---
title: "Delivering Compliant Software Faster with Validated DevOps"
type: white-paper
publisher: Ketryx
source: "https://www.ketryx.com/assets/validated-devops-white-paper"
content: text extracted from PDF (layout/tables/figures not preserved)
---

# Delivering Compliant Software Faster with Validated DevOps

*Source: [https://www.ketryx.com/assets/validated-devops-white-paper](https://www.ketryx.com/assets/validated-devops-white-paper)*

---

Delivering Compliant Software Faster with Validated DevOps © Ketryx Corporation 2024 1

Introduction Software has become essential in creating innovative healthcare products that drive better patient outcomes. As MedTech companies strive to accelerate the development of more advanced medical device software, they must also make accommodations to meet the industry’s regulatory compliance requirements. These regulations add a significant number of steps and complexity to the software development lifecycle. Navigating and complying with these strict regulatory requirements often conflicts with the need to develop software at the pace expected in today’s market. © Ketryx Corporation 2024 2

The Challenge Today’s software environment is more complex than it was just a few years ago. Modern software is built using cloud-based platforms, incorporates AI/ML capabilities, and leverages open-source components. While these advancements offer many benefits, each can potentially introduce risks and vulnerabilities into code. Regulatory agencies such as the FDA have responded by raising the bar for compliance standards and modifying regulations so that companies can deploy safer software faster. However, in the case of MedTech, many companies’ processes and tools weren’t designed for speed, and they don’t take advantage of regulatory changes that allow manufacturers to modify their products without additional clearance. Industry infrastructure has simply not kept pace with the design complexity and speed of modern software. As a result, teams building medical devices are very slow to execute projects because their legacy quality controls and IT infrastructure cannot validate software at scale. It is common to hear that teams take one to three months to release software after the completion of the actual development in large part because the documentation process is so manual. According to a McKinsey study, between 2006 and 2016, the average design complexity and total effort for medical software surged by over 30% CAGR while productivity remained flat, rising just 2% annually. McKinsey attributes the trend to software differentiation (i.e. functionality) as well as the growing adoption of cloud- based solutions. In fact, processes are so manual and tedious that the industry suffers from nearly a 50% attrition rate of software developers. Software developers in MedTech often become frustrated by the unique tooling challenges they face compared to their counterparts in unregulated sectors. MedTech companies frequently provide developers with non-standard (and often inferior) tools, limiting their ability to leverage best-in-class development solutions. This not only hinders productivity but also leaves little time for creativity and innovation. Source: McKinsey&Company, Productivity drivers in Medical device and healthcare software development, Pg 7 © Ketryx Corporation 2024 3

Companies getting DevOps right DevOps delivers quantifiable technical and business benefits, including shorter development cycles, increased deployment frequency, and faster time to market. Leaders include: Amazon’s move to AWS from dedicated servicers allowed it to scale capacity and transition to a continuous deployment process, releasing updates every few hours. Fidelity leveraged DevOps to develop and launch a critical and differentiated trading application. Target used DevOps to develop its mobile savings app and to leapfrog other retailers during COVID. Etsy transitioned from a waterfall model to a fully automated deployment pipeline, enabling more than 50 deployments per day. The Solution The good news is that there is a path forward for rapid innovation in MedTech: Validated DevOps. Validated DevOps empowers organizations to accelerate their software development lifecycle and stay competitive, all while maintaining a commitment to quality, safety, and compliance. By embracing DevOps methodology, MedTech companies can reap the benefits — such as increased development speed and enhanced developer satisfaction — that have long been available in non-regulated industries. © Ketryx Corporation 2024 4

If you look at the software industry as a whole, it’s clear that DevOps has become the norm for agile development. Research from the Continuous Delivery Foundation found that 83% of developers worldwide are regularly involved in DevOps activities. By using DevOps to deliver high-quality software faster and more efficiently, MedTech companies can catch up with the rapid pace of modern software development and remain competitive in an increasingly digital healthcare landscape. The DevOps model has helped many successful companies by: DevOps yields shorter product lifecycles DevOps refers to a set of practices that combine software development (“Dev”) and IT operations (“Ops”) to streamline and automate software delivery. DevOps emphasizes automation, continuous feedback, and collaboration, which improves the speed and overall quality of the software. Accelerating time to market By continuously testing and deploying, developers can identify and address issues early in the development cycle. This shift in when bugs and code issues are identified in the software development lifecycle greatly reduces overall time and effort. Enabling developers to improve their output An agile DevOps process enables developers to implement modern tools, innovate faster, and improve their skills. Companies using DevOps offer a more familiar, efficient, and collaborative work environment for developers. Supporting AI/ML in product design AI/ML models require frequent training and updates. Continuous integration and deployment (CI/CD), a key part of DevOps, enables teams to make frequent software changes with a series of automated tests and validation processes that prevent the introduction of errors or unacceptable risks. Reducing labor hours and costs The collaborative nature of DevOps breaks down silos between departments, reducing duplicated effort and facilitating more effective use of resources. It also helps teams avoid costly delays caused by drawn-out meetings or miscommunication. © Ketryx Corporation 2024 5

