I am a long time user and fan of Confluence and have recently moved to a new role in an FDA regulated environment. One of my primary goals is to help convert the existing paper-based document control system to an electronic system. I have looked into several off-the-shelf systems but they are all charging obsurd amounts of money. Given what I know of Confluence, I think that it could be a very sutiable system given that our organization implements the correct procedures around it. With that said I have the following questions;
I greatly appreciate any and all feedback that you could provide!
We released a document that describes how some of our customers (Comalatech) achieve compliance with the FDA Title 21 CFR Part 11 regulatory requirements for Electronic Records and Electronic Signatures using Comala Workflows.
I hate to be the bearer of lots of bad news, but I'm afraid I won't be able to answer questions 1 or 2, as that would violate our privacy policies, but I can say that Atlassian is not certified by any of the Standards organizations. That's not to say that we couldn't pass certification, but we have not actively sought to be audited and cerfied.
We do not complete vendor audit documents as we don't have the resources to dedicate to such a task, but for more general queries, I would suggest contacting us at email@example.com.
This is a very valid / good use case.
I think I could help you on this, to further your discovery/explore.
Our team has done some work in this area - and also understand the different concerns you describe well.
We have released CFR Part 11 Compliance E-Signatures (FDA) for JIRA, and happy to work with you on a Confluence version!
We have not released a Confluence product plugin yet b/c Part 11 compliance has a number of interpretations (massive spec!) and Confluence content is a bit more diverse in content types compared with JIRA (where all DB/transactional based).
Regardless of that though, happy to share our experiences and provide other insights (which is longer than a simple forum answer - involved!), at the development / solution level. Also provide some guidance on the validation doc you have, wrt Confluence/JIRA.
There are corps out there (e.g., pharma, medical, food supply, etc.) that are using JIRA/Confluence in this way now - I know.
My email is firstname.lastname@example.org if you would like to discuss/vet more.
BTW - This is an especially favorite topic b/c I worked on a project where we'd designed a very complex DMP system with a large pharma in my earliest days as a consultant in the Atlassian space.
The beauty of JIRA - a powerful workflow engine with endless possibilities.. Confluence too!
Also to echo Tim's comments:
"That's not to say that we couldn't pass certification, but we have not actively sought to be audited and cerfied."
This is true. Yes, possible, for sure!
Discussed this internally a bit further - and would like to add to my prior answer here. I will also email you Jeff and we can catch a call to discuss your SOP.
While base-JIRA and Confluence have not been officially certified, per se, they are being used at large health care companies, including large pharmas and biotechs.
The products are carefully documented and tested. The availability of the source code only makes it easier to audit if necessary. There are multiple ways to achieve compliance; here is one possible way designed to contain costs:
Step 1: We ensure your Confluence configuration satisfies E-Signature, Access Control and Traceability requirements. An early discussion with your QA rep may uncover your company's specific requirements (not sure if you are GMP, GLP, GCP or GDP). Then we develop supporting components to meet these needs (self-run, automated, auditor-run).
Step 2: Qualifying the installation of Confluence. This can be achieved by carefully documenting the installation steps, including your custom configuration (user access configuration, workflow configuration, etc.).
Step 3: Validating your functionality. This involves developing Validation Plan, System Requirements, Test Scripts and Traceability Metrics. Your Validation SOP may suggest other artifacts or steps, such as Performance Qualification.
Step 4: Meeting other requirements, for example a secure controlled hosted solution to further validate the environment and ongoing data security and integrity in preparation for auditor compliance.
AppFusions can help you through this process. It is our belief that high quality document management implementations should not cost an arm and leg.
Hi, @jtabatabai. I'm kind of in a similar situation as you are. Long time fan of Confluence, looking to set up an ISO13485 and CFR 21 Part 11 -compliant QMS. The landscape of QMS software looks quite depressing to me, I would be very happy if there was a way we could connect and you'd tell how it worked out for you.
@Jeff and others who may help ;-)
We are a small company active in control of drugs on the market (in fact one of our many activities).
We are ISO17025 compliant but still struggling with a full paper quality management system. We are now (at least) looking for an electronic document system for the management of our QMS.
I know ISO17025 (derived from ISO9000) is much less demanding than FDA but still we have to validate the system.
On the other side we are already using Confluence and Jira in our IT development team.
When the demand of an electronic QMS came to my ears, I thought naturally that Confluence was a valid option. I've already tested plugins like Workflows and I think everything we need is already in Confluence or in a plugin. Nevertheless, validation is a must.
There are especially 2 phases of the validation which are a bigger concern for me:
I know source code of confluence is available but...
What's your experience with validating such a software ?
Any help would be greatly appreciated!
We have just released a Confluence add in that provides a 'Page Quality' macro that can be used to address some of the key document quality concerns for content.
