Practices
NUP development practices and best practices for regulated software
Practices in NUP are proven approaches and techniques that teams should adopt to ensure quality, consistency, and compliance throughout the software development lifecycle. This section documents key practices organized by category.
Practice Categories
Available Practice Guides
| Practice | Category | Description |
|---|---|---|
| Version Management | Core | Semantic versioning and release management |
| Branching Strategy | Core | Git Flow and branch management |
| Security Practices | Security | Secure development lifecycle practices |
| Cloud Practices | Cloud | Best practices for cloud services |
| Health Checks | Operations | Application health monitoring |
Practice Adoption Levels
NUP practices can be adopted at different maturity levels:
Level 1: Foundation
Essential practices that every team must implement:
| Practice | Description | Minimum Requirement |
|---|---|---|
| Version Control | All code in Git | 100% of code versioned |
| Code Review | Peer review of changes | All PRs reviewed |
| Automated Testing | Unit tests | 70% code coverage |
| Documentation | Code and API docs | All public APIs documented |
Level 2: Standard
Practices that established teams should implement:
| Practice | Description | Target |
|---|---|---|
| CI/CD | Automated pipelines | Full automation |
| Security Scanning | SAST/DAST | Every build |
| Observability | Logging, metrics, traces | Full coverage |
| Infrastructure as Code | Terraform/Pulumi | 100% IaC |
Level 3: Advanced
Practices for mature, high-performing teams:
| Practice | Description | Target |
|---|---|---|
| Chaos Engineering | Resilience testing | Quarterly exercises |
| Feature Flags | Controlled rollouts | All new features |
| A/B Testing | Data-driven decisions | Key features |
| Cost Optimization | Cloud cost management | Monthly reviews |
Practice Integration with NUP Lifecycle
Discovery Phase Practices
- User research and journey mapping
- Requirements gathering techniques
- Stakeholder analysis
- Risk identification
Design Phase Practices
- Architecture decision records (ADRs)
- Design reviews
- Threat modeling
- API design first
Development Phase Practices
- Version management (semantic versioning)
- Branching strategy (Git Flow/GitHub Flow)
- Code review process
- Pair programming
- Test-driven development
Verification Phase Practices
- Automated testing pyramid
- Security scanning (SAST/DAST)
- Performance testing
- Accessibility testing
Deployment Phase Practices
- Blue-green deployments
- Canary releases
- Feature flags
- Rollback procedures
Maintenance Phase Practices
- Health checks and monitoring
- Incident response
- On-call rotations
- Post-mortems
Practice Documentation Template
Each practice in NUP follows a standard documentation format:
```markdown
# Practice: [Name]

## Overview
Brief description of the practice and its purpose.

## Why This Matters
Business and technical justification.

## When to Apply
Situations where this practice is applicable.

## How to Implement

### Prerequisites
What you need before starting.

### Steps
1. Step-by-step implementation guide
2. ...

### Examples
Concrete examples and code samples.

## Verification
How to verify the practice is being followed.

## Common Pitfalls
Mistakes to avoid.

## Related Practices
Links to related practices.

## References
External resources and standards.
```

Practice Compliance Matrix
For regulated environments, map practices to compliance requirements:
| Practice | FDA QSR | HIPAA | NIST CSF | SOC 2 |
|---|---|---|---|---|
| Version Control | ✓ | ✓ | ✓ | ✓ |
| Code Review | ✓ | - | ✓ | ✓ |
| Security Training | ✓ | ✓ | ✓ | ✓ |
| Change Management | ✓ | ✓ | ✓ | ✓ |
| Access Control | ✓ | ✓ | ✓ | ✓ |
| Audit Logging | ✓ | ✓ | ✓ | ✓ |
| Backup/Recovery | - | ✓ | ✓ | ✓ |
| Incident Response | - | ✓ | ✓ | ✓ |
Getting Started
- Assess Current State - Evaluate which practices your team currently follows
- Prioritize Gaps - Identify the most critical missing practices
- Implement Incrementally - Start with Level 1 practices, then progress
- Measure and Improve - Track adoption and continuously improve
Related Resources
- Guidelines - Detailed development guidelines
- Checklists - Practice verification checklists
- Tools - Tool recommendations for practices
- Code Reviews - Code review process
Compliance
This section fulfills ISO 13485 requirements for QMS general requirements (4.1), documented procedures (4.2.3), and continuous improvement (8.5), and ISO 27001 requirements for information security policies (A.5.1), secure development lifecycle (A.8.25), and operational procedures (A.5.37).