Compliance

Trust, but verify.

—Ronald Reagan, citing a Russian proverb

Compliance refers to a strategy and a set of activities and artifacts that allow teams to apply Lean-Agile development methods to build systems that have the highest possible quality, while simultaneously assuring they meet any regulatory, industry, or other relevant standards.

Enterprises use SAFe to build some of the world’s largest and most important systems, many of which have unacceptable social or economic costs of failure. Examples of these high-assurance systems include medical devices, automobiles, avionics, banking and financial services, and aerospace and defense. To protect the public safety, these systems are often subject to extensive regulatory or customer oversight and rigorous compliance requirements. In addition, many enterprises are subject to other government regulations (e.g., Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act [HIPAA], Affordable Care Act [ACA], state insurance regulations) that require similar attention and audits to ensure compliance.

Historically, organizations operating under such regulations have relied on comprehensive quality management systems (QMS). Based on phase-gated development models, they’re intended to reduce risk and ensure compliance. Unfortunately, these traditional approaches don’t scale, even when some teams follow Agile practices. Nor do they keep pace with accelerating time-to-market demands. Of greater concern is that even when the higher Cost of Delay (CoD) is accepted, these traditional approaches often do not increase quality or eliminate risk. As Deming notes, “Inspection is too late. The quality good, or bad, is already in the product.”

This chapter offers guidance on how to apply Lean-Agile methods to build these systems faster and better, while also addressing critical compliance requirements.

Details

Traditional waterfall practices often mandate that full system specifications are defined and committed to in detail, up-front, long before all the real system behaviors can be known. Even worse, the sequential nature of phase-gated development produces large batches of work, long cycles between system integration points, and late feedback. In addition, compliance activities are typically deferred until the end of the project, providing little insight into compliance progress.

Collectively, these practices often result in missed deadlines, disappointing business or mission outcomes, lower quality, and substantial (and late) compliance challenges. In contrast, high-assurance Lean-Agile development builds in quality incrementally—early and throughout the development lifecycle. Moreover, it does so while including the very elements and activities necessary to ensure compliance.

The Role of the Quality Management System

To satisfy compliance requirements, organizations must demonstrate that their system meets its intended purpose and has no unintended consequences that might cause harm. They must also develop the objective evidence required to prove that the system conforms to those standards. To that end, organizations that build high-assurance systems define their approved practices, policies, and procedures in a QMS. These systems are intended to ensure that development activities and outcomes comply with all relevant regulations and provide the required documentation to prove it.

Unfortunately, the QMSs of many organizations are still heavily influenced by traditional phase-gated waterfall methods. This seriously inhibits, and can even prevent, the adoption of newer methods, as the older methods are hard-coded into the only approved way of working. As Figure 1 illustrates, SAFe describes an incremental approach to both development and compliance. It means those who want the benefits of Lean-Agile development (faster time-to-market and higher quality, to name two of these benefits) will typically have to evolve a Lean QMS.

The illustration shows a rightward arrow with four milestones: requirements complete, design complete, critical design complete, and planned deployment. Below which, the following four blocks are arranged vertically and are shown connected by a downward arrow: requirements, design, implementation, and verification. To the left of the blocks, an arrow from QMS points to lean QMS. Five arrows from lean QMS reads, build the solution and compliance incrementally, organize for value and compliance, build in quality and compliance, continuously verify and validate, and release validated solutions on demand. Three iterations are shown and in between the iterations, PDCA cycle is shown.

Figure 1. A Lean-Agile quality management system improves quality and makes compliance more predictable

The remainder of this chapter provides guidance on Lean-Agile strategies and patterns that develop these high-assurance systems.

Build the Solution and Compliance Incrementally

Even with a set of robust specifications, engineering teams never have all the answers when development begins. Instead, they have a set of hypotheses that must be tested through a series of short, iterative experiments, which provide validated learning to ideally advance toward the ultimate solution. Figure 2 highlights SAFe’s incremental development approach, comparing Shewhart/Deming’s plan–do–check–adjust (PDCA) learning cycles with a traditional waterfall model.

The diagram shows two sections titled “waterfall” and “incremental.” The waterfall section shows the following blocks connected by a downward arrow: requirements, design, implementation, and verification. At the top-right corner, one PDCA cycle is shown. Below requirements and design, documents icon is shown. Below implementation, more documents icon is shown. Below verification, unverified system and certified solution icons are shown. The incremental section shows four program increment bars. Before each bar, certified solution icon is shown. And above each certified solution icon, PDCA cycle is shown.