You can find it in the Atlassian Marketplace here: https://marketplace.atlassian.com/plugins/com.gumvillage.confluence.pagequality.pagequality
The following quality principles, particularly for printed versions, can be met using this macro:
The information shown can include a number of useful page attributes such as who last modified the page, who the contributors are, the date changed, the page id etc.
Users can choose to use a preset default list of page information that can be set at a global or space level, or alternatively, the page information can be set at the page level using the macro's options.
The macro also has a simple page approval feature. Users can note their approval of a particular version of a page by clicking on the 'Approve' button. Pages can be unapproved in a similar way.
We have just released an eQMS plugin for Confluence with a full integrated quality system for Medical Devices.
It contains full guidance for FDA's 21 CFR compliance
For Confluence Cloud users: you might find this add-on useful. It's an electronic signing tool that can help with 21 CFR Part 11 compliance.
Very interesting topics covered in the log so far.
We are using Jira, Confluence as our software development tools. When we start using these tools, we never thought we might use these tools for Medical device clearance. Please suggest me how can I validate these tools to meet FDA requirements.
Confluence can be used as a document management system for your QMS or the technical documentation.
Jira can be used as requirement management system coupled with BitBucket, Bamboo and other tools. Jira will manage the workflow and the traceability to requirements. Jira is anyway so flexible it can be used for other purposes. We have an add-on for risk management of medical devices https://marketplace.atlassian.com/plugins/com-softcomply-riskmanager-cloud/cloud/overview
Regarding the validation itself, it's not an impossible task for either platforms. The FDA guidance at this link https://www.fda.gov/MedicalDevices/ucm085281.htm provides a good starting point.
We have also put together a small article regarding validation of cloud tools https://softcomply.com/fda-compliance-and-the-cloud-tools/
Specifics of validation of each tool are too complex to be discussed in a blog post, but as a rule of thumb the steps are:
1) Define requirements
2) Assess risk
3) Create a validation plan. IQ and OQ at a minimum, and maybe even PQ to stress the environment.
Check SoftComply products
Regarding your sentence: Regarding the validation itself, it's not an impossible task for either platforms. The FDA guidance at this link https://www.fda.gov/MedicalDevices/ucm085281.htm provides a good starting point.
This link isn't working. Do you know where similar/the same information might currently be?
We are also trying to manage documentation of medical devices in FDA Part 11 compliant way with Confluence and Comalatech Workflow. One big issue that is an unsolved blocker for us is the problem that you can display eg an image in your page that is actually an attachment of another page. A reader/reviewer/approver will not notice unless he checks every link using the edit mode. Even if you set your page permissions to read-only once it has been approved, you can still change the image/attachment of the other page and therewith indirectly the content of locked page. Also, you cannot configure Confluence so that you cannot use attachments of other pages. All events triggered when an attachment is updated go only to the page it is attached to and not to any other page referring to this attachment. I cannot imagine a way to circumvent this issue unless you lock the entire database with a final approval. If you are already using Confluence in a FDA Part 11 compliant setting, how did you solve this issue?
We are in a similar situation and decided to state in a SOP/work instruction to not use attachments from other pages. Additionally, every attachment has to be uploaded as a new version and needs to come with a change on the page. This is due to Confluence always linking to the most current version of an attachment and due to uploading attachments does not trigger a new page version.
Otherwise this is a major issue when looking through the page: a page version can be both, draft and effective. Also, old page versions will always link to the most current attachment/image which can falsify old records.
We might solve this at a later stage with a custom add-on.
Leave your contact if you need more information.
I'm product manager in Comalatech, the company behind Comala Workflows. We are working on a new feature to save snapshots of the approved pages i.e., frozen versions of the pages when those were finally approved. Please, create a support ticket https://comalatech.jira.com/servicedesk/ so I can follow up there.
That sounds interesting! We have experimented with a proprietary plugin that generates a PDF export of a page once a page reaches the approved state. The PDF is attached to its source page and we have a document header on the page which has links to the pdf as well as to the history of all electronic signatures. The problem with our approach is that you have to argue that users should read the authoritative PDF exports, but in practice, they are of course reading the confluence page. It would be much nicer if there would be a solution that allows users to only consider the Confluence page if they are looking for regulative relevant information.
I have created SUPPORT-823
Thanks for your support!
As an alternative to the PDF-based approach, as mentioned on this thread, you can also use a third-party app, Scroll Documents (to be clear: I work for the developer of this app), to save versions of multi-page documents directly in Confluence. You can then view and share these versions from within Confluence itself at any later time.
Scroll Documents is currently only available on Confluence Cloud, but we’re currently developing a server version too (in the server version, versions will be saved as static content, so you also don’t have to worry about content from dynamic macros changing in the future). To keep updated and get more info about the server version, please sign up on our website and you’ll be the first to know when it's ready.
Two vulnerabilities have been published for Confluence Server and Data Center recently: March 20, 2019 CVE-2019-3395 / CVE-2019-3396 April 17, 2019 CVE-2019-3398 The goal of this article is...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs