Phases
Understanding the seven phases of the NUP lifecycle for regulated software development
The NUP lifecycle is organized into seven distinct phases, extending the traditional OpenUP four-phase model with additional phases for strategic planning and production operations. Each phase is designed to ensure quality, compliance, and audit-readiness throughout the software development process.
What is a Phase?
A phase is a distinct stage in the project lifecycle with specific goals and deliverables. Each phase addresses unique needs and produces artifacts required for regulatory compliance.
A phase is a span of time between two major milestones and has specific focus and objectives. At each phase-end, an assessment is performed to determine whether the objectives of the phase have been met.
In regulated software development, phases provide:
- Clear milestones for stakeholder review and go/no-go decisions
- Audit checkpoints for compliance verification
- Quality gates before proceeding to next phase
- Documentation requirements specific to each stage
- Risk reduction through incremental validation
The Seven NUP Phases
1. Strategy Phase
Purpose: Establish strategic direction, conduct market research, and define objectives and key results (OKRs) for the project.
Key Activities:
- Define Project: Conduct market research, initial project scoping
- Define OKR: Establish Objectives and Key Results
- Plan and Manage Iteration: Iteration planning throughout the phase
Key Tasks:
- Conduct Market Research
- Identify and Document OKR
- Plan Iteration
- Manage Iteration
Key Deliverables:
| Artifact | Description |
|---|---|
| Project Definition | Market research findings and project scope |
| OKR Documentation | Objectives and Key Results framework |
| Iteration Plans | Strategic iteration planning documents |
| Market Analysis | Competitive and market research findings |
Compliance Focus:
- Document organizational context for auditors
- Establish governance and accountability structures
- Define regulatory landscape considerations
- Align with enterprise quality management system
Exit Criteria:
- Market research completed
- OKRs defined and approved
- Project definition documented
- Initial iteration plan established
- Decision to proceed to Envision
2. Envision Phase
Purpose: Develop comprehensive enterprise and solution architecture vision, strategy, and governance frameworks.
Key Activities:
- Develop Intellectual Property Strategy
- Define and Establish Architecture Capability: Governance, team, principles, tools, scope, framework tailoring
- Develop Architecture Vision: Establish project, identify stakeholders, confirm business goals, evaluate capabilities, assess readiness, define scope, develop vision, identify risks
- Develop Business Architecture
- Develop Data Architecture
- Develop Application Systems Architecture
- Develop Technology Architecture
- Generate Architecture Roadmap
- Develop Migration Plan
- Manage Architecture Change
- Establish Implementation Governance
Key Tasks:
- Architecture capability establishment (6 major subtasks)
- Architecture vision development (9 major subtasks)
- Business, Data, Application, Technology architecture development
- Architecture roadmap generation
- Migration planning and governance establishment
Key Deliverables:
| Artifact | Description |
|---|---|
| Architecture Vision Document | Comprehensive architecture vision |
| Business Architecture | Business capability and process models |
| Data Architecture | Data models and specifications |
| Application Architecture | Application systems design |
| Technology Architecture | Technology stack and infrastructure |
| Architecture Roadmap | Phased implementation plan |
| Migration Plan | Transition and migration strategy |
| Implementation Governance | Governance framework for execution |
Compliance Focus:
- Document intended use and user populations
- Identify applicable regulatory frameworks (FDA, HIPAA, etc.)
- Establish architecture principles aligned with compliance
- Define quality objectives and governance
Exit Criteria:
- Architecture vision approved by stakeholders
- Business, Data, Application, Technology architectures defined
- Architecture roadmap established
- Implementation governance framework in place
- Decision to proceed to Inception
3. Inception Phase
Purpose: Initiate the project, establish scope, understand users and requirements, and identify risks.
Milestone: Lifecycle Objectives Milestone - Do we agree on project scope and objectives, and should the project proceed?
Key Activities:
- Initiate Project: Plan the project
- Plan and Manage Iteration: Multiple iterations throughout phase
- Understand User Experience: Understand users and their needs, use customer journey maps
- Identify and Detail Requirements: Find and outline requirements, detail requirements, create test cases
- Ensure DevOps Involvement: Early DevOps team engagement
Key Tasks:
- Plan Project
- Plan and Manage Iteration
- Understand Users and Their Needs
- Use Customer Journey Maps
- Find and Outline Requirements
- Detail Requirements
- Create Test Cases
- Ensure DevOps Involvement
Key Deliverables:
| Artifact | Description |
|---|---|
| Project Plan | Comprehensive project planning document |
| User Personas | User profiles and characteristics |
| Customer Journey Maps | User experience flow documentation |
| Initial Requirements | Requirements list and specifications |
| Test Cases | Initial test case definitions |
| Risk Assessments | Identified risks and mitigation plans |
Compliance Focus:
- Define all applicable regulatory frameworks in detail
- Document intended use, indications, and contraindications
- Establish traceability from the start
- Define quality and compliance objectives
- Initial hazard analysis (for safety-critical systems)
Exit Criteria:
- Project plan approved
- User research completed
- Initial requirements documented
- Test cases created for key requirements
- Go/no-go decision made (Lifecycle Objectives Milestone)
4. Elaboration Phase
Purpose: Refine requirements, develop solution architecture, and build foundational solution increments.
