Introduction
Step 1: Establishing your Program Charter and Philosophy
Vision
To modernize compliance with pragmatism, deep collaboration, and data-driven decision-making.
Defining Core Missions of your Compliance Department
- To delight your engineering team with compliance processes that are seamlessly integrated with your current design practices, with careful consideration for your unique challenges and constraints.
- To provide confidence to your customer base by proactively and effectively meeting applicable regulations and state-of-the-art technical standards.
- To continuously educate your compliance team, your engineering team and obtain buy-in across your entire engineering organization on the compliance processes, policies and software tools.
- To be decisive while remaining empathetic with your engineering team when addressing and mitigating risks to quality, safety, security, ethics and privacy, recognizing that such mitigation requires additional effort from them.
Measuring Success of your Compliance Department
- Engagement: Periodic Net Promoter Score (NPS) style surveys from your product development team to measure their overall experience with compliance policies and procedures, including effectiveness of collaboration with your compliance department.
- Education: Periodic evaluation of the awareness, knowledge and competence of your engineering team on the requirements of relevant regulations and technical standards, particularly around how it pertains to their day-to-day role.
- Effectiveness: Successful product acceptance/sign-off by your customers and successfully passing periodic (yearly) independent third-party compliance audits.
Step 2: Establishing your compliance team structure and the collaboration framework with your engineering team
Overall Strategy
In any organization, compliance leaders face two equally important challenges: (1) achieving compliance with standards and regulations on ongoing programs to meet customer demands on tight timelines, and (2) building a product development framework that allows the organization to comply with all relevant standards and regulations on all future projects with optimized time and cost investments. To solve these two related but distinct problems, your company needs to deploy different approaches and mindsets in the near term, while working to converge them into a single approach over the long term. In other words, this type of "scaled compliance model" will help you address your time-sensitive customer needs today while also gathering the insights needed to build the ideal, optimized framework for the future.
Near-term:
- Establish a strong compliance task force consisting of 1 leader and 3 members under supervision from your Head of Compliance. The task force leader will ideally be a system-level expert with excellent program management and customer communication skills. The members will ideally comprise 2 software development experts (one with deep safety background and one with deep cybersecurity background) as well as 1 hardware development expert.
- The main objective of this task force is to deeply understand the compliance demands of your customer and the current implementation maturity of your engineering team on ongoing projects, determine a "tailored due diligence approach" to meet the most critical aspects of the standards and regulations, and ensure there is a comprehensive risk mitigation plan without overburdening your engineering team.
- It is necessary for this task force to be composed of multi-standard experts with real product development experience, so that they can work alongside and gain the trust of your engineering team. This is designed to be a highly collaborative relationship, i.e., rolling up their sleeves and getting to work with your engineering colleagues, not merely saying what to do but showing how to do it.
Long-term:
Assemble a 10-member compliance department consisting of subject matter experts in the regulations and standards relevant to safety-critical, software-dominant systems. In addition to the members of the compliance task force, it is essential to onboard subject matter experts in the following domains:
- Systems engineering and process expert & Trainer
- Software requirements engineering, architecture, and tooling expert & Trainer
- Systems and Software Safety Verification & Validation expert & Trainer
- Cybersecurity Verification & Validation expert & Trainer
- Technical writer and documentation manager
There will be two main objectives for this compliance department:
- To establish an integrated, standardized development process that achieves compliance with standards and regulations at scale, in close partnership with your engineering team.
- To continuously educate, coach, and build up your existing engineering team and future hires on this established standardized process, and to find opportunities to evolve and improve the process over time. Therefore, it's critical that compliance department members are also good trainers.
The compliance department will gradually transition over time from performing development tasks alongside the engineering team to becoming effective coaches, advisors, and independent reviewers of the compliance efforts of your engineering team. The ultimate goal is to make compliance with standards and regulations a natural outcome of a standardized product development process that has been meticulously developed in partnership with your engineering team, i.e., compliance by design.
Step 3: Establishing a Governance and Audit Strategy
- In the near term, your engineering team will not be expected to fully comply with the relevant standards and regulations. Therefore, governance will be established for individual programs in a lightweight manner by your compliance task force, with the help of bespoke due diligence checklists, product release criteria and technical leadership committee sign-off procedures.
- In the long term, your engineering team is expected to fully comply with the relevant standards and regulations. Your compliance department's vision and strategy will ensure that the standardized product development processes already incorporate all necessary activities, documentation procedures, and best practices for the engineering team to achieve compliance with these technical standards and regulations.
- It is your aim to build a set of "responsibility indicators" that help you measure and monitor performance on quality, safety, cybersecurity, and privacy on each program. For instance, "Status of successful completion of static code analysis against AUTOSAR or MISRA C++ guidelines for relevant software components" and "Cybersecurity information that has not yet been triaged", among others.
- Additionally, the compliance department will review the "Responsibility case", i.e., the combination of QMS evidence, safety case arguments, and cybersecurity case, at specific stages of the product development process. For a software product, these stages are: when software requirements are complete, when software architectural and unit designs are complete, and when software integration and verification tests are complete.
- Your compliance department must be empowered and authorized to take mitigation steps, including, but not limited to, pausing product development if major compliance risks are identified.