A compliance framework for DevOps is ideal when you have a business and technical need for automating the process of developing code and deploying code in the GxP validated environment.
A GxP DevOps framework increases the frequency and quality of deployments to meet customer and business needs while automating compliance and security. It also enables a GxP-compliant software delivery pipeline.
Read our case study to learn how USDM helped a Top 10 global pharmaceutical company create a validated DevOps framework for Microsoft Azure to use artificial intelligence (AI) chatbots that provide automated assistance with GxP content at their clinical sites. The customer lacked the knowledge of how to use DevOps tools in a regulated environment and had no formal software development life cycle (SDLC), computer system validation (CSV), or standard operating procedures (SOPs) governing their Azure DevOps. USDM developed a Master Assurance Plan (MAP) that distinguished GxP, non-GxP, and Software-as-a-Medical Device (SaMD) data to differentiate between formal and informal testing to enable the customer to meet global regulatory requirements, and USDM built a continuously validated Azure infrastructure to scale AI bot use.
Regulated companies wanting to build out a GxP framework in their agile development operations tend to face similar challenges.
- They lack standardized security and compliance processes and policies across the enterprise.
- There is no formal SDLC, CSV method, or SOPs governing their development operations.
- They lack regulatory compliance expertise and don’t know how to use DevOps tools to meet GxP validation requirements.
- They are plagued with time-consuming internal approval processes for GxP activities that slow down agile operations.
- They need an audit of their CI/CD pipeline with regular monitoring to know if ongoing work meets GxP goals but lack the know-how to deliver this monitoring capability.
To learn more about this specific point in a life sciences company’s cloud journey, watch this short clip from a recent webinar where Stepheni Norton discusses a continuously compliant DevOps framework.
DevOps Organizational Readiness and Maturity Model
While these are common challenges, USDM believes you must have a clear understanding of where you are in your organizational readiness and maturity before you start to build a DevOps framework. The following scenarios reflect our experience with many life sciences organizations and are intended to help you think about where you might be in your maturity.
Level 1 – Initial State
People: The starting point of DevOps organizational readiness doesn’t necessarily ooze readiness. There may be separate design, development, and testing teams with a complete lack of relatable terms and references. You often find that teams focus only on their own objectives, and there is no common ownership or overall reward system.
Process: Processes that are in place tend to be ad hoc, reactive, or chaotic. There is no common end-to-end process framework, sign-off criteria, or joint-solution design characteristics that support availability, stability, and flexibility.
Technology: Automation tools typically don’t exist at this stage, so most activities are done manually. More than likely, there is no integration between hardware, operating system installation and configuration, and applications. Information tends to be stored in multiple repositories.
Level 2 – Developing State
People: As readiness enters the developing state, teams still lack a person who will take end-to-end responsibility, and developers are focusing on functional requirements to the near exclusion of non-functional requirements. However, shared touch points are emerging as some developers and operational staff start to engage with each other.
Process: Attempts to establish better managed processes are made, but they are restricted to specific environments like user acceptance testing (UAT).
Technology: Here you may see automatic scripts being developed for hardware and operating systems in the development environment, but testing, training, and system integration testing (SIT) are installed manually.
Level 3 – Coordinated State
People: As coordination makes its appearance in the siloed organization, lead architects and designers start to increase their scope to operational aspects. Joint sessions are held to increase visibility. For example, operational staff may actively engage in the design and build phase, and developers are measured on operational characteristics.
Process: Separate processes still exist, but you’ll see more joint processes between development and operations. Overall, there is a better understanding of the environment and its characteristics.
Technology: Most of the setup in the development environment is automated and only application related components are manually installed.
Level 4 – Managed State
People: In the managed state of organizational readiness, you finally start to see cross-collaboration among teams for the solution life cycle. The lead architect owns the entire solution, including functional and non-functional design, build, test, and run.
Process: There is a single process for the entire solution life cycle – from design and build, to test and run. Teams have clear visibility of all projects in various stages and their functional and non-functional compliance levels.
Technology: Automated setup, testing, and go-live now covers servers, operating systems, and most middleware and application related components.
Level 5 – Optimized State
People: At full maturity, this stage of organizational readiness enjoys one team that is co-located with extensive collaboration and knowledge sharing.
Process: A single process covers the entire solution life cycle from strategy and planning to design, build, test, and run.
Technology: All environment setups are created automatically from a single repository and include servers, operating systems, and all middleware and application related components. There are no manual processes in place.
Things to Consider
Before you can build your DevOps strategy, you need to assess where you are today. The purpose of applying a DevOps assessment is to ascertain the level of maturity for your people, processes, and technology in order to focus on speed, value, and quality (including GxP needs).
The intent is not to provide an all-encompassing assessment, but insight to critical aspects. This assessment focuses on:
- How teams work together
- Automation and effectiveness for go-live
- Stability of your infrastructure
We welcome the opportunity to schedule an assessment of your organization. Contact USDM to get started.
USDM’s Cloud Assurance Benefits
If you are ready for a GxP compliant DevOps framework, USDM’s Cloud Assurance solution delivers continuous validation and meets the necessary U.S. Food and Drug Administration (FDA) requirements. It provides DevOps tools to fully manage your private code repository and automated workflows with verification and validation embedded into your processes.
Also included in the Cloud Assurance solution:
- Services like an annual vendor audit, cloud application validation, and cloud services qualification
- Accelerators for impact assessment, procedures and controls, and change management
- Deliverables that provide a qualification plan and report, an assurance report, and vendor certification
What Business Outcomes Can I Expect?
Implementing a DevOps framework results in a GxP-compliant software delivery pipeline with automated compliance and security built in. You can increase the quality and frequency of your deployments to meet customer and business needs. You can also expect:
- Increased collaboration
- Improved software development quality and speed
- End-to-end testing and traceability
- Faster time to market
- Lower change failure rates
- Increased deployment frequency
We invite you to watch our webinar, How to Maximize Your GxP Use of the Public Cloud, or read our white paper Regulated GxP Workloads in the Public Cloud to learn more about USDM’s public cloud solution.
We would be delighted to discuss your unique situation. Please contact us to schedule a call with our compliance and technology subject matter experts.