Today, medical device teams rely on SOPs and processes that were originally designed for hardware-based devices. These processes are typically manual, which is at odds with the automation practices that are a core component of the DevOps methodology. Manual processes require many different people to manage individual components, making it difficult to quickly scale systems or increase efficiency. Existing MedTech tools such as product lifecycle management (PLM), requirements management, testing, and project management solutions were also not designed for software. Rather, they were built to design and develop hardware systems at a time when products were not as complex as they are today. They were designed to support the release of a singular version of a hardware device (rather than for the frequent iterations required in software development). This leads to teams having to rely on meetings, shared Excel approval spreadsheets, and other manual methods that cannot keep pace with modern software development efforts. Three obstacles to fast release cycles Even for companies that are eager to start reaping the benefits of DevOps, transitioning to this model isn’t like flipping a switch. Here are some of the top challenges that must be overcome. #1 Traditional MedTech processes and tools are highly manual © Ketryx Corporation 2024 6

Major technology companies in non-regulated industries release software daily or even hourly, a pace that would allow incredible innovation in MedTech. However, the comprehensiveness and manual nature of verification and validation processes make it difficult to execute rapid iteration. Regulatory agencies such as the FDA demand that manufacturers provide documentation as evidence of software safety, reliability, and compliance using prescribed practices. Most companies create this documentation manually. However, typical DevOps tools are designed to test and deploy code changes automatically—they weren’t designed to provide required levels of control, Part 11-compliant audit trails, and related documentation. In addition, design controls and V&V activities are typically managed in systems that are completely disconnected from the systems where code is built, tested, and deployed, essentially nullifying the value of DevOps. However, this problem can be overcome with proper tooling that connects the compliance and DevOps tools together. By creating an interconnected system with shared gates, it is possible to align DevOps with V&V. Code changes automatically create a change request while the DevOps cycle can be gated by the successful completion of the V&V cycle. #2 The verification and validation cycle doesn’t align with the speed of DevOps © Ketryx Corporation 2024 7

#3 Outdated MedTech tools don’t accommodate the changing landscape of software development Most MedTech organizations still use specialized (and sometimes outdated) development tools, requiring developers to invest time in learning how to use unfamiliar systems while navigating complex regulatory frameworks. Developers using traditional lifecycle management systems must frequently switch between tools and spend additional time creating evidence documentation. Furthermore, lifecycle management systems don’t support the changing landscape of open-source dependencies and the software supply chain preventing developers from using powerful open-source software. The ideal environment for software developers maximizes innovation and provides a standard suite of tools and resources to enhance their productivity. Traditional MedTech software simply doesn’t support this type of developer-friendly culture. Examples of a developer-centric approach MedTech companies striving to create an innovative culture for software developers would benefit from considering the following changes: • Maximizing development time by minimizing infrastructure and administrative burdens. • Providing standard and modern development tools, empowering developers to work efficiently. • Reducing the cognitive load of understanding intricate regulations by integrating compliance automatically into developer workflows. • Automating documentation to eliminate this tedious activity from daily tasks while maintaining focus on product impact. © Ketryx Corporation 2024 8

The FDA supports modern DevOps and MLOps The FDA sees and understands the problems faced in developing software. The agency is actively looking for ways to help manufacturers improve their products and take the least burdensome approach to managing their lifecycle. Its Predetermined Change Control Plan (PCCP) is relatively new guidance designed to facilitate innovation and continuous improvement by taking a risk-based approach to change management of AI/ML systems. The FDA stated recently that they plan to allow additional sub-systems and entire products to be governed by PCCP. Manufacturers can take advantage of this by obtaining an approved PCCP with a device submission and documenting they have the appropriate infrastructure (i.e., Validated DevOps or MLOps) to perform quick change control based on the PCCP. MLOps extends DevOps by incorporating machine learning model development, training, deployment, and monitoring into the pipeline, emphasizing data management and model versioning. With this PCCP guidance, the FDA is clearly stating that manufacturers can release as often as they’d like as long as they can prove that they are following their approved and controlled process. This means companies can adopt validated DevOps and MLOps practices and start releasing — and innovating — at a much faster pace. Source: FDA.gov: Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions ... To perform quick change control based on the PCCP. With this guidance, the agency is clearly stating that manufacturers can release as often as they’d like as long as they can prove that they are following their approved and controlled process. “ ” © Ketryx Corporation 2024 9