Figure 2. Rapid plan–do–check–adjust learning cycles increase quality and reduce risk

Figure 2 highlights two important implications for compliance. First, building smaller, working parts of the solution early allows compliance activities to also begin early, removing the large bow wave of performing such actions at the end. Each increment assesses the viability of the current solution, as well as progress toward compliance, providing early feedback on the system’s ultimate fitness for use. Second, specifications are created and evolved over time in small batches, with faster feedback on decisions and the opportunity for continuous review and assessment.

Organize for Value and Compliance

Agile Release Trains (ARTs) are the primary value-delivery organizations in SAFe. Each train requires all the skills necessary to build and release the Solution, including those responsible for quality assurance (QA), security, testing, and Verification and Validation (V&V). (While some regulations require independent, objective assurance, compliance representatives can still participate continuously as members of the ART.) The result is an ART designed in the manner illustrated in Figure 3.

Eight stacks representing business, product management/system engineering, hardware, software, quality, testing, V and V, and security are shown. Arrows from the stack point to agile release train which in turn points to a solution. Below the ART, a rightward arrow divided into six sections is shown. A T-shaped structure overlapping the arrow comprises of the solution management and product management icons along with teams icon.

Figure 3. Agile Release Trains include all disciplines including compliance

Solution and Product Management ensure that the Solution Intent and backlog properly reflect compliance requirements. Teams also ensure that their work includes appropriate compliance activities.

Build in Quality and Compliance

Built-In Quality is one of SAFe’s four Core Values and a core tenet of the Lean-Agile Mindset. SAFe describes the use of built-in quality practices, including automation to detect compliance and quality problems and, when detected, stopping the entire system to focus everyone on resolving the problem. This philosophy applies systems thinking by ‘optimizing the whole,’ ensuring fast flow across the entire value stream and making quality everyone’s job. From this perspective, quality is a culture, not a job title.

To that end, compliance concerns are also built directly into the development process, and automated wherever possible, as illustrated in Figure 4.

Four stacks representing quality, safety, V and V, and security are shown. An arrow from the stacks points to the following tests: functional test (ticked), security test (cross mark), performance test (ticked), QA test (hold), and compliance test (cross mark). Two iterations are shown. In between the iterations, a rectangle consisting of the following three blocks (bottom to top) is shown: compliance test automation, functional test automation, and building functionality. An arrow labeled “done” from the rectangle points to the following tests (all ticked): functional test, security test, performance test, QA test, and compliance test. An arrow labeled “progress” from the rectangle points to the following tests: functional test (ticked), security test (cross mark), performance test(ticked), QA test (hold), and compliance test (cross mark). Beside the progress arrow, Dev team icon is shown. An arrow from the stacks points to the rectangle.

Figure 4. Building compliance into design–build–test automation

Not all compliance activities can be automated, however, as some regulatory requirements mandate manual reviews, including activities like Failure Mode and Effects Analysis (FMEA) and audits. These activities are simply planned as part of the team backlog. The goal is to conduct these reviews as the solution is being built, reducing the last sign-off activity from a large, extended event to a quick and boring ‘non-event.’

With this approach, the program receives fast feedback on the degree to which the team’s compliance activities are being met and, conversely, how those activities may be impacting team performance. Figure 5 shows the feedback cycle between team activities and the practices defined by the Lean QMS.

The diagram shows two iterations labeled “program increment.” To the left of the first iteration, Lean QMS icon is shown. In between the iteration, solution intent icon along with NFRs is shown. Below which, solution icon is shown. An arrow from solution intent and solution points to lean QMS. An arrow consisting of review, test automation, continuous integration, V and V, audit, and traceability links from Lean QMS points to the solution and solution intent.

Figure 5. Program increments provide a feedback loop for compliance activities and practices

Continuously Verify and Validate

Most high-assurance systems require V&V to ensure that two criteria are met:

• The system works as designed (verification).

• The system meets the needs of the user (validation).

V&V must always occur against a known set of requirements. Otherwise, there is nothing to verify and validate against. As Figure 6 illustrates, SAFe uses solution intent as the repository for existing and emerging requirements and designs.

Arrows from traceability point to requirements model, solution model, domain model, test model, and realization. Requirements model reads, customer, regulatory; functional and use cases; and NFRs – safety, security. Domain model reads, business process and business rules. Solution model reads, analysis and architecture/interfaces. Test model reads, test plans, test cases, and execution results. Realization read, code, hardware; documentation; and manufacturing, installation. Arrows from solution intent and solution point to compliance documents and information. Above the solution intent, Lean QMS icon is shown.

