Aligning Security Compliance and DevOps: A Longitudinal Study

📅 2025-12-16
🤖 AI Summary
A structural tension exists between DevOps agility and security compliance requirements—particularly IEC 62443-4-1—in critical infrastructure domains. Method: This study proposes and empirically validates RefA, a security-compliance-adapted DevOps lifecycle framework. RefA introduces actionable, non-security-expert-oriented processes via standardized security activity integration, cross-functional knowledge transfer mechanisms, and organizational change support. It employs IEC 62443-4-1–driven process modeling, longitudinal empirical research, and industrial-grade DevOps adaptation techniques, validated across multiple phases at Siemens AG. Contribution/Results: RefA demonstrably enhances product teams’ autonomous capability to implement compliant DevOps practices, strengthens security-by-design maturity, and improves delivery efficiency—thereby systematically bridging the agility–compliance gap in safety-critical contexts.

📝 Abstract
Companies adopt agile methodologies and DevOps to facilitate efficient development and deployment of software-intensive products. This, in turn, introduces challenges for compliance with security standards, which traditionally follow a more linear workflow. This is especially a challenge for the engineering of products and services associated with critical infrastructures. To support companies in their transition towards DevOps, this paper presents an adaptation of DevOps according to security regulations and standards. We report on our longitudinal study at Siemens AG, consisting of several individual sub-studies on the inception, validation, and initial adoption of our framework based on RefA, as well as the implications for practice. RefA is a prescriptive model of a security-compliant DevOps lifecycle based on the IEC 62443-4-1 standard. The overall framework is aimed at professionals, not only security experts, enabling them to use it when implementing DevOps processes while remaining compliant with security norms. We demonstrate how RefA facilitates the transfer of security compliance knowledge to product development teams. This knowledge transfer supports the agility aim of ensuring that cross-functional teams have all the skills needed to deliver compliant products.
Problem

Research questions and friction points this paper is trying to address.

Aligning security compliance with agile DevOps workflows
Adapting DevOps for critical infrastructure security standards
Transferring compliance knowledge to cross-functional product teams
Innovation

Methods, ideas, or system contributions that make the work stand out.

Adapts DevOps to security regulations and standards
Introduces RefA model based on IEC 62443-4-1 standard
Enables cross-functional teams to implement compliant DevOps processes
Authors

Fabiola Moyón
Siemens Foundational Technologies, Munich, Germany

Florian Angermeir
fortiss, Munich, Germany

Daniel Mendez
Full Professor at Blekinge Institute of Technology and fortiss GmbH
Empirical Software Engineering

Tony Gorschek
Blekinge Institute of Technology, Karlskrona, Sweden

Markus Voggenreiter
Siemens Foundational Technologies, Munich, Germany

Pierre-Louis Bonvin
University of Applied Sciences, Munich, Germany