Why CI / CD significantly improves your SaMD / MDSW development process
Written by Marc Assmann
When developing standalone medical device software or software that is part of a hardware medical device, it is essential to have control over your code. IEC 62304 gives you a very good guidance here. Fundamental parts of this control are version control, change control, release management and traceability between source code and the software version of interest. Having control over your code feeds into almost every process in your QMS, such as Design Control, Clinical Evaluation, Post-Market Surveillance and Vigilance reporting. And thus, it has a strong impact on patient safety and product quality. If e.g., one of your patients or users experiences an issue with your software, you for sure want to identify, which version this user was using when the issue occurred. And you for sure want to trace this version back to your source code to identify potential root causes for this issue. However, Software by design is complex, consists of many different parts and ranges from a few thousands to millions of lines of code, developed by an indefinite number of software developers. The more complex the software is and the more developers are involved in the development process, the harder it gets to keep control over your code. This complexity furthermore has a direct impact on software testing effort and reliability of test results. Especially if you work in a fast-paced environment like Scrum, Extreme Programming and others, which is required to keep up with your competitors. And that’s where we start in this LinkedIn article.
What is a CI / CD pipeline and why should you care?
CI/CD stands for Continuous Integration and Continuous Delivery/Deployment. It is a software development practice that helps developers integrate code changes into a shared repository frequently, with each change being verified by automated builds and tests. This allows for fast and reliable software releases, leading to better quality, faster time to market, and more efficient development processes.
You should care about CI/CD because it can greatly improve the quality and efficiency of your software development process. By automating builds, tests, and deployments, you can reduce the risk of human error and ensure that your code changes are thoroughly tested before they are released. This leads to fewer bugs, faster feedback loops, and a more streamlined development process (see Figure 1).
CI/CD can also help you respond quickly to changing business requirements and customer needs, as you can deploy new features and fixes to production with confidence and minimal manual intervention. Ultimately, implementing CI/CD can help you deliver better software, faster, and with greater reliability.
That’s why code repositories boost your code quality!
Code repositories like GitLab and GitHub are powerful tools for software development, offering numerous benefits for teams working on projects. Even though there also other platforms available, we only refer to GitLab and GitHub in this article because they belong to the most popular web-based Git repository hosting services on the market.
Versioning and Audit Trail:
These platforms provide version control systems, which allow developers to track and manage changes made to source code over time. Each change is recorded as a new version or revision, creating a complete history of changes.
This version history serves as an audit trail, providing visibility into who made what changes, when, and why, which is critical for tracing issues, understanding code evolution, and ensuring accountability.
With this feature GitHub and GitLab fulfill regulatory requirements for design control and traceability.
Access Control:
Such repositories enable granular access control, allowing project administrators to manage permissions for team members and collaborators.
By defining user roles and access levels, organizations can enforce security policies, protect sensitive code, and prevent unauthorized changes.
Access control is a key mechanism within MedTech and Pharma to protect sensitive data from being manipulated.
Master Branch and Feature Branches:
The master branch typically serves as the main development line, representing the "production-ready" code.
Feature branches allow developers to work on specific tasks, bug fixes, or new features in isolation before merging them into the master branch. This approach promotes code stability and minimizes disruptions to the main codebase.
Branching is an ideal feature for controlling the design of your medical device software.
Pull Requests and Peer Reviews:
When a developer is ready to merge their changes from a feature branch into the master branch, they create a pull request. This action opens up the proposed changes for review by other team members, fostering collaboration and knowledge sharing.
Peer reviews help catch potential bugs, identify areas for improvement, and ensure that code adheres to established standards and best practices.
Especially on processes and components that are critical for product quality, competent authorities and regulators demand a 4-eyes check. Hence, pull requests are an easy to use approach for this requirement.
Plugins for Static Software Testing:
Both GitLab and GitHub have integrations for static code analysis tools, such as SonarQube, ESLint, and Brakeman. These tools can automatically detect potential code issues, such as security vulnerabilities, code smells, or styling inconsistencies, early in the development process.
Plugins for Automated Software Testing:
Both platforms support integrations with popular automated testing frameworks and tools like JUnit, Selenium, and Cypress, enabling developers to run tests as part of the development workflow. This ensures that code is thoroughly tested before it is merged into the master branch.
Build Pipelines:
GitLab and GitHub provide built-in continuous integration (CI) capabilities through their CI/CD pipelines.
These pipelines enable teams to automate the building, testing, and deployment processes, resulting in faster feedback loops, improved code quality, and more reliable software releases.
Backup and Restore:
Both platforms offer backup and restore capabilities, ensuring that code repositories and their histories are protected against data loss or corruption.
Why doing stuff manually if a machine can do much better?
- Build creation
- Deployment to sandbox / validation / PROD
- Roll back
- Containerization
Beyond the CI / CD pipeline - adapt your processes
It is hard to argue against the benefits of CI / CD. At first there is a significant overhead when implementing CI / CD tools, because you need to qualify and validate them as a business application used for “manufacturing of your medical device”. And such a tool usually comes with multiple independent parts, often called “tool chain”, consisting of code repository, containerization, test automation, etc.. But qualification and validation is a standard exercise and no witchcraft. And once it’s done, you can work with it and trust in its features and functions.
However, software alone can’t fix issues in your business processes. When implementing a CI / CD tool, check your software development process and all processes that feed into it. Most issues that we see are not directly linked to the software itself but to the corresponding business processes.
Create clarity on the required input and output of your software development process. Understand, who is doing what in your process. And understand what skill set and tools a worker needs, to do their job properly. And how does it all fit into the IT landscape of your company? Did you also think about cybersecurity, GDPR and information safety?
You see, there is plenty of aspects to consider beyond CI / CD. Process improvement is not directly linked to your CI / CD tool but it helps you improve the overall way of working in your company.