Tuesday, November 6, 2007

Scrum in a FDA regulated environment

I was asked the other day about how you could possibly implement a Scrum development methodology in a regulated environment. In the past I dealt with many CRM systems which had to comply with PDMA and 21 CFR Part 11 compliance for systems involved in the physician sampling of controlled substances and RX drugs in the US market.

This post isn't strictly about SaaS but I still thought it worth blogging about.

When building software within FDA boundaries there are certain key processes which need to be adhered to, to ensure your software is 'validated' and to reduce the chance of irregularities being discovered by FDA or Customer Audits before you find them yourself.

The key starting point for this conformance is a Quality System. When Auditors come in, this is the first document they ask for, "Where is your Quality Manual?". They will then perform an audit to verify that your product release processes conform to what you have written in your Quality System.

Now the traditional process in this case has been the Waterfall method, with a top heavy design document stage. This process really means big lags between releases and continual revision of documents and the required re-validation of documents and coding after change. The revisions were unavoidable in waterfall as no one got to review the product until close to the end of the long development phase. Then there is the good old Traceability Matrix. This is used to ensure that every requirement bullet point in your 180 page document Functional Spec and 200 page Design Document is traceable through all stages of the Waterfall. An impossible task to get right the first time. We are talking potentially thousands traceable points. When undergoing validation, random checks through this matrix would undoubtably find a missing link and things would have to start over again.

This is in contrast to Scrum, with its iterative release process, sprint cycle of 3 to 4 weeks, daily meetings, managable small sets and clear cut requirements and early feedback. The traceability matrix is small and easily tracked and issues are found early on as the progress is visible on a daily basis.

The perception has been you cannot use SCRUM in this regulated software environment. But in reality, what auditors are looking for is a Quality System you have implemented which is consistently being followed to ensure compliance with the legal aspects of your software. So if your Quality System states that you use Scrum Methodology and that your documents contain the expected FDA Requirements, as long as you are conforming to your quality system during your development projects, then you will pass validation.