Milestone: Lifecycle Architecture Milestone - Do we agree on the architecture and is the remaining risk acceptable?
Key Activities:
- Identify and Detail Requirements: Expanded requirements analysis
- Plan and Manage Iteration: Iterative development management
- Develop the Architecture: Outline and refine architecture
- Develop Solution Increment: Design, implement, test, integrate
- Test Solution: Implement test scripts, integrate, run tests
- Ongoing Tasks: Change requests, artifact versioning
Key Tasks:
- Find and Outline Requirements (expanded detail)
- Detail Requirements
- Create Test Cases
- Outline the Architecture
- Refine the Architecture
- Design the Solution
- Implement the Solution
- Code Review
- Implement Developer Tests
- Run Developer Tests
- Integrate and Create Build
- Implement Test Scripts
- Run Tests
- Request Change
- Ensure Artifact Versioning
Key Deliverables:
| Artifact | Description |
|---|---|
| Detailed Requirements | Comprehensive requirements specifications |
| Architecture Design | System structure and component design |
| Style Guides | Development standards and guidelines |
| Solution Design | Component-level design documents |
| Build Artifacts | Initial integrated builds |
| Test Scripts | Automated test implementations |
| Architecture Baseline | Validated architecture foundation |
Compliance Focus:
- Map requirements to regulatory controls
- Document design decisions (ADRs)
- Perform security threat modeling (STRIDE, DREAD)
- Plan for data protection and privacy (HIPAA, GDPR)
- Validate architecture against regulatory requirements
Exit Criteria:
- Architecture reviewed and validated
- Requirements baseline established
- Initial solution increments built and tested
- Compliance mapping verified
- Lifecycle Architecture Milestone achieved
5. Construction Phase
Purpose: Build the complete system through iterative development with continuous quality gates.
Milestone: Initial Operational Capability Milestone - Is the product ready for beta testing and deployment preparation?
Key Activities:
- Iterative feature development
- Unit testing and code coverage
- Integration and system testing
- Continuous integration/deployment
- Documentation updates
Key Deliverables:
| Artifact | Description |
|---|---|
| Source Code | Version-controlled implementation |
| Unit Tests | Automated tests with coverage reports |
| Code Review Records | PR approvals and review comments |
| Build Artifacts | Compiled, deployable packages |
| User Documentation | User manuals and help content |
Compliance Focus:
- Maintain traceability (requirement → code → test)
- Follow secure coding standards
- Document all code changes with rationale
- Preserve code review evidence
- Conduct incremental verification activities
Exit Criteria:
- All planned features implemented
- Unit tests passing with required coverage
- Code reviews completed for all changes
- No critical/high defects open
- Initial Operational Capability Milestone achieved
6. Transition Phase
Purpose: Prepare and execute controlled release of the system to production environments.
Milestone: Product Release Milestone - Is the application ready for release and have objectives been met?
Key Activities:
- Beta testing and user acceptance testing
- Deployment planning and preparation
- Training and documentation finalization
- Production environment setup
- Cutover and go-live execution
Key Deliverables:
| Artifact | Description |
|---|---|
| Deployment Plan | Step-by-step deployment procedure |
| Release Notes | Changes included in release |
| Training Materials | User and operator training |
| Rollback Plan | Procedure to revert if needed |
| Go-Live Checklist | Pre-deployment verification |
Compliance Focus:
- Complete validation testing
- Obtain regulatory approvals if required
- Document deployment procedures
- Verify production configuration
- Ensure rollback capability tested
Exit Criteria:
- User acceptance testing completed
- Training delivered
- Deployment plan approved
- Production deployment successful
- Product Release Milestone achieved
7. Production Phase
Purpose: Operate, monitor, and continuously improve the system in production.
