Constructive Constraints: Enforcement Is the Key to Faster Medical Software Development

Manual work required for quality and compliance often slows down MedTech developers. Here’s how you can use automated enforcement to remove common barriers.
Jan Pöschko • August 22, 2024

Software developers in regulated industries often feel encumbered by inflexible procedures, training requirements, and work stoppages that slow down their workflows. 

What if, instead of manually following and documenting adherence to QMS procedures, developers could operate within a set of guardrails that prevent process deviation by enforcing SOPs in development tools like Jira and GitHub and automatically providing the required documentation proving compliance? 

That’s the promise of enforcement (aka engineering controls), where quality and compliance are infused into every stage of the total product life cycle so developers can work faster because the right actions are always taken in the right order. The concept of guardrails is well known in software development — now regulated industries can start reaping similar benefits such as accelerated time to market, enhanced collaboration, and decreased risk. 

The problem with a manual approach to software quality and compliance 

Manual implementation of QMS procedures is the norm in medical device software manufacturing. Considering the industry's history, it’s easy to understand how we’ve become stuck in a familiar yet inefficient operating model for regulated development.

With firm roots in hardware manufacturing, medical device companies are used to following and documenting adherence to QMS procedures in a highly manual way. In the mid-20th century, this was primarily done on paper, and there were frequent work stoppages to go through the procedure checklist and ensure everything was done correctly and with the proper approvals and signatures. 

Fast-forward to today, and most organizations are still working this way to build their medical device software. While Excel files have replaced pen and paper, the idea is the same: Humans are responsible for following procedures — developers must reference long and complex SOPs that define requirements and instructions — and manual checks are used to catch process deviations. 

Making a developer regularly leave their coding environment and state of flow to look up procedures to ensure compliance takes a serious toll on productivity. When you consider the collaboration that must occur among a global workforce of developers working on many different features, in many different systems and subsystems, for one release, these manual processes become a massive bottleneck. In fact, it’s common for large medical device companies to follow a prolonged release cycle — biannual, yearly, or even every other year — to accommodate manual enforcement of QMS procedures. 

“The fewer tools that my developers have to worry about, the better, because they should be worrying about saving people's lives through our products. They don't need to be worrying about yet another tool to make sure that they can get our technology out there.” – VP of Engineering, AI Medical Device Company

Some of the most common manual activities that drain time and hurt productivity include making teams: 

  • Manually verify that SOPs are executed correctly. 
  • Manually maintain a requirements traceability matrix and other documentation.
  • Manually track personnel training to ensure employees are properly certified to approve work.
  • Manually confirm that employees are signing and approving documents in the correct order.
  • Hold designated meetings (milestones) and work stoppages to manually review processes and work to date. 

To enter the 21st century and remain competitive in the market, MedTech companies must move toward a developer-first approach to quality and compliance — putting the needs and workflows of developers at the center of their product strategy. 

A new way to prevent process deviation: Enforcement 

As a result of the hardware factory origins of medical device manufacturing, regulated software is still subject to highly manual quality and compliance checks where humans are involved every step of the way. 

Of course, this stems from a commitment to patient well-being. But for many processes it is actually much safer to create engineering controls and have a computer monitor and enforce QMS procedures. This is due to two factors: 1) the nature of QMS procedures and their need to be constantly verifiable, and 2) computers’ ability to verify repeatedly without getting tired or making mistakes. 

Instead of asking developers and other team members to follow specific procedures and then having the quality team verify that everything was done correctly, it’s much more efficient and less risky to implement well-designed and native guardrails that make developer tools follow the rules without error. Enforcement controls are similar to a traffic circle — they provide a structured and efficient way to help people follow the rules, avoid stoppages, and reduce the likelihood of accidents while keeping things flowing smoothly. 

Automated enforcement guardrails, along with other process and tool improvements, can accelerate a large MedTech company's software release cycle from every other year to every other week. Rather than taking up developers’ time with non-value-added activities, these guardrails ensure that they follow the obvious, deterministic procedures that don’t involve critical thinking. Why should developers spend significant amounts of time confirming compliance with procedures when they could be spending the majority of their time innovating and solving more complicated problems? With enforcement, processes are compliant by default so developers avoid mistakes while freeing up bandwidth to do more strategic work. 

