 6, 2024

Interesting, I didn't know about Scroll Documents, thanks!

Like # people like this
Matteo Gubellini _SoftComply_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 7, 2024

HI @Oliver Eidel ,

There are a few Apps in Confluence that do electronic signatures but admittedly not many with proper versioning. Scroll Documents is one of the few.

For our customers we initially had to create a dedicated App for Comala to report the Change History Table inside the page, with independent versioning. (see. Change History Table link).

Anyway, eventually we decided to create our own document management system, designed specifically for the MedTech sector (See Document Manager Link), with electronic signatures, versioning and everything else.

At SoftComply we also have Risk Management tools for Jira, while for requirements we heard good feedback on R4J, and Xray for test management.

Your recommendation about the Estonian standardization website is great, we always do the same with our customers and we purchased several standards ourselves there. The fact that you can buy single licenses rather than the whole thing saves a good bit of money.

Disclaimer: yes I'm with SoftComply!

Like # people like this
vgratsac
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
September 11, 2024

Hello @Oliver Eidel ,

Your article is really interesting and well argumented, thank you very much for that.

I simply regret that you forgot to mention your relation with OpenRegulatory. This disclaimer would have make your article even more transparent.

TAGS
AUG Leaders

Atlassian Community Events