The Value of an Engineering Compliance Consultant

Automotive recalls have been in the headlines this year. In fact, more calls have been recalled this year than ever before. But automakers and suppliers aren’t the only ones catching mistakes, some of which have resulted in fatalaties.

A visit to the portal Recalls.gov will give you a jumping-off point to various government sites on recalls of boats, tires, consumer and automotive products, and more, as well as food and other industry non-conformance. Drill down further into the site, and you’ll see the price that companies pay after the product is well underway and the damage is done.

For example, the U.S. Consumer Product Safety Commission (CPSC) reported that a floor-cleaning device manufacturer must pay a $725,000 civil penalty for a defect in floor cleaners that were overheating. The company received many complaints from consumers, but did not report it to the CPSC as required by law.

Building the Best

For the engineering design community, there is a persistent drive to build the best products. Doing so, however, means being compliant with a growing load of regulatory compliance, which includes safety as well as security measures from various agencies. Professional societies and non-profit consortiums also serve to self-regulate various industry standards. For example, ISO, ASTM and IEEE are all recognizable industry associations whose members agree to establish standards and comply with the same. This brings into question, however, the value of a consultant. Just where is the value in the services of a consultant in the design process, and what is at the crux of the value they provide?

“We review the product and design to understand the regulatory approval strategy, and then facilitate validations and standards testing,” he explains. “We have all been in the medical business for a minimum of 15 years, and many of us are engineers. We understand how an engineer thinks and speaks, and we know the regulatory requirements. The mesh of those two items is fairly unique in this industry.”

Rothkopf notes that many clients are start-ups, because staffs at these new companies typically do not have years of medical experience, “and they commonly need their hands held through the process. Since we have been around for many years, we understand the client’s specific needs. From there, we simply execute.”

The sequence of events in a design is important, but often overlooked. In other words, the steps and processes of product design and development may proceed without regard for various regulatory measures that influence specific facets of the design. This highlights the importance of a thorough check for requirements and compliance before the product development moves too far forward.

Other Facets of Design Risk

It’s not just pure safety issues that concern a designer. Nowadays, it’s also security.

For example, Deloitte’s Cyber Risk Services practice helps organizations address cyber risks, including regulatory requirements, to their products.

“We help clients understand the cyber threat landscape as it relates to business risk, and assist them in developing practical cyber risk programs,” says Sean Peasley, principal of Deloitte & Touche LLP in Costa Mesa, CA. “This can include assessing risks, evaluating compliance standards, assisting in the development of cyber risk programs, designing and implementing security controls, testing product security, educating the workforce, and extending the reach of cyber risk compliance out to key third parties. We help clients address identified compliance issues, interact with regulatory authorities, and respond to inquiries, investigations and other regulatory actions.”

As Peasley explains, if a medical device company gets a letter from the FDA saying that the agency is aware of a security flaw and wants more information on how the flaw is being addressed, “we’ll help them assess the risk, respond to the inquiries, and assist in developing a methodology and framework to both correct the current problem and help avoid similar ones in the future.

“Compliance is an indispensable part of the overall risk program, but Deloitte’s approach is distinct because it also considers the potential motivations of various threat actors, and helps organizations proactively consider the potential attack surfaces that surround each product,” Peasley continues. “This is important because it helps manufacturers become more confident in bringing innovation to market.”

It is, however, a significant shift in how many organizations have traditionally approached cyber threats, he says.

“Historically, engineering design organizations focused compliance on meeting sector standards at an enterprise security level,” Peasley explains. “The shift to Internet-connected devices requires a vastly different approach to product development. We help companies identify product security considerations earlier in the development lifecycle, helping reduce instances in which flaws are identified in the testing phase—or worse, once the product has been released. Integration of threat awareness early in the process has the potential to not only better protect the public, but also to lower overall production costs.”

Peasley says that organizations still don’t have the internal resources to approach cyber threats in a truly holistic way. In general, product designers have that role because they can create functional, useful products—not because they understand security risks or are expected to know how a device could be exploited. Deloitte specialists bring a depth and breadth of knowledge about both products and the threat landscape, he says.

“Understanding risk is not about building up a fortress around the product; it’s about understanding the motive of the actor and anticipating how they are going to try to exploit the system for gain,” he adds. “If you’re only focused on how to prevent someone from hacking a device, it’s easy to miss real intention, and therefore, the real danger. That actor probably isn’t just looking for the data on one device—they could use the attack to mask or execute a much more dangerous breach of your intellectual property, which the network may not be set up to detect. It’s a completely different mindset that we bring to our assessments.”

An Ounce of Prevention …

A prevailing problem is that designers are quick to jump onto the drawing board, but do not realize that there are regulatory bodies that have standards to allow or disallow products and product features to be used. As Rothkopf notes, it’s an issue that affects industries from medical to automobile and aerospace.

“They are regulated industries for a reason: Poor designs can and have killed,” he points out. “Design must be built from the beginning to meet specific documented requirements and validations. When they don’t like this client, there is a huge delay and extra costs associated with the project that could have been avoided.”

But the biggest problem, as Rothkopf sees it, is that manufacturers don’t ask about design impact early enough: “They go along merrily and then get popped in the end when they didn’t design the product to a specific regulation or standard.”

More Info

• Deloitt
• MEDIcept