“I never thought I’d work in regulatory affairs.”
Everyone in Quality Assurance or Regulatory Affairs (QA/RA) will have said or heard this sentence at some point in their career. Some colleagues perceive us as those strange people who spend days reading uninspiring legislation. For others, we are the internal police chasing them to follow rules we have also set.
No wonder we end up asking ourselves how we got here – and why we like it.
What motivates us – QA/RA people – to get out of bed in the morning and do our best in our jobs? This article will explain how QA/RA teams grow over time and how the roles change, showing why our work is actually challenging, exciting, and rewarding. The insights belong to me and my colleagues: Nathan Pollpeter, Tamara Petteta, and Ricardo Roovers.
The evolution of the QA/RA team
Let’s first see how quality and regulatory affairs teams come to exist in a company’s lifecycle.
Start-up (0 – 10 employees)
The compliance role is often born out of a different role, such as engineering. Once we learn that the products we build require regulatory clearance, we are the ones who start digging into standards and regulations.
At this stage, a person in the development team tends to take the lead, often with the support of external consultants who can help with the finer details. As the organisation grows, they become the ‘go-to’ person for quality and regulatory questions, working to bring the first product to market.
Small enterprises (10 – 50 employees)
With further growth, the organisation needs to address more topics than just the basics in our industry, i.e., the EU Medical Device Regulations (MDR 2017/745) and ISO 13485. The focus extends to reading, understanding, and further implementing many other standards, regulations, and guidance documents. It’s not a one-person job.
The regulatory team grows from a single person to a larger team, typically including dedicated regulatory affairs and quality representatives. The roles may still be embedded within the development team. Nevertheless, collaboration with other departments becomes essential to help professionalise and optimise processes.
Medium-sized enterprises (50 – 250 employees)
At this point, organisations have the capabilities to address continuously evolving regulations, standards, and guidance documents. Changes to requirements are released as often as every one or two months. Each time, they require an assessment of their impact on the business and products.
With more products being released onto the market and more customers in different countries, the company needs further product approvals (e.g., FDA clearance for the US, ANVISA registration, Health Canada, etc.) and additional system certifications (e.g., MDSAP). Thus, the team continues to grow too, extending the RA teams and adding QA positions. The QA/RA roles become more specialised and independent.
Large enterprises (250+ employees)
By now, the company has mature quality and regulatory procedures in place, often at the cost of agility.
Procedures are strict, and their application requires more checks to mitigate potential deviations. Large enterprises often use detailed and extensive design and development procedures with a high degree of predictability. Once products come out of the design and development process, they conform precisely to the standard formats for which clearance has been proven.
The role of QA/RA is to ensure the consistent implementation of procedures and, at set intervals, verify that procedural compliance is met. There is less room for flexibility in regulatory processes. Furthermore, procedure changes have a much greater impact on the organisation and its products.
What it takes to fill a QA/RA role
So, the QA/RA roles change over time in growing organisations, expanding in scope and depth. It may be surprising, but these roles are among the most dynamic and diverse in the company. People filling them need to:
- Be an expert on all the applicable regulations and standards (a list that is growing fast!);
- Have an in-depth understanding of the products and their technical functionalities;
- Have excellent technical writing and communication skills and be able to explain complex (technical, quality, regulatory) concepts in a way that nearly anyone, and regulators in particular, can understand;
- Be involved in almost every aspect of the organisation (marketing, sales, design and development, human resources, management, logistics);
- Communicate at all levels throughout the company. One day we may be talking to the system engineers, and the next one, we may be sitting with management;
- Take a firm stance in situations when management or colleagues’ decisions do not align with regulatory requirements, carefully balancing business needs while never compromising on patients’ safety, security, and rights.
With team members checking all these boxes, a successful QA/RA team knows exactly what is happening throughout the company at all times. Through internal audits, management reviews, and daily catch-ups, they have an overview of the business’ strengths and weaknesses.
Three major challenges
A typical day in the QA/RA team is often exciting and demanding, with patient safety top of mind as the gravest concern. These are the main pitfalls we face:
The wide scope
By far, our biggest challenge is the broad scope of the function and the many competencies we need to apply each day. Whilst trying to oversee most processes and products horizontally, we often need to take vertical deep dives. We may engage in policy, engineering, clinical, or even deep statistical discussions. Moreover, we often have to switch between several topics on the same day. Colleagues expect us to fully grasp the extent of all conversations – and that’s no small feat.
