Continuous Delivery Pipelines Reduce Risk in Regulated Environments
Implementing Agile in a regulated environment with Continuous Delivery Pipelines strengthens compliance, reduces risk and accelerates the software process.
Adopting agile practices in regulated environments, such as the pharmaceutical and medical device industries, has turned the corner. With the release of guidance for the medical device industry (AAMI TIR45:2012) and its recognition by the FDA in 2013, acceptance of agile in regulated environments is increasing. Fortunately, much of that guidance applies to the medical, pharmaceutical and other regulated industries as well.
Now that agile is no longer the new kid on the block, agile practitioners have figured out how to adapt it to regulated environments. This opens the door to improved performance for software teams that can now use agile in place of the slower waterfall methodology.
Regulators in most industries generally take a descriptive approach to control: they don’t specifically tell you how to accomplish compliance, merely what must be achieved.
The ability to map regulated activities into the agile process is critical to the acceptance of agile in a regulated environment. Activities such as planning, requirements analysis, architectural design, coding, testing and release all have a solid place in the agile methodology.
Another important aspect of agile acceptance is baking compliance into the process at every stage, including requirements, design, the ‘definition of done’, testing, acceptance and validation.
The only problem is that, while agile is an effective methodology, it introduces overhead. Each iteration (sprint) encompasses the entire waterfall methodology in thin slices. Add the compliance overhead on top, and the development process begins to drag. That’s fine with regulators, but not with companies that still need to deliver. That tension is not uncommon in highly regulated environments, but the challenge can be solved.
Continuous Delivery Pipelines
Continuous Delivery is a practice centered on automation. It allows you to gain full control of the process, relieve the burden of time-consuming mundane tasks and provide the test and compliance coverage coveted by regulators. This process flow is often called a Continuous Delivery Pipeline, as it delivers a continuous flow of high-quality, tested, compliant code.
Continuous Delivery Pipelines demonstrate a mature Software Development Life Cycle (SDLC) to regulators, complete with a built-in pipeline of controls to isolate access, monitor, track and streamline the flow of development.
Investment in test and compliance automation as part of the Continuous Delivery Pipeline can greatly alleviate the overhead of executing each iteration. Building compliance into the process creates a documented path that enforces compliance rules early, a commitment regulators will appreciate.
Some agile practitioners recommend a “hardening” sprint devoted to ensuring the software meets compliance. While that may be appropriate in some scenarios, my recommendation is that you are better off building it into the process early. This allows you to address compliance as you would any other acceptance criterion. It is similar to systems that incorporate security up front as part of the design: they are far more secure than those where security is bolted on afterward.
Documentation is often a missing piece for regulators. They require the traceability and validation that links all the artifacts in the Continuous Delivery Pipeline of each deployment together, such as:
- Requirements (agile stories with documentation links)
- Coding (list of source code files for implementation of features)
- Testing (number of tests run, test records and coverage, number of defects; unit, acceptance and smoke tests)
- Compliance Testing (which compliance Gates were applied and their result)
- Deployment (approval trail, deployment and rollback details)
Continuous Delivery practices demand that this be automated as well. That closes the gap for auditors who are used to seeing stacks of documentation from their waterfall exposure.
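As an added illustration of the traceability record and compliance gates described above (example code written for this article, not from Third Wave or any pipeline product), the following Python script models one pipeline stage. It assumes the pipeline hands it structured facts about a candidate deployment (linked stories, changed files, test summaries, open defects and the approval trail), evaluates a set of hypothetical gates (coverage threshold, required suites, no open critical defects, minimum approvers, documented rollback), and emits a hashed release record that links the requirements, code, testing, gate results and deployment details together so an auditor can later verify it has not been altered. All sample values and thresholds are constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class TestSummary:
    suite: str                             # "unit", "acceptance" or "smoke"
    run: int                               # number of tests executed
    failed: int                            # number of failures
    coverage_pct: Optional[float] = None   # line coverage, where the suite reports it


@dataclass
class BuildFacts:
    """Facts a pipeline stage collects about one candidate deployment (constructed shape)."""
    commit: str
    stories: list[str]             # agile story IDs, each carrying its documentation link
    changed_files: list[str]       # source files implementing those stories
    tests: list[TestSummary]
    open_defects: dict[str, int]   # severity -> count of open defects
    approvals: list[str]           # approvers recorded in the deployment trail
    rollback_plan: str


@dataclass
class GatePolicy:
    """Compliance gate thresholds (hypothetical values, not taken from any regulation)."""
    required_suites: tuple[str, ...] = ("unit", "acceptance", "smoke")
    min_unit_coverage_pct: float = 80.0
    min_approvals: int = 2


def evaluate_gates(facts: BuildFacts, policy: GatePolicy) -> dict[str, bool]:
    """Run every compliance gate and report each result by name, so the record shows which applied."""
    by_suite = {t.suite: t for t in facts.tests}
    unit = by_suite.get("unit")
    return {
        "changes_trace_to_stories": bool(facts.stories) and bool(facts.changed_files),
        "required_suites_passed": all(
            s in by_suite and by_suite[s].failed == 0 for s in policy.required_suites
        ),
        "unit_coverage_meets_threshold": (
            unit is not None
            and unit.coverage_pct is not None
            and unit.coverage_pct >= policy.min_unit_coverage_pct
        ),
        "no_open_critical_defects": facts.open_defects.get("critical", 0) == 0,
        "approvals_meet_minimum": len(set(facts.approvals)) >= policy.min_approvals,
        "rollback_plan_documented": bool(facts.rollback_plan.strip()),
    }


def _canonical(body: dict) -> bytes:
    # Stable key order and no whitespace, so the hash does not depend on serialisation details
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_release_record(facts: BuildFacts, policy: GatePolicy) -> dict:
    """Assemble the traceability record for one deployment and decide whether it may proceed."""
    gates = evaluate_gates(facts, policy)
    record = {
        "commit": facts.commit,
        "requirements": sorted(facts.stories),
        "coding": sorted(facts.changed_files),
        "testing": [
            {"suite": t.suite, "run": t.run, "failed": t.failed, "coverage_pct": t.coverage_pct}
            for t in facts.tests
        ],
        "open_defects": facts.open_defects,
        "compliance_gates": gates,
        "deployment": {
            "approvals": sorted(set(facts.approvals)),
            "rollback_plan": facts.rollback_plan,
            "allowed": all(gates.values()),   # a single failed gate blocks the deployment
        },
    }
    # Tamper evidence: hash the canonical JSON so a reviewer can re-check the stored record
    record["record_sha256"] = hashlib.sha256(_canonical(record)).hexdigest()
    return record


def verify_release_record(record: dict) -> bool:
    """Recompute the hash; any edit to the stored record makes this return False."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record.get("record_sha256")


# Constructed sample input, standing in for what a pipeline stage would collect.
SAMPLE_FACTS = BuildFacts(
    commit="abc1234",
    stories=["STORY-101", "STORY-102"],
    changed_files=["src/dosing/calc.py", "src/dosing/limits.py"],
    tests=[
        TestSummary("unit", run=412, failed=0, coverage_pct=86.5),
        TestSummary("acceptance", run=37, failed=0),
        TestSummary("smoke", run=9, failed=0),
    ],
    open_defects={"critical": 0, "major": 1},
    approvals=["qa.lead", "release.manager"],
    rollback_plan="redeploy previous tagged image; restore config snapshot",
)
POLICY = GatePolicy()

if __name__ == "__main__":
    print(json.dumps(build_release_record(SAMPLE_FACTS, POLICY), indent=2))
```

Each gate is reported individually rather than collapsed into a single pass/fail, which is what gives the auditor the "which gates were applied and their result" view; the hash over the canonical JSON is a cheap way to make the stored record tamper-evident, and in a real pipeline the record would be signed and retained alongside the deployed artifact.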
Now that agile has gained acceptance in regulated environments, it is time for Continuous Delivery to take its evolutionary place in reducing risk and strengthening the agile process in regulated environments. After all, Agile isn’t agile without Continuous Delivery.
Mr. Barbato brings over 35 years of experience in the software and technology industries to Third Wave. He has invested over 20 years in banking and highly regulated environments. He guides Third Wave’s expert team in applying Continuous Delivery Solutions to reduce risk and increase ROI. Follow on Twitter: @frankjbarbato