Preface for the 2020 version
When I first wrote this article in 2016, the benefits of using the Atlassian Cloud vs. Atlassian server products for electronic quality management systems (eQMS) were distinct, as the cloud-based option wasn’t as robust as it is today. While many of the issues I wrote about are still relevant, Atlassian has just announced that they’re restricting their self-managed options and focusing on their cloud offering. In light of this new push and the related improvements the company is promising, we’ve updated this article to reflect today’s realities for our heavily regulated life science customers.
When companies first contact us to discuss how we can help them, many ask whether it’s possible to implement their eQMS or regulated development process on the Atlassian Cloud.
In this article, I answer that question. For simplicity, I’ll focus here on Jira Software, but many of the same considerations also apply to Jira, Jira Service Desk, Confluence, and other Atlassian tools.
In a few words
If you choose to use Jira Software Cloud, you’ll have to either accept or mitigate the compliance risk: because you have no control over the platform, you can’t demonstrate that you’re using a validated system.
This is why traditional life sciences companies typically don’t use the Atlassian Cloud for anything regulatory related.
We see, however, a shift by start-ups, especially those in the SaMD (Software as a Medical Device) space, who are opting to use the Atlassian Cloud for a variety of reasons. Understanding the benefits and risks will help you make better decisions for your eQMS heading into 2021 and beyond.
There are four areas we need to consider:
- Compliance with FDA and other regulatory requirements
If you use Jira for quality management but export the data before final sign-offs and/or rely on external evidence to establish compliance (i.e., signed and scanned printouts from Jira), then the Atlassian Cloud could be a suitable platform. In fact, we created the new Speedy PDF Sign-Offs for Jira Cloud to help fast-moving teams capture official sign-offs and document issue resolution and approvals without slowing down their flow. In many instances, this downloadable documentation suffices in showing that industry-specific testing processes were followed.
However, if you plan to use Jira data as evidence for compliance, for example, to demonstrate that CAPAs have been opened and managed to completion or that required training has been carried out, the Atlassian Cloud won’t be enough. In that case, your best option today will be to use a Jira Server or Data Center instance. However, this will mean re-evaluation in a couple of years to understand your options after 2024.
It used to be that Jira on the Atlassian Cloud was less flexible and extensible than on the Atlassian Core Server, but today things have changed. With Atlassian’s push for customers to utilize their cloud platform more and more, the gap between available extensions in the cloud and on the server has significantly narrowed.
I would go further and say that any gaps that still exist are very likely to be removed over the next couple of years. Given that Atlassian is retiring their server products, I strongly recommend not staying on the server just because a specific feature you got used to is not available on the cloud.
Platform selection is strategic, while most features are just tactics.
- IT administration
How easy will it be for your company to run a Jira Server instance? You can delegate IT admin tasks and hardware management to a third-party organisation, but nothing beats the Atlassian Cloud in terms of a “no-hassle” solution. This is only going to become more apparent as Atlassian continues to make changes to its server products, ends server support in 2024, and expands its cloud services.
Ultimately, the real cost of each of the two alternatives for your organisation – using Jira on the Atlassian Cloud or Jira Server – will directly relate to the first three points. With the dramatic increase in the cost of Atlassian Server Licenses (in 2019 and in February 2022), the balance has tilted decidedly in favor of Atlassian Cloud.
The detailed discussion
- Why can’t we use Atlassian Cloud records as proof of compliance?
The main reason is that regulatory bodies insist on software validation. The key regulation here is FDA 21 CFR Part 11, but other guidelines and regulations from the FDA, as well as from European authorities and others, all agree that you need to demonstrate that you control any software platform you use. The ISO 13485:2016 standard for medical device quality management contains even more explicit requirements for validating software applications used for operational purposes.
The most fundamental way that the Atlassian Cloud violates these requirements is the fact that you have no control over the actual Jira version that you use. Even if you validate the Atlassian Cloud, Atlassian is pushing new versions of Jira to the cloud a couple of times a month. While it’s great that users always have access to the latest version, it negates the possibility of using Atlassian Cloud data directly for your electronic compliance records.
Further, for the most part, you don’t have control over where your data is geographically hosted. As of right now (October 2020), Atlassian has an “Enterprise Atlassian Cloud Early Access Program,” which lets you dictate whether your data is stored in the US, EU, or “Global.” Depending on the data you store, your geography, and whether you buy the “Enterprise Cloud,” this alone may mean that you can’t host your data in the Atlassian Cloud.
It’s also worth pointing out here that currently Atlassian can be, to some extent, legitimised as a third-party supplier to the regulated healthcare industry because it holds security- and privacy-related certification: it is certified to ISO 27001 and is working toward obtaining ISO 27018 (reference: Atlassian Security Practices).
However, as Atlassian does not allow supplier audits or make any regulatory representation regarding its own QMS (beyond the security ISO standards), you will have to take an additional step for the sake of compliance. You will need to create a supporting document that sets out the reasoning for why it is acceptable to use. The bullet-proof way is to set up a controlled installation with a validation plan.
- What functionality would we miss out on if we used the Atlassian Cloud?
One of the reasons we can use Jira for eQMS processes is its inherent flexibility and extensibility. Some of the extension points and third-party plugins are not available if you’re using Jira in the Atlassian Cloud. (For more on this topic, see Jira Plugins for Quality Management and Managing Your CAPAs in Jira: Key Questions Answered).
If what you need is missing from the cloud, then you may experience:
- A less streamlined user interface because there is less flexibility to control how the various issue-related screens look
- Limited automation options
See Atlassian’s guidance on restricted functions in Atlassian Cloud apps.
Still, keep in mind that this situation is rapidly changing, given Atlassian’s push to accelerate the journey to the cloud. If you have questions, we’re here to advise on what critical functions are available as extensions and third-party plugins — and what aren’t.
- What about hosting our own Jira Core Server instance?
The hassle-free use of the Atlassian Cloud may be tempting but, as outlined above, there are a number of downsides. Hosting your own instance of Jira Core Server would avoid those, but then you would need to manage the application in-house, increasing the burden on your IT team.
However, there is another alternative. There are companies that specialise in hosting Atlassian instances, giving you all the benefits of your own Atlassian Core Server instance with none of the hassle of managing it. We work with several providers and will be able to recommend the best one to suit your specific requirements; however, I’ve had very good experiences with the people at AtlasHost.
- But would it be cheaper to host Jira Core Server ourselves?
All costs included, a Jira Server installation would tend to be the more expensive option. This is especially the case since the 2019 price increases by Atlassian for their server products. The coming 2022 fee hikes will continue that upward trend. And while Jira Server is currently still good value for money, when it comes to compliance support as Atlassian phases out its server products and server support, these costs may well increase.
The writing is on the wall with the rise of SaaS (Software as a Service): within the next few years, server-hosted Jira (and Confluence) eQMS will become rare. We will be working with our customers to help them gain all the benefits from moving to the Atlassian Cloud without increasing their compliance risks.
We’re dedicated to keeping you informed about all of the changes on Atlassian’s end and what it means to improve your business efficiency and profitability without compromising compliance.