Figure 6. SAFe’s solution intent provides support for verification and validation

Traceability from solution intent ensures that the artifacts produced during each Program Increment (PI)—the actual software, hardware components, and other outputs—address regulatory and compliance specifications, providing end-to-end evidence that V&V requirements have been met.

The SAFe Requirements Model Supports V&V

In SAFe, all elements of the requirements have test cases (see Figure 7), which are created at the same time as the functionality. Each increment yields new functionality and, consequently, adds new tests. As the number of tests grows, automation is vital to prevent testing activities from becoming bottlenecks.

The left of the illustration shows a stack of four layers representing the backlog items icon and two sections: enabler functionality and build functionality. The enabler functionality section shows a block labeled “enabler” that reads, exploration, architecture, infrastructure, and compliance. The build functionality section shows the following blocks: feature, story, feature acceptance test, story acceptance test, and unit test. An arrow labeled “realized by” from feature points to the story. An arrow labeled “tested by” from feature points to feature acceptance test. Two arrows labeled “tested by” from story points to story acceptance test and unit test. The right of the illustration shows solution intent icon with an oval at the bottom labeled “NFRs” representing the solution specification and constraints. A section titled “constrains functionality” shows a block labeled “nonfunctional requirement.” An arrow labeled “tested by” from the block points to another block labeled “system qualities test” representing strive for automation.

Figure 7. SAFe’s requirements meta-model supports verification and validation

Make V&V and Compliance Activities Part of Regular Flow

By incrementally building the necessary artifacts in the solution content over a series of PIs, SAFe supports continuous verification. Figure 8 illustrates how this process works.

Two iterations are shown and in between the iterations, the following are displayed. A block named “Feature” points to a section titled “feature DOD” that shows the following checkboxes checked: pass all acceptance tests, UAT/customer signoff, quality audit, and safety/sec/etc. review. A block named “story” points to a section titled “story DOD” that shows the following checkboxes checked: peer review, delivered and baselined, and automated tests. A block named “design review” points to a section titled “design enabler DOD” that shows the following checkboxes checked: all actions recorded, all action resolved, and solution intent updated. An arrow from the feature DOD points to Lean QMS and solution. Above the lean QMS, system demo icon is shown. Before the iteration, an arrow from the backlog item of solution management points to the backlog item of Dev team.

Figure 8. Verification and validation activities are part of the value delivery flow

Verification activities are implemented as part of the flow of value delivery (e.g., backlog items or Definition of Done [DoD] as described earlier). While the artifacts will satisfy the objective evidence needed at the end of development, they are created iteratively throughout the life cycle. Validation occurs when Product Owners, Customers, and end users participate in ART planning, demos, and validation of fitness for purpose.

In the example in Figure 8, regulations require design reviews and specify that all actions be recorded and resolved. The ‘design review’ Enabler backlog item offers evidence of the review, and its DoD ensures that actions are recorded and resolved per the Lean QMS. If needed, the actions themselves could be tracked as enabler stories. Regulations may also require that all changes be reviewed, which is addressed by a compulsory peer review DoD for all stories.

SAFe recommends building the integrated solution frequently (or elements of the system for cyber-physical solutions), at least at every iteration for the System Demo. Building and integrating frequently allows continuous validation from User Acceptance Testing (UAT), customers, and end users. For each iteration, the system demo provides objective evidence that the integrations perform as intended and that the entire system has advanced forward while maintaining quality and compliance standards.

Release Validated Solutions on Demand

SAFe recognizes that although the product development process happens in a predictable cadence (Develop on Cadence), the release process (Release on Demand) may require additional activities:

• Validation testing of the final release candidate (e.g., medical trial, flight test)

• Review of the objective evidence required before production approval and release

• Customer, regulatory, UAT, sign-offs, or other document submissions

Even then, Lean-thinking organizations always strive to fully automate delivery and, where possible, build in automated final release checks as part of a SAFe Continuous Delivery Pipeline and release on demand.

LEARN MORE

[1] Leffingwell, Dean. Agile Software Requirements. Pearson Education, 2011.

[2] “Achieving Regulatory and Industry Standards Compliance with SAFe” [White paper]. http://scaledagileframework.com/achieving-regulatory-and-industry-standards-compliance-with-safe/.

[3] “Achieving Regulatory and Industry Standards Compliance with SAFe” [Webinar]. https://www.youtube.com/watch?v=-7rVOWTHZEw&feature=youtu.be.