Overview

In this article, we will describe how our tools help at different stages of establishing & improving the compliant QMS, using the PDCA cycle (Plan, Do, Check, Act) as the guideline. 

Plan

This stage is about strategic design of the QMS structure and its processes. We will focus on a few popular universal standards, namely ISO 9001, 27001, and 31000.

ISO 9001

This standard sets out the criteria for a QMS and applies to the organizations engaged in design, development, production, and servicing of goods (i.e., to most software development organizations).

...

In this article (this section and beyond), we will dive deeper into principles 3-6.

Engagement of people

There are two important components to this principle: empowerment/competence and collaboration.

...

• Artifacts can be shared in a variety of formats.
  
  
• Comments and evidence can be added to all Xray issue-based entities (e.g., Tests) and also to Test Runs. 

Process approach and Improvement

The effectiveness of the quality management approach depends on how thoroughly it is integrated into all facets of your organization. Having the Atlassian ecosystem as the single source of truth significantly simplifies this process aspect.

...

• Different deployment versions (Server/DC and Cloud) with the seamless connectivity between Jira and Xray
• Flexible ways for organizing your project related items (all-in-one vs testing entities separately)
• Different levels of objectives with traceability and quality gates
• Improved visibility into interrelated tasks with proper assignments and notifications
• Establish KPIs and quantifiably measure them
• add custom fields to any entity (e.g. probability, severity, performance thresholds)
• implement additional customizations (e.g., ScriptRunner, Automation for Jira)
• integrate with other Jira apps to widen the feature set provided by our tools

Evidence-based decision making

This principle is primarily enabled by detailed reports and formats that promote easier visibility and awareness. With Jira and Xray, you can export data in compliance-focused, human-readable formats and automate data snapshots.

...

“Easy to make reports, diagnosis is quick and straightforward. The FDA submission requires specification reports and traceability reports. Jira Snapshots compiles these reports from the Jira and Xray data, avoiding burdening the team.”

Caris Life Sciences Success Case

ISO 27001

This standard establishes the requirements for an information security management system. ISO 27001 focuses primarily on maintaining the confidentiality, integrity, and availability of information: 

Confidentiality and Information integrity

To support confidentiality and information integrity principles, Jira and Xray allow you to: 

...

Atlassian is ISO 27001 certified. Xray holds a SOC 2 Type 2 certification.

Availability of data

With Xray, you can ensure data persistence without tampering, maintain history visibility, and track changes.

...

ISO 31000

This standard family sets the guidelines for engaging in Enterprise Risk Management (ERM). It provides guidance on how to identify, assess, treat, and communicate risks.

ISO 31000 cannot be used for certification purposes directly. But organizations can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.

Risk definition & mitigation

ISO 31000 defines risk as the “effect of uncertainty on objectives”. There are three key concepts: 

...

We will dive deeper into this topic when discussing the ISO 26262 standard later on.

Do, Check, Act

The Do stage of PDCA is more about the tactical implementation of the QMS. Check and Act stages detail how the quantified results are processed. The goals are to determine the effectiveness and efficiency of each process toward its objectives, to communicate these findings to the stakeholders, and to develop new best practices based on the audit.

...

IATF 16949

This standard is an ISO 9001 interpretation agreed upon by major American and European automotive manufacturers. It focuses on the avoidance of errors (not on the discovery) and defines the requirements for the development, production, and installation of automotive-related products. It is more about hardware, while ASPICE covers software.

...

• Advanced Product Quality Planning (APQP)
• Failure Mode and Effects Analysis (FMEA)
• Statistical Process Control (SPC)
• Measurement Systems Analysis (MSA)
• Production Part Approval Process (PPAP)

ISO 26262

The standard covers functional safety in the automotive industry and provides the definition as “the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems”. The standard covers the entire lifecycle of a safety-related system and outlines a risk-based approach to developing and implementing such systems in road vehicles.

...

The access controls and the data integrity measures mentioned previously enable efficiency and transparency in the Verification and Validation processes covered by this standard. We will focus on the Verification level here and talk more about Validation in the ASPICE section.

Requirements

Define what a requirement is and its relevant metrics

...

• inhibiting transition of the Test Plan workflow status, unless all tests or a certain % are passing
• can be accomplished with the combination of ScripRunner and Xray REST API or custom field

Coverage and traceability

Guarantee requirements coverage

...

You can also handle reports focused on custom metrics. For example, one of the items for ISO 26262 compliance is estimating random failure rates over the lifetime of the device (Failure Rate= R/T, where R is the number of failures and T is total time). You can start by customizing a template (from scratch or from the template store) to fit your compliance requirements, with all the data to be embedded, logos, and other information (e.g., legal disclaimers). Then Xporter can use a JQL function to get a list of defect-type issues and perform the count on it (or you can consider this snippet option which is a bit trickier).

ASPICE

The abbreviation stands for “Automotive Software Process Improvement and Capability dEtermination”. It is a domain-specific variant of the international standard ISO/IEC 15504. The underlying SPICE framework is based on the ISO/IEC 12207 software development standard and is tailored specifically to the needs of the automotive industry. In general, ASPICE builds on the V-Model of software development.

...

Given the overlap mentioned, we are going to focus on the aspects we didn’t cover in the ISO 26262 section, specifically the process reference model and its validation/testing aspects.

Testing techniques

For the testing side of the ASPICE model, given the complexity of modern enterprises, all types of testing are necessary, with efficient coordination between them. No matter which approaches teams choose or the tools they prefer for test automation and CI/CD goals, it is essential to enable all of them in a frictionless way. And our suite of tools is flexible enough to do that.

...

Execution

Once the test suite is established, you can launch the execution directly from Jira (for both manual and automated types). Regardless of the testing approach or execution type, Xray can provide visibility of testing results, including evidence, in one place for faster feedback loops.

...