Key Activities:
- Production monitoring and alerting
- Incident response and resolution
- Bug fixes and security patches
- Enhancement requests processing
- Periodic compliance reviews
Key Deliverables:
| Artifact | Description |
|---|---|
| Monitoring Dashboard | System health and metrics |
| Incident Reports | Issues and resolutions |
| Change Requests | Requested modifications |
| Patch Records | Applied fixes and updates |
| Compliance Reports | Ongoing compliance evidence |
Compliance Focus:
- Maintain comprehensive audit trails
- Document all production changes
- Conduct periodic compliance reviews
- Update risk assessments based on operational data
- Preserve system records per retention requirements
Ongoing Activities:
- Monitor system health and performance
- Respond to incidents within SLA
- Apply security patches promptly
- Review compliance status periodically
- Gather and act on user feedback
Phase Milestones
Each phase ends with a major milestone that provides stakeholders with go/no-go decision points:
| Phase | Milestone | Key Question |
|---|---|---|
| Strategy | Strategic Commitment | Should we invest in this initiative? |
| Envision | Vision Approval | Do we have a clear, shared vision? |
| Inception | Lifecycle Objectives | Should the project proceed? |
| Elaboration | Lifecycle Architecture | Is the architecture validated and risk acceptable? |
| Construction | Initial Operational Capability | Is the product ready for beta/deployment prep? |
| Transition | Product Release | Is the application ready to release? |
| Production | Ongoing Operations | Is the system meeting operational objectives? |
Mapping to OpenUP Phases
NUP extends the traditional OpenUP four-phase model:
| OpenUP Phase | NUP Phases | Focus |
|---|---|---|
| (Pre-project) | Strategy + Envision | Strategic alignment, vision, roadmap |
| Inception | Inception | Establish scope, feasibility, commitment |
| Elaboration | Elaboration | Validate architecture, reduce risk |
| Construction | Construction | Build, test, integrate iteratively |
| Transition | Transition | Deploy, train, release |
| (Post-project) | Production | Operate, monitor, maintain |
Why NUP Extends OpenUP
Traditional OpenUP focuses on project delivery but doesn't address:
- Pre-project planning: Strategy and Envision phases ensure projects align with business objectives
- Post-project operations: Production phase covers ongoing maintenance and compliance
For regulated software, these additional phases are critical for:
- Demonstrating business justification to auditors
- Maintaining compliance throughout the product lifecycle
- Ensuring proper handoff to operations teams
Mapping to Regulatory Frameworks
| Phase | FDA QSR | HIPAA | NIST CSF | FedRAMP |
|---|---|---|---|---|
| Strategy | Quality Planning | Risk Analysis | Identify | Categorize |
| Envision | Design Input | Administrative Safeguards | Identify | Categorize |
| Inception | Design Input | Risk Analysis | Identify | Select Controls |
| Elaboration | Design Output | Technical Safeguards | Protect | Select Controls |
| Construction | Design Transfer | Implementation | Protect | Implement |
| Transition | Design Validation | Deployment | Respond | Authorize |
| Production | Design History | Maintenance | Recover | Monitor |
Iterations Within Phases
Each phase is divided into iterations. An iteration is:
A complete development loop resulting in a build (internal or external) of an executable system, usually a subset of the final product under development, which grows incrementally from iteration to iteration to become the final product.
Iteration Characteristics
| Aspect | Description |
|---|---|
| Duration | Typically 2-4 weeks (time-boxed) |
| Output | Working, demonstrable software |
| Scope | Managed to fit the time box |
| Feedback | Enables stakeholder review and course correction |
Why Iterations Matter
Traditional waterfall development has a critical flaw: meaningful feedback comes too late to address without costly rework. Iterative development solves this by:
- Early validation: Stakeholders see working software early
- Risk reduction: Critical risks are addressed first
- Adaptability: Course corrections are less expensive
- Quality: Issues are found and fixed incrementally
Typical Iteration Count by Phase
| Phase | Typical Iterations | Focus |
|---|---|---|
| Strategy | 1-2 | Strategic planning sessions |
| Envision | 1-2 | Vision workshops and roadmapping |
| Inception | 1-2 | Requirements and feasibility |
| Elaboration | 2-3 | Architecture validation |
| Construction | 3-8+ | Feature development |
| Transition | 1-2 | Deployment and training |
| Production | Ongoing | Maintenance cycles |
Risk and Value Through Phases
The project lifecycle focuses on two key stakeholder drivers:
- Risk is highest early: Unknown requirements, unvalidated architecture
- Risk decreases: As iterations validate assumptions and reduce uncertainty
- Value is lowest early: No working software yet
- Value increases: As features are implemented and validated
Best Practices
Phase Transitions
- Conduct formal phase reviews with stakeholders
- Obtain documented sign-off before proceeding
- Archive phase artifacts in version control
- Update project plans for next phase
Documentation
- Document as you go, not at the end
- Use templates for consistency across projects
- Maintain version control for all artifacts
- Enable bidirectional traceability
Quality Gates
- Define clear, measurable exit criteria
- Review all criteria before proceeding
- Address all blocking issues before phase exit
- Preserve evidence of gate passage
Do
- Define clear, measurable objectives for each phase
- Conduct milestone reviews with stakeholders
- Adjust iteration length based on project risk
- Document decisions and their rationale
Don't
- Skip phases (even if they seem unnecessary)
- Extend phases indefinitely (use additional iterations instead)
- Ignore milestone criteria
- Treat phases as waterfall stages (maintain iteration within phases)
Related Resources
Compliance
This section fulfills ISO 13485 requirements for QMS planning (5.4.2), planning of product realization (7.1), and design and development (7.3), and ISO 27001 requirements for information security in project management (A.5.8) and secure development lifecycle (A.8.25).
How is this guide?
Last updated on