
Engineering Excellence in Highly-Regulated Environments

Ensuring efficiency and compliance in modern agile engineering of medical devices, IVDs and healthcare software

In a world where medical devices or in vitro diagnostics (IVDs) and health applications are becoming increasingly complex, so too are the requirements and procedures for developing these devices. Today’s engineers often struggle to implement new methods and regulations, while also continuing to work as efficiently as possible when they develop novel technology products. As a partner to various R&D, QM and IT organizations, Deloitte offers a holistic, integrated approach to improving and accelerating your product engineering process. One key success factor is making sure your organization has an automated, end-to-end product development lifecycle in place.

Adding new Capabilities


Each system – or system of systems, in some cases – goes through an engineering lifecycle, which is sometimes referred to as a product development lifecycle (PDLC). In terms of today’s DevOps and value chains, these life cycles can range from a very early ideation phase to end-of-life activities for an obsolete product. It is essential to link several of these practices together in order to guide the engineering team from its initial concept through the full-scale implementation and into the operations phase. With today’s technology, we can easily complete the lifecycle using different frameworks, industry best practices and tools, but they rarely work well together. The result is often a series of isolated practices with dead ends, unnecessary documentation or data that is either not collected when it should be or processed during the wrong step. In some cases, key practices are simply added on to existing legacy workflows, whether it is modern engineering methods or new regulatory requirements, as detailed below: 

Many life science players use lean and agile practices, with implementations ranging from simple Scrum to Kanban or scaled agile methods. In this highly-regulated industry, choosing the right method (that reflects your enterprise’s existing procedures and engineering culture) is as important as adapting your chosen method to the relevant regulatory requirements and restrictions. Both are vital for a true lean/agile culture that has a solid foundation of training and management buy-in. Enterprises that diligently apply these practices throughout the organization and enlist support from a team with profound life science experience will succeed in unlocking the true potential of lean/agile management.


Enterprises often use agile techniques only in the development phase, because they believe the priority should be giving the agile team full control over the implemented functionality. This can cause conflicts in terms of defining the product, when taking (agile) product ownership comes up against the strong discipline of traditional product management practices as well as the constraints of the medical experts. Lean portfolio management as described in SAFe is a smart way to resolve these conflicts, define areas of responsibility and successfully navigate from enterprise strategy to pure systems engineering. It is also a smart way to resolve conflicts between slower, more time-consuming hardware development and agile software development.


To stay competitive, medical device manufacturers have to bridge the gap between development and engineering/operations. Software developers often adopt practices and tools from DevOps (or even SecDevOps). When it comes to hardware or PEMS, Design for Six Sigma (DFSS) is generally a good solution. It includes methods that identify weaknesses and reduce defects later in the lifecycle but is also designed to lower manufacturing costs and minimize problems on the production line. Unfortunately, many engineering teams are unfamiliar with DFSS practices/tools or they use them in parallel with the product development lifecycle (PDLC) – both of these tactics will reduce the efficiency as well as the effectiveness of DFSS.

In recent years, we have seen the pressure on medical device manufacturers increase significantly. Not only are there new regulations from authorities in both Europe and the US; enforcement has also become stricter as medical infrastructure and healthcare providers are exposed to more severe risks every day. Medical device manufacturers (but also healthcare software providers) sometimes struggle to keep pace with the new regulatory requirements. Unfortunately, having the right procedures in place isn’t enough. Oversight officials are asking for comprehensive threat modelling or penetration testing, even as the market for cybersecurity talent runs dry. Deloitte offers outsourcing services to leverage capabilities not within your company skill set, while our medical device experts help you improve and modernize your procedures, guidelines and tools.


Medical devices often process very sensitive patient health data. Due to the increasing use of technology and the connectivity of medical devices, medical device manufacturers must deal intensively with data protection regulations. The laws and requirements that must be considered can vary depending on the region and the country that are potential sales markets. Therefore, relevant data protection requirements must be taken into account in the design of the product and embedded in the product engineering process. Deloitte supports the development of medical products, from making the first sketch to launching the product and beyond, with data privacy engineering capabilities that help you comply with data privacy requirements. Built on our profound knowledge of the health sector, our offering is a holistic approach that enhances your operating model for product development. Once data privacy is an integral part of the product engineering process, you can focus on the engineering process itself while staying relevant (and sustainable) at the same time.

More and more medical devices are using artificial intelligence (AI), particularly when it comes to diagnostic systems or systems designed to relieve healthcare professionals by automating routine tasks. From a purely technical standpoint, enterprises deploying AI need to adapt their engineering procedures to the new product development/testing procedures. A more critical need is to establish an appropriate legal and regulatory environment, not only factoring in various industry-specific regulations but also preparing for the forthcoming Artificial Intelligence Act (AIA).


Validating computer systems using traditional methods (CSV) is a very time-consuming and costly endeavor. Besides the obligation to extensively document the process with a focus on the quality of GxP-related data, it is extremely rare for CSV to identify or mitigate any real risk. The real issue with this legacy process, particularly when applied to engineering toolchains, is not only the cost but the effort required when existing, validated workflows or reports have to be changed. Validated (frozen) tools prevent engineering teams from trying novel methodologies, automating tedious manual work and enhancing their efficiency. The FDA is promoting Computer Systems Assurance (CSA) as a method focused on the actual risks to patients. When it comes to developing engineering tools, CSA will not only substantially cut costs, but also give engineers the freedom to be more creative and innovative.


Dealing with Legacy Quality Management Systems


When faced with new regulations or novel methodologies, enterprises often adopt an approach that simply adds the minimum regulatory changes to a legacy quality management system (QMS). The intention may be to make on-the-spot improvements at the request of a stakeholder, but it often results in unwelcome issues in the overall end-to-end workflow. Spot improvements may also conflict with the overall vision of a QMS that was designed as a conservative approach to achieve basic regulatory compliance. 

As a result, the new core processes end up as a patchwork of practices that are

  • more engineering-driven – highly progressive – and 
  • more quality management-driven – conservative, documentation heavy. 

Disciplines that are outside the focus of a traditional QMS, such as portfolio management, update management, preventive maintenance, etc. are often forgotten. More critical activities from cybersecurity to agile practices are added without being fully integrated or adapted to the needs of industry-specific regulations or company-specific practices/tools. This causes additional workload, confusion within the engineering team and bad quality/documentation.

Building a Truly Integrated Lifecycle


As discussed, simply adding spot improvements often results in an inflexible process landscape without an integrated, consistent end-to-end approach. Though this setup is often driven by audit/regulatory needs, it often lacks guidance for real-world practices and the right support for modern, automated systems engineering. Enterprises may end up with three different parties driving the actual workflows, each with a different view and mindset.

Your QMS could end up becoming very generic, without providing real guidance for the teams involved. Management will throw in their ideas from consultants, trainings or whitepapers. And while quality and engineering management teams struggle to agree on frameworks or procedures, the engineers use development plans to implement their own ideas for instructions and tools. In the best case, you achieve minimum compliance with the existing process landscape. In the worst case, you end up creating duplicate work, reverse-engineering the necessary documentation or producing useless documentation just to have something in place. 

It is impossible to overestimate the value of seamlessly integrating your process elements (often called base practices). We have developed a process model that supports integration from initial policy development to the tool workflow, covering everything from portfolio management to post-launch activities. As a backbone of this model, we adopt base practices from different maturity models, identify the relevant methods and trainings as well as the right instructions and tools. 

If this idea appeals to you, we would be happy to explain it to you in more detail. Click on the contact on the right side of the page to get in touch.

Our service portfolio


We offer 

  • the skills to define, build, deploy and operationalize your new engineering capabilities from policy to tool-chain 
  • the ability to run activities that you would prefer to outsource, and
  • a deep understanding of process landscapes and current or future regulations to put your innovations in the right context and fully integrate them into your existing processes.

If improvement and change are at the top of your agenda, we would love to partner with you for an initial consultation or an in-depth analysis of your specific situation.
