We even explored creating a separate database for the regulated components and data elements. Although that idea was not feasible for us, I suggest giving the idea some consideration for your project. The drain of maintaining the compliant state will negatively impact the schedule and budget. Knowing which functional or feature sets directly or indirectly touch regulated components will help you decide how well optimized the release-and-delivery plan is in regards to regulated components. When changes come down the pike that touch regulated components, you need to be on top of the impacts and risks to the validation efforts that have already taken place and the tests that still remain. Be very aware of the time it will take to certify the regulated components. Targeting the last set of sprints as the time for deploying the regulated components will save on recertifying those components. Moving regulated components to production without certification can be extremely costly to the organization.
Penalties for noncompliance quickly reach into hundreds of thousands (and possibly millions) of dollars, and the negative public exposure can damage a company’s reputation. In some cases, besides monetary damages, a company might be forced to go back to paper until all the exposures are mitigated. The trend for governments across the world to impose continued regulations will increase. As QA professionals, the burden to deliver quality in the compliant state falls squarely into our hands. Quality is a marathon and not a sprint, and the investment to maintain the compliant state needs to be articulated clearly to management. It is a continual process that must be integrated into the fabric of the organization. The cost for compliance is high and can be deemed a cost of doing business, but that is not good enough. As QA professionals, we need to explain the cost and risk-benefit equation of testing and regulatory compliance and articulate to business owners the real cost of quality in attaining the compliant state.