Computerized System Validation in ISO 9001:2015

Chris G

Registered
Hi everyone,
as part of our software development, which has to be done compliant to ISO 9001:2015, we are planning to use Jira to maintain parts of our documented information.
A colleague now suggested we would have to do a validation of Jira, because it is an externally provided tool. Specifically in the sense of a computerized software validation like in ISO 13485:2016.

Is that correct?
 

Randy

Super Moderator
What are you using now or when you got your certs, did you validate it?

If you're just using MS Windows/Office did you validate it?

The short answer is NO, unless you're having problems maintaining, securing and retrieving
 

Chris G

Registered
What are you using now or when you got your certs, did you validate it?

If you're just using MS Windows/Office did you validate it?

The short answer is NO, unless you're having problems maintaining, securing and retrieving
Now we are using Templates created in Word or Confluence. Those have been validated, but that is because these tools are also used in development of products under the 13485 cert. There have been no problems until now in regard to the performance of the tool.
 

Tidge

Trusted Information Resource
I haven't used JIRA on a software project for quite some time, but I can offer a quick assessment from this description:
Hi everyone,
as part of our software development, which has to be done compliant to ISO 9001:2015, we are planning to use Jira to maintain parts of our documented information.
JIRA has a lot of functionality, but the only elements that require validation IMO are the controls/functions related to the integrity and availability of the records kept in JIRA.

Some specifics: If JIRA is only going to be used to keep track of issues, you probably want some controls on who can create/modify/transition issues, and generate some assurance that the controls work as intended.
 

Tagin

Trusted Information Resource
For 9001, I would think what would be applicable is:
  • 8.4 - control of outsourced service
  • 7.5 - control of documented information
    • 7.5.3.2b - what if Jira becomes unavailable? (they get cyberattacked, go out of business, drop the product, etc.)
  • 8.3.4 - D&D controls
Software validation - in the sense of 13485 - would not be required, unless you deem the risk requires it. But you have existing history of using Jira, so to me that provides you with the evidence that risk of its features working incorrectly or unreliably is low. (I misread - I thought you were already using Jira.)
 

geoffairey

Involved In Discussions
Are you talking about ensuring that the product meets your operational needs, or was the conversation in line with Security requirements?

Each has different requirements.

From 9001, you’re making a change to use a different tool, so adoption of a new tool would be a change and should be managed as such.
For Security/ISO 27001 you need to ensure that Jira will meet your company’s security requirements including any laws, e.g. GDPR.
 

Chris G

Registered
Thank you everyone for providing me with input to think about!

Some specifics: If JIRA is only going to be used to keep track of issues, you probably want some controls on who can create/modify/transition issues, and generate some assurance that the controls work as intended.
Yes, that is true. We should do a risk-based validation of the workflow to be used.


For 9001, I would think what would be applicable is:
  • 8.4 - control of outsourced service
  • 7.5 - control of documented information
    • 7.5.3.2b - what if Jira becomes unavailable? (they get cyberattacked, go out of business, drop the product, etc.)
  • 8.3.4 - D&D controls
Software validation - in the sense of 13485 - would not be required, unless you deem the risk requires it. But you have existing history of using Jira, so to me that provides you with the evidence that risk of its features working incorrectly or unreliably is low. (I misread - I thought you were already using Jira.)
Section 8.4 was referenced to me as well, but I am struggling to understand how it applies here, because 8.4.1 a), b) and c) do not apply to using Jira for development of the product. Am I missing something here?

  • 7.5.3.2b - what if Jira becomes unavailable? (they get cyberattacked, go out of business, drop the product, etc.)
We are using the "Server" edition, so it is actually hosted by us and controlled by our IT department.

Are you talking about ensuring that the product meets your operational needs, or was the conversation in line with Security requirements?
My main concern is being compliant to the requirements regarding documented information.

From 9001, you’re making a change to use a different tool, so adoption of a new tool would be a change and should be managed as such.
In the sense of section 6.3 or 8.5.6?
 

Tagin

Trusted Information Resource
Section 8.4 was referenced to me as well, but I am struggling to understand how it applies here, because 8.4.1 a), b) and c) do not apply to using Jira for development of the product. Am I missing something here?


We are using the "Server" edition, so it is actually hosted by us and controlled by our IT department.

Ah, I had assumed it was the cloud version. In your case, it is not an outsourced service, so 8.4 doesn't really apply. They are still a provider (of updates, bug fixes, and support, to the extent applicable to you).



My main concern is being compliant to the requirements regarding documented information.


In the sense of section 6.3 or 8.5.6?

As stated in TS9002:2016 8.5.6, 6.3 and 8.5.6 are intertwined:
The intent of this subclause is to ensure that the organization reviews and controls changes that occur during the production and service provision, in alignment with the provisions determined during the planning of the quality management system (see ISO 9001:2015, 6.3).

So, here is where the documented information requirements changes (6.3) intertwine with the implementation of this software development tool (8.5.6). So, you are already in the mindset of addressing both things simultaneously!
 