Medtech compliance — not regulation — is stifling innovation
This article originally appeared in STAT News on July 26, 2024.
"Regulation is stifling innovation" seems to be a prevailing opinion among medtech leaders who believe the FDA's rules are slowing medical device advancements — especially when it comes to software. I couldn't disagree more.
As someone who has led artificial intelligence (AI) and machine learning (ML) efforts at Amgen, I've seen firsthand how vital these regulations are for keeping patients safe. Looking across the industry, I believe the real culprits behind slow innovation in medtech are outdated compliance practices.
Modern software companies are known for moving fast. That certainly isn't the case for medtech companies. Manufacturers' antiquated processes and tools hinder productivity and time to market, making compliance programs more expensive and less efficient over time. By modernizing compliance toward a developer-first approach, medtech businesses can move fast and keep patients safe, which in turn improves patient services and care.
Thinking critically about compliance practices
To understand the problem, it's important to make the distinction between regulations and compliance. Regulations are the rulebook, while compliance is how an organization chooses to play within those rules.
The FDA requires manufacturers to prove, or validate, that their medical devices, including software, function as intended and have undergone rigorous assurance, testing and risk management. These requirements are good: they keep patients safe by ensuring that medtech products fit their intended purposes.
Compliance, on the other hand, is how companies prove that they've followed the regulations. Because medical device manufacturing was historically centered around hardware, many companies today still take a 20th-century approach to compliance and product development featuring arduous, time-consuming documentation and long release cycles. They are sacrificing speed and innovation for the comfort of the way things have always been done.
Companies that believe their compliance efforts are adequate don't understand how much better their processes and outcomes could be with a more agile approach that still ensures patient safety and follows FDA guidance. I've spoken with countless executives who theoretically understand that finding a smarter way to operate within the rulebook would result in a faster time to market, but aren't sure what that looks like in practice, especially within their existing IT infrastructure.
How manual compliance efforts inhibit innovation
Most medtech companies tackle compliance with a manual, resource-intensive process that is loosely connected to the software development process or disconnected from it. This lengthens development cycles, makes it difficult to respond quickly to the market, and slows innovation. Here are some of the top obstacles that are hindering teams.
Resistance to change
The FDA is not settling for the status quo in regulating medtech. In fact, the agency has been proactive in creating guidance to support innovation — it has released an array of guidances in the last two years that eclipse the total number released in the previous 20 years. For example, it is pioneering the idea of predetermined change control plans that make it easier for companies to design and maintain compliant AI- and ML-enabled medical devices.
Medtech companies themselves, by comparison, are often resistant to modernizing their compliance programs. Many believe their current approach, while slow, produces safe, high-quality products, and therefore doesn't need to change. While some practitioners are concerned about the possibility of human error in manual processes, there is still a great deal of fear associated with using automation to validate products that have a direct impact on patients. This resistance to new methods prevents the adoption of more efficient tools and processes that could accelerate innovation — and save lives — while maintaining compliance.
Outdated methods
Organizations need to keep pace with technological growth if they want to make progress quickly and reach their full potential. The FDA is making an effort to clear the way for businesses to do this. For example, the agency now allows recognized consensus standards that streamline premarket reviews and accelerate market entry for safe medical products. A Boston Consulting Group survey of 100+ senior executives at medtech companies showed that 79% of respondents said they believed the FDA is responding effectively to advancements in medical technology.
Yet manufacturers are not taking full advantage of these opportunities and rely on outdated compliance methodologies and tools. Many companies still use systems from the 1980s and 1990s to document how they meet compliance standards. As a result, they manage and maintain traceability in Excel spreadsheets, row by row, to ensure the right pieces of software are connected to the right resources.
These methods are time-consuming and error-prone — much more so than computer-driven processes — and cannot keep pace with modern software development, especially the rapid release cycles of AI/ML-based systems. Companies should look for opportunities to leverage advanced automation that facilitates compliance within the tools teams are already using, such as GitHub and Jira.
Lack of alignment between people, processes, and tools
Critics of the FDA cite the agency's "aging structure and culture" and "incentives that bias its behavior toward long deliberation and excessive caution." On the contrary, I believe the FDA is actively working to modernize its operations and practice a more agile approach to regulation to keep up with the pace of change in medtech.
If anything, medtech companies themselves need to implement structural and cultural changes to keep up with today's regulations and guidance. This requires a holistic approach that addresses companies' tools, processes, and people. Trying to change one without the others is ineffective and can cause significant problems. For example, if a business adopts a new compliance platform that promises to solve its problems but doesn't implement system-wide change to integrate the tool where it's needed and train teams on how to use it, employees are likely to revert back to old workflows.
Evolving to a developer-first paradigm
To transform compliance from burdensome red tape to manageable guardrails, companies must adopt a developer-first approach. This means putting the needs and workflows of software developers at the center of their compliance strategy.
Shifting compliance left
A concept informally called shift left testing is popular in cybersecurity and software development. It refers to moving key security tasks and considerations that traditionally happen at the end of the development cycle to earlier stages. This helps prevent software containing vulnerabilities from traveling through to the end of the development cycle. Medtech businesses should embrace a similar practice by embedding compliance work earlier in — and throughout — the software development process.
In the context of medtech compliance, this means integrating critical aspects of validation, documentation, testing, and other regulatory requirements directly into the development workflow from the start rather than tacking them on at the end. Key compliance artifacts should be created in real time as developers write code.
The benefits of agile, shift-left compliance
An agile development process that shifts compliance left offers significant benefits for medtech innovation. These include:
Faster time to market. By addressing compliance in parallel with development, companies can accelerate release cycles and get innovative products into the hands of providers and patients sooner. Faster product launches are essential for gaining a competitive edge.
Higher-quality products. Shifting left reveals potential problems when they're easier to resolve. The outcome is higher-quality software that reliably meets regulatory standards.
Improved developer productivity. Context switching between writing code and generating tedious compliance documentation is a major drain on developer productivity. Allowing developers to automate compliance tasks in their native workflows eliminates this friction and enables them to spend more time on product innovation.
Streamlined audits and change management. When compliance is embedded into the development process itself, key artifacts and audit trails are generated automatically. This dramatically reduces the time and effort required to prepare for audits and manage documentation. Teams can breeze through these activities and stay focused on development.
Choosing the right compliance paradigms and tools
To implement a developer-first approach to compliance, medtech companies need to provide their teams with the right tools. Introducing multiple point solutions to developers and expecting them to completely overhaul their workflows is impractical. Faced with such a disruptive mandate, many developers will simply ignore the new tools (or worse, seek employment elsewhere).
Instead, companies should adopt tools that meet developers where they are. Ideal developer-first FDA compliance software integrates seamlessly with the platforms engineering teams already rely upon, such as Jira and GitHub. An ideal tool fits naturally into agile workflows, automatically generates compliance artifacts in the background, and makes it easy for developers to review and approve essential items.
Equipped with developer-friendly compliance tools, medtech organizations can shift compliance left, creating an ideal culture of shared ownership. Engineering teams will be empowered to deliver compliant, innovative software at the speed of modern development.
It's time to modernize medtech compliance
Medtech has great potential to transform health care through innovation. However, outdated compliance strategies and tools are slowing manufacturers down in realizing this potential.
By modernizing compliance through a developer-first paradigm, medtech companies can overcome inefficient processes and accelerate the development of safe, effective medical devices that deliver better services and care. The industry can't keep delaying the release of technologies that improve patient lives — the time for transformation is now.