I hear this question often from people in the pharmaceutical branch, air traffic control, banking and finance – any place where strict regulatory compliance is required, and it came up again at my last CSM course.
Regulated environments are complex, both because of the regulations themselves and the high risks associated with the domain being regulated, which means that Scrum is well suited to developing products in this sector. Let’s look at Scrum’s building blocks, some objections to using Scrum in a regulated environment, and then, using traceability as an example, let’s look at how Scrum can be used to address a regulatory requirement.
Scrum is designed for solving complex problems as a team, without defining any domain-specific process. Scrum gives you several building blocks to ensure that your delivered product meets all of the necessary requirements:
Scrum does not tell you to write any particular documents, but if creating and maintaining certain documents is required for your project, Scrum gives you the mechanisms to ensure that they get written and maintained properly.
The Product Backlog is the source of all requirements, both functional and non-functional, for a project. All requirements belong on the backlog. Non-functional requirements should appear high on the backlog, so that the Implementation Team and Product Owner can discuss the implications early in the project. Usually non-functional requirements will get translated into functional requirements and/or items in the definition of done to ensure compliance.
The Product Backlog is ordered. The top most item will be done first. Then the next one, then the next one, etc, until “all” the backlog items have been implemented. (More formally, the Product Owner decides when “all” features have been implemented).
The definition of Done is simply common understanding among everyone in the project on what it means when you say, ‘This feature is done.’ So for instance, if a release note must be written for every feature, then writing the release note belongs in the definition of done. A definition of done typically requires proof that the new functionality has been implemented correctly and that all previously implemented functionality is still working correctly.
The goal is that there should be no undone work at the end of sprint. If that goal is achieved — and teams that achieve it often do so with the help of automated testing — then the Product Owner can call for a release at least at the end of any sprint (and possibly more often, depending on the teams engineering practices).
Under Scrum, teams deliver solutions incrementally, once slice at a time. These slices are integrated together to create the entire product. The increment at the end of the sprint should be ‘potentially deliverable’ – there is no undone work, so if the product owner believes there is more value in releasing than not releasing, she can call for a release.
These “slices” are defined by entries in the Product Backlog (and are often called stories). The stories get mapped to acceptance criteria, which can be logged or documented as appropriate. When the acceptance test is green — and the remaining aspects of the definition of Done are satisfied — the story is considered done.
Even if it is not practical to actually deliver at the end of each sprint, it is still desirable to have granular control of what is done. It is by implementing features in small slices and by insisting that there be no undone work at the end of sprint that Scrum teams achieve the ability to deliver predictably. By measuring progress in terms of deliverable functionality, they gain the ability to predict when the total package will be finished.
When is the whole product really done? When can we really release? That is the decision of the Product Owner. The P-O decides which items will be done first, whether a feature is really done, and when the product as a whole can be released (even if release means “released to the approval process.”).
So how will your project meet the regulatory requirements? Here’s how I would do it:
Yes you do! And you have to deliver to a deadline. Now if time is getting short, which would you prefer?
Even if you really have to deliver everything, option 3 is your best choice, for your customer and your reputation!
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-advertisement | 1 year | Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category . |
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
Cookie | Duration | Description |
---|---|---|
mailchimp_landing_site | 1 month | The cookie is set by MailChimp to record which page the user first visited. |
Cookie | Duration | Description |
---|---|---|
CONSENT | 2 years | YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data. |
_ga | 2 years | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. |
_gat_gtag_UA_42152348_1 | 1 minute | Set by Google to distinguish users. |
_gcl_au | 3 months | Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services. |
_gid | 1 day | Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. |
Cookie | Duration | Description |
---|---|---|
NID | 6 months | NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads. |
test_cookie | 15 minutes | The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies. |
VISITOR_INFO1_LIVE | 5 months 27 days | A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface. |
YSC | session | YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages. |
yt-remote-connected-devices | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
yt-remote-device-id | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
Cookie | Duration | Description |
---|---|---|
COMPASS | 1 hour | No description |
cookies.js | session | No description available. |
S | 1 hour | No description available. |
4 Comments
Well summarised, thanks Peter!
Thank you Silvana! (And it's so nice when someone posts a compliment which is not simultaneously a SPAM link 😉
Really enjoyed the summary!
I was wondering if you are aware of any pharmaceutical companies that currently use agile methodologies?
Thanks!
Sure, lot's of them. I have had representatives of many in my public courses, and I have company courses for at least two. One that I know of even has a Scrum handbook – How we do Scrum in a/our regulated environment..