A life sciences company swam upstream against a current of regulatory compliance and cultural resistance to successfully implement a DevOps process.
Sparta Systems Inc., based in Hamilton, N.J., makes software used by large pharmaceutical and biological research organizations to ensure the quality of their products, so the regulatory stakes are high. But the company found continuous delivery as part of a new software-as-a-service offering of its software actually improved its standing with regulators, thanks to compliance automation.
Automating software development, testing and deployment with a combination of tools from Atlassian, open source communities and Amazon Web Services (AWS) has solidified the data trail the company can furnish to auditors to prove its compliance with most regulations, according to Bruce Kratz, vice president of research and development at Sparta.
"When we go through an audit, we have an auditor choose a particular requirement; or, a lot of times, they'll come in with a requirement they want to see, something that's important to their business," Kratz said. "We'll start at the user story and trace it all the way through to the source code, the unit tests, validation tests, and it's all linkable and traceable through the process."
It's an option within tools, from Atlassian's JIRA to Jenkins' continuous delivery to AWS' infrastructure as a service, but most companies don't take advantage of it, Kratz said.
"You might be surprised at how many companies -- big companies -- still can't do even a basic traceability between all those elements," he said.
Compliance automation an uphill battle
Before it could pass audits with its compliance automation process, Sparta's management, led by Kratz, first had to convince its internal stakeholders that such things were possible in the life sciences market.
Bruce Kratzvice president of R&D at Sparta
"We had quite a few people who just refused to change or couldn't accept that we could apply it to the life sciences industry," Kratz said. The company had to transform a 15-year-old software code base for test and development automation, and figure out compliance automation along the way -- a daunting task. Kratz brought in outside consultants from cPrime Inc., an Agile consulting firm in Foster City, Calif., to act as Agile coaches for his staff, including managers, who were questioning their roles as priorities shifted.
"We had a very top-down approach to managers before, where our managers would assign tasks and developers would do them, and we've migrated to a more self-directed team," Kratz said. "We've basically worked through those issues one at a time, one by one."
Kratz described the process of implementing test and development automation as chipping away, bit by bit.
"The thing that's helped us is looking at the problem in small increments," he said. "It's a marathon, not a sprint."
A lot of companies hire a third party to get transformed, and after six months, they think they will be transitioned and done, according to Kratz.
"That's kind of a naïve view of the process and what you have to go through," he said.
Compliance automation an ongoing process
Sparta's next move is to learn how to automate testing for a standard called GMP, which stands for good manufacturing practice.
"It was first driven around manufacturing systems, but now, it's also been applied to software," Kratz said. "It's a highly manual test of functionality, and ... it requires evidence that the tests actually passed, and that evidence has historically been a person signing off on each and every step."
Still, Kratz said he believes this testing can also be automated, though he's not yet sure how.
"It's pretty specific to our industry, so I wouldn't expect a company like Atlassian to tackle this, but that's an area that I really want to solve," he said.
Major enterprises share DevOps adoption stories
The monkey wrench that is DevOps compliance
The dangers of too-hasty automation