
SET 2010: Can Scrum be used in regulatory environment?

posted Dec 30, 2009, 1:04 AM by Marcel Baumann   [ updated May 10, 2011, 6:12 AM ]
Often you read that the Scrum approach is only for small projects or for web development, but not for security-related applications such as elevator software or MedTech products. We have successfully developed such applications using Scrum and the agile extreme programming (XP) approach. Based on our experience in real projects we postulate that
  1. The internal quality of the application is high. Scrum has mechanisms to prevent cheating on internal quality: the team alone is responsible for it. Test-driven development and continuous integration guarantee that each new piece of functionality has tests, and that these tests are executed every time something is checked into the source control management system, through the continuous integration (CI) server.
  2. The maintainability of the application is impressive. Scrum and extreme programming (XP) have mechanisms to prevent entropy growth in the application: each time a piece of code is extended, it must be refactored and improved. Modern tools such as coding guideline checkers (FxCop and StyleCop for .NET; PMD, NCSS and FindBugs for Java) ensure that standards are high and that known coding issues are detected as soon as a modification is checked in, through the CI server, and communicated in real time to the team.
  3. Regression problems are rare. Test-driven development (TDD) provides a huge set of unit tests. Modern tools such as code coverage applications, unit test frameworks and mocking frameworks help to detect regression errors early when a new feature is added to the application.
  4. The application has no dangling parts. Scrum forces the team to deliver a shippable piece of software at the end of each iteration, in our case every two weeks.
Another major criticism is that documentation is missing in a Scrum project. In our projects we have:
  1. Subsystem and unit specifications for all components of the application. People often forget the documentation delivered for free in every TDD project: each unit test shows how the code must be used to realize a specific application function. Coding guideline checkers also guarantee that the code documentation is written; code walkthroughs and refactoring activities guarantee that this documentation is useful.
  2. Each specification also traces the requirements realized in the component. The unit test shows that the requirement was correctly implemented. With some additional tooling it is possible to generate automatically the trace between the result of a test during a test campaign and the associated component and requirement. This data can be stored in the requirements management tool for quality gate criteria and traceability if you are working in a regulated market. This approach fulfills all needs of ISO 9000, CMMI and FDA regulations.
  3. The traceability from stories to requirements to unit tests to test results, coupled with the weighting of test cases based on a risk matrix, is the answer to all rules in a regulatory environment.
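The traceability chain in items 2 and 3 above, as an added example that is not from the original post: a small Python script that collects 'traces:' markers from constructed unit-test source, joins them with constructed CI results into a requirement-to-test matrix, and applies a risk-weighted quality gate in which any high-risk requirement that is untested or failing blocks the release. The requirement ids, test names, marker convention and risk weights are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed requirements with their risk class from the project's risk matrix (hypothetical ids).
REQUIREMENTS = {
    "REQ-001": {"title": "Door closes only when no obstacle is detected", "risk": "high"},
    "REQ-002": {"title": "Overspeed triggers the emergency stop", "risk": "high"},
    "REQ-003": {"title": "Display shows the current floor", "risk": "low"},
}
RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}
# Constructed unit-test source; each test carries a 'traces:' marker naming the
# requirement(s) it verifies (a hypothetical convention, not a standard).
TEST_SOURCE = '''
def test_door_blocked_by_obstacle():   # traces: REQ-001
    assert not door_may_close(obstacle=True)
def test_overspeed_emergency_stop():   # traces: REQ-002
    assert emergency_stop(speed=2.5, limit=2.0)
'''
# Constructed CI results of one test campaign (test name -> outcome).
RESULTS = {"test_door_blocked_by_obstacle": "pass", "test_overspeed_emergency_stop": "fail"}
MARKER = re.compile(r"def\s+(test_\w+)\s*\(.*?#\s*traces:\s*([\w, -]+)")

def parse_trace_links(source):
    """Map requirement id -> list of test names found in the test source."""
    links = defaultdict(list)
    for test, reqs in MARKER.findall(source):
        for req in re.split(r"\s*,\s*", reqs.strip()):
            links[req].append(test)
    return dict(links)

def trace_matrix(requirements, links, results):
    """Requirement -> {'tests': [...], 'status': verified|failed|untested}."""
    matrix = {}
    for req in requirements:
        tests = links.get(req, [])
        if not tests:
            status = "untested"   # no test claims this requirement
        elif all(results.get(t) == "pass" for t in tests):
            status = "verified"
        else:
            status = "failed"     # at least one linked test did not pass
        matrix[req] = {"tests": tests, "status": status}
    return matrix

def quality_gate(requirements, matrix):
    """Risk-weighted gate: (release_ok, weighted_coverage, blocking requirements)."""
    total = sum(RISK_WEIGHT[r["risk"]] for r in requirements.values())
    covered = sum(RISK_WEIGHT[requirements[q]["risk"]]
                  for q, row in matrix.items() if row["status"] == "verified")
    blockers = [q for q, row in matrix.items()
                if row["status"] != "verified" and requirements[q]["risk"] == "high"]
    return (not blockers, round(covered / total, 3), blockers)
```

With the constructed data the gate fails on REQ-002 (high risk, test failed) while the untested low-risk REQ-003 only lowers the weighted coverage; the matrix rows are what would be pushed into the requirements management tool as quality gate evidence.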
Therefore we claim that software projects developed with Scrum and TDD have the highest quality and traceability level, as required in an FDA-regulated environment or at an advanced CMM level. We also claim that Scrum is at least as adequate as the Unified Software Development Process (USDP), RUP or OpenUP for sensitive applications.

The major difference between Scrum and more traditional approaches is the shift of responsibility to the development team and away from a separate quality assurance department. This shift gives more freedom to the development team but increases its burden of responsibility. It brings the role of software engineers in line with other engineering disciplines such as mechanical, building or electrical engineering.

So the answer to the title of this article is a resounding yes. We will present this theme at OOP2010. Do not miss us on Thursday, 28 January 2010 at OOP in Munich.