In recent years several regulations have come into force that raise the requirements on software development and product development in general. The European Union introduced the MDR (Medical Device Regulation) in 2021, which sets out rules governing the development and production of medical devices in Europe. The med-tech industry has had almost three years to adapt to the MDR.
Expansion of EU Regulatory Landscape
The EU is now preparing additional regulations including CRA (Cyber Resilience Act) and RED-DA (Radio Equipment Directive Delegated Act) which both focus on cybersecurity.
Scheduled for 2024 and 2025, these regulations share numerous similarities with MDR:
- Risk management - a demand for a well-established development process to identify risks within products and the ability to trace risks through the whole software development process.
- Secure by design - to design software from a cybersecurity and/or patient security standpoint.
- Quality management system - a quality management system developed by the vendor to ensure compliance with regulations.
- Documentation and traceability - well-defined end-customer documentation describing the product from a regulatory perspective, among other aspects, and traceability of requirements and of the development process in general for regulatory audit purposes.
- Intended use - a clear definition of the product's intended use which is also part of the technical documentation given to customers.
- Validation and verification - an independent validation and verification process.
- Post market activities - activities which identify security and quality issues within released products and the processes for correcting these issues.
All the elements above require a well-defined, structured and at the same time fast-paced software development process to ensure excellence and maintain competitiveness. Since regulations are updated regularly, the quality management system has to be continuously improved to keep complying with them and to enable post-market activities.
To ensure seamless continuity of all of these processes and avoid reviews slowing down the development process, we use agile development principles and collaborative DevOps.
Importance of Agile Development and Ways of Working
Agile development is a structured process that nevertheless allows continual improvement and change. Development is done in short increments, known as sprints, and the work within each increment follows a well-defined structure.
After every increment there is a retrospective whose purpose is to review the last increment, improve regulatory compliance and incorporate changes. Repeating this cycle over and over guarantees constant improvement of the development process.
One of the crucial pieces of the agile development team is well structured ways of working. WoW practices and techniques can be defined in a document which, in our case, describes how the team works with development increments. The document is maintained and updated incrementally as part of retrospectives by the development team.
A ways of working document can include:
Various elements play a role in improving regulatory compliance, with some being mandatory and others focused on enhancing auditability.
CI/CD Task Automation
Automation in the form of CI/CD pipelines provides another opportunity to introduce automated tasks that help comply with regulations. Task automation removes the need for manual conformance checking, and the automated tasks can be changed over time to follow regulatory changes.
Examples of automated tasks include:
- Automated vulnerability checking - to find security risks in developed code and also in open-source libraries used within the product.
- Linting - to identify bugs and programming errors, and to verify that code follows coding conventions, security rules and regulatory requirements.
- Running automated tests - to verify that requirements have been met.
A CI/CD pipeline together with agile planning tools such as Jira can be used to log product builds, development activities and automated tasks. Logs can be used for regulatory audit purposes.
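As an added illustration (not the post's own pipeline), a GitHub Actions workflow that wires the three tasks above into one build and archives their reports together with the commit they ran against, so the pipeline run itself becomes the audit log described here. It assumes a Python project with a requirements.txt; the tools (pip-audit, ruff, pytest), file names and retention period are assumptions.

```yaml
# Added example, not the original post's pipeline. Assumes a Python project with
# requirements.txt; tool choices (pip-audit, ruff, pytest) are illustrative.
name: compliance-checks
on: [push, pull_request]
permissions:
  contents: read        # least privilege: the job only reads the source
jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install project and tooling
        run: pip install -r requirements.txt pip-audit ruff pytest
      # Automated vulnerability checking of third-party dependencies; a known
      # vulnerable package fails the build and the JSON report is retained.
      - name: Dependency vulnerability scan
        run: pip-audit -r requirements.txt --format json --output audit-deps.json
      # Linting: bugs (E,F) and the security rule set (S) as a machine-readable
      # report that can be attached to the release documentation.
      - name: Lint
        run: ruff check . --select E,F,S --output-format json --output-file lint.json
      # Automated tests as evidence that requirements are met; JUnit XML is what
      # most test-management and audit tooling ingests.
      - name: Tests
        run: pytest --junitxml=tests.xml
      # Build record tying every report to the exact commit and pipeline run, so
      # an auditor can trace a released build back to its checks. `always()`
      # keeps the evidence of a failed run too, which is the case worth documenting.
      - name: Write build record
        if: always()
        run: |
          printf '{"commit":"%s","run_id":"%s"}\n' "$GITHUB_SHA" "$GITHUB_RUN_ID" \
            > build-record.json
      - name: Retain audit evidence
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: audit-evidence-${{ github.sha }}
          path: |
            audit-deps.json
            lint.json
            tests.xml
            build-record.json
          retention-days: 90   # keep as long as the QMS record-retention policy requires
```

Linking the artifact name to the commit SHA, and the build record to the run id, is what gives the retained reports their value as evidence: each one can be traced back to a specific revision and a specific pipeline execution.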
This review of the agile development process shows its compatibility with the regulatory requirements around software development. That is why it is more important than ever for companies to focus on implementing agile development processes and on constantly evolving them.