Recent Posts
Archives

Posts Tagged ‘ComplianceExcellence’

PostHeaderIcon [AWSReInvent2025] A Leader’s Guide to Achieving Compliance Through Software Excellence

Lecturer

Tom Godden is an Executive in Residence at Amazon Web Services (AWS), where he draws on his prior role as Chief Information Officer at Foundation Medicine, a leading genomics diagnostics company in Cambridge, Massachusetts. Ian (co-presenter) offers additional insights from regulated environments.

Abstract

Regulated industries face a persistent dilemma: how to deliver software rapidly while satisfying stringent compliance requirements. Traditional development models, with their linear handoffs and manual processes, often exacerbate this tension, producing delays, fragmented evidence, and a compliance burden that feels detached from core engineering work. Modern approaches, however, demonstrate that compliance can emerge naturally from practices focused on quality and automation. By integrating tools like version control and continuous pipelines, organizations generate robust audit trails as a byproduct of efficient delivery. This article examines the flaws in legacy methods, details the mechanisms of contemporary practices, explores the leadership needed for change, and considers the broader implications, illustrated by experiences in genomics diagnostics under standards such as FDA 21 CFR Part 11, ISO 13485, and GMP Annex 11.

The Inefficiencies and Risks of Traditional Sequential Development

Many organizations continue to structure software development in a sequential manner, akin to an assembly line in manufacturing. Requirements are defined by one group, passed to designers, then to developers, testers, and finally to those responsible for deployment. Although this approach may appear structured, it introduces fundamental inefficiencies that become especially problematic in regulated settings.

A primary issue is the idle time that arises during handoffs. Teams often wait for deliverables from previous stages, creating bottlenecks that extend project timelines significantly. In complex projects, these delays compound, turning weeks into months and hindering the ability to respond to new insights or market demands.

Context loss during these transitions compounds the problem. When knowledge moves between specialized groups, critical details—such as the rationale for design choices or awareness of subtle edge cases—frequently fail to transfer completely. This leads to misunderstandings, rework, and the accumulation of technical debt that makes systems increasingly difficult to maintain.

Documentation suffers particularly in this model. It is often treated as a separate, post-development activity, requiring teams to reconstruct events after the fact. The resulting records tend to be incomplete or inconsistent, as memories fade and priorities shift. In regulated industries, where auditors demand clear, contemporaneous proof of every decision and change, this creates ongoing anxiety and resource-intensive preparation.

The sequential structure also reinforces organizational silos. Quality and compliance teams position themselves as final gatekeepers, reviewing work produced by others. This can foster adversarial dynamics, with engineers perceiving oversight as obstructive and assurance personnel viewing development as insufficiently rigorous. Compliance thus becomes an added layer of work rather than an integrated aspect of engineering.

In fields like medical devices or pharmaceuticals, where software directly influences patient safety, these inefficiencies carry high stakes. They delay innovations that could improve outcomes and consume resources that could be directed toward scientific advancement.

How Modern Practices Generate Compliance Inherently

Contemporary methodologies offer a fundamentally different approach, one where compliance evidence arises automatically from the act of building high-quality software. At the heart of this shift is the use of distributed version control systems like Git. Every change to code is recorded with precise details: who made it, when, and why, along with links to related discussions or requirements. This creates a complete, immutable history that serves as a reliable source of truth.

Automated testing builds on this foundation. Tests execute whenever code changes, generating detailed reports on coverage, results, and any regressions. These reports provide objective validation that the software functions as intended, without requiring manual creation.

Continuous integration and delivery pipelines integrate these elements into a cohesive flow. They define and enforce the exact steps for building, testing, and deploying software, ensuring consistency across environments. Human approvals can be incorporated where necessary, but they become part of the automated process rather than separate hurdles.

The pipeline itself receives the highest level of governance. Changes to deployment logic undergo the same review as application code, recognizing that the mechanism responsible for consistency must be trustworthy.

In this ecosystem, evidence accumulates continuously and effortlessly: commit histories, test executions, pipeline runs, approval records, and deployment details, all linked and timestamped. There is no need for a parallel compliance effort; the work of engineering excellence produces the required proof.

This also transforms the role of compliance specialists. Instead of reviewing completed work, they collaborate early to design effective controls and automations. Their expertise helps prevent issues rather than detect them late.

Transformation in Practice: The Genomics Diagnostics Example

Foundation Medicine’s experience provides a concrete illustration of these principles in action. The company develops genomic tests for cancer treatment, and its software falls under FDA classification as medical devices, requiring rigorous control and traceability.

Initially operating with sequential processes and manual documentation, the organization faced the common challenges: slow releases, high administrative overhead, and stressful audits.

Tom Godden led a comprehensive shift to automated, AWS-hosted pipelines. These became the most carefully controlled components, with any modification subject to thorough review.

The outcomes were substantial. Release cycles shortened dramatically, enabling faster incorporation of new scientific knowledge into clinical tools. Defect rates decreased as automated checks identified issues early. Audits became collaborative, with inspectors able to trace production releases directly to source changes, tests, and approvals.

Compliance teams moved from policing to partnering, contributing to system design and improving overall quality. Time previously spent on documentation and audit preparation was redirected toward advancing patient care.

This case demonstrates that modern practices not only meet regulatory demands but exceed them, delivering better software faster and with less risk.

The Essential Role of Leadership in Driving Change

Implementing these changes requires strong leadership to overcome inertia and align the organization. Executives must clearly articulate the vision: compliance is not a separate goal but a natural result of building reliable software quickly.

Building a coalition of advocates across engineering and compliance creates internal momentum. Transparency, such as dashboards showing adoption progress, can harness positive competition.

Temporary parallel operations—running old and new processes side by side—provide undeniable evidence of improvement, reducing skepticism.

Reorganizing into cross-functional squads eliminates silos and aligns incentives, so that success is shared.

Leaders grant teams autonomy in how they achieve outcomes, within defined guardrails, to maintain engagement and innovation.

Long-Term Benefits and Strategic Implications

Short, focused initiatives—such as ninety-day sprints—allow steady progress without disrupting ongoing work.

Leveraging built-in telemetry for evidence archiving minimizes additional effort.

Over time, the old “compliance theater” fades, replaced by systems where pipelines enforce standards reliably and evidence flows continuously.

Organizations gain multiple advantages: faster innovation, higher quality, lower risk, and compliance that enables rather than constrains. In regulated markets, this can become a competitive differentiator, allowing leadership in both technology and responsibility.

Relevant links and hashtags

Links: