Software development in increasingly regulated markets

Author

Bojan Pišler

Staff Software Architect

Published

February 6, 2024

To stay compliant in a changing regulatory landscape, it is crucial to establish a software development process that is both clearly defined and flexible. In this article we discuss how an agile approach, combined with well-defined ways of working and task automation, not only keeps a product in conformity with ever-changing EU regulations but also addresses the dynamic challenges of the current policy-driven environment.

Development of medical software (©Adobe Stock)

In recent years several regulations have come into force that raise the requirements on software development, and on product development in general. The European Union's MDR (Medical Device Regulation), applicable since 2021, governs the development and production of medical devices in Europe, and the med-tech industry has now had almost three years to adapt to it.

Expansion of EU Regulatory Landscape

The EU is now preparing additional regulations, including the CRA (Cyber Resilience Act) and the RED-DA (Radio Equipment Directive Delegated Act), both of which focus on cybersecurity.

Scheduled to apply in 2024 and 2025, these regulations share numerous requirements with MDR:

  • Risk management - a well-established development process that identifies risks in the product and traces each risk through the whole software development process.
  • Secure by design - software designed from a cybersecurity and/or patient safety standpoint from the outset, rather than hardened afterwards.
  • Quality management system - a quality management system maintained by the vendor to ensure compliance with the regulations.
  • Documentation and traceability - well-defined end-customer documentation that describes the product from a regulatory perspective among others, plus traceability of requirements and of the development process itself for regulatory audits.
  • Intended use - a clear definition of the product's intended use, which is also part of the technical documentation delivered to customers.
  • Validation and verification - an independent validation and verification process.
  • Post-market activities - activities that identify security and quality issues in released products, and the processes for correcting those issues.

All of the elements above require a software development process that is well defined and structured, yet fast paced enough to maintain quality and competitiveness. Since regulations are updated regularly, the quality management system has to be continuously improved to keep up with them and to support post-market activities.

To ensure seamless continuity of all of these processes and avoid reviews slowing down the development process, we use agile development principles and collaborative DevOps.

Importance of Agile Development and Ways of Working

Agile development is a structured process that nevertheless accommodates continuous improvement and change. Development is done in short increments, known as sprints, and the work within each increment follows a fixed structure.

After every increment there is a retrospective whose purpose is to review the last increment and to identify changes that improve the process and its regulatory compliance. Repeating this cycle guarantees constant improvement of the development process.

One of the crucial pieces of an agile development team is a well-structured set of ways of working (WoW). WoW practices and techniques can be captured in a document which, in our case, describes how the team works with development increments. The development team maintains and updates the document incrementally as part of its retrospectives.

A ways of working document can include:

  • Coding conventions - conventions which describe how the team should write code.
  • Code review process - rules for how to conduct code reviews and how many peers should review and approve code changes.
  • Definition of done - the conditions and acceptance criteria that must be satisfied before code changes are accepted. Examples of what a definition of done can include:

    • Number of reviewers - the number of code reviewers that must approve the code changes.
    • Automated testing - the requirement to write automated tests that verify the code changes and the requirements they implement.
    • Ticket referencing - referencing of tickets for logging and audit purposes, to record that a task has been implemented and that its requirements have been met.
    • Vulnerability checking - the requirement that code changes pass automated vulnerability checks.

Some of these elements are mandated by the regulations; others mainly improve auditability, but all of them contribute to regulatory compliance.

CI/CD Task Automation

Automation in the form of CI/CD pipelines provides another opportunity to introduce automated tasks that enforce regulatory requirements. Task automation removes the need for manual conformance checking, and the automated tasks can be adjusted over time as the regulations change.

Examples of automated tasks include:

  • Automated vulnerability checking - to find security risks both in the code we develop and in the open-source libraries used within the product.
  • Linting - to identify bugs and programming errors, and to verify that the code follows the team's coding conventions and any coding requirements derived from the regulations.
  • Running automated tests - to verify that the requirements have been met.

A CI/CD pipeline together with agile planning tools such as Jira can be used to log product builds, development activities and automated tasks. Logs can be used for regulatory audit purposes.
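As an added example (not code from the article or from the author's team), the following Python script shows how the definition-of-done items listed above - ticket referencing, reviewer count, vulnerability checking and test results - can be enforced as a single CI gate that also emits a JSON audit record for the build log. The ticket-key format, the policy values, the scanner finding format and all sample inputs are constructed assumptions, not taken from the article.

```python
"""Definition-of-done gate run as a CI job.

Added example, not code from the article.  It automates the checks a
ways-of-working document asks for and writes a JSON audit record that a
pipeline could archive for a regulatory audit.  All inputs are
constructed; the ticket key format, the policy values and the finding
format are assumptions.
"""
import json
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed Jira-style issue key, e.g. "MED-1234".
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    """Values the team's definition of done fixes (assumed numbers)."""
    min_approvals: int = 2          # approvals from peers other than the author
    block_severity: str = "high"    # findings at or above this level block the change
    require_tests_pass: bool = True


@dataclass(frozen=True)
class ChangeSet:
    """What the pipeline knows about a merge request (constructed format)."""
    author: str
    commits: tuple        # commit messages
    approvals: tuple      # identities that approved
    findings: tuple       # scanner output: dicts with "id", "severity", "package"
    tests_passed: bool


def check_tickets(commits):
    """Every commit must cite a ticket so the change is traceable to a task."""
    missing = [c for c in commits if not TICKET_RE.search(c)]
    return not missing, missing


def check_approvals(author, approvals, policy):
    """Self-approval is ignored; only distinct peer approvals count."""
    peers = sorted({a for a in approvals if a != author})
    return len(peers) >= policy.min_approvals, peers


def check_findings(findings, policy):
    """Block on scanner findings at or above the policy severity."""
    threshold = SEVERITY_RANK[policy.block_severity]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f["severity"].lower(), 0) >= threshold]
    return not blocking, blocking


def evaluate(change, policy=Policy()):
    """Run all checks; return an audit record whose 'passed' is the gate result."""
    tickets_ok, missing = check_tickets(change.commits)
    approvals_ok, peers = check_approvals(change.author, change.approvals, policy)
    findings_ok, blocking = check_findings(change.findings, policy)
    tests_ok = change.tests_passed or not policy.require_tests_pass
    cited = sorted({m.group(0) for c in change.commits for m in TICKET_RE.finditer(c)})
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "author": change.author,
        "tickets": cited,
        "checks": {
            "ticket_reference": {"ok": tickets_ok, "commits_without_ticket": missing},
            "approvals": {"ok": approvals_ok, "peer_approvers": peers},
            "vulnerabilities": {"ok": findings_ok, "blocking": blocking},
            "tests": {"ok": tests_ok},
        },
        "passed": tickets_ok and approvals_ok and findings_ok and tests_ok,
    }


# Constructed sample inputs: one change set that meets the policy, one that
# fails on a commit without a ticket, a missing peer approval and a high finding.
GOOD = ChangeSet(
    author="alice",
    commits=("MED-101 Add dose validation", "MED-101 Unit tests for dose bounds"),
    approvals=("bob", "carol", "alice"),
    findings=({"id": "scan-0001", "severity": "low", "package": "libfoo"},),
    tests_passed=True,
)
BAD = ChangeSet(
    author="alice",
    commits=("MED-102 Refactor logging", "fix typo"),
    approvals=("bob", "alice"),
    findings=({"id": "scan-0002", "severity": "High", "package": "libbar"},),
    tests_passed=True,
)

if __name__ == "__main__":
    # A real job would load the change set from the SCM and scanner output;
    # the JSON record is what gets archived with the build for audits.
    results = [evaluate(cs) for cs in (GOOD, BAD)]
    print(json.dumps(results, indent=2))
    sys.exit(0 if all(r["passed"] for r in results) else 1)
```

The record names each failed condition rather than just a verdict, so the archived log shows an auditor why a change was blocked, and the author's own approval is deliberately discounted so the reviewer count cannot be satisfied by self-approval.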


This review of the agile development process shows that it is compatible with the regulatory requirements placed on software development. That is why it is more important than ever for companies to implement agile development processes and to keep evolving them.
