Compliance by design: Bringing medical products to market with Agile processes
Healthcare is one of the most heavily-regulated industries in the world—and with good reason. Regulatory and compliance standards ensure the ongoing health and safety of patients across the globe.
However, sacrificing speed-to-market is rarely an option. There’s no better example than the fast-paced development and distribution of the COVID-19 vaccines over the past few months. Leading pharmaceutical companies and university research laboratories worked tirelessly to make vaccines available as early as possible. While the accelerated development of the vaccine is certainly most impressive, this example also puts into question whether regulatory validation and compliance can be further streamlined as part of the process.
The ongoing pandemic is changing how we think about new ways of working, and seeing that process acceleration is indeed possible raises questions about how the process might be accelerated in the future.
Enter compliance by design: developing software in a way that guarantees regulatory compliance as part of the process, not merely a series of checkboxes that come at the end of development.
There are three main activities that ensure a healthy compliance by design process:
First, by collaborating with a client’s compliance department, the team ensures governance processes, change management, and stakeholder buy-in throughout the process of building Software as a Medical Device (SaMD) products.
Using Agile principles (that is, an iterative approach to project management) the team can solve for possible compliance issues as the product is built, instead of trying to retrofit compliance at the end—a waste of time and resources, which can ultimately delay a product launch, increase cost, and uncover risks.
Second, software development in a regulated industry does require some upfront awareness and planning. However, traditional waterfall approaches have repeatedly been shown to be inefficient: the project scope and needs change over time, which makes sticking to a rigid roadmap impossible.
Instead, at Rangle, we approach building compliant software with our healthcare clients as a partnership. By bringing the compliance department into the project planning from Day 1, we ensure the team understands the constraints regulatory standards will place on the product and is empowered to solve for them.
Third, as the product build progresses, an oversight and steering team that includes security and compliance experts holds weekly check-in meetings to ensure guardrails are in place for the product team. This committee proposes and discusses the boundaries, limits and rules of the product build. With oversight from Rangle’s experts, based on our experience operating steering committees of this kind, the committee identifies a series of triggers, well understood by the product team, so that any question the team has about how to proceed in the face of a potential compliance issue is brought back to the committee for a decision. We translate the committee’s guardrails into team norms and enforce them through automated checks in the pipelines. In this way, developers are not blocked by compliance, and awareness of regulatory concerns is immediate. We also have alerts for specific or critical rules, so that such situations are escalated to the product team leadership right away.
How does compliance by design work in practice? At Rangle, we ensure that software validation and verification are part of the software development process. Features are validated and verified frequently, instead of in a separate phase at the end of the project. We automate quality reports and enforce the regulatory constraints with automated checks. The team is always aware and never blocked in generating value for the product.
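To make the preceding two paragraphs concrete, here is an added illustration of the pattern they describe: committee guardrails expressed as machine-checked rules that run in the pipeline, where any violation blocks the change with an immediate message to the developer, and rules marked critical additionally raise an escalation for product leadership. This is example code written for this article, not Rangle’s or any client’s pipeline; the three rules, the regular expressions, the `src/device/` path convention, the `Change` manifest shape and the sample changes are all constructed assumptions.

```python
"""Pipeline compliance gate (illustrative; rules and manifest format are assumed)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import re


@dataclass
class Change:
    """A proposed change as the pipeline sees it (constructed shape for this example)."""
    files: Dict[str, str]              # path -> new file content
    linked_requirement: Optional[str]  # e.g. "REQ-042" from the requirements tracker


@dataclass
class Rule:
    rule_id: str
    description: str
    critical: bool                        # critical rules also escalate to leadership
    check: Callable[[Change], List[str]]  # returns human-readable violations


@dataclass
class GateResult:
    violations: Dict[str, List[str]] = field(default_factory=dict)
    escalations: List[str] = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        # Any violation, critical or not, stops the pipeline for this change.
        return bool(self.violations)


# Assumed team norms: device software lives under src/device/ (hypothetical layout).
DEVICE_PATHS = ("src/device/",)
# Assumed log-call shape (log(...), log.info(...), logging.warning(...)) carrying a patient field.
PHI_LOG_PATTERN = re.compile(
    r"\blog\w*(?:\.\w+)?\s*\(.*\b(patient_id|mrn|date_of_birth)\b", re.IGNORECASE)
SECRET_PATTERN = re.compile(
    r"\b(password|api_key|secret)\b\s*=\s*['\"][^'\"]+['\"]", re.IGNORECASE)


def requirement_traceability(change: Change) -> List[str]:
    """Changes to device software must reference a requirement (traceability norm)."""
    touched = [p for p in change.files if p.startswith(DEVICE_PATHS)]
    if touched and not change.linked_requirement:
        return [f"device software changed ({', '.join(touched)}) without a linked requirement"]
    return []


def no_phi_in_logs(change: Change) -> List[str]:
    """Log statements must not carry patient identifiers (data-protection norm)."""
    found = []
    for path, content in change.files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            if PHI_LOG_PATTERN.search(line):
                found.append(f"{path}:{lineno} logs a patient identifier")
    return found


def no_hardcoded_secrets(change: Change) -> List[str]:
    """Credentials must come from configuration, never from source (security norm)."""
    found = []
    for path, content in change.files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            if SECRET_PATTERN.search(line):
                found.append(f"{path}:{lineno} contains a hard-coded credential")
    return found


RULES = [
    Rule("TRACE-01", "Device software changes reference a requirement", False, requirement_traceability),
    Rule("PHI-01", "No patient identifiers in log statements", True, no_phi_in_logs),
    Rule("SEC-01", "No hard-coded credentials", True, no_hardcoded_secrets),
]


def run_gate(change: Change, rules: List[Rule] = RULES) -> GateResult:
    """Evaluate every rule; collect violations and escalate the critical ones."""
    result = GateResult()
    for rule in rules:
        hits = rule.check(change)
        if hits:
            result.violations[rule.rule_id] = hits
            if rule.critical:
                result.escalations.append(f"{rule.rule_id}: {rule.description}")
    return result


# Constructed sample changes: one compliant, one that trips all three rules.
SAMPLE_OK = Change(
    files={"src/device/dose.py": "def dose(weight_kg):\n    return 0.5 * weight_kg\n"},
    linked_requirement="REQ-042",
)
SAMPLE_BAD = Change(
    files={
        "src/device/dose.py": (
            "import logging\n"
            "log = logging.getLogger(__name__)\n"
            "\n"
            "def dose(weight_kg, patient_id):\n"
            "    log.info('dosing patient %s', patient_id)\n"
            "    return 0.5 * weight_kg\n"
        ),
        "src/device/config.py": "api_key = 'abc123'\n",
    },
    linked_requirement=None,
)

if __name__ == "__main__":
    for name, change in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        r = run_gate(change)
        print(name, "BLOCKED" if r.blocked else "PASSED", r.violations, r.escalations)
```

The design point is the split between blocking and escalating: every failed rule stops the change so the developer learns about the concern immediately, while only the rules the steering committee flagged as critical generate the alert that reaches product leadership. New guardrails are added as further `Rule` entries rather than by changing the gate itself.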
We have used this approach successfully in many projects, including enforcing data-privacy regulations like GDPR and CASL, ensuring compliance with IEC/ISO 62304, protecting sensitive data in line with HIPAA and PIPEDA, obtaining CE certification for medical devices, and bringing projects into adherence with ISO 13485. It’s a focus on time-to-market, mitigating risks earlier in the process, and reducing costs in the approval process with regulatory bodies and governmental agencies at the same time.
Compliance by design brings awareness of the needs of regulatory bodies to all levels of the organization, from the executive to the development team. With this kind of insight and in-process governance, it’s easier to understand timelines and constraints, and to build with the end user in mind. Drawing on this understanding, our teams at Rangle have the awareness and expertise to build compliant digital healthcare software quickly, by involving the right stakeholders throughout planning and delivery. We work closely with our clients’ experts, bringing them into the process so that compliance doesn’t become a bottleneck and instead fosters confidence by validating the build of individual parts, as well as the whole. Our expertise is in agility and building compliant products—and partnering within your organization.
For further information on how we work with healthcare clients, click over to our case study page and read Improving lives with the first React Native app with CE mark, which explains our approach to bringing Agile methods to the heavily-regulated healthcare space.