Tag Archive for: cybersecurity


Unlocking the Potential: The Importance of Software Defined Vehicles Explained

Introduction

The automotive industry is undergoing a massive transformation, driven by technology. One of the most exciting developments is the concept of Software Defined Vehicles (SDVs). In this blog post, we will explore the importance of SDVs and how they are revolutionizing the automotive landscape.

What is a Software Defined Vehicle?

Software Defined Vehicles are automobiles that rely on software and data to control major functions, such as propulsion, safety systems, and entertainment features.

Unlike traditional vehicles, which heavily rely on hardware, SDVs leverage advanced software algorithms and connectivity to enhance performance, functionality, and user experience.




Benefits of Software Defined Vehicles

1. Flexibility and Customization

SDVs offer tremendous flexibility and customization options. Software updates can be deployed remotely, allowing manufacturers to introduce new features or improve existing ones without physical modifications. This not only enhances the vehicle’s performance but also enables personalization according to user preferences.

2. Enhanced Safety and Autonomous Capabilities

SDVs play a crucial role in advancing vehicle safety and autonomy. With software-controlled systems, real-time data can be processed and analyzed more efficiently, enabling the vehicle to make instant decisions and react to various scenarios. From adaptive cruise control to automated emergency braking, SDVs are paving the way for a safer and more autonomous driving experience.

3. Improved User Experience

Software Defined Vehicles provide a seamless and intuitive user experience. Smart infotainment systems, integrated navigation, and connectivity features ensure drivers stay connected and informed on the road. Additionally, software updates can optimize vehicle performance and functionality, ensuring a consistently delightful driving experience throughout the ownership period.

4. Enhanced Sustainability

SDVs contribute to sustainability efforts in multiple ways. By optimizing energy consumption, software algorithms can improve fuel efficiency or increase the range of electric vehicles. Moreover, SDVs enable over-the-air updates, reducing the need for physical recalls and reducing waste associated with hardware replacements.

Challenges and Considerations

1. Cybersecurity

With increasing connectivity and reliance on software, cybersecurity becomes a critical concern. As Software Defined Vehicles become more commonplace, manufacturers and developers need to prioritize security measures to protect vehicles from hacking and unauthorized access.

2. Data Privacy

The extensive use of software in SDVs generates vast amounts of data. It’s crucial to develop robust privacy frameworks to ensure the responsible collection, storage, and use of data, protecting user privacy rights.

3. Regulatory Framework

The emergence of Software Defined Vehicles raises questions about legal and regulatory frameworks. Governments and authorities need to adapt and establish comprehensive regulations to ensure safe and responsible integration of SDVs into existing transportation systems.




Conclusion

Software Defined Vehicles represent a paradigm shift in the automotive industry. By harnessing the power of software and connectivity, SDVs offer unparalleled flexibility, improved safety, enhanced user experience, and sustainability benefits.

However, to fully unlock the potential of SDVs, we must address challenges related to cybersecurity, data privacy, and regulatory frameworks. Embracing this transformative technology will lead us into a future of smarter, safer, and more efficient transportation.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Matt Mickle, McKenzie Jonsson, and Decoteau Wilkerson.

Stay tuned to our blog for future software defined vehicles content, including more in-depth explanations of how to adapt to these key challenges.






Embracing the Future of Healthcare: Exploring the Internet of Medical Things (IoMT)

Internet-connected devices, part of the Internet of Things (IoT), are everywhere. These devices, often referred to as “smart” devices, are in our homes, cars, offices, and gyms. Therefore, it is no surprise that smart devices are making their way into our healthcare environments. In the ever-evolving landscape of healthcare, technological advancements continue to revolutionize the way we diagnose, monitor, and treat patients. Among these groundbreaking innovations, the Internet of Medical Things (IoMT), also called Healthcare IoT, has emerged as a powerful force, combining the power of the internet and medical devices to improve patient care, enhance efficiency, and drive positive health outcomes. This article delves into the world of IoMT, exploring its potential and highlighting its significance in shaping the future of healthcare.

Understanding IoMT

IoMT refers to a network of medical devices, sensors, software applications, and healthcare systems interconnected through the internet. These interconnected devices gather and exchange vital data, enabling healthcare providers to remotely monitor patients, track health conditions, and make informed decisions in real-time.




How IoMT Transforms Healthcare

  1. Remote Patient Monitoring: IoMT allows healthcare professionals to remotely monitor patients’ health conditions in real-time. Connected devices, such as wearables and implantable sensors, collect valuable health data, including heart rate, blood pressure, glucose levels, and more. This continuous monitoring helps in the early detection of abnormalities, enabling prompt intervention and preventing complications.
  2. Enhanced Patient Engagement: IoMT empowers patients to actively participate in their own healthcare. Connected devices enable individuals to monitor their health parameters, track progress, and access personalized health information through user-friendly mobile applications. This increased engagement and access to information promote medical compliance, leading to improved health outcomes.
  3. Efficient Healthcare Delivery: IoMT streamlines healthcare delivery by automating processes and reducing human error. Smart devices integrated with electronic health records (EHR) systems enable seamless data sharing, eliminating the need for manual data entry. This enhances the accuracy and speed of medical documentation, enabling healthcare providers to focus more on patient care.
  4. Predictive Analytics and AI: IoMT-generated data, combined with advanced analytics and artificial intelligence (AI), provides powerful insights for healthcare decision-making. Machine learning algorithms can analyze vast amounts of patient data to identify patterns, predict disease progression, and support personalized treatment plans. This data-driven approach improves diagnostics, enhances treatment outcomes, and reduces healthcare costs.

Challenges and Security Considerations

While the IoMT brings forth numerous benefits, it also presents challenges and security concerns that must be addressed. Privacy and data security are critical considerations when dealing with sensitive patient information. In addition to privacy concerns, healthcare data is used to devise and implement patient care plans, and incorrect or altered data can result in detrimental, rather than successful care. Robust security measures, including encryption, access controls, and regular system audits, must be implemented to safeguard patient data from potential cyber threats.

The Impact of IoMT on Healthcare Professionals

The Internet of Medical Things (IoMT) not only benefits patients but also has a significant impact on healthcare professionals. With IoMT, healthcare providers can access real-time patient data, allowing for more proactive and informed decision-making. This immediate access to critical information enables doctors and nurses to remotely monitor patients, detect potential issues early on, and intervene promptly. By leveraging IoMT, healthcare professionals can optimize their workflows, reduce administrative burdens, and focus more on delivering quality care to their patients. Additionally, IoMT facilitates collaboration and consultation among healthcare providers. Through secure data sharing and telemedicine applications, specialists from different locations can review patient information, discuss treatment plans, and provide expert advice. This seamless connectivity between healthcare professionals promotes knowledge sharing, enhances diagnosis accuracy, and enables comprehensive, multidisciplinary care. IoMT enables healthcare providers to leverage the collective expertise of a network of professionals, ultimately improving patient outcomes and optimizing resource allocation.




IoMT in Remote and Underserved Areas

One of the most significant advantages of IoMT is its potential to address healthcare challenges in remote and underserved areas. In regions with limited access to healthcare facilities, IoMT offers a lifeline by bringing medical expertise and resources virtually. Remote patient monitoring through connected devices enables healthcare professionals to remotely assess patients’ vital signs, chronic conditions, and recovery progress. This capability is particularly valuable for individuals living in rural areas, elderly patients, and those with limited mobility. Furthermore, IoMT can bridge the gap between patients and specialized healthcare services. Through telemedicine, patients in remote locations can consult with medical specialists without the need for long-distance travel. This reduces the burden on patients and their families, improves access to specialized care, and enhances health outcomes. The IoMT’s ability to deliver healthcare remotely has the potential to revolutionize healthcare delivery, ensuring that quality care reaches even the most underserved populations.

The Future of IoMT: Advancements and Opportunities

IoMT is rapidly evolving, with continuous advancements and exciting opportunities on the horizon. As technology progresses, we can expect further integration of IoMT with AI and machine learning algorithms. These advancements will enable more accurate diagnostics, personalized treatment plans, and predictive analytics, leading to precise and targeted healthcare interventions and improved patient outcomes. Moreover, the emergence of 5G technology will play a pivotal role in unlocking the full potential of IoMT. The high-speed and low-latency capabilities of 5G networks will support real-time data transmission, facilitating seamless connectivity between devices and healthcare systems. This will revolutionize telemedicine, remote patient monitoring, and enable new applications such as robotic surgeries and augmented reality-based medical training.

Conclusion

The Internet of Medical Things (IoMT) represents a revolutionary paradigm shift in the healthcare industry, offering immense potential to improve patient care, increase efficiency, and drive positive health outcomes. By harnessing the power of interconnected medical devices, sensors, and advanced analytics, IoMT enables remote patient monitoring, enhances patient engagement, streamlines healthcare delivery, and leverages predictive analytics. Despite challenges, with careful attention to security and privacy, IoMT has the potential to shape the future of healthcare, ushering in an era of personalized, connected, and data-driven medicine.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Jakob Khazanovich, McKenzie Jonsson, and Decoteau Wilkerson.



In this blog, we recap our webinar, “Accelerate Your ECSS Standards Compliance with Jama Connect®”. Click HERE to watch the entire thing.


Streamline your systems engineering efforts and ensure your products meet all the necessary industry standards.

Jama Connect® enables digital transformation with a more efficient and user-friendly approach to managing space systems development. It can optimize your systems engineering efforts and ensure your products meet all the necessary industry standards.

Learn how to incorporate regulations governing European space systems development into your Jama Connect solution. In this webinar, we discuss how customers can leverage a library of the European Cooperation for Space Standardization (ECSS) standards right inside their Jama Connect instance.

Cary Bryczek, Director of Aerospace & Defense (A&D) Solutions at Jama Software® along with fellow A&D experts Alisa Eikanas and Martijn Janssen, provide a high-level overview of the ECSS standards, along with best practices for leveraging them within Jama Connect, including:

  • ECSS Process workflows and how they align with processes managed within Jama Connect
  • Establishing an ECSS Library in Jama Connect to provide a Single Source of Truth
  • Explanation on how to tailor the ECSS requirements and leverage Jama Connect’s Reuse capability


Below is an abbreviated transcript of our webinar.


Accelerate Your ECSS Standards Compliance with Jama Connect®

Cary Bryczek: So welcome to today’s webinar. I am Cary Bryczek, the Director of Aerospace and Defense Solutions. I lead up a global team of industry and Jama Connect experts. For today’s webinar, two esteemed members of the team will be speaking. First to speak is Martijn Janssen. Martijn is a senior consultant at Jama Software. He has been working with PLM and requirements management solutions for over 15 years and is very proficient in not only Jama Connect but the Siemens industry software solutions as well as PTC Windchill. He currently works on implementing space-related systems such as satellites, launchers, and space-related components in the European Union for our Jama Connect partners. Martijn is a specialist in both systems engineering and information technologies.

We are also joined by Alisa Eikanas. Alisa is a senior consultant at Jama Software. She has over 15 years of experience supporting multi-discipline engineering teams and brings more than 10 years of experience as a business analyst to Jama’s customers. She works with our largest US government and commercial space customers in the US and she’s an expert at helping customers migrate data from legacy requirements tools such as Doors to Jama Connect. And with that, I’ll pass it over to you Martijn.




Martijn Janssen: Well, thank you for the introduction there, Cary. So welcome everybody to our webinar on ECSS. I’m very excited today to introduce you to the way we manage ECSS standards within Jama Connect. Over the past couple of years, we’ve been working with a lot of customers on managing ECSS standards within our solutions, and today we’re going to show you some examples of how we manage to do that.

So without further ado, I’m going to go over some of the ECSS standards, which include the use cases our customers face, and then afterward Alisa will dive into the system and show you some of those use cases in action in Jama Connect. Let’s dive into the presentation.

When we talk about ECSS, and I presume many of you here already are aware, but for those of you that are not aware of ECSS, ECSS is a European Cooperation and it’s a collaboration between the ESA, the European Space Agency, and many different other space agencies across the world to make sure that we have a single set of standards that we can use across companies working in the European space activities. Many of our customers around the world are looking to those standards, making sure they’re compliant with them, and working with those standards in different projects and at different levels.

So ECSS is a standard. You can find a lot of information on the website for ESA about the standards. They’re all there to be found if you’re not aware of them already. The way that ECSS is organized and set up is something you will see in the standards on the website itself, but we also have the organization within our Jama Connect application. So once Alisa’s going to show the demo, you will recognize a lot of those structures in Jama Connect.




Janssen: So when we talk about the standards, the standards are divided into branches and disciplines. So you will find, for example, the different branches on the top level there. So for example, the space project management branch or the engineering branch. Below those branches, you will find a lot of disciplines detailed per section. They are numbered in a specific way. Again, when we look into the demo, you will see a lot of those specific annotations come back and we maintained that same structure within Jama. So many of our customers use a subset or a number of these standards in their Jama Connect application to make sure they are compliant and they are working towards the standards that ESA has set for these specific projects. So the main structure in here is recognizable towards what is on the websites and in the organization of ECSS.

Outside of the actual organization of the disciplines and the branches, the disciplines themselves are even further, let’s say detailed in documents. All these documents fall into one of those disciplines. So for example, when we look at the discipline of system engineering, you can see a large number of documents below that, talk about different topics. So for example, on testing, on verification, on referencing coordinate systems, all kinds of documents describing the standard, what you need to do to be compliant towards those standards.

Now these documents are pulled into Jama Connect. And as you will see later on, we have all these documents available for you to start tracking and tracing compliance. So the structure from a branch to a discipline to all the documents is something that you will recognize in the demo later on by Alisa and where you can find and filter and search for certain topics that are numbered and maintained by the ESA.

To watch the entire webinar, visit:

Accelerate Your ECSS Standards Compliance with Jama Connect®




How to Plan for Large Language Model (LLM) Adoption Within Your Engineering Organization

The initial free and unprotected access to ChatGPT (the most well-known Large Language Model) has led some individual engineers to try out the tool by using company-owned trade secrets and intellectual property (IP) as prompts. The predictable result has been IP leakage with numerous high-profile examples, including at Samsung. As a result, many companies, including Apple, have banned internal use of the technology outright. Additional risks are just starting to be understood given the lack of consent provided by the actual owners of content that was used to train the LLMs. This leaves the concept of ownership of LLM output, and the ability to protect intellectual property that includes LLM output, in question, and legal experts are advising caution. Clearly, it will take some time for legal frameworks and precedents to be established for the use of LLMs in product development and for enterprise-class integrations to be developed to LLMs that properly allow for company level standards and governance of IP. Numerous lawsuits, such as Clarkson v OpenAI, are now underway alleging all of the data to train the LLMs was obtained without consent or remuneration and violates copyright law.




Given the risks and unresolved legal questions LLMs pose for product development, how should an engineering organization plan an adoption path to achieve potential benefits from intelligent assistance for engineering tasks?

The guidance we provide our clients is to focus on the following three areas, ranked in order of greatest benefit from intelligent assistance:

  1. Improve requirements quality – Poorly specified requirements account for up to 64% of defects and are the costliest ones to correct. The International Council on Systems Engineering (INCOSE) and the Easy Approach to Requirements Syntax (EARS) have established best practices for requirements specification and unfortunately, LLMs are trained on publicly available requirements content that is rife with all the most common errors addressed by INCOSE and EARS. The best intelligent assistant to improve requirement quality is a Natural Language Processing (NLP) approach that analyzes requirements against INCOSE and EARS best practices and recommends improvements – which is exactly what Jama Connect Advisor™ does. Jama Connect Advisor protects all IP and engineers learn how to write better requirements through intelligent guidance.
  2. Manage by exception – The engineering function is one of the last in the enterprise to be managed through data. The engineering process is often fragmented across teams and tools which leads to late identification of cross-discipline issues that result in defects, delays, cost overruns, and recalls. Jama Connect® intelligently solves this problem through Live Traceability™ which automatically syncs data across best-of-breed tools and tracks engineering progress against the chosen development model (e.g., V-model) to identify issues as early as possible and thereby reduce the risk of defects, delays, cost overruns, and recalls.
  3. Increase engineer productivity – The biggest drains on engineering productivity are most commonly integration meetings and rework. Jama Connect’s Live Traceability intelligently alerts teams to impactful change from other engineering disciplines. Live Traceability eliminates the need for time-consuming and mind-numbing integration meetings and is proven to reduce rework based on our groundbreaking benchmarking study. Further productivity gains can be achieved by leveraging LLMs for requirement decomposition and we intend to be one of the first to market with an enterprise-class solution that protects IP and enables company standards.



To get started with intelligent assistance, learn how best to improve requirements quality across your engineering organization with the NLP application of EARS and INCOSE best practices.



EU Medical Device Regulation (MDR) and In-Vitro Device Regulation (IVDR)

In this blog, we recap the “An Overview of the EU Medical Device Regulation (MDR) and In-Vitro Diagnostics Regulation (IVDR)” webinar.


Looking to stay ahead of ever-evolving regulations governing medical devices?

In this webinar, we discuss the continual rollout of the EU Medical Device Regulation (MDR) and In-Vitro Device Regulation (IVDR) and the impact they’re having on the medical device industry.

Vincent Balgos, Director of Medical Device Solutions at Jama Software and Saby Agai, Sr. Consultant at Jama Software, provide a high-level overview of the new regulations, along with general industry observations and future considerations for organizations with medical products marketed in the EU market area, including:

  • New classifications, grandfathering clause, and risk management requirements
  • The number of notified bodies, backlog, and remediation efforts for placed products
  • Future considerations regarding the compliance compatibility of IVDR & FDA and traceability
  • Finally, learn how the Medical Device Framework in Jama Connect® can help streamline your compliance efforts and ensure your products meet all the necessary regulatory requirements.

Below is an abbreviated transcript and a recording of our webinar.

Why it Makes Sense to Store Cybersecurity Risk Management Items Inside a Requirements Management System

Saby Agai: So, in the first part of the webinar we will talk about the EU medical device regulations. There is a small agenda to that. Basically, we would like to show the key changes and challenges that the MDR means compared to the MDD. We would also like to talk a little bit about what we see as the challenges for the process transformation of the medical device developers and also a bit of discussions with the race on the timeline for the MDR. The second section is on the MDR for the MedDev engineering. So basically, how the engineering teams can do anything with the MDR. We’ll talk about harmonized standardization. How does that fit in the concept of the MDR? And some of the medical device best practices that we would recommend. So the medical device regulations now has quite a bit of history because the MDR is valued also for existing [inaudible 00:04:15] devices and also for all the new devices.

The medical device regulations entered into force historically in May 2017, and there was a bit of extension period in 2020 that the certificates issued under the MDD before the MDR remained valid up to four additional years. So it was a bit of a time extension for manufacturers to migrate the legacy devices to the MDR. Recently, in 2023, the EU Commission had the new rule, 607 was the number of it, on the time extension for the medical device regulations. So there are two time extensions now in force for December 2027 and 2028 for all devices. As part of this modification, the commission removed the sell-off period from the original context of the medical device regulation.

Three key areas that we would mention that we see as key challenges with the MDR: first is the technical documentation. So because the legacy medical devices have to be reclassified in the context of the new MDR, those manufacturers highly likely will face an extended set of documentation for market clearances in the EU. It’s particularly true for software as a medical device because, basically, the class one level has been removed by legislation for all software as a medical device. The other thing on the technical documentation is that the MDR is far more prescriptive about the requirement content of the technical documentation, and it’s particularly true and there are more detailed requirements needed for the quality management system. So the manufacturer will have to ensure that they not only have full access and control for the documentation of the device, but also they should keep an eye on the market and the vigilance market, post-market vigilance area, as well as publication of new common specifications.




Agai: So there is a bit of higher focus on the post-market activities in the context of the MDR. And the technical documentation basically has two key parts in Annex II, annex III it’s detailed. Annex II there is a list of requirements for the technical documentation itself for the device design, and also, in Annex III, we see details or requirements for technical documentation post-market surveillance. So nothing particularly new, only an extended set of expectation and requirements for all these contents. Little note something on the technical documentation. So historically, the technical documentation has a tradition to be seen as a burden on the med tech developers and additional administrative work. And quite often, at the end of the development cycle, there is a massive effort made to make what is documentation available for regulators and also for market clearance. It definitely could require very intense administrative work from the engineering sometimes stress involved and also, the content creation has not much help or not much support for the regional engineering activities, which is the development.

So this content is created purely to support the market access activities, and it should not necessarily be the case, though. So, for example, we in Jama have a medical solution. It’s an example proven a tool actually can support both med tech developers to enhance the development efficiency as they develop a new device as well as to support these technical documentation needs at the same time. So it’s an opportunity also for organizations to get the most out of using a tool when they are thinking about easing the burden of the medical device regulation technical documentation part.




Agai: Thirdly but not lastly, there was a new, particularly in EU requirements for the unique device identifier. So basically, 2021 was a deadline to register an MDR UD MDR devices with the UDI in the [inaudible 00:09:02] framework, and for the IVDR, it’s 2022. Looking purely at the numbers, we could say that the content of the MDR compared to the MDD is actually four times heavier. So the extent and the legal text basically is four times more. There are five plus annexes that we can see, and there is a special attention on safety and patient safety particularly because 293 times mentioned the safety word in MDR where in the MDD was the 24. All these numbers are also telling that the regulators in EU want to have higher scrutiny compared to the MDD, and they also have more details on that level of expectation that they would like to see from manufacturers. And there is a definite focus on patient safety that we can see.

Two more things to mention is that quite often, in the context of the MDR, the legacy devices should be reclassified into a higher level class. So it means that the quality management process support is more intense, and more support expected. More activities and works are expected from the manufacturer to keep the same device basically on the market. It also could mean that companies should take a step for high-level maturity as an organization and it’s true also for the design and device development activities. So one of the challenge with that is that if we talk about the same device with higher regulatory scrutiny, how do we retain and enhance profitability? Because the administrative burden is definitely something that goes towards the cost part of the profitability. So the design and development goes under higher level of process expectation in that sense, and it goes higher level of design documentation needs as well. So one of the advantages using the tool in general medical device environment that the medical solution can ease actually this work and enable a bit quicker, and the developers can leverage a little bit more help on these challenges.

To watch the entire webinar, visit
An Overview of the EU Medical Device Regulation (MDR) and In-Vitro Diagnostics Regulation (IVDR)


Cybersecurity

In this blog, we recap the “Why it Makes Sense to Store Cybersecurity Risk Management Items Inside a Requirements Management System” webinar.


In this webinar, “Why it Makes Sense to Store Cybersecurity Risk Management Items Inside a Requirements Management System”, learn about the implementation of the Threat and Risk Analysis (TARA), the centerpiece of the new Automotive Cybersecurity standard ISO 21434.

Many companies currently use spreadsheets to develop TARAs, which can be challenging when managing large sets of requirements across distributed teams and car line variants. In this webinar, we’ll examine why a requirement management system (RMS) is well-suited to manage the TARA work product and can make a significant impact on managing this data across teams, supporting compliance audits, and assessments.

Attendees will gain insights into TARA’s complexities and how the right tooling solution can make a difference in managing this data across teams, supporting compliance audits and assessments.

Key Takeaways:

  • The Threat and Risk Analysis or TARA is the centerpiece of the ISO 21434 Automotive Cybersecurity standard
  • Overview of TARA
  • ISO 21434 compliance requirements when implementing TARAs
  • Why an RMS is well-suited to manage TARAs

Below is an abbreviated transcript and a recording of our webinar.


Why it Makes Sense to Store Cybersecurity Risk Management Items Inside a Requirements Management System

Kevin Dibble: Thanks, Juliet. Okay. I’m going to just go through the agenda and then get right into 21434. I’ll start with a high-level introduction and then get into the focus of our topic today, which is the threat and risk analysis, which is a centerpiece of 21434, also known as the TARA. And then make an argument for the management of a TARA using an RMS or a requirement management tool. And then Steve will take over and talk about what that would look like in Jama Software and summarize with some key points of managing TARAs in Jama versus some traditional methods. And then we’ll have time for some questions.

So with that, again, this is going to be a very high-level overview of 21434. I have a feeling that some of you have worked in cybersecurity for some time, others are just brand new to the term. And so, I want to touch on this as a basis for the rest of the discussion.

And so, first, what is 21434? It is the automotive industry standard for developing cyber secure systems. After several years of review, it was approved in August of 2021 as the method for developing cyber secure systems. In terms of the standard itself, it’s structured and uses a lot of the same terminology as the functional safety standard called ISO 26262. So if you’re familiar with functional safety, then this standard will make a lot of sense the way that it’s organized. Some of the terms such as an item definition, a concept phase, a cybersecurity goal, even TARA parallels functional safety terms like functional safety concept, functional safety goals, or the HARA, Hazard and Risk Analysis. And so, that’s just a reference point as you’re learning about this new standard. Now as far as its scope, it covers or it applies to passenger vehicles and cargo vehicles.

So just a little bit different than ISO 262 there, passengers would include buses, commercial or non-commercial. I think even tripods and some of those other types of motorcycle hybrid type of devices are in or vehicles are in scope as well. It applies to series production and it uses a lifecycle that starts at the request for a quotation for an item. And I’ll define that in a little bit and goes all the way through to the end of cybersecurity support. So like functional safety, we’re not talking about supporting the risks and the hazards associated in this case with threats from attackers leading up to SOP, but it extends far past that. In fact, in 21434, instead of using the term SOP or start of production, which is a critical milestone in any automotive product development program, they call that milestone the release to post-development.


RELATED: Functional Safety (FuSA) Explained: The Vital Role of Standards and Compliance in Ensuring Critical Systems’ Safety


Dibble: And I want to camp on that for just a second because it raises a really important point and it’s very relevant to what we’re going to talk about regarding the TARA. Release to post-development. So the automotive industry is under a lot of change and OEMs want to be or are becoming mobility providers and services will be sold after the car is released. And some of those services weren’t even imagined at the time the car was sold. That’s so different than where the automotive industry was even five years ago. And this standard recognizes that and embraces it along with another important concept, which is that the world of cybersecurity and the landscape for threats and the technologies and the tools that are used to attack vehicles is constantly changing. And so, at the release to production, what is assumed to be protected in terms of say a set of cryptographic keys or a communication bus might be more vulnerable in five years than it was when the car was released because of new techniques, new methods, new tricks, new hacks, and other things that have been discovered.

And so, that’s an important concept because it feeds to our idea that we’re going to get into about the TARA as a living document, as a living asset that begins all the way at the concept phase at the beginning of the high-level architectures of the item or the system in the car. And extends all the way until the end of life for cybersecurity support, which is 10, 15 years down the road. Now, the 21434 has both requirements for developing cyber secure systems, is kind of what I’m showing you on the right, but it also has process requirements. And to that end, there is an audit of the process and an assessment of the results of your project according to 21434. That assessment piece is important for our discussion because when we think about the TARA and the pieces of it or the items of the TARA, then we have to think in terms of what are the evidences we need to leave behind and produce in order to pass an assessment, very important consideration.


RELATED: A Guide to Road Vehicle Cybersecurity and Risk Management: Part 1


Dibble: And so, we have audits for the processes and then assessments for the end result. So that’s very brief overview of 21434. I want to make sure I leave you with the… If you remember anything about 21434 besides the TARA, you’ll hopefully remember this, is to manage unreasonable risk of damage to road users due to a malicious attack to a vehicle or a vehicle data, confidentiality, integrity and availability. Let me unpack that for just a second. Unreasonable risk, this is when you get into a car, when you operate a vehicle, you assume some risk. But that risk doesn’t include driving down the highway at 70 miles an hour, turning right and the car going left or the headlights going off while you’re on the highway at night. It applies to road users. That’s the people that use the road, the driver, the passengers, and the people surrounding it.

All of that is our scope for how we’re going to define threats according to 262 and then mitigate them against malicious attack due to… That’s the cyber aspect of this. And then what’s being attacked and what are we protecting? We’re protecting vehicle systems, functions, data, et cetera. We call them assets according to their properties, confidentiality, integrity and availability. There could be more properties, that’s the CIA that we’re protecting. Why is cyber such a hot topic? Well, I would say there’s several reasons, but here’s two of the big ones. On the left of my slide, the advent of the connected car coupled with the automated driving functions. I’m not going to read through all the stats here, but the connected car is here. It’s 2 billion in terms of the market in 2021 to grow to $5.3 billion in 2026. And the connected car is accessible via the internet, accessible via Bluetooth and other network interfaces, which all result in attack surfaces. It also has a lot more software.

To watch the entire webinar, visit
Why it Makes Sense to Store Cybersecurity Risk Management Items Inside a Requirements Management System


Airborne Systems Solution

In this blog, we recap our press release, “Jama Software® Delivers Major Enhancements to the Jama Connect® for Airborne Systems Solution” – To read the entire thing, click HERE


Jama Software® Delivers Major Enhancements to the Jama Connect® for Airborne Systems Solution

Accelerate and optimize airborne systems development with a new set of supported frameworks, projects, and standards

Jama Software®, the industry-leading requirements management and traceability solution provider, has announced enhancements to its Jama Connect® for Airborne Systems solution. Jama Software is committed to continuously enhancing its industry solutions, enabling customers to easily manage requirements, achieve Live Traceability™ and accelerate systems development.

The Jama Connect for Airborne Systems Solution is a complete set of frameworks, example projects, and procedural documentation used to accelerate the implementation of Jama Connect for organizations developing airborne systems and components. This is the third major upgrade to the solution since 2019 and these new capabilities are available to existing and new customers alike. The update both refines the existing solution elements and expands the scope of the solution to meet airborne safety and cybersecurity standards ARP4761A and DO-326A respectively.

“Having all of the applicable 14 CFR regulations preloaded at the beginning of a new project greatly accelerates assigning the driving requirements without extensive data entry.”

Jeffrey Spitzer, Chief Engineer at Transcend Air

The newly upgraded Jama Connect for Airborne Systems provides the following benefits:

  • Reduced adoption time of new standards such as ARP4754A/DO-178C/DO-254/ARP4761A when developing complex airborne systems
  • Reduced deployment time and risk of negative outcomes with defined and justified configuration, export templates, and reports
  • Increased confidence and decreased time-to-value with an established scope and direct alignment of requirements for Airborne Systems

“Jama Software continues to lead with innovation and work alongside our customers to invest deeply and cater to the needs of the Aerospace and Defense (A&D) industry. The Jama Connect for Airborne Systems solution has enhanced support and provides a standards-compliant framework that can streamline compliance demonstration for aviation system development. This is a major milestone for us! And we are here to help our customers stay ahead of the rapidly changing Aviation industry.”

Cary Bryczek, Director of Aerospace and Defense Solutions at Jama Software

The Jama Connect for Airborne Systems Solution consists of multiple components that make up a ready-to-use configuration including:

  • Airborne Systems Dataset: Includes frameworks and sample sets aligned to ARP4754A, ARP4761A, DO-178C, DO-254, DO-326A along with US Code of Federal Regulations Airborne Systems Library (eCFR) – pre-imported Title 14, Subchapter C, Parts 21-59.
  • Procedure Documentation and Reports: The procedure documentation provides teams with straightforward processes that they can follow to make the best use of Jama Connect in compliance with the standards included in the dataset.
  • Data Exchange (Add-On): This utility allows the exchange of requirements, architecture, and tests across the supply chain and between tools using the industry standard ReqIF format.
  • Success Program (Add-on): Includes an Aerospace and Defense Jama Consultant to optimize your Jama Connect configuration, teach best practices, and train your team.

“Jama Connect has enabled Ursa Major to document airborne systems requirements and track verification closure in a streamlined and organized way which has enhanced communication and success between our teams.”

Maggie Mueller, Systems Engineer at Ursa Major Technologies, Inc.

To learn more about Jama Connect for Airborne Systems Solution, please visit our Aerospace and Defense page.
If you would like to speak with one of our industry experts and book a free Jama Connect trial click here.


Read the entire press release here!
Jama Software® Delivers Major Enhancements to the Jama Connect® for Airborne Systems Solution


automotive

As we enter 2023, Jama Software asked selected thought leaders – both internal Jama Software employees and our external partners – across various industries for the trends and events they foresee unfolding over the next year and beyond.

In the final blog of this five-part series, we asked Steve Neemeh, CEO / CTO of LHP Engineering Solutions – Danny Beerens, Senior Consultant at Jama Software – and Richard Watson, Practice Director at Jama Software – to weigh in on automotive product and systems development trends they’re anticipating in 2023.

Click the following links to visit part 1 – 2023 Predictions for Product & Systems Development Teams – part 2 – 2023 Predictions for Aerospace & Defense Product Development – part 3 – 2023 Predictions for Industrial and Consumer Electronics Product Development – and part 4 – 2023 Predictions for Medical Device Product Development

Read more about the authors at the end of this blog.


2023 Predictions for Automotive Product Development

Design Trends – What are the biggest trends you’re seeing in your industry right now? How will they impact automotive product, systems, and software development?

Steve Neemeh: A generation ago software was introduced in engine controls that changed the automotive industry and allowed for efficiency and emissions improvement that mechanical systems could not provide. In today’s world, software is entering a new stratosphere of complexity. Rather than focusing on emissions, the goal is the user experience. High-tech meeting transportation changes the paradigm for automotive companies.

Danny Beerens: I don’t see a lot has changed in this regard. What is changing is what’s being built, not how it is being built.

Richard Watson: Taking advantage of Live Traceability™ will become increasingly important.


Definition of Live Traceability: The ability for any engineer at any time to see the most up-to-date and complete up and downstream information for any requirement, no matter what stage of development it is in or how many siloed tools and teams it spans. This enables the engineering process to be managed through data, and its performance improved in real-time.

RELATED: Jama Software® Partners with Sterling PLM: Expands Lifecycle Management and Live Traceability™ Expertise Offerings


Biggest Challenges – What are some of the biggest challenges you think automotive companies will be working to overcome in 2023?

Neemeh: The commercialization of the zero-emissions vehicle is the biggest challenge for 2023. The price points are a challenge. The supply chains are limited and not optimized for worldwide expansion. And, the energy grids are outdated in many places, such as California.

In terms of product and systems development, what do you think will remain the same over the next decade? What will change?

Beerens: More and more brands will move to electric vehicles, making those vehicles and specifically their motor management components more software driven. The various other components (primary functions, driver assistance/automation, as well as onboard entertainment) will also become more electronically controlled and thus software driven.

[Side note] Autonomous driving vehicles even sparked new fields in Software Engineering, like Ethical Software Engineering (studies the interactions of human values and technical decisions involving computing).

Clearly the Automotive Industry is shifting from Hardware/Mechanical Engineering and Electro-Mechanical to Software Engineering, forcing Product Data Management, or Product Lifecycle Management, vendors to start including Application Lifecycle Management into their environments. Hence you see Siemens Teamcenter has acquired Polarion and PTC Windchill acquired Codebeamer recently.

The Holy Grail will be an ALM/PLM environment that truly embraces Configuration Management for all engineering disciplines involved, combined.

Anticipating a new player not hindered by their already existing PLM or ALM application, neither their customer base, to develop a truly all incorporating ‘Engineering Assets Configuration Management’ environment, platform or application.

For the next decade, next to fully autonomous driving vehicles, flying cars might be the new way to fight congestion and a more personalized way to get around.

Regulations – What changing regulatory guidelines do you anticipate having an impact on companies in 2023?

Neemeh: With any new products in automotive, recalls will drive governments to regulate safety more closely. Functional safety is now a common term in automotive and most large OEMs are trying to find a way to comply and keep themselves from facing potential liability. The implementation of functional safety in the software development process will keep inching forward until a trigger makes it mandatory.

How do you foresee regulations shifting in Automotive Product and Systems Development over the next decade?

Beerens: Certainly, autonomous driving will introduce regulations to control not only functional safety and cybersecurity, but also for road safety (and legal responsibility) to interact with non-autonomous driven cars, until we’ve reached an era where none of us drive ourselves and all cars are controlled centrally to manage traffic flows.

Demands on alternative powertrains (e.g., hydrogen, or fuel cells) and existing electric driven cars’ necessity for fast charging and/or quick exchange of batteries, will spark off new technologies.

Apart from the obvious increase in data points and data exchange of the vehicle itself (sharing information for predictive maintenance, or usage of the car; tachograph in trucks) and its manufacturer and/or service station, G5 Connectivity of (autonomous driving) vehicles interacting with new traffic control instruments in, next to or on the road that assist with difficult traffic situations (automatically move to the side to allow emergency vehicles to pass), or location (purposely slow down at intersections that don’t have clear visibility of oncoming traffic) and react to traffic lights.

As a reaction to reduce CO2 emissions (car sales are in a slow decline for a few years now already) new forms of mobility will arise where MaaS (Mobility as a Service) are being offered, sparking off disruptive newcomers to the traditional car sharing companies (renting: Hertz, and even taxi: Uber), like for example Lynk&Co, offering “memberships” for more flexible car usage and for car sharing with family and friends.

Tool Innovation – From an automotive engineering toolset perspective, what are some of the processes you think forward-thinking firms will be working to leverage or incorporate into their process and why?

Neemeh: Functional safety requires a strict development process and tools that support that process. Traditional tools only meet a small piece of that. They need to be integrated into an overall workflow and safety culture.

Any major disruptions to the Automotive Product and Systems Development industry you’re anticipating in 2023?

Watson: Political environment, supply chain issues, increased cost of specific items (such as chips). This increased cost is pushing the buyers into higher income areas, changing what kinds of cars will be successfully built.

Because of cost issues, refurbishing and retrofitting existing cars will become increasingly important. Similarly, car sharing will be increasingly wanted to control costs.

What role will cybersecurity play in automotive development in the coming year and beyond?

Neemeh: Safety can’t be achieved without cybersecurity. Assessment of your system’s vulnerability and its inclusion in your safety case is key to overall product acceptance. The more that cars become connected, the more this becomes important. Autonomous driving will be the pinnacle of connected cars. The more we move in that direction the more cybersecurity becomes a concern.


RELATED: A Guide to Road Vehicle Cybersecurity According to ISO 21434


What sorts of process adjustments do you think development teams will need to make to be successful in 2023?

Watson: Automotive systems continue to have a stronger focus on software and this shift will continue. Different categories of software are provided in a vehicle from safety-critical to entertainment and this drives complexity sky-high.

With regulations continuing to get more stringent, development practices for non-safety-critical software systems must be tightened and this drives a focus to improve Agile practices. “Agile” is not an excuse to “throw something together” and must be supported by improved specification and verification techniques.

In your opinion, what are the biggest differences between an automotive company that survives to see 2030, and one that doesn’t?

Neemeh: Getting prototypes on the road and small-scale production with new technology (EV/Autonomous) is a monumental feat. The next step, however, is the commercialization of that technology into a transportation industry that is concerned about public safety. Those that consider that in the rollout and enable the scaling of safety-critical infrastructure will win, while the others will hit a brick wall of regulation.

Watson: A combination of sustainability with control of spiraling costs. There is a world shift in planetary awareness and the automotive market is at the forefront of reducing our consumption of fossil fuels. Car prices are increasing beyond inflationary rates and this increase will price out much of the lower market. Only organizations that can shuffle sustainability, quality and costs will survive this decade.

What role will cybersecurity play in automotive development in the coming year and beyond?

Watson: A shift towards Internet of Things (IoT) has exposed almost all aspects of automotive systems to the internet and social media. Cybersecurity will take a stronger focus, especially for those software systems that already interact with our social networking applications.

Beerens: Not only for our social networking applications; for long all systems utilizing the various onboard connections simply accepted instructions, without checking if that instruction was from a valid source. The infamous hack of a Land Rover during Black Hat 2014 proved that. Encryption and intrusion detection are a good line of defense, but Zero-trust (or validating the source of the commands) Cybersecurity will be increasingly important for onboard systems from entertainment systems, connections like CAN, Wi-Fi, Bluetooth or NFC, to motor management.

What advice would you give to new companies entering the automotive industry?

Neemeh: Get your workflows set up and your tools ready and optimized before you start throwing bodies at problems. Engineers are expensive. When they are set up properly, they can create miracles. But if they are burdened with administrative problems, they will get frustrated and leave.

Beerens: Look at established tool chains and industry templates to have a running start at the get-go. The European Union has an advisory board with such tool chains and templates. Concern yourself with compliancy from the beginning. Which compliancy standards you concern yourself with will depend on what parts of the auto you are working on.

Watson: Don’t try and define and invent the wheel and get help. There are many development tools available, find which tools work best based on tool reviews. Once selected, ask the vendor for the best way of working and don’t force the tool to do inefficient practices.


RELATED: Accelerate Your Automotive Development Requirements Management with Jama Connect®


What topic(s) do you wish companies were paying more attention to?

Watson: Understanding how to address complex problems without the systematic nature we have relied upon. This is the only way to keep control of costs.

Predictions – What do you think will remain the same in your industry throughout 2023?

Neemeh: The adoption of electric vehicles will continue. Governments are behind it and the adoption rate is increasing.

What do you predict for regulation in the Automotive industry in 2023?

Neemeh: Involvement in the design process and review of ADAS features will become more important. The NHTSA has already started putting frameworks in place for that in the USA. In Europe, functional safety is commonplace and regulated already.

Will those trends still be prevalent 5 years from now? 10 years?

Neemeh: Yes, and it will move as fast as ADAS features move forward. Any autonomous Level 5 applications will jump-start this trend.

Where do you see Jama Software fitting in as the product development landscape evolves, and what can our customers expect as 2023 approaches?

Watson: Jama Software® is perfectly positioned to help the automotive industry allowing extended stakeholders to be directly involved with authoring and reviewing specification and verification activities rather than relying on tool super-users and PDF reports.

Beerens: Jama Connect® is a perfect fit for Product Design and collaboration with all its Stakeholders to refine, expand and improve Product Design, before any of these (proposed) changes are even visible in a PLM environment thereby preventing disruptions in Production before consensus has been reached.

——————————–

About the Authors:

Steve Neemeh joined LHP in 2015 to lead the expansion of the west coast operations. He is the leader of the strategy and solutions architects as well as president of the delivery consulting organization. Steve has over 25 years of Functional Safety experience prior to joining LHP. Steve has launched multiple start-up operations and has taken them to full production. Notably, a complete ground up electronics and software development group to service commercial aerospace electronics and military vehicle power electronics. For LHP, Steve pioneered the implementation of safety critical applications in California, launching functional safety for autonomous driving applications as well as air mobility.

Danny Beerens has 15 years of experience implementing, training, maintaining and supporting Application Lifecycle Management processes and their environments. Danny started in Software Configuration and Change & Defect Management (i.e., Workflows.) After joining Telelogic, he moved into Requirements and Test Management over the last decade, in roles as Support Engineer, Process Engineer, Consultant, and System Architect. Throughout his career Danny’s worked on projects and collaborated with customers in the Medical Devices, Aerospace & Defense, Automotive, and Semi-conductor industries. “The need to integrate ALM and PLM (and even beyond!) is apparent across all industries.”

Richard Watson is the Practice Director for horizontal solutions, engaged in identifying and creating services and assets spanning the Jama Software vertical solutions. Richard has a client first attitude and is passionate about Requirements and Systems Engineering. Based in the UK, Richard has been working in the systems and software industry for nearly 35 years and has been directly involved in most aspects of Systems Engineering from testing flight systems, through to software development of modeling tools, and Product management of IBM DOORS. Richard joined Jama Software as Practice Director in 2021.

Medical Predictions

As we enter 2023, Jama Software asked selected thought leaders – both internal Jama Software employees and our external partners – across various industries for the trends and events they foresee unfolding over the next year and beyond.

In the fourth part of our five-part series, we asked Shawnnah Monterrey, CEO at BeanStock Ventures – Romer De Los Santos, Senior Consultant at Jama Software – Vincent Balgos, Director of Medical Device Solutions at Jama Software – Michelle Wu, Medical Device Consultant at Wu Consulting – and Ivan Ma, Medical Device Program Leadership – to weigh in on medical device product development trends they’re anticipating in 2023.

Click the following links to visit part 1 – 2023 Predictions for Product & Systems Development Teams – part 2 – 2023 Predictions for Aerospace & Defense Product Development – and part 3 – 2023 Predictions for Industrial and Consumer Electronics Product Development. We will link the final 2023 Industry Predictions when it publishes.

Read more about the authors and their organizations at the end of this blog.


2023 Predictions for Medical Device Product Development

What are the biggest trends you’re seeing in the medical device and life sciences industry?

Shawnnah Monterrey: Biggest trends we are seeing include a rapid migration to the cloud; this includes: IoMT, Digital Health, Digital Therapeutics and Big Data such as Genomics, Biotech, and Pharma.

We are seeing a rapid shift towards newly derived clinical insights using pre-existing data from existing medical devices, such as:

  • Companion diagnostics which combine a diagnosis outcome with a therapeutic and monitoring of that treatment
  • Digital therapeutics which use software ONLY to treat patients as opposed to a drug or instrument
  • Novel clinical insights where two or more measurements are combined to produce a clinical determination
  • AI based diagnostics which often consume numerous inputs that could be measured, demographical or even genetic to derive new clinical insights

Romer De Los Santos: Digital health continues to be a major source of growth as personalized medicine, wearable devices, and mobile health gain wider acceptance. Cloud computing, AI, and machine learning are improving patient outcomes by encouraging innovation and making personalized medicine possible. As these constantly evolving technologies continue to grow in complexity, the regulatory framework around medical devices that incorporate them is also evolving to keep up.

For many years, medical device manufacturers secured their devices by disabling or designing out interconnectivity. The rise of electronic medical record keeping has forced manufacturers to support limited interconnectivity. They usually depended on security measures taken by their customer’s IT department as the primary risk control measure. That’s no longer acceptable in our interconnected world. The FDA requires manufacturers to consider cyber security threats and to design controls to reduce these risks as much as possible. This has led to developers having to learn more about threat modeling to limit touch points into their software and to creating plans on how to handle data breaches.

The 21st Century Cures Act amended the definition of a medical device to exclude certain software functions. The FDA intends to focus oversight on software functions that affect patient data and therefore pose the greatest threat to patient outcomes. Wise developers architect their software systems based on clearly defined software functions that can be individually evaluated for risk, leading to a reduction in the regulatory burden. Designing and documenting modular software facilitates re-use and therefore faster time to market for novel medical devices.

Michelle Wu: AI and Machine Learning: I continue to see AI and Machine Learning as a trend for 2023. Any pitch competition I attend includes multiple products that are incorporating AI or machine learning. There’s attention now on companies to look for and counteract bias in the data sets and algorithms.

Health equity: A spotlight on health inequities shines brighter since the pandemic and fortunately many companies are looking to do good and do well. Telehealth, remote patient monitoring, digital health apps, are the top areas of innovations that I see to address these disparities.

Vincent Balgos: The pandemic continues to drive the industry, regulators, and the market for COVID-19 related products and services, so I would expect continual development in these areas as new SARS-CoV-2 variants emerge, or as other diseases arise.

Continual integration of medical life products, and interoperability amongst devices. As software to grows as a critical part of medical device industry, whether standalone SW or integrated with other components, there are many areas for 2023 innovation such as:

  • Software as a Medical Device (SaMD), Software in a Medical Device (SiMD)
  • Cybersecurity
  • Complex data analysis such as bioinformatics, genomic sequencing, imaging processing
  • Artificial Intelligence (AI) and Machine Learning (ML)

New or modified regulations (EU IVDR, EU MDR, and potential US VALID Act) continue to change the landscape in how medical device and life science organizations develop, manufacture, and maintain products.

The new FDA Computer Software Assurance (CSA) guidance that revisits validation in context of the current Computer System Validation (CSV) approach. Many medical companies are looking at this new risk-based approach to streamline their activities, documentation and outputs as the current standard practice can be complex and cumbersome.

Biggest Challenges – What are some of the biggest challenges you think medical device and life sciences companies will be working to overcome in 2023?

Monterrey: Two of the biggest challenges I see are: monetization and regulatory clearance.

Medical device revenue models rely heavily on reimbursement from CMS, which requires a CPT code. Obtaining a new CPT code requires a significant investment and burden on the medical device manufacturer to provide clinical evidence which not only shows efficacy but also provides a reduced cost of care when compared to existing methods and treatments. We are seeing that digital therapeutics are struggling in this area. One strategy has been for digital therapeutics to partner with an existing reimbursed pharmaceutical via revenue sharing. But on the upside CMS has recently provided a new code which allows prescription digital behavioral therapy to be reimbursed as a medical benefit which is trailblazing the path for other digital therapeutics to follow.

While digital health applications that are intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease are medical devices and have been regulated by the FDA for many years, there have been new entrants in recent years that have gone under the radar. With the recently issued guidance from the FDA on Clinical Decision Support Software, FDA attempts to make it clear which products are regulated medical devices, and which are not. This will slow the reduction in the barrier to entry as many digital health applications begin to play catchup.

Ivan Ma: The supply chain for components and materials continues to remain constrained, with lead times stretching well past 6 months and sometimes getting close to 12 months. Programs should plan for contingencies and with expectations that milestones that require physical materials will be impacted by the last part in. Be wary of strategies that start early but require more total effort to execute.




In terms of product and systems development, what do you think will remain the same over the next decade? What will change?

De Los Santos: The need to ensure traceability between requirements, testing, risk, and design will continue to be important in the next decade. Changes in what is considered medical device software will lead to revised regulatory strategies by companies agile enough to take advantage of these changes. Documentation must become more modular to match the software they describe.

Balgos: Based on my past 17 years in medical product development, the time pressure to launch safe and effective products quickly to the market has always been a constant theme.

Many attempt the “faster, better, cheaper” approach, but schedule has always been the driver when it comes to project management’s iron triangle (scope, budget, schedule). While this “faster, better, cheaper” approach may work for other industries, the medical field is especially constrained in that a patient’s safety is non-negotiable.

What will change is how companies adapt to the complexities of the regulation landscape, innovative technologies, and ever growing knowledge of diseases, illnesses, etc. The adaption for advanced tools, processes, and digitization of information will continue to grow industry as scientists/engineers evolve their practices.

What changing regulatory guidelines do you anticipate having an impact on companies in 2023?

Monterrey: In addition to FDA’s guidance on Clinical Decision Support Software there are a few other draft guidance in the works such as Computer System Validation (CSA), Cybersecurity, and AI.

Tools that are used to implement part or all of the quality system require validation to ensure that the tool is fit for purpose and mitigates the risk of failures that could pose undetected harm in the medical product. We have seen many of our clients spend significantly more effort on validating tools that do not pose significant risk to their medical device than the medical device itself. FDA’s Computer Software Assurance for Production and Quality System Software draft (CSA) guidance provides great insight on how to take a risk-based approach when validating your tools.

Cybersecurity affects all products in development and on-market, regardless of if they are fully embedded or even connected. For medical device manufacturers that have many legacy devices on-market, this new guidance can pose a significant risk and cost.

Artificial Intelligence and Machine Learning (AI/ML) Software as a Medical Device Action Plan provides some additional insights into FDA’s current thinking behind AI. Although there is no current guidance from the FDA, AI devices continue to be cleared under existing guidance increasingly year over year.

Balgos: The US VALID ACT could have major disruption to lab developed tests (LDT’s) and how they are regulated in the US market. The additional restrictions may impact the growth of new tests, but provide additional oversight to help improve safety. This controversial topic has been a continual discussion point in industry, and the new VALID ACT provides some additional clarification and guidance.

How do you foresee regulations shifting in medical device and life sciences over the next decade?

De Los Santos: There is a growing understanding among regulatory bodies that cloud computing companies are developing technology that will significantly improve patient outcomes.

Tool Innovation – From a medical device and life sciences engineering toolset perspective, what are some of the processes you think forward-thinking firms will be working to leverage or incorporate into their process and why?

Monterrey: From an engineering toolset perspective – finding automated tools that support the regulation and the team’s ability to be agile for the full development cycle will have a significant impact. Typically, we see our clients taking 6 to 18 months backtracking design activities in order to satisfy the FDA when the product is almost completed. If development is done in a more automated and iterative way – time to market can be significantly reduced, more predictable and lead to higher quality products.

Wu: Tools that make regulatory compliance more efficient. The best tools make it easy for companies to enhance, instead of hampering, their product development and business strategy.

Human centered design. While not a new concept, it is not universally practiced and incorporated. Those that do this well have medical devices that resonate with users and have better product adoption.

Ma: Requirements matter more than ever. Avoid building the wrong thing by keeping track of requirements and risk management using a tool like Jama Connect. If you are paper tracing, you’re operating in the 20th century.

Any major disruptions to the medical device and life sciences industry you’re anticipating in 2023?

De Los Santos: AI, machine learning, and cloud computing were instrumental in the response to the pandemic but have far bigger implications for improving patient health. As companies shift focus away from the pandemic, I expect more innovation around personalized medicine and clinical decision support software, both of which take advantage of these emerging technologies.

Balgos: The US VALID ACT could have major disruption to lab developed tests (LDT’s) and how they are regulated in the US market and industry.

What sorts of process adjustments do you think development teams will need to make to be successful in 2023?

De Los Santos: Development teams should take advantage of the guidance on software functions to improve the architecture of their code and their documentation. The sooner development teams create re-useable code and documentation building blocks, the better.

Balgos: Aligning with new regulations, such as the potential VALID ACT, and new FDA draft guidances such as CSA, Human Factors, and others.

For the EU market, organizations need to start Notified Bodies engagement early, as the backlog continues to be longer than expected for re-certification for Medical Devices and IVD’s to the new regulations.

In your opinion, what are the biggest differences between a medical device or life sciences company that survives to see 2030, and one that doesn’t?

Monterrey: Companies that strive to maintain agility while being regulated leveraging tool automation as opposed to paper-based and stage gate processes will have a competitive advantage and higher chance of survival by having the ability to:

  • Address cybersecurity demands in an ever-changing eco-system
  • Derive new clinical insights using real-world data
  • Innovate by releasing product and features in more frequent cadences
  • Stay ahead of obsolescence issues

De Los Santos: The ability to organize software, hardware, and documentation into re-useable building blocks is key to winning in this kind of environment. You must be fast while maintaining a level of quality that ensures patient safety.

Ma: Products that bring true clinical value will win in the long run. The challenge is finding organizations and sources of capital that are methodical enough to identify true clinical value and have the grit and determination to stick with programs that take more than 5 years to reach human use.

Balgos: Adapting to the environment will be key for a company’s survival. Whether new regulations, innovative technologies, or another global event changes how industry operates, companies that have the ability, resources, and willingness to pivot will likely survive.

What role will cybersecurity play in medical device development in the coming year and beyond?

De Los Santos: Cybersecurity is here to stay! The FDA requires device manufacturers to document how they handle cyber security threats and breaches. Companies can’t depend solely on risk control measures made by the customer’s IT department.

What advice would you give to new companies entering the medical device and life sciences industry?

Monterrey: Invest in tools, training, and infrastructure upfront and hire industry and technological experts to help you navigate the complexity of the cloud environment and regulated space.

De Los Santos: Take some time to define a simple design and development process. Don’t overdo it! You don’t get extra credit for adding extra process work. Use a risk-based approach to determine how much is too much.

Wu: Understand that the path to commercialization is much longer for a regulated medical device or therapeutic as compared to a consumer good.

Gain an appreciation for the regulations, what claims you want to make for your product, and how those two impact your timeline.

Human-centered design, including addressing diversity and inclusion, will differentiate your product from others.

Ma: A mentor told me that medical devices are a hard but worthwhile sport. Play the sport with the intent to bring positive clinical value to people everywhere. The rest, as they say, will take care of itself.

Balgos: Understand the market, regulations, and intended use of products/services and the associated risks.

Encourage good documentation practices early and consistently, as documentation is the lifeblood of the industry. Because if it wasn’t documented, it never happened.

What topic(s) do you wish companies were paying more attention to?

Monterrey:

  • FDA requirements pre-development – implementing a QMS and following a design process.
  • Customer needs – developing with the end user in mind.
  • Software as a profit center – focused on the revenue opportunity software can bring.
  • Tool validation – focus on value-add activities, if you’re spending more time and money validating tools than verifying your medical device you should revisit your QMS for inefficiencies.

De Los Santos: I wish companies would take a little more time cleaning up their processes. Where are you wasting effort? Putting band-aids on your development process costs you more in the long run. What is a working medical product with a poor or non-existent design history file? It’s a brick. It’s a very expensive brick that will require months of remediation work. Design documentation created after the fact is always poor and you’ll also have trouble retaining great engineers if they must spend months remediating documents.

Wu: Women’s Health: While women make up 51% of the population, less than 1% of VC funding is going to FemTech. With an estimated market size of $1.186 Trillion by 2027, the medical device industry is slowly taking notice of the unmet need and market potential of innovation focused on women. Consumer product goods, digital health, and diagnostics are the top three products addressing issues unique to women, including menstruation, maternal health, and menopause [1]. It’s an under-tapped area that continues to be prime for disruption.

[1] Fem Tech Landscape 2021 by FemTech Focus

Balgos:

  • Risk Management, with respect to Post Market Surveillance (PMS)
  • Change Management
  • Systems Engineering best practices



What do you think will remain the same in this industry throughout 2023?

Monterrey: I think we will continue to see slow economic recovery as a result of the side-effects of COVID as it relates to supply chain, pivots, and lower year end earnings. The businesses that end up striving will be those who are focused on long term strategy as opposed to short term reactions to the economy. Reinvestment and patience will be essential to staying ahead competitively.

What do you predict for regulation in the medical device and life sciences industry in 2023?

Monterrey: There will be a watchful eye on cybersecurity, additional thinking around AI and significantly longer wait times for approval.

Wu: While not significant changes in regulation, the change to MDR and IVDR in the EU continues its impact to the industry, especially as companies’ previous MDD certifications lapse, but have yet to obtain their MDR certifications. As of a July 2022 MedTech Europe Survey Report, >85% of existing medical devices that had MDD certification have received MDR. And unfortunately, it is the patients and public that live in the EU that will be affected when they no longer have access to the same medical devices and diagnostics that they had previously. With the 13–18-month time-to-certification with MDR-designated Notified Bodies, nearly double the time historically needed, this influences the worldwide go-to-market strategy of companies.

Will those trends still be prevalent 5 years from now? 10 years?

Monterrey: Digital health applications will begin to dominate the market over traditional hardware devices with new and innovative diagnostics, treatments and therapies leveraging cloud, AI and real-world data. FDA trends over the next 5 to 10 years will move towards harmonization to reduce complexity and improve ease of use. To reduce wait times, the FDA will continue to extend devices in the break-through designation and rely on the use of certification bodies or 3rd party FDA reviewers like BeanStock Ventures.

Where do you see Jama Software fitting in as the product development landscape evolves, and what can our customers expect as 2023 approaches?

De Los Santos: When properly configured and coupled with a simple design control process, Jama Connect significantly reduces the documentation burden for our customers. In the same way that a good source code management system facilitates code reuse, Jama Connect facilitates re-use of requirements, test cases, and risk documentation. There have been some recent improvements to Jama Connect that I’ve been requesting since I was a Jama Software customer. I hope people take time to take advantage of them.


Shawnnah Monterrey – CEO, BeanStock Ventures

With 20+ years’ experience in the medical industry, Shawnnah Monterrey knows a thing or two about guiding innovative products to market.

Prior to founding BeanStock Ventures, she obtained a bachelor’s degree in computer science from the University of California, San Diego and an executive MBA from San Diego State University, then went on to hold product development management positions across numerous global firms, including Illumina, Invetech, Medtronic and Carl Zeiss Meditec. Through this work, she continued to develop a passion for innovation in medical devices, life sciences, and biotechnology.

BeanStock Ventures

BeanStock Ventures is 1 of 9 FDA-accredited Third Party Review Organizations globally which provides software development and regulatory compliance products and services to minimize complexity, and reduce cost and time to market of innovative medical devices.

BeanStock Ventures has over 140 years of combined experience in software development for the healthcare and life science space.

833.688.BEAN (2326)


Michelle Wu – Principal Consultant at Michelle Wu Consulting

Michelle Wu is a senior leader with 20 years of experience in the medical device and life sciences industries with roles in executive leadership, product and process development, manufacturing, and quality. Michelle has a history of successful medical device product development, strategic planning and execution, building teams, process evolution, and managing organizational change. She values a collaborative and diverse, equitable, and inclusive environment, believing that diverse perspectives lead to the best ideas, more cohesive teams, and better results.

Ivan Ma

Ivan Ma has nearly two decades of experience in the medical device industry holding leadership and design positions spanning a wide range of medical devices; from single use devices and active implantables to complex surgical robotic systems. Ivan specializes in bringing early phase projects through development in preparation for FDA submission and human use by introducing balanced discipline to an inherently chaotic process.

Vincent Balgos 

Vincent Balgos currently leads the Medical Solution at Jama Software. Prior to joining Jama Software, he worked in the medical device / IVD industry for over 17 years with roles in systems engineering, product development and project management. Vincent has a successful history in launching new products to the global regulated market, and is experienced in product development, risk management, quality systems, and medical device regulations.

Romer De Los Santos

Romer De Los Santos has been developing software and firmware in the medical device industry since 1999. He is proud to have been involved in the development of a wide variety of medical devices including insulin infusion pumps, continuous glucose sensors, solid state mobile SPECT cameras, sequencers, liquid handling robots, and various IVD assays. He’s served in the roles of software developer, product owner, scrum master, internal auditor, systems engineer, software project lead, core team leader, and technical product manager before joining Jama Software as a senior consultant this past February.


In part 2 of our blog series, we cover the second half of our eBook, “A Guide to Road Vehicle Cybersecurity According to ISO 21434” – Click HERE for part 1.

To read the entire eBook, click HERE. 


A Guide to Automotive Cybersecurity: Part 2

Cybersecurity V-model


Much like other automotive standards, ISO 21434 defines a system engineering V-model to be followed for the development of cybersecurity features.

Concept Development

The cybersecurity V-model starts with the definition of the exact “item” that will be developed. The item is a component or set of components that implement functionality at the vehicle level and is defined in an item definition. In many cases, the same item definition may be used for both functional safety analysis and cybersecurity analysis.

Once the item has been clearly defined, a Threat Analysis and Risk Assessment (TARA) is performed to identify what cybersecurity threats exist for the item and what the risks of those threats are. For threats where the risk must be reduced, concept-level requirements are developed, known as cybersecurity goals. Cybersecurity goals form the highest-level requirements for the system being developed from a cybersecurity perspective. For risks that will remain after cybersecurity goals are achieved, cybersecurity claims are documented to explain what, if any, risks still exist and why they can be accepted.

After defining cybersecurity goals, a cybersecurity concept is created. This documents the high-level concept that will be used to achieve the cybersecurity goals. The concept takes the form of cybersecurity requirements as well as requirements on the operating environment.

Product Development

Once a cybersecurity concept has been developed, the system must be designed in a way that will satisfy the cybersecurity requirements. Any existing architecture must be updated to consider the cybersecurity requirements. Each component of the system should be designed to support the cybersecurity requirements.

Although ISO 21434 provides an example of developing a system in two layers of abstraction, no specific number of layers is required. Instead, the standard leaves it to the product development organization to define a process appropriate for the complexity of their system. This ensures that organizations can adapt the standard to a wide range of systems and, for many, means that their existing system engineering process will satisfy ISO 21434.

Once the components of the system have been designed and integrated, the system must be verified to ensure that it meets the cybersecurity requirements.

The methods for verifying the system can include:

  • Requirements-based testing
  • Interface testing
  • Resource usage evaluation
  • Verification of the control flow and data flow
  • Dynamic analysis
  • Static analysis

The integration and verification activities should be documented in a verification specification and the results of verification documented in a verification report.

Validation of Automotive Cybersecurity Goals

While the focus of verification is ensuring that the item meets the cybersecurity requirements, validation ensures that the item achieves the cybersecurity goals. This is done by first validating that the cybersecurity goals are adequate and then validating that the item achieves the cybersecurity goals. Validation may involve reviewing work products, performing penetration testing and reviewing all the managed risks previously identified. A rationale for the validation activities is required. The completed validation is documented in a validation report.




Post-Development Activities

Even after product development is complete, the cybersecurity lifecycle continues.

Production

During the production phase, the item that has been developed is manufactured and assembled. A production control plan is required to ensure that cybersecurity requirements for post-development that were identified earlier in the lifecycle are applied to ensure that no vulnerabilities are introduced during production.

Operations and maintenance

Once an item has been integrated into a vehicle and the vehicle is on the road, new cybersecurity threats can still be identified. ISO 21434 requires organizations to have a plan for how to respond to this scenario.

Organizations must create a cybersecurity incident response plan each time a new cybersecurity incident occurs. This plan includes what remedial actions are required and how they will be performed. The response may range from providing new information to vehicle owners, to over-the-air updates, to recalls where the owner must bring the vehicle in for service.

End of cybersecurity support and decommissioning

Given that the cybersecurity lifecycle continues after vehicles have been sold to consumers, a method for ending cybersecurity support for those vehicles is needed. ISO 21434 focuses on developing a plan for communicating with customers when cybersecurity support ends. Since decommissioning can occur without the organization’s knowledge and in such a way that decommissioning procedures cannot be enforced, ISO 21434 only requires making documentation available to explain how to decommission the item with regards to cybersecurity, if this is even required.




Integrating Automotive Cybersecurity with Overall System Engineering


ISO 21434 defines many cybersecurity-specific requirements and requires personnel with specific cybersecurity knowledge and skills. Because of this, it may be tempting for organizations to silo cybersecurity engineering activities from other engineering activities, but this would be a mistake. While risk analysis required by ISO 21434 can be considered as a separate activity from other system engineering activities, a single product still must be developed that meets a wide range of requirements, including cybersecurity requirements. For this reason, it is best to manage a unified database for requirements, architecture, and design, rather than tracking cybersecurity artifacts separate from others.

To support this, think of cybersecurity analysis as another input to product development, just like functional safety analysis and market analysis.

By taking a unified approach, a single system engineering V-model can be implemented that describes an overall product development process that incorporates cybersecurity without creating silos. While specialists will be focused on performing cybersecurity analysis, implementing known best practices and validating the final system achieves cybersecurity, this must be done in cooperation and coordination with the rest of product development.
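The trace chain described in this guide (TARA threat, then cybersecurity goal or claim, then cybersecurity requirement, then verification) can be checked mechanically once the artifacts live in one database. The following is an added example, not taken from the eBook or from Jama Connect: a minimal Python trace check over constructed records, where the record types, the IDs and the "reduce"/"retain" treatment labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Verification methods listed in the guide's product-development section.
VERIFICATION_METHODS = {
    "requirements-based testing", "interface testing",
    "resource usage evaluation", "control flow and data flow verification",
    "dynamic analysis", "static analysis",
}

@dataclass
class Threat:                      # one row of the TARA
    id: str
    summary: str
    treatment: str                 # assumed labels: "reduce" or "retain"
    goal_ids: list = field(default_factory=list)
    claim: str = ""                # cybersecurity claim for a retained risk

@dataclass
class Goal:                        # cybersecurity goal
    id: str
    requirement_ids: list = field(default_factory=list)

@dataclass
class Requirement:                 # cybersecurity requirement from the concept
    id: str
    verifications: list = field(default_factory=list)  # (method, passed) pairs

def find_trace_gaps(threats, goals, requirements):
    """Return (item_id, problem) pairs for every broken trace link."""
    goal_ids = {g.id for g in goals}
    req_ids = {r.id for r in requirements}
    gaps, used_goals, used_reqs = [], set(), set()

    for t in threats:
        if t.treatment == "reduce":
            if not t.goal_ids:
                gaps.append((t.id, "risk to be reduced has no cybersecurity goal"))
            for gid in t.goal_ids:
                if gid in goal_ids:
                    used_goals.add(gid)
                else:
                    gaps.append((t.id, f"links to unknown goal {gid}"))
        elif t.treatment == "retain":
            if not t.claim.strip():
                gaps.append((t.id, "retained risk has no cybersecurity claim"))
        else:
            gaps.append((t.id, f"unknown treatment {t.treatment!r}"))

    for g in goals:
        if g.id not in used_goals:
            gaps.append((g.id, "goal is not derived from any TARA threat"))
        if not g.requirement_ids:
            gaps.append((g.id, "goal has no cybersecurity requirement"))
        for rid in g.requirement_ids:
            if rid in req_ids:
                used_reqs.add(rid)
            else:
                gaps.append((g.id, f"links to unknown requirement {rid}"))

    for r in requirements:
        if r.id not in used_reqs:
            gaps.append((r.id, "requirement traces to no cybersecurity goal"))
        if not r.verifications:
            gaps.append((r.id, "no verification recorded"))
        for method, passed in r.verifications:
            if method not in VERIFICATION_METHODS:
                gaps.append((r.id, f"unrecognised verification method {method!r}"))
            elif not passed:
                gaps.append((r.id, f"{method} did not pass"))
    return gaps

def sample_model():
    """Constructed records for a hypothetical telematics item."""
    threats = [
        Threat("TS-01", "Unauthenticated update image is installed", "reduce", ["CG-01"]),
        Threat("TS-02", "Service port readable with physical access", "retain"),
        Threat("TS-03", "Stored trip data disclosed", "reduce"),
    ]
    goals = [Goal("CG-01", ["CR-01", "CR-02"]), Goal("CG-02", ["CR-03"])]
    requirements = [
        Requirement("CR-01", [("requirements-based testing", True)]),
        Requirement("CR-02"),
        Requirement("CR-03", [("static analysis", False)]),
    ]
    return threats, goals, requirements

if __name__ == "__main__":
    for item_id, problem in find_trace_gaps(*sample_model()):
        print(f"{item_id}: {problem}")
```

On the constructed data the check reports five gaps: a retained risk with no claim, a threat with no goal, an orphan goal, an unverified requirement and a failed verification.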


How Jama Connect® Supports Cybersecurity Engineering

One way to implement a unified requirements, architecture, and design database is by using Jama Connect®. Jama Connect for Automotive provides a framework that incorporates the key requirements of ISO 21434 into a single project structure along with overall system engineering.

Specifically, Jama Connect for Automotive provides guidance on supporting the following activities:

  • TARA
  • Cybersecurity goals
  • Cybersecurity concept
  • Design
  • Integration and verification
  • Validation

An example of the framework is shown below:

[Figure: example of the Jama Connect for Automotive framework]

Conclusion

ISO 21434 introduces a robust framework for organizations to apply the state of the art in automotive cybersecurity to their product development. This framework is necessary from both a market and regulatory perspective. The high level of connectivity available in vehicles today means that there are many ways for someone to maliciously change a vehicle’s operation. While many consumers may be unaware of the risks today, if there are ever accidents that result from cyber-attacks, that will change quickly. A vehicle OEM’s brand will surely be impacted by such an incident. In addition, regulators have already imposed strong cybersecurity requirements in many regions. ISO 21434 is quickly becoming an essential regulation for companies developing products at all levels of the automotive supply chain.

Whether your team is young or seasoned, small, or large, all together or scattered across boundaries, Jama Connect for Automotive can help improve processes, reduce costs, improve time to market, and help achieve ASPICE compliance. To learn more about Jama Connect for Automotive, download our datasheet.

Interested in learning more about how Jama Connect for Automotive can help your team meet market demands more quickly and efficiently?
Visit jamasoftware.com/solutions/automotive or contact us to learn how Jama Connect can optimize success for your organization.