Confluence for FDA Regulated Document Management

I am a long-time user and fan of Confluence and have recently moved to a new role in an FDA regulated environment. One of my primary goals is to help convert the existing paper-based document control system to an electronic system. I have looked into several off-the-shelf systems but they are all charging absurd amounts of money. Given what I know of Confluence, I think that it could be a very suitable system given that our organization implements the correct procedures around it. With that said, I have the following questions:

  1. Do you know of any existing customers who are using Confluence for Document Management in an FDA regulated environment?
  2. If so, would they be willing to discuss the validation process with us?
  3. Is Atlassian compliant to an international quality standard (for example, ISO 9001)? Would I be able to get a copy of any certification documents, as we would need these in the event that we are audited?
  4. Would Atlassian be willing to complete and return a vendor audit document to cover our FDA requirements?
  5. Is there any additional information that you might be able to provide?

I greatly appreciate any and all feedback that you could provide!

10 answers

1 accepted

Hi @jtabatabai,

We released a document that describes how some of our customers (Comalatech) achieve compliance with the FDA Title 21 CFR Part 11 regulatory requirements for Electronic Records and Electronic Signatures using Comala Workflows.

You can find it here. Check it out and let us know what you think. If you are also interested in ISO 9001, please contact us through our support system.

Kind regards,

Gorka

I hate to be the bearer of lots of bad news, but I'm afraid I won't be able to answer questions 1 or 2, as that would violate our privacy policies, but I can say that Atlassian is not certified by any of the Standards organizations. That's not to say that we couldn't pass certification, but we have not actively sought to be audited and certified.

We do not complete vendor audit documents as we don't have the resources to dedicate to such a task, but for more general queries, I would suggest contacting us at sales@atlassian.com.

@jtabatabai -

This is a very valid / good use case.

I think I could help you on this, to further your discovery/explore.

Our team has done some work in this area - and also understand the different concerns you describe well.

We have released CFR Part 11 Compliance E-Signatures (FDA) for JIRA, and happy to work with you on a Confluence version!

We have not released a Confluence product plugin yet b/c Part 11 compliance has a number of interpretations (massive spec!) and Confluence content is a bit more diverse in content types compared with JIRA (where all DB/transactional based).

Regardless of that though, happy to share our experiences and provide other insights (which is longer than a simple forum answer - involved!), at the development / solution level. Also provide some guidance on the validation doc you have, wrt Confluence/JIRA.

There are corps out there (e.g., pharma, medical, food supply, etc.) that are using JIRA/Confluence in this way now - I know.

My email is ellen@appfusions.com if you would like to discuss/vet more.

Best,

Ellen

p.s.

BTW - This is an especially favorite topic b/c I worked on a project where we'd designed a very complex DMP system with a large pharma in my earliest days as a consultant in the Atlassian space.

The beauty of JIRA - a powerful workflow engine with endless possibilities.. Confluence too!

p.p.s.

Also to echo Tim's comments:

"That's not to say that we couldn't pass certification, but we have not actively sought to be audited and certified."

This is true. Yes, possible, for sure!

Discussed this internally a bit further - and would like to add to my prior answer here. I will also email you, Jeff, and we can catch a call to discuss your SOP.

While base-JIRA and Confluence have not been officially certified, per se, they are being used at large health care companies, including large pharmas and biotechs.

The products are carefully documented and tested. The availability of the source code only makes it easier to audit if necessary. There are multiple ways to achieve compliance; here is one possible way designed to contain costs:

Step 1: We ensure your Confluence configuration satisfies E-Signature, Access Control and Traceability requirements. An early discussion with your QA rep may uncover your company's specific requirements (not sure if you are GMP, GLP, GCP or GDP). Then we develop supporting components to meet these needs (self-run, automated, auditor-run).

Step 2: Qualifying the installation of Confluence. This can be achieved by carefully documenting the installation steps, including your custom configuration (user access configuration, workflow configuration, etc.).

Step 3: Validating your functionality. This involves developing Validation Plan, System Requirements, Test Scripts and Traceability Metrics. Your Validation SOP may suggest other artifacts or steps, such as Performance Qualification.

Step 4: Meeting other requirements, for example a secure controlled hosted solution to further validate the environment and ongoing data security and integrity in preparation for auditor compliance.

AppFusions can help you through this process. It is our belief that high quality document management implementations should not cost an arm and leg.

Hi all,

So is this the end of Confluence and FDA? 

I hope not... what's the latest?