Demystifying PCCPs In April 2023, the FDA published a new draft guidance, Marketing Submission Recommendations for a Predetermined Change Control Plan (PCCP) for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions. This guidance reflects the FDA’s efforts to develop a regulatory framework for the emerging AI/ML-based software in healthcare. It provides medical device manufacturers with a means of swiftly introducing AI/ML-based technologies to market while ensuring patient safety and effectiveness. A PCCP is designed to accommodate the iterative nature of AI/ML-based software functions which the FDA terms “ML-DSFs.” ML-DSFs, by definition, continuously improve through modifications. With a PCCP, manufacturers can gain premarket authorization for specified automatic and manual modifications to an ML-DSF, bypassing the need to re-submit the device for FDA review. This new process is in contrast to the FDA’s traditional approach of premarket review for changes to medical devices. A PCCP comprises three key components Description of Modifications Outlines planned modifications and their rationale. A Modification Protocol Details how modifications will be developed, validated, and implemented, covering data management, training, and updates, among other items. An Impact Assessment Assesses the benefits and risks associated with implementing a PCCP, ensuring that modifications do not introduce undue risks Get a free PCCP template: https:/ /go.ketryx.com/devops-pccptemplate The PCCP encompasses modifications related to performance specifications, device inputs, and limited changes in device use and performance, all aimed at maintaining or improving the safety and effectiveness of an ML-DSF. However, the plan does not cover modifications that alter a device’s intended use or indications for use, nor does it include minor modifications that do not necessitate new marketing submissions. Once an FDA-approved PCCP is part of a device’s marketing authorization, manufacturers can make specified modifications without requiring additional marketing submissions, provided the changes adhere to the PCCP’s description and protocols. © Ketryx Corporation 2024 10

How Validated DevOps drives compliant software innovation Validated DevOps allows teams tasked with developing validated software to leverage DevOps best practices while establishing additional controls to ensure that products still meet safety, quality, and regulatory requirements. Think of Validated DevOps as a way of performing small QA tests — many of which are automated — during each step of the development process instead of testing everything at the end of development. It helps teams identify and remediate any issues that arise before moving to the next phase of work. Some of the most essential features of Validated DevOps include: Key aspects of DevOps in a regulated environment • Documentation: By thoroughly documenting every aspect of the DevOps process, companies can ensure consistency, reproducibility, and adherence to regulatory standards. • Compliance: Companies must ensure that their DevOps processes, tools, and practices align with the specific regulations and guidelines applicable to their sector. • Security: Implementing strong security practices, including encryption, access controls, and continuous monitoring, is critical for protecting sensitive data throughout the DevOps pipeline. • Quality assurance: Quality assurance is a critical component of DevOps in regulated industries. Strict quality control measures, such as adhering to SOPs without deviation, help ensure that the software is free of defects and meets required quality standards. • Testing: Rigorous testing and validation processes are necessary for ensuring that software functions as intended and meets all regulatory requirements. • Traceability: By establishing clear links between requirements, development, and testing, regulated companies can affirm that every aspect of their software is traceable and can be readily audited. • Change control: In regulated industries, change control processes must be particularly rigorous to ensure that all changes are properly evaluated, approved, and documented. In essence, Validated DevOps combines the principles of DevOps with a strong focus on safety, compliance, and quality assurance. Automation of process controls to reduce the potential for human error, promote efficiency and precision across all tasks, and enable more frequent product iteration. Documentation that is automatically generated for all work, eliminating the need for disconnected spreadsheet entries or protracted meetings. This also establishes trust with regulators by defining a map between regulatory standards and the company’s practices. An environment that supports modern software tooling, allowing developers to build regulated software using the tools and practices they are already familiar with, such as Jira, GitHub, and Bitbucket. 11 © Ketryx Corporation 2024

