A comprehensive look at ISO/IEC/IEEE 15288 goals, standards, and tools to achieve compliance.
Product development is evolving quickly; over the past few years, it’s become increasingly complex. A study of nearly 300 design and engineering professionals found that 92% of respondents say they’re experiencing at least one form of increased complexity. Moreover, 76% say they’re experiencing at least three.
A set of standards, such as those found in ISO/IEC/IEEE 15288:2015, can help manage increased complexities using established frameworks. But if you aren’t familiar with the standards, you might have many questions such as: What is ISO/IEC/IEEE 15288:2015? What organizations use it? And how can it help with product development?
We’ve created a guide to help answer these questions so you can determine whether using this standard is right for your organization and explore other tools that can help.
Building a new system is a large undertaking that involves a variety of moving parts and components. The success of any project, of course, relies on those parts working in synergy and solving for any potential disconnects. That’s why having a common set of practices can help. ISO/IEC/IEEE 15288:2015 was designed to create a standard reference of activities to be executed within a specific system engineering process. The standards are designed for those in systems engineering leadership, such as:
Systems Architects
Systems Developers
Project Managers
Computer Scientists
The standards are commonly used to guide internal work on systems development but can also be used as an external reference. For example, if you work with a partner, you might use ISO/IEC/IEEE 15288:2015 to help create agreements about how work is completed.
Building a New System is Growing More Complex
A recent study of almost 300 design and engineering professionals found that not only are engineering systems getting more complex, but many organizations aren’t equipped with the right tools to manage the intricacies of complex system development.
92% of respondents reported experiencing at least one form of increased complexity.
76% report dealing with three or more increased measures of complexity.
25% report their products are becoming more complex in five or more ways.
How is ISO/IEC/IEEE 15288:2015 used?
During product and system development, you’re working to solve a specific customer challenge. Using ISO/IEC/IEEE 15288:2015 helps you accomplish this goal by providing a framework for your processes. But how exactly are standards typically used? Here are a few examples.
Used by an organization. An organization might use ISO/IEC/IEEE 15288:2015 to create an environment of desired processes. Infrastructure, methods, procedures, technologies and similar supporting elements typically underpin these processes.
Used by the project. You might decide to use what is found in ISO/IEC/IEEE 15288:2015 as internal standards to support the deployment of an existing environment or offer a new system or service. In addition, standards are used to judge the performance of a project in a specific environment.
Supports partner agreements. Agreements are the foundation of any successful relationship, including those with suppliers or other external parties. You might partner with a supplier, for example, to select relevant processes and activities within the standards and create agreements based on those elements.
Used to evaluate processes. ISO/IEC/IEEE 15288:2015 can serve as a process reference model to determine whether your existing processes support a specific goal around process improvements.
As you can see, you have flexibility when using standards. You can implement all of the frameworks or just a few of them. ISO/IEC/IEEE 15288:2015 can serve as a starting point from which you select what fits best for your project, processes or organization to guide your decisions.
To learn more about what’s included in each of the six parts of ISO/IEC/IEEE 15288 and how Jama Software can help, download our Comprehensive Guide here.
The Complete Guide to ISO/IEC/IEEE 15288:2015 — Systems and Software Engineering. By Cary Bryczek, 2023-02-09 (updated 2024-01-18).
In this blog, we recap the “Implementing Requirements Management for ISO 21434” webinar.
As the automotive industry becomes more complex and more connected, cybersecurity is emerging as a major concern, and therefore priority, for development teams.
According to Juniper Research, there are 206 million cars on the road with embedded connectivity, and by 2025 the number of vehicles leveraging 5G embedded connectivity will surpass 30 million, over eight million of those in the United States alone.
One standard in particular has been developed to address cybersecurity risks in the design and development of car electronics: ISO/SAE 21434 “Road vehicles — Cybersecurity Engineering.”
In this session we will discuss:
Overview of managing requirements in ISO 21434
Similarities between requirements for functional safety and cybersecurity
Updating an example requirements management data model for cybersecurity requirements
Proposal for implementing a TARA in a requirements management database
Below is an abbreviated transcript and a recording of our webinar.
Implementing Requirements Management for ISO 21434
Adrian Rolufs: Welcome to this webinar on Implementing Requirements Management for ISO 21434. My name is Adrian Rolufs, and today I’ll be taking you through the process we went through at Jama Software to update our data models for supporting 21434. I am the Director of Solutions at Jama Software, focused on our automotive and semiconductor business, and my experience is primarily focused on working with customers who are implementing requirements management and traceability solutions in the automotive industry. Today, we’ll go through an overview of what the impact on requirements management is from 21434. We’ll discuss the similarities between the requirements for functional safety and cybersecurity as it applies to requirements management. We’ll go through an example of how we updated the requirements management data model to support the cybersecurity requirements. And then we also have a proposal for how to implement a TARA in their requirements management database. We’ll go through reasons why you might want to consider such a solution. So, let’s dive into it.
First of all, let’s spend a little bit of time explaining what Jama Software is. Jama Software is a company that produces a requirements management solution. We focus on providing a complete tool for implementing a V model, all the way from high-level needs analysis into requirements and system design, through to integration and verification and validation. Our customers use Jama for managing requirements, building traceability to verification and validation, and reviewing all of that in a live online database to make sure that their documentation is of high quality, as well as making it as easy as possible for engineers to do that. And as you can see, there are a lot of companies across industries, especially in automotive, that have adopted our solution as their primary requirements management solution.
So let’s talk a little bit about the impact that 21434 has to requirements management. As you’re maybe familiar, there’s a number of clauses in 21434 focused on the cybersecurity engineering best practices for development of road vehicles. It focuses on development of electronic and software systems and specifically goes through and defines best practices for the processes for identifying cybersecurity risks, identifying ways to mitigate those risks, as well as development of the products that are going to implement features to mitigate those cybersecurity risks. And it supports the implementation of a cybersecurity management system which is required for many automotive manufacturers these days.
Adrian Rolufs: So within the framework of ISO 21434 there are specific areas that have the biggest impact on your requirements management process. The first one is within the cybersecurity activities and assessments. There are planning documents, there’s a cybersecurity case that has to be developed, and there are work products that have to be managed to be compliant with ISO 21434. And a lot of those have an impact on the work that would typically be done in a requirements management solution. So we’ll be looking at taking those requirements into account in how you would use a requirements management solution. The really core piece of it is the concept and product development phases of ISO 21434. Those directly result in new requirements that need to be managed, design that needs to be implemented to meet those requirements, and verification and validation activities. And these are the core activities that are typically managed in a requirements management solution, like Jama Software’s Jama Connect.
This is also a really important area to avoid creating silos in an organization. It’s very easy to create different organizational structures for managing cybersecurity from traditional requirements management processes. And it’s our belief at Jama Software that all requirements should be managed in a comprehensive and consistent way so that development teams can easily see all the requirements they need to meet, and the organization can track all requirements in the same way. This leads to higher quality products, leads to more consistency, and it leads to more on-time delivery. So as we’ll see today, we have developed a framework that allows you to manage the requirement, design, and verification and validation artifacts that are specifically required for cybersecurity in the same way as you would manage other requirements and verification and validation.
Adrian Rolufs: So another standard that a lot of organizations are following when they’re thinking about cybersecurity is ISO 26262. So this is the standard for functional safety in road vehicles, and it’s very common that a product or a system that needs to adhere to the cybersecurity standards also will have functional safety considerations as well. And so it’s very common to have a process that needs to accommodate both of these standards. Fortunately, there are quite a few similarities between them so it’s quite easy to develop a process that can allow you to build systems that meet both standards. Both of the standards start from the identification of an item, which is also commonly the system that you are analyzing, and help you identify the risks to functional safety or to cybersecurity, and then derive new requirements on your system in order to be able to mitigate against those risks.
They both define a V model that allows you to organize requirements and validation and verification according to system engineering best practices. And they both cover the development of a conceptual system, the full system, and then the hardware and software within those systems. And specifically, they both focus on the electronics and the software that runs on those electronics as opposed to mechanical systems, which typically don’t really have a functional safety or a cybersecurity consideration.
So in order to bring those aspects of those standards into a requirements management data model, we need to take a look at what those standards require and how that is similar to or different from how you would typically implement requirements management without taking those standards into consideration. So let’s take a look at the key aspects that feed into product development. Many organizations are already considering functional safety analysis as an input to their product development. So developing a new product starts with market analysis, understanding what the needs in the market are, understanding what types of products you could build to meet those needs. And that’s the key driver for the business justification for developing the products in the first place, and building a product that’s going to meet the needs of the market. So, that’s always the first and foremost consideration.
[Webinar Recap] Implementing Requirements Management for ISO 21434. By Jama Software, 2022-07-28 (updated 2023-01-12).
In this blog, we recap the “Understanding Integrated Risk Management for Medical Device” webinar.
Companies involved in developing medical devices understand the importance of risk management, but their approaches can vary significantly in terms of the time it takes to manage risk, the ability to connect risks to specific requirements and tests, and the capacity to pull together relevant documentation for an audit. To meet these challenges, medical device developers need a comprehensive approach to risk management.
In this presentation, industry and solution experts will explore how teams can integrate risk-based thinking into their product development lifecycle.
Attendees will learn more about:
Risk management in the medical device industry
Guidance and best practices to follow
How to manage risk analysis
The importance of risk traceability throughout project activities
Below is an abbreviated transcript and a recording of our webinar.
Understanding Integrated Risk Management for Medical Device
Mercedes Massana: So today we’re going to talk about risk management. First, we’ll start with the basics, the things we need to know to understand risk management, then we’ll talk about the elements of a risk management process, about some risk management tools that we can use, and then we’ll end with risk management and incorporating that into your traceability matrix.
So let’s start with the basics. So what is risk management? It’s the systematic application of management policies, procedures and practices to the task of analyzing, evaluating, controlling and monitoring risk. And in this case, we’re talking about product risk, not so much project risk, right? So all medical devices carry some level of risk, no matter how simple they are. There’s always some level of risk for the medical device, and we need to consider who can be hurt by the medical device. Who does this risk apply to? And that can be obviously the patient, but it can also be the operators or clinicians, right? The nurses. It could be bystanders, it could be service personnel working on the device. It could be even other equipment if we interfere with other medical equipment, and it could even be the environment.
Mercedes Massana: It is the responsibility of the manufacturer to determine how much risk they’re willing to accept, or the market is willing to accept for the intended use of the device. So the regulatory agencies don’t tell you what is acceptable from a risk perspective, but it’s up to the manufacturer to determine that.
So why do we practice risk management? Well, first of all, it’s so that we can produce safe products and release only safe products, right? So we want to prevent safety-related problems in the field. Having to recall product is very bad for companies, right? There have been companies that have gone out of business because of safety issues in the field. