Introducing Coauthor, your compliance assistant

Alan Parkinson

Technical Director

Imagine working on a new SaMD project, an image analysis tool or a companion app for a blood glucose monitor, perhaps. Software development is progressing nicely, and you will soon submit to a notified body for approval.

Are you panicking about all the work required to prepare the technical file, thinking about all the time you will need to spend chasing software developers for documentation and for evidence that they have followed the software development process? Did they follow the development process? The medical device’s and the company’s success depends on prompt approval, but this could be a painful 6 months.

Alternatively, are you in the situation where the technical file has been automatically updated with evidence after every software change has been reviewed and approved? The developers have been automatically reminded if a software process step has been missed, so there are no deviations. It should take less than a week to finish preparing the submission for the notified body.

Is this second scenario a dream? How much money would you save in development costs if this was real… 10%, 20%, 30%, more?

This is where Coauthor comes in, a new compliance assistant that applies modern software development practices to IEC 62304 Software as a Medical Device (SaMD) projects. Coauthor takes the lessons learned from agile practices of DevOps and Continuous Delivery in the Finance Industry and applies them to IEC 62304.

Shift-left

The key enabler of continuous compliance within financial companies has been the ‘Shift-Left’ concept. Activities that traditionally took place in the ‘last mile’ after software development was completed (e.g. infrastructure setup, security review, audit, software composition analysis, performance testing, and change control review) are shifted left into the software development V-model and are included in the definition of done for a User Story. This is often made possible by embedding compliance experts into the software development team and having automation assist them by completing the mundane tasks and providing guardrails for the developers to follow.

Coauthor brings the same ideas to IEC 62304 software development.

Continuous Compliance

Coauthor continually monitors your Software Development tools (GitHub) and technical file for compliance issues against IEC 62304 and highlights them in real-time to the software development team or QA/RA manager.

With Continuous Compliance there are no nasty surprises when preparing a submission to a notified body: your project can be compliant from day one, and every change made to your software will have supporting evidence or documentation added to the technical file automatically. If the evidence or documentation isn’t available, Coauthor will alert the person responsible and can even block the software change (GitHub Pull Request) until the missing elements are included, avoiding the build-up of regulatory debt.

One example of how Coauthor does this is with SOUP. Coauthor can detect when a new software library has been added to the project using SCA (Software Composition Analysis) and will check whether a corresponding SOUP analysis has been included. If not, it will block the Pull Request from being merged until the analysis has been added. It can even detect mismatches between the library version in use and the version that was analysed.
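To make the mechanism concrete, the following is an added example of the kind of check described above, written here for illustration; it is not Coauthor’s code. It assumes a pinned `requirements.txt`-style manifest and a SOUP register kept in the repository as a list of entries (both constructed inline), and the function names are the example’s own. A dependency with no register entry, or one whose pinned version differs from the analysed version, produces a finding that a Pull Request check would report and use to block the merge.

```python
"""Constructed example: a pull-request check that compares a project's
third-party dependencies (SOUP in IEC 62304 terms) against the SOUP
analysis register held alongside the code. Not Coauthor's implementation."""
import re
from dataclasses import dataclass

# Constructed sample input: a pinned manifest as it might look after a PR.
REQUIREMENTS_TXT = """
# runtime dependencies
numpy==1.26.4
pillow==10.3.0
requests==2.32.3   # newly added in this PR
"""

# Constructed sample input: the SOUP register kept as docs-as-code.
# Each entry records the version that was analysed and where the analysis lives.
SOUP_REGISTER = [
    {"name": "numpy", "version": "1.26.4", "analysis": "docs/soup/numpy.md"},
    {"name": "pillow", "version": "10.2.0", "analysis": "docs/soup/pillow.md"},
]

# Matches 'name==version', tolerating surrounding whitespace and trailing comments.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s#]+)")


@dataclass(frozen=True)
class Finding:
    kind: str    # "missing_soup" or "version_mismatch"
    name: str
    detail: str


def normalise(name):
    """Package names compare case-insensitively; '_' and '-' are equivalent."""
    return name.lower().replace("_", "-")


def parse_requirements(text):
    """Return {normalised name: pinned version} for every '==' pin.
    Blank lines, comments and unpinned specifiers are ignored."""
    deps = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            deps[normalise(m.group(1))] = m.group(2)
    return deps


def check_soup(deps, register):
    """Compare manifest pins with the register. No entry -> 'missing_soup';
    an entry analysing a different version -> 'version_mismatch'."""
    by_name = {normalise(e["name"]): e for e in register}
    findings = []
    for name, version in sorted(deps.items()):
        entry = by_name.get(name)
        if entry is None:
            findings.append(Finding("missing_soup", name,
                                    f"{name}=={version} has no SOUP analysis"))
        elif entry["version"] != version:
            findings.append(Finding(
                "version_mismatch", name,
                f"pinned {version} but {entry['analysis']} analyses {entry['version']}"))
    return findings


def run_check(requirements_text=REQUIREMENTS_TXT, register=SOUP_REGISTER):
    """Return (passed, findings). A PR check fails the merge when passed is False."""
    findings = check_soup(parse_requirements(requirements_text), register)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    passed, findings = run_check()
    for f in findings:
        print(f"{f.kind}: {f.detail}")
    print("PASS" if passed else "FAIL: update the SOUP register before merging")
```

Run against the constructed inputs, the check reports a version mismatch for `pillow` and a missing analysis for `requests`, so the PR would be blocked; re-running with a manifest whose pins all match the register passes.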

GitHub, your medical software development platform

Finding software developers experienced in regulatory software development isn’t easy, and software developers from a web-app or mobile-app background tend to find it bureaucratic.

Coauthor is built upon developers’ favourite development platform, GitHub, and uses the ‘GitHub flow’ software development process familiar to software developers from a non-regulatory background. Added guardrails (technical controls) guide them through delivering compliant software, no matter their level of experience with IEC 62304. Coauthor comments on Pull Requests explaining what to do next by quoting plans or SOPs, and highlights any missing information using Pull Request Checks: missing document or code reviews by a relevant role, incomplete traceability, missing verification activity or supporting evidence, missing SOUP analysis, and missing architecture documents.

Engaging software developers with documentation can be difficult. There is often a tug of war between developers and QA/RA about completing the required documents, and these issues are often uncovered only at the end of software development. Coauthor removes the key friction point that keeps software developers from contributing to documentation.

Following the agile concept of Docs-as-Code, all software-related documents required by IEC 62304, including development plans, software architecture, requirements, risks, threat models, tests for verification and SOUP analysis, are stored in the GitHub repository. Documents are versioned in the same system as the software, developers can engage with documentation writing without having to switch tools to do so, and documents can be reviewed alongside code in code reviews to make sure they match.

All IEC 62304 documentation stored in GitHub is published to the Coauthor user interface and technical file for any team member to read. For those needing to edit documents, a friendly user interface is provided within Coauthor. In all, Coauthor brings to GitHub: requirements management, ISO 14971 risk management, threat modelling, a traceability matrix, software verification reporting with support for Cucumber, software architecture documentation, SOUP analysis, SBOM storage, technical file management, and the documents and plans required by IEC 62304.

How does Coauthor know your policies to monitor for compliance?

Coauthor uses a questionnaire to learn about your development process, then generates a YAML ‘policy’ file based on this information. This YAML file is versioned in GitHub, a technique known as “Configuration-as-code”. It allows Coauthor to do three key things:

If you change your development process, you just need to update the YAML policy file and Coauthor will generate a new set of SOPs and plans to be reviewed and approved using a GitHub Pull Request. Once approved, the new documents will be published and compliance monitoring updated.

Conclusion

Your Software as a Medical Device uses modern technology to improve patient outcomes, and Coauthor complements it by applying modern techniques to software development and compliance to get you to market faster than ever before. But that’s not all: Continuous Compliance can reduce software development costs by 30%!

If you have any questions about Coauthor or would like to participate in our Case Study trial, join our waitlist and we will arrange a video call with Alan, the founder of Coauthor and Hindsight Software Ltd.