Regards,

Daniel

 

Not at all.  I was able to validate Confluence that was in line with our internal procedures and compliant with FDA regulations.  It is a great application and has been a major improvement for our organization.

Hi, @jtabatabai. I'm kind of in a similar situation as you are. Long time fan of Confluence, looking to set up an ISO13485 and CFR 21 Part 11-compliant QMS. The landscape of QMS software looks quite depressing to me, I would be very happy if there was a way we could connect and you'd tell how it worked out for you.

 

Thanks!

Hi @Ivan Tarapov

We have experience with customers using Confluence and Comala Workflows to comply with FDA Title 21 CFR Part 11. If you need further information or have doubts, drop us a line to support at comalatech dot com.

Regards

Hi,

@Jeff and others who may help ;-)

We are a small company active in control of drugs on the market (in fact one of our many activities).
We are ISO17025 compliant but still struggling with a full paper quality management system. We are now (at least) looking for an electronic document system for the management of our QMS.
I know ISO17025 (derived from ISO9000) is much less demanding than FDA but still we have to validate the system.
On the other side we are already using Confluence and Jira in our IT development team.
When the demand of an electronic QMS came to my ears, I thought naturally that Confluence was a valid option. I've already tested plugins like Workflows and I think everything we need is already in Confluence or in a plugin. Nevertheless, validation is a must.

There are especially 2 phases of the validation which are a bigger concern for me:

  • Design and implementation (coding)
  • Inspection & structural testing ('White-Box' testing)

I know the source code of Confluence is available but...

What's your experience with validating such software?

Any help would be greatly appreciated!

Thanks

We have just released a Confluence add in that provides a 'Page Quality' macro that can be used to address some of the key document quality concerns for content.

You can find it in the Atlassian Marketplace here: https://marketplace.atlassian.com/plugins/com.gumvillage.confluence.pagequality.pagequality

The following quality principles, particularly for printed versions, can be met using this macro:

  • The revision status and relevant changes can be shown
  • The original Confluence document is linked so readers can determine if their copy of the document is up to date, has been changed or is obsolete
  • The Approval button can help to approve documents before release

The information shown can include a number of useful page attributes such as who last modified the page, who the contributors are, the date changed, the page id etc.

Users can choose to use a preset default list of page information that can be set at a global or space level, or alternatively, the page information can be set at the page level using the macro's options.

The macro also has a simple page approval feature. Users can note their approval of a particular version of a page by clicking on the 'Approve' button. Pages can be unapproved in a similar way.

Hi jatabatabai

We have just released an eQMS plugin for Confluence with a full integrated quality system for Medical Devices. 

https://marketplace.atlassian.com/plugins/ee.softcomply.qms.confluence-blueprints/server/overview

It contains full guidance for FDA's 21 CFR compliance

Regards

Matteo

For Confluence Cloud users: you might find this add-on useful. It's an electronic signing tool that can help with 21 CFR Part 11 compliance.

https://marketplace.atlassian.com/plugins/electronic-signing-cc/cloud/overview

Hello,

Very interesting topics covered in the log so far. 

We are using Jira and Confluence as our software development tools. When we started using these tools, we never thought we might use them for Medical device clearance. Please suggest how I can validate these tools to meet FDA requirements.

Thanks,

Bhupinder

Hello Bhupinder,

Confluence can be used as a document management system for your QMS or the technical documentation. 

Jira can be used as requirement management system coupled with BitBucket, Bamboo and other tools. Jira will manage the workflow and the traceability to requirements. Jira is anyway so flexible it can be used for other purposes. We have an add-on for risk management of medical devices https://marketplace.atlassian.com/plugins/com-softcomply-riskmanager-cloud/cloud/overview

Regarding the validation itself, it's not an impossible task for either platform. The FDA guidance at this link https://www.fda.gov/MedicalDevices/ucm085281.htm provides a good starting point.

We have also put together a small article regarding validation of cloud tools https://softcomply.com/fda-compliance-and-the-cloud-tools/

Specifics of validation of each tool are too complex to be discussed in a blog post, but as a rule of thumb the steps are:

1) Define requirements

2) Assess risk

3) Create a validation plan. IQ and OQ at a minimum, and maybe even PQ to stress the environment.

Regards

 

Matteo

 


Hi Matteo

I'm really interested in your eQMS add on for Confluence, but only have the Cloud version.  Will you be developing a similar tool for Confluence Cloud?

Thanks

Bev
