Sparta counters DevOps naysayers with compliance automation

Compliance can be automated along with the app development process as part of a DevOps transformation, one life sciences company found.

A life sciences company swam upstream against a current of regulatory compliance and cultural resistance to successfully implement a DevOps process.

Sparta Systems Inc., based in Hamilton, N.J., makes software used by large pharmaceutical and biological research organizations to ensure the quality of their products, so the regulatory stakes are high. But the company found that continuous delivery, adopted as part of a new software-as-a-service offering of its software, actually improved its standing with regulators, thanks to compliance automation.

Automating software development, testing and deployment with a combination of tools from Atlassian, open source communities and Amazon Web Services (AWS) has solidified the data trail the company can furnish to auditors to prove its compliance with most regulations, according to Bruce Kratz, vice president of research and development at Sparta.

"When we go through an audit, we have an auditor choose a particular requirement; or, a lot of times, they'll come in with a requirement they want to see, something that's important to their business," Kratz said. "We'll start at the user story and trace it all the way through to the source code, the unit tests, validation tests, and it's all linkable and traceable through the process."

That kind of traceability is an option within tools, from Atlassian's JIRA to Jenkins' continuous delivery to AWS' infrastructure as a service, but most companies don't take advantage of it, Kratz said.

"You might be surprised at how many companies -- big companies -- still can't do even a basic traceability between all those elements," he said.

Compliance automation an uphill battle

Before it could pass audits with its compliance automation process, Sparta's management, led by Kratz, first had to convince its internal stakeholders that such things were possible in the life sciences market.

"We had quite a few people who just refused to change or couldn't accept that we could apply it to the life sciences industry," Kratz said. The company had to transform a 15-year-old software code base for test and development automation, and figure out compliance automation along the way -- a daunting task. Kratz brought in outside consultants from cPrime Inc., an Agile consulting firm in Foster City, Calif., to act as Agile coaches for his staff, including managers, who were questioning their roles as priorities shifted.

"We had a very top-down approach to managers before, where our managers would assign tasks and developers would do them, and we've migrated to a more self-directed team," Kratz said. "We've basically worked through those issues one at a time, one by one."

Kratz described the process of implementing test and development automation as chipping away, bit by bit.

"The thing that's helped us is looking at the problem in small increments," he said. "It's a marathon, not a sprint."

A lot of companies hire a third party to get transformed, and after six months, they think they will be transitioned and done, according to Kratz.

"That's kind of a naïve view of the process and what you have to go through," he said.

Compliance automation an ongoing process

Sparta's next move is to learn how to automate testing for a standard called GMP, which stands for good manufacturing practice.

"It was first driven around manufacturing systems, but now, it's also been applied to software," Kratz said. "It's a highly manual test of functionality, and ... it requires evidence that the tests actually passed, and that evidence has historically been a person signing off on each and every step."

Still, Kratz said he believes this testing can also be automated, though he's not yet sure how.

"It's pretty specific to our industry, so I wouldn't expect a company like Atlassian to tackle this, but that's an area that I really want to solve," he said.

Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.

Join the conversation

2 comments

What changes in a DevOps implementation for highly regulated industries?
Compliance affects many industries: Life sciences, banking, finance, health, etc.