The Core Tension: Agile Speed vs. QMS Documentation
The IEC 62304 software development lifecycle requires a documented software requirements specification, a software architecture design, unit and integration testing, a traceability matrix linking requirements to tests, and change control for every modification. In a traditional interpretation, each sprint's code changes would require a formal change request, an impact assessment sign-off, and retrospective documentation, introducing a 3–5 day overhead per sprint. Our internal benchmarking showed this would reduce effective sprint velocity from 28 story points to 11, a 61% productivity loss.
BiQadx Hybrid SDLC Framework
The solution is a continuous documentation pipeline: (i) User stories in Jira are tagged with an IEC 62304 software risk class (Minor/Major/Critical) at creation; (ii) Acceptance criteria in each story map directly to software requirements specification (SRS) items via a bidirectional Jira-Confluence plugin; (iii) Pull requests in GitHub trigger automated test runs (Jest unit tests, Cypress E2E tests) and populate the software integration test record with pass/fail evidence; (iv) On sprint close, an automated job generates the sprint's design history file contribution (DHF delta), combining Jira tickets, test run reports, and peer review records, which is submitted for QMS Manager e-signature via the DocuSign API within 48 hours of sprint completion.
Change Control Without Stopping the Sprint
Software change control (SCC) is the classic agile-QMS collision point. Our approach: the author classifies each change at PR creation (Minor: no functional impact on patient safety; Significant: affects diagnostic calculation logic; Critical: affects a safety mechanism or alarm). Minor changes are auto-approved after a CI pass and peer review, and are logged to the SCC register. Significant changes require QMS Manager review (48h SLA). Critical changes trigger a synchronous multidisciplinary team (MDT) review before merge. Retrospective analysis of 14 sprint cycles: 78% Minor, 19% Significant, 3% Critical. Mean SCC cycle time: Minor 4h, Significant 31h, Critical 4.8 days.
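The routing rules above can be enforced as a fail-closed merge gate. The following is an added example, not BiQadx's own code: the PR field names are hypothetical, and it assumes that CI and peer review are required for every class and that a Significant change waits for QMS Manager review before merge.

```javascript
// Merge gate for the Minor / Significant / Critical classes (added example).
// Hypothetical PR fields: classification, ciPassed, peerApproved, qmsApprovedAt, mdtApprovedAt, openedAt.
const HOUR_MS = 60 * 60 * 1000;
const QMS_SLA_HOURS = 48; // Significant-change review SLA from the text
function evaluateMergeGate(pr, now) {
  const blockers = [];
  // Assumption: CI and peer review gate every class, not only Minor.
  if (!pr.ciPassed) blockers.push('CI has not passed');
  if (!pr.peerApproved) blockers.push('peer review missing');
  let slaBreached = false;
  switch (pr.classification) {
    case 'Minor':
      break; // auto-approved once CI and peer review pass
    case 'Significant':
      if (!pr.qmsApprovedAt) {
        blockers.push('QMS Manager review pending');
        slaBreached = (now - pr.openedAt) / HOUR_MS > QMS_SLA_HOURS;
      }
      break;
    case 'Critical':
      if (!pr.mdtApprovedAt) blockers.push('MDT review required before merge');
      break;
    default:
      // Fail closed: a missing or misspelled class must never auto-approve.
      blockers.push(`unknown classification: ${String(pr.classification)}`);
  }
  const allowed = blockers.length === 0;
  return {
    allowed,
    slaBreached,
    blockers,
    // SCC register entry, produced only when the merge is allowed.
    registerEntry: allowed
      ? { pr: pr.id, classification: pr.classification, decidedAt: new Date(now).toISOString() }
      : null,
  };
}
// Constructed sample PRs (not real data), evaluated 50 hours after they were opened.
const t0 = Date.UTC(2025, 0, 6, 9, 0, 0);
const samples = [
  { id: 101, classification: 'Minor', ciPassed: true, peerApproved: true, openedAt: t0 },
  { id: 102, classification: 'Significant', ciPassed: true, peerApproved: true, openedAt: t0 },
  { id: 103, classification: 'Critical', ciPassed: true, peerApproved: true, openedAt: t0 },
  { id: 104, classification: 'minor', ciPassed: true, peerApproved: true, openedAt: t0 },
];
for (const pr of samples) {
  const r = evaluateMergeGate(pr, t0 + 50 * HOUR_MS);
  console.log(pr.id, r.allowed ? 'merge allowed' : `blocked: ${r.blockers.join('; ')}`, r.slaBreached ? '(SLA breached)' : '');
}
```

The misspelled class on PR 104 is blocked, not treated as Minor, so a typo in the author's self-classification cannot route a change onto the auto-approve path.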
First Surveillance Audit Results
An ISO 13485:2016 Stage 2 surveillance audit conducted by BSI (British Standards Institution) in November 2025 reviewed the hybrid SDLC for compliance. Auditor findings: zero major non-conformances (MNCs) and two minor observations: (i) sprint retrospective meeting minutes were not consistently filed in the DHF, and (ii) change classification justification documentation could be more granular for Significant changes. Both observations were resolved within 30 days. Auditor comment: 'The automated DHF pipeline represents a leading-practice approach to agile software compliance that other Class IIb medical device manufacturers would benefit from adopting.'
