Tag Archive for: Compliance & Regulation

Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Innovation News Network, titled “Benefits of the Inflation Reduction Act for Solar PV Manufacturing” – originally published on March 18, 2024.

Benefits of the Inflation Reduction Act for Solar PV Manufacturing

The US Inflation Reduction Act (IRA) has been a significant catalyst in the economic landscape, particularly within the solar photovoltaic (PV) manufacturing industry.
This article will explore the beneficial impact of the IRA on this green technology sector, considering the financial implications, the stimulation of technological advancement, and the prospects under the current legislation.

We will unravel the intricacies of this relationship, setting a foundation for a comprehensive understanding of the future trajectory of the solar PV manufacturing industry in the context of the IRA.

Understanding the Inflation Reduction Act

To fully grasp the impact of the Inflation Reduction Act on solar PV manufacturing, a comprehensive understanding of this legislation is necessary.

The act’s interpretation is rooted in the law’s intent to curb inflation by manipulating economic strategies and regulating financial practices, which brings a focus to its economic implications.

At its core, the IRA aims to stabilize pricing and enhance the dollar’s purchasing power, inadvertently promoting the affordability of renewable energy technologies like solar PV manufacturing.

The legal provisions of the act are its foundational pillars, governing its implementation and enforcement. They outline the responsibilities of key stakeholders, the rights of affected industries, and the penalties for non-compliance.

For the solar PV manufacturing sector, the act’s provisions could potentially reduce production costs and foster competitiveness.

However, like any significant policy shift, the act also brings implementation challenges. These can include industries needing to adapt to new economic conditions or potential resistance from sectors negatively affected by the act.

The solar PV manufacturing industry may need to invest in operational adjustments to fully exploit the benefits of the act.

IRA’s impact on solar PV manufacturing

Drawing upon the legal provisions and economic implications of the IRA, we can explore its tangible effects on the solar PV manufacturing sector.

The act, through its policy implementation, has instigated several changes in this sector, notably in job creation, trade relations, environmental impact, and market competition.

The IRA has been instrumental in job creation within the solar PV manufacturing industry. It has stimulated this growth by providing tax incentives for manufacturing companies to enhance their workforce. This policy implementation has bolstered the industry and helped reduce unemployment rates.

Trade relations have also been impacted by the IRA. The act has fostered a more favorable trading environment for solar PV manufacturers by reducing inflationary pressures on imported raw materials. This has enhanced the competitiveness of US manufacturers in the global market, improving the country’s trade balance in the process.

Regarding environmental impact, the IRA has indirectly boosted the use of renewable energy sources. By making solar PV manufacturing more economically viable, the act has encouraged the production and use of solar panels, thereby reducing greenhouse gas emissions.

Lastly, the act has spurred market competition. The reduced inflation rates have made it more cost-effective for new businesses to enter the solar PV manufacturing sector. This has increased the number of manufacturers, promoting a more competitive market and a wider range of options for consumers.

Financial benefits of the IRA

Delving into the financial benefits of the Inflation Reduction Act, we observe a significant enhancement in the economic viability of the solar PV manufacturing sector. The IRA offers multiple rewards that collectively contribute to the growth and prosperity of this industry.

One of the most compelling benefits is the provision of tax incentives. These incentives lower the tax burden for solar PV manufacturers, freeing up capital that can be reinvested in the business.

This leads to investment growth, another key benefit of the IRA. Increased investment enables manufacturers to expand their operations, purchase new equipment, and hire more employees, fostering business expansion.

In addition to tax incentives and investment growth, the IRA promotes cost efficiency. By reducing the inflation rate, the act increases the purchasing power of manufacturers. This allows them to acquire raw materials and other necessities at lower costs, thereby improving the bottom line and encouraging economic stability.

Moreover, economic stability is further enhanced as the IRA helps to stabilise the value of the dollar. This is crucial for solar PV manufacturers, who often deal in international markets. A stable dollar value reduces the risk of currency fluctuations, providing a more predictable business environment.

IRA and technological advancements

Building on the economic implications, the Inflation Reduction Act also catalyzes technological advancements in the solar PV manufacturing industry.

By providing financial incentives, the IRA stimulates technological investments, leading to accelerated innovation in solar PV technology. These investments are crucial for research and development, enabling companies to explore new, efficient methods of solar PV production.

The IRA’s implications for technological advancements are significant. The policy’s effectiveness in encouraging investments has been reflected in increased technological breakthroughs, improved production processes, and enhanced solar panel efficiency.

These advancements not only strengthen the industry’s competitive edge but also contribute to environmental sustainability by promoting cleaner energy sources.

However, advancement challenges persist. The rapidly evolving nature of technology necessitates continuous investment and innovation. Despite the financial benefits provided by the IRA, the high costs associated with advanced technology development and implementation can pose a hurdle.

Therefore, while the IRA has been instrumental in fostering growth and innovation, addressing these challenges requires strategic planning and sustained commitment.

Moreover, the effectiveness of the IRA in driving technological advancements is contingent on a supportive regulatory environment. Policymakers must ensure that the IRA’s provisions align with the industry’s evolving needs, encouraging continued investment and innovation.

A dynamic policy framework can help maintain the momentum of technological progress, ensuring the solar PV manufacturing industry’s long-term competitiveness and sustainability.

Future solar energy prospects under the IRA

Looking ahead, the Inflation Reduction Act holds promising potential for the future growth and development of the solar PV manufacturing industry.

It is expected to usher in advancements in various dimensions, including job creation, market expansion, environmental impact, global competition, and sustainable development.

The IRA could stimulate job creation by allocating funds for research, development, and manufacturing processes in the solar PV industry. This would not only increase employment but also enhance the skills of the workforce in this thriving sector.

Market expansion is another potential benefit of the IRA. With reduced inflation, the purchasing power of consumers is likely to increase, leading to heightened demand for solar PV products. This would pave the way for the expansion of the solar PV market.

The table below encapsulates the future prospects under the IRA for the solar PV manufacturing industry:

The IRA could bring about positive environmental impacts by encouraging cleaner energy production, thus reducing greenhouse gas emissions.

Additionally, it could enhance global competition by providing the US solar PV industry with a competitive edge.

Lastly, the IRA could foster sustainable development by promoting environmentally friendly and sustainable practices in the industry. These prospects under the IRA paint a bright future for the solar PV manufacturing industry.

Understanding ISO/IEC 27001: A Guide to Information Security Management

In today’s interconnected world, the importance of securing sensitive information cannot be overstated. Organizations face numerous threats to their information assets, ranging from cyberattacks to data breaches. To address these challenges, many businesses turn to internationally recognized standards for information security management, with ISO/IEC 27001 standing out as a cornerstone in this field.

Overview of ISO/IEC 27001:

ISO/IEC 27001 is a globally recognized standard that provides a systematic approach to managing sensitive information, ensuring the confidentiality, integrity, and availability of data within an organization. Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), this standard outlines best practices for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

Key Principles:

  • Risk Management: ISO/IEC 27001 is fundamentally built on the concept of risk management. Organizations are required to identify and assess information security risks, implement controls to mitigate those risks, and continuously monitor and review the effectiveness of these controls.
  • PDCA Cycle: The Plan-Do-Check-Act (PDCA) cycle is at the core of ISO/IEC 27001. Organizations plan their ISMS, implement the plan, check its effectiveness through monitoring and measurement, and act to continually improve the system.

Scope and Requirements:

  • Scope Definition: Organizations must clearly define the scope of their ISMS, specifying the boundaries and applicability of the standard within their operations.
  • Risk Assessment: A comprehensive risk assessment is a critical component. This involves identifying assets, evaluating vulnerabilities and threats, and determining the potential impact of information security incidents.
  • Control Objectives and Controls: ISO/IEC 27001 provides an Annex A, which includes a set of control objectives and controls covering various aspects of information security, such as access control, cryptography, and incident management. Organizations choose and implement controls based on their specific risk profile.

Implementation Process:

  • Leadership and Commitment: Senior management plays a crucial role in the successful implementation of ISO/IEC 27001. Leadership commitment ensures that information security is integrated into the organization’s culture and business processes.
  • Documentation: Proper documentation is essential to demonstrate compliance with the standard. This includes the Information Security Policy, risk assessment reports, and records of monitoring and measurement activities.
  • Training and Awareness: Employees need to be aware of their role in maintaining information security. Organizations should provide training programs to enhance the awareness and competence of personnel.

Certification Process:

  • Third-Party Certification: Organizations can undergo a certification process conducted by accredited certification bodies to validate their compliance with ISO/IEC 27001. This certification provides assurance to stakeholders, customers, and partners that the organization has implemented a robust ISMS.

Benefits of ISO/IEC 27001:

  • Risk Reduction: By identifying and addressing potential risks, organizations can significantly reduce the likelihood of security incidents.
  • Enhanced Reputation: ISO/IEC 27001 certification enhances an organization’s reputation, demonstrating a commitment to information security best practices.
  • Legal and Regulatory Compliance: Adherence to ISO/IEC 27001 helps organizations comply with various legal and regulatory requirements related to information security.
  • Competitive Advantage: Certification can be a differentiator in the marketplace, giving organizations a competitive edge by assuring customers of their commitment to information security.

Continual Improvement:

  • Monitoring and Review: Regular monitoring and review of the ISMS ensure its ongoing effectiveness. This includes conducting internal audits and management reviews to identify areas for improvement.
  • Feedback Loop: ISO/IEC 27001 emphasizes the importance of feedback mechanisms, ensuring that lessons learned from incidents or changes in the business environment are incorporated into the ISMS.


ISO/IEC 27001 provides a robust framework for organizations to establish and maintain an effective Information Security Management System. By adopting this standard, businesses can mitigate risks, enhance their reputation, and demonstrate a commitment to safeguarding sensitive information in an ever-evolving digital landscape. As information security continues to be a top priority, ISO/IEC 27001 remains a valuable tool for organizations seeking a comprehensive and internationally recognized approach to managing information security.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Matti Gray, Mandi Walker, and McKenzie Jonsson.

In this blog, we recap our webinar, “Key Systems Engineering Skills: Critical Thinking and Problem Framing.”

Key Systems Engineering Skills: Critical Thinking and Problem Framing

Elevate your team’s success by exploring the role of critical thinking in a system engineering competency model.

In this insightful session, Chris Unger, Retired GE Healthcare Chief Systems Engineering Officer and Principal at PracticalSE LLC, and Vincent Balgos, Director of Medical Device Solutions at Jama Software®, discuss how critical thinking and decision-making skills are integral to systems engineering.

In this session, you will:

  • Explore the vital role of critical thinking and decision-making in systems engineering.
  • Learn practical techniques for decision framing and closure.
  • Gain insight on how systems engineers should manage design decisions on a project.
  • See a simple model of how and when to engage with stakeholders in design decisions.

Below is an abbreviated transcript of our webinar.

Chris Unger: We’re going to talk today about a follow-up to the last webinar, where I’m going to talk about some of the most important systems engineering skills, critical thinking, and problem framing. So, how do skills in general, and soft skills, fit into improving systems engineering? So, in prior talks, I’ve suggested you keep your processes very simple but make them effective, and that’s easy to say but hard to do. That means you have to understand the system of the SE processes, how they connect, and where the diminishing value of the processes, the source process heading off, happens. As an example, a topic could be a technical risk, or it could be a trade-off between different possible solutions. So, we want to understand how those two, the risk management and the decision process, interact.

In order to do that, the best systems engineers have to have really good judgment. In addition, we have to influence people. Being simplistic, hardware and software engineers design things, things do what they’re told. I know it’s oversimplified, but our deliverables are instructions on how the software and hardware engineers do things. So, the best systems engineers here have an area of depth that they’re experts in, so they bring some technical credibility. They have systems of breadth, they understand all the systems processes and how they interact, and they have great interpersonal skills. Today I’m going to focus on how you achieve a balanced and optimized design, how you focus on your cost versus risk, and doing that through basically decision making.

So, first I want to talk about the Helix Model. So, the Helix Project was a project funded by the government and, the US government, and their concern was for big aerospace and NASA projects you tend to produce a major, billion-dollar development every 10 years, and then you do 10 years of support. So, people often move on. They were worried about how you create the truly brilliant leader systems engineers from a team that may be a little bit sparse. They developed this model up here in the front and simplistically, you start with things you learn in school, how to do good mechanical engineering, electrical engineering, and software engineering techniques. You then go into an organization, and so you spend the first five years learning about your company. Things like, well, if you’re going to be doing a say glucose monitor, what does blood chemistry look like? What does a sensor look like? What’s a workflow? So, you become a good organization-specific mechanical engineer.

Then you learn about lifecycle. How do you go from womb to tomb, from customer needs to disposal and disposition with all the regulations across the world in terms of chemical safety? So, after five, maybe 10 years, you understand your domain, you understand the lifecycle and you understand your technology. What differentiates after that? What they found was the skills on the bottom half of this page, the Systems Mindset, so big picture thinking, and paradoxical mindset. You’ve all heard that joke about fast, good and cheap, pick two of the three. Well, that’s the world in which systems engineers live. We make trade-offs between things that are inherently conflicting. The other thing is, we’ve got to make decisions quickly, so you’ve got to have a flexible comfort zone. You’ve got to be willing to wait till you have the critical information but make a decision without all the information you want.

Unger: In terms of the middle column, Interpersonal Skills, just the obvious stuff as I mentioned. You’ve got to influence the other engineers to make a good decision. Then finally here in Technical Leadership, balanced decision-making, and risk-taking. So, I had a general manager one time say, “We’re in the business of managing risks, not avoiding risks.” The least-risk program is also a boring one, but you also don’t want to take moonshots and everything. So, you really want to balance. It’s another case of a paradoxical mindset. Balance risk-taking with hitting a schedule predictably. So, these are the kinds of skills that really differentiate as systems engineering leaders, 10 to 15 years into your career. I’m going to talk more about these, decision-making, stakeholder management, and barrier-breaking.

So, I put together a very simple Systems Engineering Competency Model. I started with the NASA handbook and the NASA lifecycle. I simplified it, into that they had scope and requirements management separated, and I actually agree with those being different. But in reality, on the size of programs that we typically implemented, the people who did one typically did the other. Same thing, the architecture and the design, those were typically the same people. So, you have the upfront design, you have implementation. So, managing the subsystems actually do the implementation of what the design asks them to do, and you integrate it, such that you find your defects early. Then you manage all the lifecycle, the serviceability, manufacturability, disposability, and all the “ilities.”

Then leadership, obviously, there the interpersonal skills. This was developed for GE Healthcare, so I just picked it from our existing leadership skillset and I simplified it. What you’ll notice here is I put down at the bottom, critical thinking, as a technical skill. For many executives, and for other functional engineers, critical thinking is important, but as I mentioned, since we deliver instructions and designs to other engineers, framing decisions, taking vague things from product management and marketing, and turning them into clearer problems or functions to solve, I consider that a core technical excellence of systems engineering. But that’s vague. How do I actually measure that? So, I came up with this fairly simple set of observable behaviors. So, first of all, framing problems takes an ambiguous problem, identifies the critical stakeholders, and turns them into a clear problem a more junior engineer can solve.

So, first, let’s talk about framing the problem. Even an entry-level person has to be able to understand a problem that’s been framed for them. But as you get to more senior people, the 10 to 15-year level, you have to be able to frame a complex problem, see around corners, use foresight to sort out essentials from the detail, and identify risks and emergent behavior that need to be incorporated in the decision, that other engineers might not see. Even at the strategist level, you can take a complex and ambiguous problem, clarify the ambiguity, and turn it into simply just a complex and interconnected problem.

So, if we’re talking about maybe the 10 to 15-year-old person, not the most senior executives, you’ll be able to take a complex problem, identify ahead of time problems other people don’t see, and capture that. Balance cost, schedule, technical risk, and team capabilities, and make a trade-off based on sound evidence and data. Balance your intuition, when you don’t have all the data with waiting and gathering data where you need it. Then finally, making the decision is maybe the easy part. You have to make sure the team follows your leadership. Take accountability for making the right decisions, delegate where you can, and then ensure that the entire team buys into the decisions that the team or you have made. So, that’s the theory.

Unger: Let’s talk about how we manage design decisions. First of all, why? Why is this a critical skill? By identifying the critical design decisions, it allows the team to focus on the most important thing, and separate out the core from the distractions. It helps teams identify work items. So, for example, one time when I was working with the ultrasound team in Japan, we had a bunch of really experienced engineers and they were working on a new ultrasound probe. It had moved an active component into the probe and there was a thermal issue. They were talking in Japanese for about five, 10 minutes when I was asked to frame the problem and I said, “Yeah, you’re talking too fast and too much. This is not that easy. Come back to me and tell me what you’re actually doing.”

They were figuring out how to measure the thermal properties in the lab. I said, “Well, imagine you had a probe that was safe, with maybe 39°C, but that was uncomfortable to handle. Have you worked with the application people on how much value? If you spent $50 more and took the temperature down by 1°C, would that be worth a trade-off?” The team, “Oh, that’s interesting.” They were actually focused on the technical feasibility, not the real market and customer acceptance problem. So, by doing this upfront, you can make sure that you have a complete work process for the team. Then once you’ve made the decision, it minimizes rework by making sure the decisions stay closed.

Now, this decision list and prioritization should start early. It would be comfortable to wait until you know everything, but that’s too late. So, it’s a living document. Don’t wait to get started until you have enough information to make a good plan. Start with what you know, and then build out as you continue. So, one of the first things I talk about is, what is a decision? As an example, I’ve had teams come to me saying, “The operating system selection is a decision.” It’s like, “No. It’s actually not typical. It’s typically a collection of decisions.” So, I draw this little arrow here. It’s basically a decision is a point in which you select between different paths going forward and you pick one way versus another. So, deciding whether to include a stretch item in scope or not is a decision. Deciding between very specific designs and implementing a feature is a decision. Setting a critical-to-quality parameter or balancing between different parameters, so cost versus reliability or cost versus performance, is a decision.

Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Innovation News Network, titled “Expanding EV infrastructure in the US: Both on- and off-road” – originally published on November 20, 2023.

Expanding EV Infrastructure in the US: Both On- and Off-Road

The expansion of electric vehicle infrastructure in the US has been challenged by various issues, from governance to location. Here, we explore the issues and how they can be combated.

The evolution and expansion of electric vehicle (EV) infrastructure, encompassing both on-road charging stations and off-highway electrification, is a burgeoning topic in the United States. This issue has been characterized by significant regional disparities, with varying levels of availability across different parts of the country.

Furthermore, it is marked by distinct challenges that arise in urban versus rural settings as well as on- and off-road contexts. The role of government support and policy direction also comes into play in shaping this landscape.

As interest in electric vehicles continues to surge, understanding the intricacies behind their supporting infrastructure becomes increasingly crucial. Off-highway electric vehicles have their own unique set of requirements when it comes to charging infrastructure, presenting numerous design and manufacturing challenges.

Looking ahead, predicting future trends within this area is challenging due to its rapidly evolving nature but nonetheless vital for planning and strategizing growth trajectories within this realm.

Availability of EV infrastructure in the US

The uneven distribution of electric vehicle charging stations across the United States underscores a significant disparity, with coastal areas generally boasting greater availability than their counterparts in the Midwest and rural regions.

This can be attributed to several factors, including regional disparities in both population density and average income level, which directly influence infrastructure cost and consumer adoption rates of EV technology.

For instance, densely populated urban centers, particularly those along the coasts such as New York City or San Francisco, tend to have higher per capita incomes. These areas are more likely to invest in expensive EV technology and support the infrastructure costs associated with establishing charging stations.

The increased presence of these facilities subsequently encourages more consumers within these regions to adopt electric vehicles due to decreased concerns over charging time.

In contrast, regions characterized by lower population densities or average income levels – such as many Midwestern states and rural areas – are typically less equipped with EV charging infrastructure. This results from a combination of factors: reduced consumer demand for EV technology due to financial constraints; longer distances between destinations that increase concern over charging times; and higher per-unit infrastructure costs arising from the need for more extensive grid enhancements in less developed areas.

As such, despite growing national interest in reducing carbon emissions through transitioning towards electric vehicles, these challenges contribute significantly towards regional disparities in the availability of EV charging stations across America.

Thus, it is imperative that future efforts aimed at expanding this crucial segment of green transportation infrastructure consider these distinctive geographical characteristics and obstacles.

The challenges of expanding EV charging infrastructure

Significant stumbling blocks surface when scrutinizing the surge in electric vehicle utilization, particularly pertaining to potential power supply problems, prohibitive price points of charging stations, and a paucity of policies promoting progress. These issues include:

Infrastructure costs

The establishment of an extensive network of charging stations necessitates substantial capital outlay from both public and private sectors. The latter’s involvement is critical since government funding alone may not suffice.

Technological limitations

Current technology restricts rapid mass-charging capabilities, potentially leading to power grid stress during peak demand periods. This limitation necessitates additional investments in technology development and grid reinforcements.

Public awareness

Despite growing interest in electric vehicles, many potential users remain uninformed about their benefits or how to utilize existing EV infrastructure effectively.

Sustainability concerns

While electric vehicles significantly reduce greenhouse gas emissions compared to conventional fuel cars, the production process itself can have a substantial environmental footprint, largely due to battery manufacturing processes.

The availability of EV infrastructure in rural and urban areas

Differences in the accessibility and utilization of EV charging stations between rural and urban areas present a nuanced challenge in promoting wider adoption of this sustainable mode of transportation. Rural EV adoption faces obstacles such as a lack of public charging infrastructure due to less population density and greater travel distances.

Moreover, financial considerations play into these disparities as well; the high cost associated with the installation and maintenance of charging stations may not be justified by the potential low usage in rural settings. This situation leads to EV accessibility being heavily skewed towards urban regions where there is higher demand.

On the other hand, urban planning challenges also arise in expanding EV infrastructure within cities. The densely populated nature of urban environments results in space constraints for installing new charging stations. Available funding also becomes a critical factor – adequate EV infrastructure funding is necessary for both the construction and operation of sufficient charging facilities to meet growing demands.

Additionally, differences between these two types of geographies are reflected not only on human mobility but also have an impact on the environment.

While increased use of electric vehicles can significantly reduce greenhouse gas emissions in densely populated cities, achieving similar outcomes in rural areas can prove much more difficult due to their unique characteristics.

Government support

In light of these challenges, it is noteworthy to mention the initiatives taken by American governmental bodies to bolster the proliferation and accessibility of charging amenities for electric vehicles. The US Government has employed a mixture of methods to support this development:

Federal incentives

At the federal level, several incentives have been introduced over recent years to encourage EV adoption. For instance, the Electric Drive Vehicle Battery and Component Manufacturing Initiative provided $2bn in grants for manufacturing of advanced batteries and electric drive components.

Private partnerships

On top of direct funding, the US government also fosters private partnerships aimed at enhancing electric vehicle infrastructure. An example would be the ‘EV Everywhere Grand Challenge’, launched by the Department of Energy (DOE), which works with national laboratories, universities, private industries, and other governmental agencies to increase the availability of high-speed charging stations across the country.

Infrastructure financing

Additionally, there are efforts directed at infusing capital into public charging infrastructure through financing programs like the Clean Cities Alternative Fuel Vehicle Deployment Initiatives, which allocated millions towards building EV charging stations nationwide.

Technological advancements and environmental impact

Given that environmental impact is a key driver behind the shift towards electric vehicles, governmental policies are not only expanding physical infrastructure but also investing in research & development for technological advancements that could reduce emissions further while improving EV range and battery life.

Developing off-highway EV charging infrastructure

The development of charging facilities for electric vehicles designed for non-highway use represents a unique and complex challenge, necessitating innovative solutions and strategies. Off-highway adaptations require not only the installation of charging stations in remote or less accessible areas but also the incorporation of infrastructure financing to support their construction and maintenance.

Technological advancements have been pivotal in addressing these challenges, making it feasible to develop energy-efficient charging systems that can withstand harsh environmental conditions while providing reliable service. These advancements range from solar-powered charging stations to smart grid technologies that optimize electricity usage during off-peak hours.

Investing in this type of infrastructure is critical for promoting sustainable solutions within the transportation sector, particularly in industries such as mining, agriculture, and construction where off-road vehicles are prevalent. The integration of renewable energy sources with charging infrastructure offers dual benefits: reducing greenhouse gas emissions associated with traditional fossil fuel-based power generation and extending the reach of EV technology into areas beyond urban centers.

Furthermore, public-private partnerships offer potential avenues for securing necessary funding without placing undue financial burden on local communities or individual businesses.

As such, developing an efficient and resilient off-road EV charging network requires a holistic approach incorporating technological innovation, targeted investment strategies, and sustainability considerations.

The challenges of designing and manufacturing off-highway EVs

Designing and manufacturing electric off-highway vehicles presents unique challenges, with research indicating that a significant one is ensuring these machines can withstand the rigors of heavy-duty applications, an issue reported by 60% of manufacturers. Battery longevity is a critical concern in this regard since off-road vehicles often operate in extreme conditions that could quickly diminish battery life.

Similarly, terrain adaptability is another challenge. Electric vehicles must be designed to handle diverse terrains, from rocky landscapes to sandy dunes, without compromising on performance or energy efficiency.

Material sourcing poses yet another problem due to the need for lightweight but highly durable materials for construction. This brings us to durability concerns which are paramount because, unlike regular city electric cars, off-highway EVs have to endure harsher operational conditions requiring them to be more robust and longer-lasting.

Finally, cost efficiency continues to be an obstacle as developing high-performance, yet affordable electric off-highway vehicles remains a struggle for many manufacturers, due to the high costs associated with batteries and other essential components.

The future of EV infrastructure both on- and off-road

Transitioning from the challenges of designing and manufacturing electric off-highway vehicles, it is pivotal to envision what the future holds for EV infrastructure. This includes both on- and off-road contexts, as each comes with its unique set of considerations pertaining to infrastructure financing, renewable energy integration, vehicle-to-grid technology, and battery disposal methods.

The future landscape of EV infrastructure will likely be shaped by a variety of factors. The pace at which this change occurs may largely hinge upon infrastructure financing – securing sufficient funds to create an expansive network of charging stations that facilitate higher EV adoption rates. As more consumers opt for electric vehicles, there will be an increased demand for reliable and accessible charging facilities.

Therefore, investment in this sector is crucial not only for supporting current users but also promoting further uptake.

Simultaneously, the integration of renewable energy sources into these infrastructures represents a crucial aspect. By harnessing power from sustainable resources such as solar or wind energy, the environmental impact can be further mitigated while optimizing energy usage overall.

Moreover, vehicle-to-grid technology presents another promising avenue where electric cars do not just draw power but can feed surplus back into the grid during peak demand hours – thereby acting as mobile energy storage units. This could revolutionize how electricity grids operate while offering additional revenue streams for EV owners.

Lastly, there are considerations regarding battery disposal methods. With growing numbers of electric vehicles on- and off-road come increased volumes of spent batteries, which necessitate effective recycling or disposal strategies to minimize environmental harm and potential resource losses.

Thus, these aspects collectively indicate a multifaceted future wherein technological advancements must go together with strategic planning and responsible practices.

The US Government’s solutions offer hope

In conclusion, the path to an electrified future, both on- and off-road, resembles a vast and uncharted road. Despite challenges such as regional disparities in charging station availability, hurdles in infrastructure expansion, and manufacturing complexities for off-highway vehicles, progress is being made.

The US Government’s support, alongside innovative solutions, offers hope that these obstacles can be overcome. As the dawn breaks on this new era of transportation, one cannot help but feel a sense of anticipation for what lies ahead – a highway illuminated by the promise of sustainable mobility.





Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Innovation News Network, titled “Why penetration testing is critical to every robust cyber security strategy” – originally published on November 2, 2023.

Foreword by Josh Turpen – Chief Product Officer, Jama Software®

A big “Thank You!” to Chris Dickens for a great article. As part of our security program here at Jama Software, we have a layered approach to security tests and scans. Scans are done on every build, automated tests are run on every build, and active PEN tests are done multiple times per year. As the only SOC 2 Type 2 product in the space, we have set a high bar for ourselves because we know the importance of security to our customers.

Why Penetration Testing is Critical to Every Robust Cyber Security Strategy

Chris Dickens, Senior Solutions Engineer at HackerOne, outlines an effective penetration testing strategy.

Digital transformation has become an essential requirement for any business that wants to remain competitive in an increasingly digital global landscape.

However, it’s not always straightforward. In many cases, digitizing key processes can expose businesses to a wide array of new cyber security risks they aren’t used to, potentially leading to damaging breaches, attacks and/or loss of sensitive data if they aren’t careful.

In order to protect against such threats, a well-rounded cyber security strategy needs to be put in place alongside any digital transformation initiative.

However, cyber security isn’t a ‘one and done’ activity; strategies must be continuously evaluated and tested to ensure they remain effective.

Cyber criminals constantly evolve their attacks, so cyber security must also evolve. Whatever works now will likely be outdated in just a few weeks or months.

One of the best ways to stay ahead is through regular penetration testing (pentesting), which can give companies a fast, accurate snapshot of the current state of their cyber defences. This point-in-time activity features ethical hackers putting themselves into the shoes of malicious actors in an attempt to breach a system’s security for the purpose of vulnerability identification.

Typically, both humans and automated programs are used to research, probe, and attack a network using various methods and channels known to be used by cybercriminals.

But too many still don’t fully understand how pentesting works, or how they can effectively implement it into their wider security strategy.

How has pentesting changed?

The era of secretive, closed-door penetration testing is a thing of the past. In those days, you had to depend on the skills and schedules of what were usually big companies, enduring long waits and limited insight into the results and the tester’s actions.

Nowadays, penetration testing has evolved significantly. It often commences within a few days and is typically conducted on a smaller scale more frequently. This transformation is credited to innovative platforms that offer real-time transparency into the testing process and a more inclusive approach when bringing testers on board.

The emphasis is now on results and experience from the ethical hacking community rather than formal education and certification. The creation of new AI-based hacking methods and willingness to test source code has also greatly improved the output.

While this may sound quite daunting for the business involved, pentesting is an incredibly effective way to discover major vulnerabilities in their security before they can be exploited, which is critically important for keeping sensitive data safe.

Arguably, penetration testing’s best advantage, however, is its thorough coverage and documentation. Due to its in-depth and refined testing, in most cases, vulnerabilities are discovered and documented, including details on how the bug can be exploited, its impact on an organisation’s compliance, and advice on how to remediate the issues.

Unlike other offensive security engagements, pentesting also allows organisations to test internal systems alongside unfinished applications – this is especially useful when leading up to a new product announcement or organisation acquisition.

Using pentests to inform both present and future security strategies

As mentioned, pentesting is a great way for businesses to gauge the effectiveness of their existing security defences at that moment in time.

However, too many organisations tend to treat it as though it’s the beginning and the end of the process, which it isn’t.

Pentesting is a tool, not a strategy, and as valuable as they are, pentests are only useful if the results are translated into an effective overall security strategy for the future.

An effective modern pentesting strategy should contain the following elements:

  1. Establish key security priorities: First and foremost, businesses must determine what they need to protect. While it’s impossible to protect everything all the time, key assets should be prioritized based upon the damage the asset would cause if it was to be compromised. Typically, highly sensitive information such as proprietary IP, competitive and legal information, and personally identifiable information (PII) will be top of the list.
  2. Get security buy-in from all employees: A sustainable security culture requires buy-in at all levels of an organization, from the executive board to the reception desk. If every employee takes responsibility for company security, it’s much easier to build a model where risks are shared, and teams across the company can scale securely.
  3. Use pentesting as a regular security touchpoint: Regular penetration testing is a great way to promote a more proactive approach to security. All too often, organizations aim to meet only the minimum requirements for compliance – and believe themselves to be secure, which is a highly risky strategy. By contrast, combining regular pentests with bug bounty programs provides a continuous feedback loop that allows companies to quickly identify new vulnerabilities and deal with them before they come to the attention of malicious actors.
  4. Make robust cyber security a strategic differentiator: A recent study by PwC found that 87% of global CEOs are investing in cyber security as a way of building trust with customers. If the lifeblood of the digital economy is data, its heart is digital trust. Organizations with a sound security strategy can quickly turn it into a strategic differentiator for their brand, which is invaluable in highly competitive business sectors and industries.

The best cyber security strategies can quickly adapt to change

Modern enterprise security is not easy. As more businesses embrace digital transformation and cloud computing becomes the new normal, reliance on IT is at an all-time high.

Consequently, even a small data breach can potentially have a devastating impact. On top of this, attack surfaces are exponentially larger than they were just a few years ago and continue to grow at an alarming rate.

The best practice approach for security teams is to color outside of the lines by infusing new and independent thinking. With this in mind, penetration testing offers much more than just a scan and definitely more than a tick-box compliance requirement.

By developing a cyber security program that employs an agile approach, organizations can prioritize flexibility and make rapid changes when needed.

Engaging ethical hackers enables organizations to deploy an army of specialized experts that will work around the clock to identify vulnerabilities and conduct pentests for both regulatory compliance and customer assessments. In today’s highly competitive and volatile business environment, few organizations can afford to forego such a crucial security advantage.

Contributor Details
Chris Dickens – Senior Solutions Engineer, HackerOne

2024 Predictions for Product and Engineering Teams

As Product and Engineering Teams move into 2024, we aim to gain a deeper insight into the factors driving transformation in the development of products, systems, and software and explore how teams within this industry are adapting to meet the challenges posed by these evolving complexities.

In the final part of this six-part series, we asked our own industry experts Josh Turpen – Chief Product Officer, and Preston Mitchell – Vice President, Global Solutions, to weigh in on the product development and engineering trends they’re anticipating in the coming year and beyond.

We like to stay on top of trends in other industries as well. Read our predictions for Automotive HERE, Aerospace & Defense HERE, Industrial & Consumer Electronics (ICE) HERE, Medical Device & Life Sciences HERE, and SoftTech HERE.

Design Trends – What are the biggest trends you’re seeing in your industry right now? How will they impact product & engineering teams through product, systems, and software development?

Josh Turpen: Software continues to eat hardware. This trend is accelerating in the complex product space, particularly in automotive. This is driving companies to be “agile” but at the cost of quality.

Preston Mitchell: The big trend will be how to focus using the emergent Artificial Intelligence (AI) / Large Language Models (LLM) solutions so they actually help the team be more efficient or profitable. Plenty of emerging tech in the AI space but remains to be seen how “useful” it will be. There is a huge opportunity to leverage this in ways that are beneficial for teams with the right focus. For example, we’re just starting down this path at Jama Software® with Jama Connect Advisor™, which helps train business analysts / product managers / engineers on how to write their requirements in a more concise fashion with less ambiguity.

Biggest Challenges – What are some of the biggest challenges you think product & engineering teams will be working to overcome in 2024?

Turpen: Quality at scale and speed will continue to be a problem. This is exacerbated by the increasing complexity in software.

Opportunities – What are some of the biggest opportunities you think product & engineering teams should be considering in 2024?

Mitchell: Automation. Consider where automation can reduce the complexity and time needed to deliver large scale products. I’ve worked with hundreds of companies that build very complex products and I’m still amazed at how many of their internal processes are manual. AI will certainly be the 2024 buzzword – but currently most AI tools are still beta and rely on a human to prompt for an answer – not exactly automating a repeatable process. When I mean automation opportunity I’m talking about the low-hanging fruit of manual business processes – for example, automating task links between multiple engineering tools.

Regulations – What changing regulatory guidelines do you anticipate having an impact on companies in 2024?

Turpen: Companies that seek to identify risks (not just in products, but in process) will come out on top. Anti-fragile product development pipelines are the logistical super-power for the next phase of product development.

Tool Innovation – From a product & engineering toolset perspective, what are some of the processes you think forward-thinking organizations will be working to leverage or incorporate into their process and why?

Turpen: Moving from the individual engineer to the team/product pipeline will give management the opportunity to intervene early to reduce risk. Products that are focused on a best-of-breed world will give companies a leg up on legacy vendors and their suite approaches.

Mitchell: Forward-thinking orgs will adopt data-driven assessment of the product development lifecycle. Today there are no generally accepted measurements of Research and Development (R&D) efficiency. It’s hard for organizations to predict if a product will be delivered on time and without defects. Launch delays and regressions are common and almost generally accepted. Organizations commonly measure a product’s performance after it is launched (revenue, profit, adoption). Why don’t we measure what happens before it is launched? Why don’t we measure the R&D lifecycle? Forward-thinking orgs will adopt ways to measure their development lifecycle so they can better predict success or failure…and some may not like what they find.

Cybersecurity – What role will cybersecurity play in product & engineering development in the coming year and beyond?

Turpen: Cybersecurity will be baked into requirements and, therefore, products for everything from thermostats to ADAS.

Survival Factors – In your opinion, what are the biggest differences between product & engineering companies that will survive to see 2030, and ones that don’t?

Turpen: Agility tempered with quality will be the common trait of survivors. We’re already seeing companies get slapped with criminal charges based on their inability to see and manage risk.

Mitchell: With the hot economy and low interest rates before recent inflation there was a lot of investment in new startups and emerging technologies — think self-driving cars and AI. The economy is still doing well, but tempered with higher interest rates, so the investors of years past are looking for a return on their prior investment and will be more tempered with any new bets they place. The companies that survive to see 2030 will be the ones that find clear use cases that people are willing to pay for in these emerging technologies. New products and tech just “because it’s cool!” will not survive without a commercialization path.

Advice – What advice would you give to new product & engineering teams entering the market?

Turpen: Move fast and KNOW what you’re going to break.

Mitchell: Ask questions and seek advice from your peers or mentors who have built something before in your industry. Determine who your ideal “first customer” would be and work hard to speak with them, show them your early prototypes, and validate your assumptions about what they need.

Emerging Topics – What topic(s) do you wish companies were paying more attention to?

Turpen: Management of the engineering process.

Mitchell: Solving very easy efficiency problems in the engineering process like automating flow of data between disparate systems. I just spoke with a customer whose testers were redundantly logging defects in two different systems! Come on! Set aside some time to automate that process!

Identifying Mistakes – What is the biggest mistake you see product and engineering teams making right now?

Turpen: Throwing money at hard problems with little understanding of success and no management of the outcome.

Mitchell: Assuming a tool will solve their problems. Process first, then tool.

Innovation – What is the most innovative thing you’ve seen with product and engineering teams this year that you anticipate other companies following suit in coming years?

Turpen: Moving away from the “big meeting” to an asynchronous, stateful collaboration process.

Predictions – What do you think will remain the same in your industry throughout 2024?

Turpen: Companies who think the answer to their engineering process problems is a monolithic tool will continue to lose ground and engineers to their competitors.

Do you think there will be any major disruptors for product & engineering teams in the coming year? How do you think it will impact the industry?

Turpen: We’ll see the first set of major Intellectual Property (IP) lawsuits based on uncontrolled LLM. This will force companies to think about security and IP protections in their own AI development.

Mitchell: This will not happen in one year, but I foresee AI solutions replacing the need for traditional learning assets like static help guides, training videos, and maybe even support sites. Users don’t need to read a help guide, watch a tutorial, or submit a support ticket if an AI assistant is guiding them in the process and available for quick questions. Effort to build those types of traditional learning assets will be redirected to investments in AI assisted “on the job” learning while using the product.

What do you predict for product & engineering regulations in 2024?

Turpen: A continued increase in the importance of security/safety regulations in the automotive/medical industries with more penalties for poor performance.

Will those trends still be prevalent 5 years from now? 10 years?

Turpen: Yes, this is an area that will only grow in complexity and impact.

In this blog, we recap our webinar, “Critical Alignment for Security, Safety & Product Development Team” – Click HERE to watch it in its entirety.

Critical Alignment for Security, Safety & Product Development Teams

Break down silos to unite teams for the future of vehicle technology!

Safety, security, and development teams tend to work in silos due to differing objectives, tooling, and methodologies; historical contexts; educational backgrounds; and even fundamental terminology.

The increasing interconnectivity of vehicles makes it hard to separate safety and security from development. In the complex world of software, teams must break down silos, foster collaboration, and streamline documentation to ensure agile development and adapt to evolving demands.

In this webinar you will learn:

  • Why it’s important to have compliance teams speaking the same language
  • What we’re seeing and expecting from the industry to bring these specialized teams closer
  • How to keep security, safety, and development teams aligned using Live Traceability™
  • How to avoid rogue development and keep track of progress with Traceable Agile™ practices

Discover how Jama Connect® can empower Automotive and Semiconductor development teams to improve their end-to-end lifecycle and avoid costly rework.

Below is an abbreviated transcript of our webinar.

Kevin Dibble: I’d like to talk about the agenda for today and focus on the word alignment because that’s where we’re going to cover how we bring together cybersecurity teams, safety teams, product development teams, and even project management.

There’s a lot of siloing and opportunities in organizations for these specialized groups to work separately. But we’re going to talk about the importance of bringing these teams together and show some enabling technologies around live traceability and traceable Agile practices. So that’s the focus for today. But first, let’s start with the problem, and I want to isolate safety and security to begin with. So how are teams working today in these two functional areas?

With the puzzle piece in the middle, I’m trying to communicate that these teams want to work together, but the puzzle doesn’t quite fit yet. So let’s look at some of the underlying reasons why.

First, with functional safety, the standard for functional safety in automotive, ISO 26262, has been around since 2011, and the safety work’s been around even longer than that. So for OEMs, tier ones, and even some tier twos, the organizational competency, processes, tools, and the culture of safety are quite mature.

But on the right side, we have cybersecurity, which in automotive is a new discipline, with new standards, new audits, and assessment requirements, and requirements coming very rapidly from OEMs and tier ones worldwide.

Dibble: These teams are going through training. The processes for doing product development according to standards like ISO 21434 are new or in development still. The discipline itself is new and transforming out of IT security. And so this helps to understand perhaps some of the underlying factors of why these teams might be working separately or not working exactly on the same page.

Which leads to a silo situation. And I’ve got functional safety on the right and cybersecurity on the left. Both of those standards and both of those disciplines require automotive V-Model development, with strict requirements for documentation, quality, and compliance with the V-Model.

And so what’s happening is that the organizations pulling together these disciplines along with product development are doing some sharing in risk analysis, and basically handing requirements to product development teams, and not yet in a stage where they’re fully collaborating. And that presents some problems. And it adds some risk.

A couple of examples here are both safety and security risk-based standards for understanding how we mitigate the risk of something wearing out like hardware or defects that could cause safety issues on the one. And then on the cybersecurity side, how do we mitigate the risk of an attacker using a threat to infect or change the behavior of a system?

The controls or the mitigations for those two types of risks might result in conflicting requirements. For example, how to handle a communication channel, and I’ve given you an example right here.

Those two teams have to work together along with product to solve those differences, as well as to build an integrated system that at the end of the product release cycle we’re not finding surprises in terms of conflicting requirements and implementations that don’t work together cohesively. And so that’s one of the areas cyber and safety silos can cause problems.

Dibble: Now, we’ve heard about safety issues, recalls, and unfortunately crashes and fatalities for years. But I want to highlight some of the things that are being written in the press even recently about the threats that cybersecurity is now trying to address. From taking control of fleets of vehicles to shutting down production lines to causing safety-related hazards potentially, these are very real threats, and this is why the industry is moving so quickly to adopt the new cybersecurity standard.

To be able to tie together the disciplines of safety and security as well as product development, communication is critical. These safety analyses and threat analyses can’t happen in a vacuum. The teams have to work together, and this is where that alignment concept becomes so important.

Also, both these standards, 21434 and ISO 26262, require the establishment of communication channels between safety, security, and other disciplines like quality. So the developers of these standards certainly were aware of the need for these teams to talk and to achieve alignment.

In this blog, we’ll recap our eBook, “What You Need to Know: ANSI/AAMI SW96:2023 — Medical Device Security” – Click HERE to download it in its entirety.

What You Need to Know: ANSI/AAMI SW96:2023 — Medical Device Security

A comprehensive guide to understanding ANSI/AAMI SW96:2023 and mitigating security risks


Managing risk around a medical device’s entire lifecycle has become increasingly complex. Many devices use third-party components, which is especially true for devices that require a network to operate. This increased need for connectivity, along with other emerging threats, is putting security at the forefront of medical device industry standards.

A recent report titled “2023 State of Cybersecurity for Medical Devices and Healthcare Systems” found 993 vulnerabilities in the 966 medical products it examined—a 59% year-over-year increase from 2022. Software applications, including those that medical devices relied on to work, accounted for 64% of the vulnerabilities found.

With device vulnerability increasing, new standards aim to keep up with emerging threats. As a result, ANSI/AAMI SW96:2023 was created to help protect against threats, understand risk, and guide manufacturers in taking the most appropriate actions to enhance security. However, because the standard is relatively new, many device manufacturers are still finalizing the interpretation on how this impacts their organizational processes. If you’re still working to get familiar with the standard, we’ve created a complete guide to make the task easier.

Third-party components may increase security risk, with one study finding that software alone accounted for 64% of noted vulnerabilities.

What is ANSI/AAMI SW96:2023?

ANSI/AAMI SW96:2023 guides security risk management for medical devices, aligning with the processes included in ISO 14971:2019.

The new standard addresses the entire lifecycle of a medical device, including areas such as design, production, and post-production. It’s intended for use with AAMI TIR57 Principles for Medical Device Security – Risk Management, which addresses cybersecurity analysis, and AAMI TIR97, Principles for Medical Device Security, which guides processes for managing medical devices in the post-market space.

The goal of the new standard is to support manufacturers in ensuring that medical devices are reliable, work as intended, and don’t cause harm to patients, operators, or the environment. It also focuses on mitigating any potential risks around device failure.

The standard includes policies, procedures, and best practices designed to evaluate, control, and monitor potential risks involved with a medical device.

RELATED: Understanding Integrated Risk Management for Medical Devices

Why is security for medical devices important?

Security has always been important to medical device manufacturers, which is why considerations are included in ISO 14971:2019. However, ANSI/AAMI SW96:2023 aims to deepen security-related standards.

Addressing potential security risks throughout the entire product lifecycle, including design, production, and post-production, enables manufacturers to identify and mitigate potential risks through a more focused and proactive approach. It helps manufacturers continually identify, review, and safeguard against fast-evolving threats.

Understanding the security risk management process

As you get up to speed with ANSI/AAMI SW96:2023, the “security risk management process” section includes details for mitigating potential threats. It includes six major sections, everything from security risk analysis to production and post-production activities. Each section contains a detailed framework, but for the sake of simplicity, we’ve highlighted a few main points for each.

The 6 Sections of Security Risk Management

  1. Security risk analysis. It focuses on selecting product security standards, performing threat modeling, and establishing capabilities to identify and detect security vulnerabilities across a medical device’s entire lifecycle.
  2. Security risk evaluation. Establishes a security assessment strategy and testing processes.
  3. Security risk control. Identifies, designs, and implements security risk control measures, as well as verifying the implementation effectiveness of any security risk control measures.
  4. Evaluation of overall security residual risk acceptability. Determine if the “security residual risk” of a device is acceptable.
  5. Security risk management review. A security management report is prepared.
  6. Production and post-production activities. Potential vulnerabilities are monitored to identify any new security risks. Also, it establishes processes to stay aware of new threats, creating security incident response plans and other measures to identify ongoing vulnerabilities.

Section 1: Security Risk Analysis

The security risk analysis focuses on selecting product security standards, performing threat modeling, and establishing capabilities to identify and detect security vulnerabilities across a medical device’s entire lifecycle. It covers:

  1. Security risk analysis process: It suggests that manufacturers perform a security risk analysis, and the results are recorded in the “security risk management file.”
  2. Intended use and reasonably foreseeable misuse: The “security risk management” file includes reference documents developed in compliance with clause 5.2 of ISO 14971. It needs to account for “the use of a medical device in a way not intended by the manufacturer, but which can result from readily predictable behavior.”
  3. Identification of assets and characteristics related to security: You’ll also identify potential medical device vulnerabilities such as third-party components, hardware, and software.
  4. Security risk estimation: You will estimate the associated “risks” for each of the identified security vulnerabilities and potential impacts on areas like confidentiality and integrity.

Section 2: Security Risk Evaluation

The security risk evaluation establishes a security assessment strategy and testing processes. A few areas it considers:

  1. Evaluation of each security risk: Identify each security risk area, determining if a “security reduction” is required.
  2. Evaluation of security risks with a potential safety impact: Consider every potential risk to determine any potential safety impacts.

RELATED: Application of Risk Analysis Techniques in Jama Connect® to Satisfy ISO 14971

Section 3: Security Risk Control

This section is focused on identifying, designing, and implementing security risk control measures, as well as verifying the implementation effectiveness of any security risk control measures, including:

  1. Security risk control option analysis: Determine if a security risk control measure is appropriate for mitigating security risks to an “acceptable level.”
  2. Implementation of security risk control measures: Security risk measures are selected based on the prior step.
  3. Security residual risk evaluation: After the security risk control measures are implemented, the manufacturer evaluates the security residual risk and records this evaluation in the security risk management file.
  4. Benefit-risk analysis: If a security residual risk is found to be “acceptable” using the criteria created in the security risk management plan, and further security risk control isn’t practical, the manufacturer conducts a benefit versus security risk analysis.
  5. Risks arising from security risk control measures: The manufacturer reviews the effects of the security risk control measures to understand whether new security vulnerabilities and threats are introduced that could impact security, safety, or privacy.
  6. Completeness of security risk controls: The manufacturer periodically reviews security risk control activities to ensure all vulnerabilities and threats are considered and security risk control activities are complete.

Section 4: Evaluation of Overall Security Residual Risk Acceptability

After the security risk controls are implemented and verified, the manufacturer determines if the overall “security residual risk” created by the medical device is acceptable.

Section 5: Security Risk Management Review

The standard recommends a review of the execution of the security management plan before releasing a new device. According to ANSI/AAMI SW96:2023, the review should ensure:

  1. The security risk management plan has been appropriately implemented.
  2. The “security residual risk” is at an acceptable level.
  3. Methods are in place to gather and review details in the production and post-production phases, and leadership has reviewed and approved the plan.

Image showing the flow of different stages of risk.

Section 6: Production and Post-production Activities

The final section is focused on establishing, documenting, and maintaining a system to monitor, assemble, and review information about medical device security in the production and post-market phases. Also, it establishes processes to stay aware of new threats, creating security incident response plans and other measures to identify ongoing vulnerabilities.

DOWNLOAD THE ENTIRE EBOOK: What You Need to Know: ANSI/AAMI SW96:2023 — Medical Device Security

2024 Predictions for Medical Device & Life Sciences Product, Systems, and Software Development


As the medical device & life sciences industry transitions into 2024, we aim to gain a deeper insight into the factors driving transformation in the development of products, systems, and software and explore how teams within this sector are adapting to meet the challenges posed by these evolving complexities.

In part four of this six-part series, we asked the following industry experts to weigh in on the medical device & life sciences product, systems, and software trends they are anticipating in the coming year:

We like to stay on top of trends in other industries as well. Read our Automotive predictions HERE, Aerospace & Defense HERE, Industrial & Consumer Electronics (ICE) HERE, SoftTech HERE, and Product & Engineering Teams HERE.

2024 Predictions for Medical Device & Life Sciences Development

Design Trends – What are the biggest trends you’re seeing in your industry right now? How will they impact medical device & life sciences development?

Shawnnah Monterrey: We are seeing a significant increase in healthcare innovations, especially with in-vitro diagnostics, and clinical decision support software.

The ability to connect medical devices to share medical device data through emergence, evolution of cloud computing, and the increase in data storage capability has led to the derivation of new clinical insights, in diagnostics, and clinical decision support. Artificial Intelligence (AI) and Machine Learning (ML) are being applied to clinical and patient data in unique and novel ways, such as in-vitro fertilization, cancer treatment recommendations, and the automation of status-quo manual clinical processes.

The increase in research allocated to understanding our DNA, and its relationship to our health, has led to the rapid adoption of DNA-based clinical tools utilizing next-generation sequencing and other DNA detection technologies such as DNA nanotechnology tools, chip-based digital Polymerase Chain Reaction (PCR) detection, Clustered Regularly Interspaced Short Palindromic Repeats (CRISPR) diagnostic technology, etc. to aid in the diagnosis and treatment of complex diseases such as cancer, neurodegenerative diseases and dementia, and even behavioral and psychiatric disorders.

Vincent Balgos: As we’re seeing in other industries, a common trend in the medical industry is that organizations are refreshing their internal processes to scale, integrate, and increase efficiency. With extrinsic pressures (market, financial, and regulatory), there is continual effort to optimize organization activities, specifically around product development processes, and leverage previous work as much as possible.

Biggest Challenges – What are some of the biggest challenges you think medical device & life sciences companies will be working to overcome in 2024?

Monterrey: A few of the biggest challenges companies will face in 2024 include but are not limited to:

  • Being competitive and innovative in a highly regulated environment
  • Understanding regulatory requirements in new or less mature regulated areas
  • Obtaining funding to support regulatory and development efforts

Companies who are focused on aligning their product roadmap with a sound regulatory strategy will not only unlock funding but obtain revenue faster, which will allow them to leap ahead of the competition.

Regulations – What changing regulatory guidelines do you anticipate having an impact on companies in 2024?

Monterrey: U.S. Food & Drug Administration (FDA) is not known to be fast, but within recent years, the FDA has released a record number of guidances and has even changed the medical device regulation in a few areas. While the industry is playing catchup on hundreds of new guidances in areas such as:

  • Software as a Medical Device (SaMD)
  • Cybersecurity
  • Clinical Decision Support Software
  • Mobile Applications

The FDA is working on furthering the regulation and guidance around many areas including, 510(k) Third Party Review Program, In Vitro Diagnostics (IVDs), AI/ML, and the use of real-world and simulated data in pre-market submissions.

It would be wise for companies to start understanding and applying new draft guidances that are relevant to their products in advance of the final draft. Once a final version is issued it could drastically interrupt your product development and launch plans.

Balgos: There are a few regulations that will start or continue to have an impact on the industry:

  • FDA’s Final Guidance on Cybersecurity for Medical Devices – Continuing the focus on Software (SW) in previous years, this new final guidance will require ongoing discussions on the new security requirements (ex: Software Bill of Materials (SBOM)), activities, and expected documentation.
  • FDA’s proposed ruling on Laboratory Developed Tests (LDT) – In the latest turn of events in this long running topic, this new proposed rule to transition away from Enforcement Discretionary (ED) to more explicit LDT oversight by FDA will have significant impact to the laboratory industry. Industry feedback has been active and complex, so will be interested to see if there will be a resurgence of the previous VALID Act or will the new proposed ruling stand as is.
  • Based on FDA’s proposed 2024 list of prioritized guidances, there will be additional information around AI/ML in the context of lifecycle management, pre-submissions, and change management considerations.
  • In the EU, both the Medical Device Regulation (MDR) and In-Vitro Diagnostics Regulation (IVDR) will continue to impact companies as they transition to these new rulesets. Even with the time extension on MDR, companies are continuing to struggle in converting their processes to comply with the new regulations as 2024 rolls out.

Romer De Los Santos: The FDA just released the final guidance on cybersecurity in medical devices that includes additional tasks and deliverables that medical device manufacturers must start to implement. Design and development procedures for software that is part of or is a medical device itself will need to be updated with this new guidance in mind. Software Bill of Materials (SBOM), security risk assessments, threat modeling, and consideration of the entire lifecycle for security risks and mitigations are just some of the things that are required in today’s interconnected world.

RELATED: Understanding Integrated Risk Management for Medical Devices

Tool Innovation – From a medical device & life sciences engineering toolset perspective, what are some of the processes you think forward-thinking firms will be working to leverage or incorporate into their process and why?

Monterrey: Product development costs, regulatory complexity, and time-to-market are all increasingly trending topics in the medical device industry. Companies that are thinking ahead of these trends are focusing on their competitive advantage, which includes their innovation or core Intellectual Property (IP) and leveraging the support of industry experts and built-for-purpose tools.

This includes:

  • Investing in existing regulatory and quality management frameworks, including software, built-in processes, and training
  • Hiring regulatory and quality experts who understand the regulatory landscape and have domain expertise related to their products
  • Integrating medical/clinical grade or compliant platform software, components, and development tools

De Los Santos: Firms will need to leverage tools like Jama Connect to start to track security risks, SBOM, and the documentation for a multitude of software variants, upgrades, and patches. While the tools enable compliance with regulatory requirements, medical device manufacturers need to create a robust and lightweight design and development process that leverages the capabilities of their tools. For many firms, this means looking at the total development lifecycle holistically instead of tacking on quick fixes to their procedures to meet current regulatory requirements.

What role will cybersecurity play in medical device & life sciences development in the coming year and beyond?

Monterrey: Per the current FDA guidance, obtaining pre-market approval/clearance for a medical device with firmware or software, connected or not connected, requires some level of cybersecurity compliance, especially around risk management. This has put an extra strain on medical device manufacturers because the guidance is very technical and rigorous and currently does not provide guidance around the level of application based on the risk of the device. I hope to see a future revision that accommodates lower risk devices, but for now it’s worth investing in cybersecurity experts who can help you certify your device and associated processes.

Balgos: As noted in a recent FDA webinar around cybersecurity, there is continual discussion in how to regulate this topic, and the expected deliverables to the agency. One area is SBOM and how to properly document all the elements of software for a medical device.

De Los Santos: Cybersecurity will play a starring role as manufacturers start to revise their design and development processes to include it.

In your opinion, what are the biggest differences between medical device & life sciences companies that will survive to see 2030, and ones that don’t?

Monterrey: Those who survive to see 2030 will respect the regulatory landscape and put in place proper attention and investment, instead of those trying to delay, resist, or evade the inevitable. Although it might not feel like it, the changes being put in place are to our benefit, with the intent of providing the industry with a clearer pathway for new innovations. It will just take a while for the regulations to harmonize and for the industry to adapt to the new ways of thinking by leveraging data, tools, and expertise to rapidly innovate.

De Los Santos: Companies that are adaptable and innovative with not only their products, but their design and development process will survive to see 2030.

What advice would you give to new companies entering the medical device & life sciences industry?

Monterrey: Build your product for the industry – align your product development efforts with your business model and regulatory strategy and do not try to obtain premarket approval for your device without the support of experts in the industry unless you have done so successfully before.

De Los Santos: Keep it simple.

What topic(s) do you wish companies were paying more attention to?

Monterrey: I wish more companies would focus on defining their regulatory strategy early in the development lifecycle and not wait until they have only six months or less to start thinking about getting their device approved or cleared. Depending on the complexity of your device, regulatory compliance efforts could take 12-36 months, with most of the efforts around verification and validation. Six months prior is often too late and could be detrimental to your business launch plans that do not meet your stakeholder expectations.

De Los Santos: I wish companies would focus on fixing their process problems instead of patching them. A little more front-end work will save future teams lots of time.

RELATED: Jama Connect® for Medical Device & Life Sciences Development Datasheet

What is the biggest mistake you see companies in medical device & life sciences making right now?

Monterrey: Two biggest mistakes I see are:

  • Trying to make a medical device not a medical device, even though it is a medical device
  • Not narrowing down a product’s intended use for the first launch

Balgos: Cutting corners for short-term gain, but in reality, these cuts will actually cause long-term consequences exponentially. Example: Documentation. Time and time again, our technical customers (and from my own personal experience) are being pressured to get products out the door and do the documentation later. There are several issues with that: 1) technical documentation and files are required for regulatory submissions for market clearance, 2) this generally conflicts with most good Engineering and Quality practices as they will need time for review/approval, and 3) it’s much harder to document something long after it’s happened. These issues culminate in taking much longer to complete the documentation, and thus impacts the long term.

De Los Santos: Companies should not make their procedures more complex than they need to be.

What is the most innovative thing you’ve seen in medical device & life sciences this year that you anticipate other companies following suit in coming years?

Monterrey: The most innovative things I have seen are the creative use of simulated and real-world data to support pre-market approval and the novel application of AI, which uses data from multiple unrelated devices to diagnose, treat, or support various diseases and medical conditions. I am seeing more products provide a technology platform for multiple intended uses. Companies that are successful understand the long game and focus on the easiest-to-launch intended use first, generate revenue, and then focus on further product applications, including innovations that require a more rigorous regulatory pathway.

Predictions –

What do you think will remain the same in your industry throughout 2024?

Monterrey: I think 2024 will be a very innovative year meaning there are more changes to come, and we will continue to see new and novel clinical innovations continue to disrupt the industry. 2024 is going to be an exciting and unprecedented year!

Do you think there will be any major disruptors in medical device & life sciences in the coming year? How do you think it will impact the industry?

Monterrey: Major disruptors will come from those focusing on diseases and conditions that have previously been ignored or neglected. One area I would like to see advance is the use of software as a therapeutic as opposed to prescription pharmaceuticals, devices, or surgery. Because of limitations in reimbursement and the non-traditional use of software as a therapeutic device, this area has experienced challenges which has delayed its adoption.

Balgos: The emergence of AI/ML has the potential to become an industry disruptor, dependent on its application or intended use. We can see its impact already in non-medical software, so it is only a matter of time before its influence is felt in the medical industry. Hence, there are continual discussions from FDA, industry bodies and experts, in how to regulate, develop and manage AI/ML for medical devices.

What do you predict for regulation in the medical device & life sciences industry in 2024?

Will those trends still be prevalent five years from now? 10 years?

Monterrey: As I stated last year, I still see progress around the harmonization of guidances and standards, which will eventually allow for a more standard way to approach pre-market approval — but as I stated previously, this will be messy and complex before it clears itself out. I primarily see the increased use of simulated and real-world data as a new way to validate devices. Animal and in-human use will decrease, and publicly available and validated datasets will become available to quickly assess new medical devices for safety and efficacy.

In this blog, we recap our webinar, “DO-326 Airborne Security Assurance, Threat Modeling, and DevSecOps” – Watch the entire thing HERE.

Cyber vulnerabilities can have a significant impact on safety-critical systems.

Today there is an unprecedented level of digital interconnectivity in everything from vehicle sensors to rovers on the surface of Mars. The aerospace industry has a high degree of cyber connectedness where a negative impact could cause harm to not only aircraft but financial systems, company reputations, international relations, or even physical harm to humans and property.

During this informative session, Cary Bryczek, Director of Aerospace & Defense Solutions at Jama Software®, discusses how Jama Software applies a cybersecure-by-design approach to meeting DO-326A/DO-356A for aircraft systems and how this can be extended to the defense domain.

In this webinar, we covered:

  • Applying the Airworthiness Security Assurance Process
  • Threat (attack) modeling methods
  • Tracing security measures to requirements and tests
  • The role of requirements in DevSecOps tool ecosystems

DO-326 Airborne Security Assurance, Threat Modeling, and DevSecOps

Cary Bryczek: What we’re seeing today is just an unprecedented level of digital interconnectivity in seemingly every system out there. The aviation industry has a high degree of cyber connectedness where a negative impact could really cause harm to not just humans and property, but company reputations, international relations, or financial systems.

What we’re going to see today is how Jama Connect can provide a cyber secure-by-design approach to meeting the many aspects of DO-326 and DO-356, or ED-202 and ED-203 in Europe, the Middle East, and Africa (EMEA). What we’re going to see is we’re going to apply the airworthiness security process that’s inside of DO-326, and use Jama Connect’s Live Traceability™ to trace security measures to security requirements, trace security requirements to testing, look and see how a threat analysis can all be incorporated into a single platform.

What is Cybersecurity by Design? So one of the things that we see a lot is in the tool ecosystem is a very disconnected set of processes and tools. So whether you’re tracing and using tools that do requirements identification, tracing those to verifications and hardware and software designs, or whether you’re using tools to do aircraft security analysis and tracing those to security architectures and security V&V, we’re noticing the disconnectedness of the processes in the tool ecosystem is causing product delays, cost overruns, product failures, audit failures, late identification of defects, and lack of visibility because the ecosystem is very disconnected, is taking place. There’s poor requirement coordination. Change management is hard between software and hardware, and you have a high degree of manual effort required to produce the traceability that’s required for certification. And you’re seeing this after the fact and Excel is used everywhere. Desktop tools are prevalent in the engineering of these systems, and it’s difficult to integrate desktop tools and Excel files into and across the ecosystem for product development.

RELATED: Jama Connect® Features in Five: Space Systems Framework

Bryczek: So what is Live Traceability? Live Traceability in Jama Connect gives the ability for any engineer at any time to see the most up-to-date upstream and downstream information for any requirement, no matter the stage of the systems development or however many siloed tools it spans. Now, this Live Traceability is important because it’s required by the industry standards like we’ve seen in aviation development and Live Traceability delivers a huge productivity improvement and it reduces the risk and the delay that happens when you have a disconnected tool environment.

So we’re going to talk about DO-326. DO-326 is really a set of standards jointly developed by RTCA and EUROCAE. It came about in 2006. It includes a few separate standards. DO-326 and ED-202 really is about the airworthiness security process specification. It explains the fundamental concepts behind airworthiness cybersecurity. DO-356 and ED-203, the airworthiness security methods and considerations, this explains how to perform cybersecurity investments, how to evaluate threats, and security measures of the system. How do you apply the mitigation measures? DO-355, we’re not going to really talk about that one today, but it’s applicable to if there are changes in an already certified system. So one of the most relevant documents you’re going to start with even before you start down the path for cybersecurity, is creating your product information and security risk assessment document. You’re going to perform an analysis of this, and this analysis should be conducted according to the standards.

So what exactly is airworthiness? So airworthiness security is the protection of the airworthiness of the aircraft from intentional unauthorized electronic interaction. So existing safety processes don’t consider intentional disruption. They look at the faults and failures of an aircraft or the aircraft system on a whole. But DO-326 is specifically looking at intentional human-initiated actions with the potential to affect the aircraft due to some unauthorized access or disclosure or causing some denial or disruption of the information systems, the networks, and the software that’s running on these aircraft systems. So this also might include things like malware or infected devices or the logical effects of any external systems. So the purpose of the airworthiness security process within DO-326 is to establish that when subjected to this unauthorized interaction, the aircraft is going to remain in a condition for safe operation.

So like I said earlier, DO-326 describes the what and DO-356 is the how. I’m sure that you guys have carefully looked at both of these guidelines and these are images from the guidelines. But I just wanted to point out what we’re going to talk about today. We’re going to talk about how the airworthiness security process and threats are mapped in Jama and how you can have security assurance and the risk assessment process from DO-356, how those can be conducted in Jama Connect itself. As you know, DO-326 live in its own. You’re having supporting processes from the development of the aircraft, the development of the system, DO-178, ARP-4754 are all interacting and being conducted at the same time. So there’s no linear, do this first, do this next, do this later. All of these processes are taking place pretty much simultaneously or iteratively as you design and develop the aircraft system.

So the airworthiness security process from a basic level, it’s again, it’s the protection of the aircraft from intentional unauthorized electronic interaction. There are four steps for the basic process. We’re going to first identify the system assets and its parameters. The second step is to identify the threats for all of those assets, identify those risks for each of the threats, so what might happen, and then create controls and mitigations for those risks. You’re going to be adjudicating the degree of harm and assigning a security assurance level, the strongest being SAL3 or the least would be a SAL zero where there’s this limited or protection needs required. So there’s a way to grade those as well.

RELATED: Traceable Agile – Speed AND Quality Are Possible for Software Factories in Safety-critical Industries

Bryczek: The inside of Jama Connect itself, this image describes essentially the architecture of what you’re going to see that what we have in the product. We have a template that you can use to facilitate this. It sits alongside of our template that’s used for ARP-4754, and DO-178, or DO-254. The orange assets essentially is the data model that we’re using to capture the different types of things in the system. So we have assets, we have vulnerabilities. Those are tied to different threat assessments or a threat assessment is performed on these types of objects. We have security measures, we have the security architecture elements, and those feed into the security requirements. This comes pre-configured out of the box. We also have an area where you’re going to capture the data for that kind of thing.

Having this sort of a data model enables engineers to really perform the analysis to understand, all right, which assets have I not assessed yet? What’s the workflow? Who has reviewed the threat assessment? Have the security measures been satisfied by security requirements? Have we done security testing of the system? So this sort of data model enables the traceability to be instantiated and allows engineers to really more easily create the kind of a content. So one of the benefits you see of using Jama is that the security process is not disconnected from the design and development of the aircraft system itself. It’s done alongside. So that way you have that earlier touch points between the functional aircraft, design engineers and the security engineers. So you’re building in that secure by design approach.

Deep dive into the seven steps of DO-326A compliance in this related whitepaper:
Cybersecurity in the Air: Addressing Modern Threats with DO-326A
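
The traceability questions raised in the webinar excerpt above (which assets have no threat assessment, which security measures lack a security requirement, whether security testing has been done) can be answered mechanically once the trace links are data. The following is an added example, not part of the webinar and not Jama Connect's data model or API: the `Item` class, the five item kinds, the function names, the "every branch must end in a passing test" rule, the SAL-first ordering, and all sample data are assumptions constructed for illustration.

```python
"""Traceability gap check over a hypothetical layered model:
asset -> threat -> measure -> requirement -> test. Sample data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    id: str
    kind: str             # "asset", "threat", "measure", "requirement" or "test"
    sal: int = 0          # security assurance level 0..3 (SAL3 strongest), threats only
    passed: bool = False  # test result, tests only


# Each kind must trace to at least one item of the next kind downstream.
NEXT_KIND = {"asset": "threat", "threat": "measure",
             "measure": "requirement", "requirement": "test"}


def index(items, links):
    """Return (items by id, downstream ids by upstream id); reject malformed links."""
    by_id = {i.id: i for i in items}
    down = {i.id: [] for i in items}
    for up, dn in links:
        if up not in by_id or dn not in by_id:
            raise ValueError(f"link references unknown item: {up} -> {dn}")
        if NEXT_KIND.get(by_id[up].kind) != by_id[dn].kind:
            raise ValueError(f"link does not go to the next layer: {up} -> {dn}")
        down[up].append(dn)
    return by_id, down


def direct_gaps(items, links):
    """Ids with no downstream trace at all, grouped by kind."""
    _, down = index(items, links)
    gaps = {kind: [] for kind in NEXT_KIND}
    for item in items:
        if item.kind in NEXT_KIND and not down[item.id]:
            gaps[item.kind].append(item.id)
    return {kind: sorted(ids) for kind, ids in gaps.items()}


def is_closed(item_id, by_id, down):
    """True when every branch below the item ends in a passing test.
    Links only go one layer down, so the recursion cannot loop."""
    item = by_id[item_id]
    if item.kind == "test":
        return item.passed
    children = down[item_id]
    return bool(children) and all(is_closed(c, by_id, down) for c in children)


def open_threats(items, links):
    """Threat ids whose trace is incomplete, highest SAL first (assumed priority)."""
    by_id, down = index(items, links)
    pending = [i for i in items
               if i.kind == "threat" and not is_closed(i.id, by_id, down)]
    return [t.id for t in sorted(pending, key=lambda t: (-t.sal, t.id))]


def open_assets(items, links):
    """Asset ids that are unassessed or have at least one open threat."""
    by_id, down = index(items, links)
    return sorted(i.id for i in items
                  if i.kind == "asset" and not is_closed(i.id, by_id, down))


# Constructed sample project.
ITEMS = [
    Item("A1", "asset"), Item("A2", "asset"), Item("A3", "asset"),
    Item("T1", "threat", sal=2),   # fully traced and tested
    Item("T2", "threat", sal=1),   # no security measure yet
    Item("T3", "threat", sal=2),   # measure exists, no requirement
    Item("T4", "threat", sal=3),   # traced, but the test fails
    Item("M1", "measure"), Item("M2", "measure"), Item("M3", "measure"),
    Item("R1", "requirement"), Item("R2", "requirement"),
    Item("V1", "test", passed=True), Item("V2", "test", passed=False),
]
LINKS = [
    ("A1", "T1"), ("T1", "M1"), ("M1", "R1"), ("R1", "V1"),
    ("A2", "T2"),
    ("A2", "T3"), ("T3", "M2"),
    ("A2", "T4"), ("T4", "M3"), ("M3", "R2"), ("R2", "V2"),
]   # A3 has no threat assessment at all

if __name__ == "__main__":
    print("missing downstream trace:", direct_gaps(ITEMS, LINKS))
    print("open threats by SAL:", open_threats(ITEMS, LINKS))
    print("open assets:", open_assets(ITEMS, LINKS))
```

T4 does not appear in `direct_gaps` because every link in its chain exists; only the end-to-end check in `open_threats` shows that its verification has not passed.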