Compliance and Regulatory

ForwardBlood is designed under a quality management system aligned with FDA 21 CFR 820 design controls. Our software development process follows structured design input and design output traceability, ensuring that every requirement is linked to its implementation and verification evidence.

Design reviews are conducted at defined lifecycle stages to evaluate completeness, correctness, and adequacy of design outputs against design inputs. Our verification and validation activities confirm that the software performs as specified under the conditions it will encounter in clinical use.

This quality system alignment is foundational to how ForwardBlood is built — not an afterthought applied to finished software. Design controls, document control procedures, and corrective and preventive action (CAPA) processes are integrated into our daily development workflow.

ForwardBlood is building to IEC 62304 software lifecycle process requirements. Our development practices are structured around the standard's lifecycle activities: software development planning, requirements analysis, architectural design, detailed design, implementation, integration testing, and system testing.

Requirements management and traceability are maintained throughout the development lifecycle, linking user needs to system requirements, software requirements, and validation tests. Architecture documentation captures the decomposition of the system into software items, with defined interfaces and risk classifications informing the rigor applied at each level.

This is a development process commitment — IEC 62304 defines how we build software, not a product certification. Our maintenance processes, including problem resolution and change control, are designed to sustain lifecycle compliance as the platform evolves.

ForwardBlood is pursuing HIPAA compliance across the technical, administrative, and physical safeguard requirements of the Security Rule. Our technical safeguards include encryption of data at rest and in transit, role-based access controls with the principle of least privilege, and comprehensive audit logging of all data access and system events.

Administrative safeguards encompass workforce security awareness training, documented security policies and procedures, information access management controls, and security incident response planning. Physical safeguards are addressed through our cloud infrastructure providers, whose data center security controls are independently audited.

Business associate agreements will be executed with all third-party service providers who may access, transmit, or store protected health information on behalf of ForwardBlood or its customers.

ForwardBlood is designed with UK regulatory requirements in mind, including the Medicines and Healthcare products Regulatory Agency (MHRA) medical device regulations and UKCA marking requirements. Our quality management system and software lifecycle processes are aligned with standards recognized under the UK Medical Devices Regulations 2002 (as amended post-Brexit).

As the UK regulatory landscape for software as a medical device continues to evolve, ForwardBlood monitors guidance from the MHRA and maintains awareness of requirements for device classification, conformity assessment, and post-market surveillance within the UK market.