Medical device companies must acquire either a CE mark to sell their products in the EU or FDA approval for the US market. These regulatory audits involve rigorous planning and documentation management; for medical device companies, this means assembling a Design Technical File and providing evidence that the company operates within an ISO 13485 compliant Quality Management System (QMS).

In other words, teams must prove that they know what they are doing by demonstrating consistency in software development, as opposed to achieving success through luck.

Why Jira Users Should Consider Using Confluence As Their QMS

The tight integration between Confluence and Jira Software means that issues can be accessed with ease from the Confluence page for status updates, and links to related Confluence pages can be viewed within Jira Software.

Many companies use Jira for their medical device development before even implementing a Quality Management System.

There are many standalone QMS solutions on the market, and some of them link with Jira, but these only pull the information from Jira into their own platform.

Confluence enables businesses to continue their work in Jira and link issues directly to pages in Confluence and vice versa. These links support full traceability between requirements and issues in Jira and the QMS records in Confluence.

Confluence For Collaborative Document Management Across Organizations

Confluence Tile

Confluence is more than a mere editor like Word, it supports the management of documents for aspects such as versioning, links, references, grouping in spaces, and so on.

Confluence is a Document Management System (DMS) where the QMS lives.

Signing electronic documents is a natural expectation of an Electronic Document Management System, and while Confluence does not have a built-in signature capability, there are several Atlassian Marketplace apps, such as those created by Comalatech, that fill this gap.

Building A Compliant QMS In Confluence

Medical devices, like other safety-critical products, can be very complex and so are often developed by distributed teams or by businesses working together in partnerships.

In order to pass regulatory approval, detailed specifications must be recorded, this includes logging any approved changes. Regulatory audits require a documented historical trail, for example, a history of changes requested, approved, or implemented throughout the development life cycle. Manual documentation control can be successful but often leads to cumbersome processes with human error likely to occur within larger projects.

Although this process can be extremely complicated and interconnected between bigger teams, the standard requirements for Document Control are actually quite simple.

These requirements, described in ISO 13485:2016 §4.2.4, §4.2.5, and FDA 21 CFR 820.40, are summarized below:

  1. Documents must be reviewed and approved, i.e. have signatures (electronic or handwritten) and include a date;
  2. If reviewed or modified, they must be re-approved;
  3. Each document must have a revision clearly displayed on it;
  4. Each document should be clearly identified as a draft, released or not, obsolete (other states are possible; these are the minimum requirements);
  5. Documents must be available for people who need and use them;
  6. Documents must remain legible;
  7. The company must prevent documents from becoming lost or damaged;
  8. Obsolete documents cannot and should not be used,
  9. External documents (e.g. standards, regulations) must be controlled;
  10. Changes must be approved by the same function(s) (e.g. R&D) as the initial approval or equivalent; a record of changes shall be kept.
  11. Documents must be retained for the life of the device, but not less than records generated by these documents; (e.g.: SOP-AA-bbb gives guidance on how to fill in FORM-cccc; FORM-cccc was used to document the test of product X; thus SOP-AA-bbb cannot be destroyed until the end of life of product X (but it can be retired/obsolete). Note: specific jurisdictions and devices may have higher or different requirements.
  12. Records (e.g. completed forms, results, etc.) follow the same principles;
  13. Records must be retained for the life of the device if no less than 2 years. Note: specific jurisdictions and devices may have higher or different requirements.
  14. There must be procedures that control the Document Management process.

Obviously, all of this can be done manually, but with distributed teams and larger projects, digital Document Control Systems with e-signatures are the most convenient solution.

Both FDA and ISO 13485 require a Document Control System that demonstrates product safety and reliability. Automated systems drive processes that integrate workflow and data capture with applications, databases, notifications, and tracking. 

Getting rid of paper and investing in the right electronic solution not only enhances digital documentation handling but increases the likelihood of regulatory compliance.

The biggest roadblock for electronic records and signatures is compliance with FDA 21 CFR 11.

Document Management Systems with e-signatures must abide by certain requirements in the medical devices industry, such as preservation of data, availability, access control, and more. These requirements are relatively loose in Europe, but FDA 21 CFR 11 in the US lists a number of detailed clauses that make it nontrivial to comply with. While having the eQMS on Confluence Cloud with a basic electronic signature app may be sufficient for the EU, the US market requires a more complex ecosystem.

Medicompli

The MediCompli solution is what’s needed for the US market. It expands and configures the Confluence Document Management System to be fully FDA 21 CFR 11 compliant. MediCompli comes with a pre-installed SoftComply eQMS for completeness and extends the SoftComply eQMS with FDA-compliant Document Approval, CAPA, Training, Change Request Workflows and Compliant Access Management.

Hosting Options

Atlassian tools

All of this is hosted on AWS so there’s no need to worry about maintaining servers or applying security patch updates.

Clearvision (now part of Eficode) is an ISO 27001 accredited Atlassian and AWS partner, which means teams can rest assured their tools are in safe hands.

Published: Jun 24, 2020

Updated: Jun 22, 2023

Atlassian