For example, the traditional approach to traceability involves using a spreadsheet tool like Excel to create a traceability matrix. Developers must then copy-paste data back and forth between the spreadsheet and their systems of work, introducing the risk of human error as well as time and resources spent on hand-offs and rework. Enforcement guardrails, on the other hand, automatically force impacted items to be identified and referenced, and track changes in real time to reduce errors and speed up software development. 

Or consider the fact that every requirement (e.g., ticket in Jira) must be signed by an R&D leader and a quality leader. A computer could — and should — be used to ensure that only well-trained individuals are able to sign off on approvals. Instead, most companies have someone manually check a spreadsheet to confirm that the person signing off has undergone the proper training. Such points of friction drive up overhead and slow projects down significantly. 

The benefits of automated enforcement guardrails 

Automated enforcement connects various IT systems to bring to life the logic of QMS procedures and ensure they are executed correctly. Many developers are familiar with guardrails that automatically enforce rules and save them time (e.g., static code analysis, automated tests, and security checks), so they welcome the idea of preventing process deviation via SOP enforcement in their preferred tools. 

“By creating rules, you paradoxically set people free — in the space between guardrails.” – Jeff Lawson, Cofounder of Twilio  

Here are the key benefits that enforcement brings to your medical device product lifecycle: 

  • Assured compliance: By embedding quality checks into software development, enforcement ensures that all procedures are followed accurately and consistently, minimizing human error and enhancing the safety and reliability of medical devices. 
  • Faster time to market: Enforcement accelerates the overall development process, shortening release cycles from months or years to weeks so that companies can bring new devices to market much faster and respond more swiftly to market demands.
  • Increased innovation: Automated guardrails free developers from repetitive, complex, time-consuming tasks, allowing them to dedicate more bandwidth to coding and creative problem-solving. 
  • Retention of top talent: Developers prefer engaging and challenging work over tedious, non-coding-related activities. Enforcement reduces their compliance burden, improving job satisfaction and retention rates in a tight software labor market. 
  • Enhanced collaboration: Automated quality and compliance checks reduce friction and enhance communication between quality and development teams, as quality professionals no longer have to badger developers to complete certain tasks. 
  • Ease of use and retention: Developers today expect to have guardrails in place that reduce friction and allow them to focus on coding and other core areas of expertise. Getting immediate feedback from automated enforcement guardrails helps developers "stay in the zone." 

It’s also important to note that, while enforcement boosts efficiency and reduces overhead, it does not result in people losing their jobs. It simply allows teams to reallocate their attention to more strategic work that delivers more value to the company. 

"Ketryx enables our engineering team to concentrate on their core tasks, boosting productivity. Our quality team can now actively participate in the design process instead of just driving documentation efforts. This integration has increased our value to the design team, as we no longer need to constantly remind others about documentation." – Quality Assurance Director, SaMD company 

The best approach to enforcement for regulated software development 

If you are experiencing the symptoms of slow, fragmented development (e.g., projects not being delivered on time or skyrocketing project costs), Ketryx can help. Our connected lifecycle management platform allows MedTech companies to enforce the processes they already have across the tools they’re already using while automatically generating evidence of compliance to reduce rework, speed up product innovation, and lessen the cognitive load of developing complex systems. 

For instance, Ketryx’s enforcement guardrails can prevent users from: 

  • Approving items unless they are properly trained. 
  • Approving a test execution before its underlying test case specification has been approved. 
  • Creating orphaned requirements, specs, risks, or test cases.
  • Signing/approving out of the designated order. 
  • Changing design inputs without re-verifying design outputs.
  • Creating a test plan without including required tests such as risk controls.
  • Introducing or changing software dependencies without approvals.
  • Assessing risks in a way that is inconsistent with predefined risk evaluation schemes.
  • Releasing software without up-to-date and approved design controls and evidence documents.

Interested in learning more about how Ketryx can help you develop regulated software faster and at a lower cost while ensuring high quality? Download A Guide to Implementing CI/CD in your AI/ML SaMD Projects.
