Change is a feature of product management, but uncontrolled change or thrash can be detrimental. As product managers, we need to not only manage changes within our teams but also ensure that any regulatory requirements are carefully adhered to.

In Software as a Medical Device (SaMD), the stakes are even higher. The nuances of change management become critical, given the regulations and the potential impact on patient safety. This article explores the complexities of change management in SaMD product development and offers a structured approach to navigate these challenges effectively.

1. Understanding the Nuances of Change Management

The key to effective change management is recognising which changes require attention and to what extent. Specifically, in regulatory industries like MedTech, understanding when regulatory frameworks apply—or do not apply—is crucial.

For instance, in a SaMD company, you may have several products, both internal and external. Some of these products will be directly part of the SaMD, while others are not directly part of the SaMD certification but still fall under other regulatory standards like ISO 15189 for medical laboratories. This distinction affects how changes are managed.

These different levels of regulatory compliance can lead to frustration among product teams. Common questions include:

• What requires a comprehensive change management process, and what does not?

• Where is the line between different levels of compliance?

• Can we iterate and ship some features quicker because they're not directly our SaMD product, without going through our full SaMD-accredited Software Development Life Cycle (SDLC) process?

2. Creating an Assessment Matrix

To determine how to manage each product based on its regulatory impact, we can create an assessment matrix. This matrix helps define principles and criteria to categorise products into tiers, enabling tailored change management processes for each level.

Defining Principles

• Regulatory Impact: Assess the extent to which a product is subject to regulatory scrutiny under frameworks like SaMD regulations or ISO 15189.

• Product Functionality: Determine how the product contributes to the overall SaMD ecosystem or other regulated services.

• Risk Level: Evaluate the potential risks associated with changes to the product.

Establishing Criteria

By defining clear criteria, we can classify products into tiers that dictate the required level of change management. This ensures compliance without unnecessarily hindering innovation and development speed.

3. Defining Tiers of Regulatory Impact

A simple matrix is required to categorise the products into regulatory tiers. Keeping it to three tiers makes it simple and clear to product squads what tier their product fits into and what actions they need to take.

Here is a simple example using three tiers for a personalised cancer testing company:

Tier 1: Direct SaMD Regulated Product

Definition: This product is directly audited by a regulatory body for SaMD.

Example: A cancer bioinformatics pipeline that analyses Next-Generation Sequencing (NGS) data.

Required Actions:

• Strict Change Control Processes: All changes must go through formal change control procedures, including rigorous documentation, justification, and impact analysis.

• Comprehensive Testing and Validation: Perform extensive verification and validation activities to ensure the product meets all regulatory and safety requirements.

• Regulatory Approval: Significant changes may require prior approval from regulatory bodies (e.g., FDA, TGA).

• Detailed Documentation: Maintain meticulous records of all changes, testing results, risk assessments, and approval signatures.

• Key Stakeholder Sign-Off: Obtain approvals from key stakeholders, such as the Chief Product Officer (CPO), Chief Technology Officer (CTO), Regulatory Affairs, and Quality Assurance.

Tier 2: Indirect Regulated Product

Definition: Products that are not directly regulated as SaMD but form a key part of the customer journey that encapsulates the regulated product.

Example: An app that customers log into to order and see the status of their tests.

Required Actions:

• Moderate Change Control: Implement documented change management processes that include impact assessment and necessary testing.

• Regulatory Alignment: Ensure changes comply with any other relevant standards like ISO 15189/CLIA.

• Selective Documentation: Keep records of changes, test results, and approvals, with depth varying based on impact.

• Stakeholder Buy in: If there are other regulatory changes, these will require sign-off from relevant stakeholders, such as the Head of Laboratory or Pathologist. Ensure buy in from other stakeholders to help understand impact on the SaMD.

• Impact on SaMD: Assess whether changes could indirectly affect the SaMD or overall compliance.

Tier 3: Non-Regulated Product

Definition: Products or services not directly related to the SaMD or other regulated products but managed to deliver the overall product lifecycle.

Example: A Enterprise Resource Planning (ERP) system for company operations.

Required Actions:

• Standard Change Management: Follow general SDLC change management processes focused on efficiency and minimising business disruption.

• Basic Documentation: Maintain internal records of changes for accountability and future reference.

• Internal Stakeholder Engagement: Get alignment and buy-in from stakeholders, or “agree to disagree” and continue with the product vision.

• Risk Assessment: Evaluate operational risks and necessary regulatory risks to ensure it remains Tier 3.

4. The Product Requirements Document (PRD) as the Baseline

The Product Requirements Document (PRD) is the cornerstone for defining product requirements and managing changes. It should serve as the baseline that determines a product's regulatory tier and outlines the necessary actions for compliance.

Key Elements to Add to the PRD

1. Regulatory Requirements Section:

   • Tier Classification: Clearly state the regulatory tier (Tier 1, Tier 2, or Tier 3) that the product falls into, based on its features and impact.

   • Reference the Matrix: Include the assessment matrix or a link to it within the PRD.

   • Criteria Documentation: Document the criteria used for this classification to provide transparency and rationale.

   • Applicable Regulations: Detail all relevant regulations and standards applicable to the product, such as SaMD guidelines or ISO 15189.

2. Version Control and Approval Sign-Off:

   • Change Log: Add a dated change log to document all revisions to the PRD.

   • Stakeholder Review Field: Include a section where stakeholders can sign off on changes. This can be a digital approval.

   • Accountability: This ensures all changes are reviewed and approved by the necessary parties, maintaining compliance and accountability.

By adding these key elements to the PRD, you create a comprehensive document that not only defines product requirements but also serves as a central tool for managing changes and ensuring regulatory compliance.

Key Takeaways

• Centralise Information in the PRD: Use the PRD to define the product, determine its regulatory tier, and guide change management processes.

• Explicitly State Regulatory Impact: Clearly include regulatory considerations and classifications within the PRD to provide transparency and direction.

• Implement Formal Approvals: Establish and document approval protocols for changes affecting compliance, involving all necessary stakeholders.

• Prioritise Clear Communication: Ensure all team members understand the regulatory requirements and the implications of changes by making the PRD accessible and understandable.

• Maintain Consistency and Compliance: Regularly update the PRD and align it with regulatory documentation to support compliance and facilitate audits.

Conclusion

By clearly outlining regulatory considerations and change management procedures within the PRD, product teams can effectively navigate the complexities of SaMD development. This structured approach balances innovation with compliance, ensuring the successful delivery of safe and effective products to the market.

Embracing these practices minimises frustration, improves communication, and upholds the highest standards of quality. The PRD becomes not just a document but a strategic tool that guides the entire development process, integrating regulatory requirements seamlessly into product management.