Ketryx: The fastest path to Validated DevOps The Ketryx Connected Lifecycle Management Platform helps MedTech companies rapidly transform their software development process to fit within a Validated DevOps model. Ketryx automatically connects best-in-class development tools to your quality and lifecycle systems, building on your existing investment. It will: • Extend your infrastructure so your developers can continue to use the modern tools they know and love. • Enforce existing SOPs and processes, continually documenting that there are zero deviations. • Implement automatic guardrails so that no project can proceed unless you are fully compliant. • Auto-generate documentation and traceability reports and produce a FDA-ready audit trail and DHF. Ketryx’s templating features also allow teams to cross-reference and pull information from relevant projects, simplifying the creation of FDA-compliant documentation. By serving as a centralized repository for all product information, Ketryx eases the burden of traceability on developers and quality assurance engineers alike. It automatically creates Part 11-compliant audit trails, ensuring the integrity and accuracy of your electronic records and providing you with evidence for regulatory compliance audits. This helps your team maintain clear documentation of the relationships among different components of products or systems. Ketryx also enables organizations to meet cybersecurity-related documentation requirements with the option to create an FDA-compliant SBOM in seconds (and easily manage it over the course of the product life cycle). © Ketryx Corporation 2024 12

Beacon Biosignals combines wearable technology and AI-driven analytics to transform and enhance the treatment of neurologic, sleep, and psychiatric diseases. Their scalable solution combines FDA-cleared devices and software, machine learning algorithms, and extensive datasets to accelerate drug development by providing rapid and precise analysis of brain data. PAIN POINTS Manual Traceability Created Inefficiencies Before Ketryx, the Beacon Biosignals team spent many hours on highly manual documentation and traceability processes, leading to longer release cycles. • Manual Documentation: Documentation process for updating requirements and specifications was extremely labor-intensive, significantly slowing down their development workflow. • Traceability Breaks: Time consuming to keep traceability up-to-date with manual and error- prone methods such as Word documents and Excel spreadsheets. • Redundant Efforts: Generation of test plans and reports for software testing that was already automated and documented in code was redundant and effortful. • Microservice Complexity: Needed to manage a microservice architecture with varying regulatory requirements across components, but found traditional documentation approaches inflexible. KETRYX SOLUTION A Self-Documenting SDLC Beacon Biosignals sought a developer-centric solution to streamline SDLC management and selected Ketryx to achieve the following objectives: • Establishing Traceability: Automated traceability in Ketryx significantly decreases manual effort and errors in maintaining documentation for both hardware and software. • Automated Tests: Integration with GitHub Actions automates test execution logging, streamlining the development process. • SBOM Support: With Ketryx, uploading an SPDX and maintaining an accurate Software Bill of Materials (SBOM) became effortless. BUSINESS OUTCOMES Faster Validated Releases With Ketryx, the Beacon Biosignals team quickly realized several key benefits: • Faster Releases: Reduced release cycles from four weeks to two weeks while significantly enhancing documentation quality. • Reduced Documentation Time: Achieved a 75% reduction in documentation cycle time. • End-to-End Traceability: Ketryx automatically generated clear traceability. • Automated Testing Efficiency: Ketryx increased agility by integrating automated testing into the developer workflow and generating documentation of tests for every release. How Beacon Biosignals Reduced Their Release Cycle to Two Weeks for AI/ML Products The shift with Ketryx of having the code be more and more self-documenting has reduced friction. It allows our developers to easily and clearly map their normal development activities to necessary quality activities. — Alex Chan VP of Analytics and Machine Learning, Beacon Biosignals “ ” © Ketryx Corporation 2024 13

Implementing Validated DevOps with Ketryx typically involves the following steps: Transitioning to Validated DevOps with Ketryx Transforming your software release processes can be challenging, but a future-ready solution positions you for long-term success. Ketryx provides a carefully designed, end-to-end framework to help companies seamlessly transition to a Validated DevOps model. From the moment you select Ketryx as your solution partner, a dedicated program manager will guide you through every step of our implementation process while ensuring you’re kept informed on key milestones and project timelines. Implementation Plan • Joint Execution Plan • Key personnel for the client • Client goals • Timelines for completion of each phase Migration Plan • Identify source system data • Data mapping from source systems to target systems QMS Revisions • Update existing QMS • Configure Ketryx to align with SOPs • Document all changes Integrations and Migrations • Complete integrations with Jira, GitHub, and other systems • Execute migrations Product Training • Ketryx provides product training to all teams • Teams trained and ready to execute first release First Release • All configuration items closed • Documents produced and in review • Release complete Continuous Improvement • Regular meetings with Ketryx team • Collect user feedback • Access to documentation and FAQs PLANNING IMPLEMENTATION OPERATIONAL SUPPORT © Ketryx Corporation 2024 14

To learn more about validated DevOps and releasing software faster, contact us today at www.Ketryx.com Schedule a demo today by scanning this QR Code or visiting: https:/ /go.ketryx.com/demo-devops © Ketryx Corporation 2024 15
