Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents


In this article, we will describe how our tools help at different stages of establishing & improving the compliant QMS, using the PDCA cycle (Plan, Do, Check, Act) as the guideline. 


This stage is about strategic design of the QMS structure and its processes. We will focus on a few popular universal standards, namely ISO 9001, 27001, and 31000.

ISO 9001

This standard sets out the criteria for a QMS and applies to the organizations engaged in design, development, production, and servicing of goods (i.e., to most software development organizations).


In this article (this section and beyond), we will dive deeper into principles 3-6.

Engagement of people

There are two important components to this principle: empowerment/competence and collaboration.


  • Artifacts can be shared in a variety of formats.

  • Comments and evidence can be added to all Xray issue-based entities (e.g., Tests) and also to Test Runs. 

Process approach and Improvement

The effectiveness of the quality management approach depends on how thoroughly it is integrated into all facets of your organization. Having the Atlassian ecosystem as the single source of truth significantly simplifies this process aspect.


  • Different deployment versions (Server/DC and Cloud) with the seamless connectivity between Jira and Xray
  • Flexible ways for organizing your project related items (all-in-one vs testing entities separately)
  • Different levels of objectives with traceability and quality gates
  • Improved visibility into interrelated tasks with proper assignments and notifications
  • Establish KPIs and quantifiably measure them
    • add custom fields to any entity (e.g. probability, severity, performance thresholds)
    • implement additional customizations (e.g., ScriptRunner, Automation for Jira)
    • integrate with other Jira apps to widen the feature set provided by our tools

Evidence-based decision making

This principle is primarily enabled by detailed reports and formats that promote easier visibility and awareness. With Jira and Xray, you can export data in compliance-focused, human-readable formats and automate data snapshots.


“Easy to make reports, diagnosis is quick and straightforward. The FDA submission requires specification reports and traceability reports. Jira Snapshots compiles these reports from the Jira and Xray data, avoiding burdening the team.”

Caris Life Sciences Success Case

ISO 27001

This standard establishes the requirements for an information security management system. ISO 27001 focuses primarily on maintaining the confidentiality, integrity, and availability of information: 

Confidentiality and Information integrity

To support confidentiality and information integrity principles, Jira and Xray allow you to: 


Atlassian is ISO 27001 certified. Xray holds a SOC 2 Type 2 certification.

Availability of data

With Xray, you can ensure data persistence without tampering, maintain history visibility, and track changes.


  • In order to enable auditing and facilitate diagnosis, data must be stored, and changes, whenever applicable, need to be clearly identified. In Xray, all data is persisted and can be easily tracked using a historical timeline. You can even monitor individual test step modifications - if a step is changed, the record gets into the Xray Test History tab on the Test issue screen (under Activity).

Image RemovedImage Added

  • Historical results (i.e. Test Run details) cannot be modified. The same applies to past changes made on Jira issue-based entities.
    • If a Test changes, the recorded results don't. A warning appears in case the user is still allowed to rerun the test. If they are not allowed (because the Test Execution issue is resolved) then the execution cannot even be restarted. 

Image RemovedImage Added


SOC 2 is similar in its goals & controls and includes five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. The features described above also align with the sample SOC2 checklists.

ISO 31000

This standard family sets the guidelines for engaging in Enterprise Risk Management (ERM). It provides guidance on how to identify, assess, treat, and communicate risks.

ISO 31000 cannot be used for certification purposes directly. But organizations can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.

Risk definition & mitigation

ISO 31000 defines risk as the “effect of uncertainty on objectives”. There are three key concepts: 


We will dive deeper into this topic when discussing the ISO 26262 standard later on.

Do, Check, Act

The Do stage of PDCA is more about the tactical implementation of the QMS. Check and Act stages detail how the quantified results are processed. The goals are to determine the effectiveness and efficiency of each process toward its objectives, to communicate these findings to the stakeholders, and to develop new best practices based on the audit.

As these stages build on top of the strategic design one described above, we will focus more on the unique aspects and “hands-on” examples. We will analyze will review the popular standards specific to the automotive sector, namely IATF 16949, ISO 26262, and ASPICE, to more closely analyze the requirements to achieve compliance.



For the examples from the medical sphere, please refer to the success cases from Caris Life Sciences and MyndTec as well as this webinar.

IATF 16949

This standard is an ISO 9001 interpretation agreed upon by major American and European automotive manufacturers. It focuses on the avoidance of errors (not on the discovery) and defines the requirements for the development, production, and installation of automotive-related products. It is more about hardware, while ASPICE covers software.


  • Advanced Product Quality Planning (APQP)
  • Failure Mode and Effects Analysis (FMEA)
  • Statistical Process Control (SPC)
  • Measurement Systems Analysis (MSA)
  • Production Part Approval Process (PPAP)

ISO 26262

The standard covers functional safety in the automotive industry and provides the definition as “the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/electronic systems”. The standard covers the entire lifecycle of a safety-related system and outlines a risk-based approach to developing and implementing such systems in road vehicles.


The access controls and the data integrity measures mentioned previously enable efficiency and transparency in the Verification and Validation processes covered by this standard. We will focus on the Verification level here and talk more about Validation in the ASPICE section.


Define what a requirement is and its relevant metrics


Xray provides multiple levels of requirements and different ways to define the hierarchical relationship (e.g., using issue links, sub-tasks).