We learned that the only path to success is having short lines between the QA/RA team, management, and all disciplines. At the end of the day, everyone in the company plays a role in ensuring quality and regulatory compliance.
Balancing bureaucracy and flexibility
Trying to keep up with the never-ending changes in our field, it’s easy to isolate ourselves from the other teams and operations. This may reinforce bad habits that lead to unforeseen incidents, simply because it is hard to be sufficiently involved in the daily operations of growing organisations.
Some companies try to solve this problem by resorting to bureaucracy (e.g., forms and extra layers of signing off). Of course, templates are useful for controlling and monitoring the operations, allowing room for traceability and improvement. As an example, checklists have proven their effectiveness in aviation and are not perceived as a burden or extra workload but as making flights easier.
However, unnecessary control and checkpoints can seriously hamper an organisation’s pace. Faced with many requirements to meet to get things done, colleagues may avoid involving quality and regulatory affairs for fear of increasing paperwork.
Ask anyone in large manufacturing companies about their perception of QA/RA, and they will compare them with the police. On the other hand, ask the QA/RA team about their biggest concern, and they will tell you it’s not being involved enough. This tension can become painful for all parties. If the business can’t progress as envisioned, the QA/RA team gets the blame.
Managing bureaucracy and flexibility is a complicated balancing act. One way to resolve misalignment is to regularly inform and train management on regulatory requirements and their application. This will help them understand the need to embed the QA/RA team sooner rather than later.
Many vendors in our industry are struggling with the implementation of the MDR 2017/745. More than a year after its launch, only 17% of the products in our field comply.
Yet, this is only one of many trials in the perpetually changing regulatory landscape. For software and AI-enabled medical devices, there are well-known and upcoming legislative frameworks to consider:
- GDPR 2016/679 and all changes in privacy and security legislation;
- The AI Act COM (2021) 206, introducing a complete suite of requirements and harmonised standards;
- The Electronic Health Data Space (EHDS 2022/0140) regulation, which takes a stand on interoperability with electronic health record systems;
- New UK legislative requirements (UKCA);
- Changing FDA requirements for AI medical devices;
- Changes to harmonised standards;
- MDCG guidance documents under the MDR 2017/745; and so on.
The stream of publications is an enormous struggle for QA/RA in the AI space. To make matters worse, local authorities are issuing more local requirements, often only in their own languages, in an attempt to address the lack of international harmonised standards and regulations. We observed a similar trend in security and privacy requirements.
Consequently, it’s highly complex for companies to identify and understand which national and international requirements apply to their medical devices, especially for small and medium-sized enterprises with limited resources. It is currently easier to release some implantable medical devices than AI software.
A way to tackle this is to join forces with industry and standardisation organisations. As Aidence, we are members of COCIR (European trade association) and NEN (Dutch standards committee), which inform members of changes in legislation and standards. Such memberships also provide us with the opportunity to contribute to international standards. In addition, memberships to regulatory journals (e.g., the Journal of Medical Device Regulations) support staying abreast of changes and their implications.
QA/RA at Aidence
Today, Aidence has four people working full-time in one Regulatory Compliance team. We chose to combine quality and information security management into one department to ensure that our procedures, policies, and forms are fully compliant with ISO 13485 and ISO 27001. Compared to quality management, information security requires additional technical expertise, for which we rely on the technical and security teams.
RA and product development teams work closely to guarantee that the products and new features are in line with the existing and upcoming regulations. The RA team is responsible for patients’ safety by monitoring and approving product releases, mitigating any expected or unexpected risks, and preventing non-compliant products from reaching the market. The duty of ensuring compliance ultimately falls on the Person Responsible for Regulatory Compliance (PRRC), as per Article 15 of the MDR.
We regularly hold cross-functional team meetings to address all compliance risks across quality, regulatory, and information security. We also frequently update management on new and ongoing compliance risks and the status of mitigating actions. This empowers our team to raise risks in a transparent way and avoid unpleasant surprises during audits or, even worse, penalties.
Is it all worth it?
If you didn’t think highly of your QA/RA colleagues, I hope this article changed your mind. They play a massive role in making new, life-saving technologies accessible to more patients. Obtaining regulatory approvals or quality certificates are milestones your whole company celebrates. They wouldn’t be possible without QA/RA.
Working in our field means constantly growing and making a difference in people’s health, safety, and data security. Yes, sometimes we have to take an unpleasant control role or analyse tedious regulations. Still, when you consider the impact of compliance on patients’ lives and the business we work for, you can only conclude that our role is exciting, challenging, and rewarding!