What JIRA Software workflows you use for your software lifecycle?

arronar

Registered
Hi everybody.

I work to a company that will produce software for medical devices. We are at the stage trying to understand and incorporate the I.E.C 62304 to our day to day actions. By reading on the internet is seems that JIRA Software is a good candidate for managing the whole software lifecycle.

So far I have made a specific JIRA workflow for the problem reporting/resolution (see below) procedure.

JunXLnO.png

I was wondering now what kind of workflow will I need to develop for the development part. By default JIRA provides you with the following workflow for the development board.
x0CzYHi.png
According to your experience, is this sufficient or should be more complex (i.e add code-review, verification steps )? What kind of workflows do you use for that case?
 

shimonv

Trusted Information Resource
My two cents:
Jira should be aligned with your software development procedure.
The screenshot below (from IEC 62304) describes the software development procedure as a whole.
Some things can be done in Jira and some are best handled as QA documents (e.g. development handling, and software release).

Shimon

Screen Shot 2022-03-26 at 18.20.55.png
 

arronar

Registered
Thanks for the prompt reply.
I suppose you mean that except from JIRA Software one might need to use either Confluence (for the documents) or Office Word etc. Sure I totally agree. But based on the image you posted, I'm wondering what kind of workflow do you use for the 5.5 Clause. I mean, ok, I got that 5.1-5.4 clauses are more document based but in my opinion 5.5 needs to be transformed into a JIRA workflow because it's the implementation stage of the software. Am I missing something here?
 

yodon

Leader
Super Moderator
A lot depends on your team culture. For example, we have a fairly small team with pretty deep experience in software development for medical devices. They know to do things like the code reviews and unit (re)verification and do these things without prompting. If you have a large team with not much medical device experience, you may well want to put triggers in to help ensure those things are done.

One thing to note is that the basic Jira workflow as you show is development-centric. If you look at section 6 in the standard, it is at a little higher level. I think many companies have an ECO process to cover section 6 and then the software change control process (per the Jira workflow) to cover section 9

One other note: between 62304 and 13485 (and possibly other standards / regulations you're under), you will likely need to update Jira to collect more data than what is provided out of the box.
 

shimonv

Trusted Information Resource
Section 5.5 (software unit implementation and verification) is more suited for Jira and the workflow is straightforward.
The acceptance criteria and the results can be logged in Jira.
 

srkn14

Involved In Discussions
Is it a common practice to Validate JIRA(csv per GAMP) if it is used purely for Software development activities( per IEC 62304) for SaMD?

Thank you
 

yodon

Leader
Super Moderator
I would assert that Jira does need to be validated as it is a computer system that is used in the execution of your quality system. (Further, depending on your use, you may fall under Part 11 if you distribute in the US.)

But why this caveat:


There's no definitive approach to CSV and I think there's some general believe that applying GAMP to CSV is a bit of a square peg / round hole situation (with enough force, you can make it work).

FDA has actually addressed this in the DRAFT guidance for Computer Software Assurance. I'm rather a fan of the approach as it allows some common sense - especially for widely-used commercial applications like Jira.
 

Tidge

Trusted Information Resource
Is it a common practice to Validate JIRA(csv per GAMP) if it is used purely for Software development activities( per IEC 62304) for SaMD?

It's been a while since I worked within JIRA, but IIRC a typical workflow involves 'issue tracking'... there is an opportunity for verbal gymnastics on the difference between "issues" and "issues", but I would offer even-money odds that if you mentioned JIRA and issue tracking together, that a regulatory authorities eyebrows could be raised.

I (personally) wouldn't worry so much about JIRA (as a software tool), but I would worry about the controls around the use of JIRA... and a software validation assessment would speak to those. For example, the last project I worked on used JIRA, but anyone could create/close issues. Typically it is necessary to submit an anomalies list with a software submission, and so some controls have to be implemented, even for SaMD. For us, the unresolved JIRA issues were transitioned into our more tightly controlled issue-tracking system.
 

srkn14

Involved In Discussions
It's been a while since I worked within JIRA, but IIRC a typical workflow involves 'issue tracking'... there is an opportunity for verbal gymnastics on the difference between "issues" and "issues", but I would offer even-money odds that if you mentioned JIRA and issue tracking together, that a regulatory authorities eyebrows could be raised.

I (personally) wouldn't worry so much about JIRA (as a software tool), but I would worry about the controls around the use of JIRA... and a software validation assessment would speak to those. For example, the last project I worked on used JIRA, but anyone could create/close issues. Typically it is necessary to submit an anomalies list with a software submission, and so some controls have to be implemented, even for SaMD. For us, the unresolved JIRA issues were transitioned into our more tightly controlled issue-tracking system.[/QUO

Hello Tidge,
appreciate if you can elaborate on the "some controls" in this case as I can think of Role based user access and system operational and administrative procedural controls.

You information helps confirm if I am doing right.

Thank you
 

srkn14

Involved In Discussions
I would assert that Jira does need to be validated as it is a computer system that is used in the execution of your quality system. (Further, depending on your use, you may fall under Part 11 if you distribute in the US.)

But why this caveat:



There's no definitive approach to CSV and I think there's some general believe that applying GAMP to CSV is a bit of a square peg / round hole situation (with enough force, you can make it work).

FDA has actually addressed this in the DRAFT guidance for Computer Software Assurance. I'm rather a fan of the approach as it allows some common sense - especially for widely-used commercial applications like Jira.

You are right, we may be over doing things but our corporate CSV procedure is developed per GAMP Methodology and hence we have to follow that.

(Further, depending on your use, you may fall under Part 11 if you distribute in the US.), I may need to understand further on "when do we fall under part11 and ER/ES and show our compliance". I read the "Guidance for Industry for Part 11 ER/ES" several times and do not have a clarity. our QA says that "system login is equal to electronic signatures" which I do not agree with.
Part 11 Electronic Records Electronic Signatures Scope and Application

Appreciate your input.
 
Top Bottom