Image RemovedImage Added

So, you can reflect the ISO 26262 and ASPICE model for documenting the system (both hardware and software) requirements in a way that clearly reflects the scope, dependencies, status, etc. For this example, let’s assume we are working with an Automated Driving System, here is how a few requirements for it could be arranged:

Image RemovedImage Added

The hierarchical view is achieved with the Structure add-on for Jira



ASIL = Impact x (Probability x Controllability). Although the definition of risk in ISO 31000 is slightly different, these 3 key concepts are still largely applicable for that standard as well.

Image Removed        Image RemovedImage Added

We could then classify the requirement entities by ASIL directly, or just impact, or any other user-defined field.


We have already set up the ASIL and related values to match ISO 26262 at the requirement/story level. We can choose to maintain the same level of detail at the test level or do a more customized risk assessment - e.g., combining ASIL with complexity for an aggregate Risk Score metric:

Image RemovedImage Added

You can not only add tests to the execution based on risk values in filters, but also prioritize the execution order accordingly.


  • inhibiting transition of the Test Plan workflow status, unless all tests or a certain % are passing
    • can be accomplished with the combination of ScripRunner and Xray REST API or custom field

Coverage and traceability

Guarantee requirements coverage

Epic and Story issues, common in Agile environments, can be covered by creating tests and tracking coverage directly from Jira. From the user story issue screen you can immediately create a Test. It is also easy to go back to the user story, using the issue link that was created automatically between the Test and the user story.

Image RemovedImage AddedImage Removed

Image Added

Within the Test Coverage Report, you can have a birds-eye view of quality status of your requirements, based on the tests that cover them and their results. To ease your analysis, you can group stories by specific metrics; for example, by risk level. That way you can have a better understanding of whether a higher priority issue is ready to be released or not.

Coverage information is updated in real-time and is multidimensional. In other words, we can analyze requirements from different perspectives: risk level, priority, version, environment, etc.

Image RemovedImage AddedImage Removed

Image Added

Enable audit visibility with full traceability


Another useful report, right in Jira, is the Traceability Report. We can analyze our Epics, child Story issues, show the Tests that cover them, along with the reported results and, hopefully not many, defects that may have been found. If the user story is part of an Epic, the corresponding panel from the Traceability Report will automatically show all the Tests that validate the child stories and will provide a quick overview of the Epic status, making it easier to decide whether it can be released or not.

Image RemovedImage Added

You can also handle reports focused on custom metrics. For example, one of the items for ISO 26262 compliance is estimating random failure rates over the lifetime of the device (Failure Rate= R/T, where R is the number of failures and T is total time). You can start by customizing a template (from scratch or from the template store) to fit your compliance requirements, with all the data to be embedded, logos, and other information (e.g., legal disclaimers). Then Xporter can use a JQL function to get a list of defect-type issues and perform the count on it (or you can consider this snippet option which is a bit trickier).


The abbreviation stands for “Automotive Software Process Improvement and Capability dEtermination”. It is a domain-specific variant of the international standard ISO/IEC 15504. The underlying SPICE framework is based on the ISO/IEC 12207 software development standard and is tailored specifically to the needs of the automotive industry. In general, ASPICE builds on the V-Model of software development.

The ASPICE framework consists of a process reference model, a process assessment model, and a process capability model. The process reference model defines a set of processes that are relevant to automotive software development, while the process assessment model provides a method for evaluating the maturity of these processes within an organization. The process capability model provides a way to measure and compare the capability of organizations in the automotive supply chain.

Image RemovedImage Added

Given the overlap mentioned, we are going to focus on the aspects we didn’t cover in the ISO 26262 section, specifically the process reference model and its validation/testing aspects.

Testing techniques

For the testing side of the ASPICE model, given the complexity of modern enterprises, all types of testing are necessary, with efficient coordination between them. No matter which approaches teams choose or the tools they prefer for test automation and CI/CD goals, it is essential to enable all of them in a frictionless way. And our suite of tools is flexible enough to do that.



"Challenging Autonomy with Combinatorial Testing (CACTus) may be used by practitioners to exercise systems as part of efforts to obtain compliance with standards like ISO 21448 or UL 4600."


Once the test suite is established, you can launch the execution directly from Jira (for both manual and automated types). Regardless of the testing approach or execution type, Xray can provide visibility of testing results, including evidence, in one place for faster feedback loops.


XEA can integrate with Xray to bring the best of both worlds: have exploratory testing evidence tracked in Jira, be accessible by the team, and reflect on the related requirements.

Image RemovedImage Added

In Agile and DevOps teams, it is also especially important to enable adoption of any test automation tool/library and CI/CD tool. With the new feature - Remote Jobs Triggering - you can launch the pipeline action directly from the Test Execution issue. Then, detailed results from the automation framework can be imported to Xray and tracked consistently with other tests. You can take it a step further and link test code to requirements.

Image RemovedImage Added

Lastly, in Xray it is possible to define several different issue types to be handled as "defects." That makes them easier to distinguish and manage - they can be classified (similar to other entities) by priority, severity, impact, and user-defined fields. They can also be covered explicitly with tests.

Image RemovedImage Added


A few other relevant automotive standards that we can help with are:

  • SOTIF (ISO/PAS 21448)
  • ISO 21434
  • UL 4600
  • IEEE 29119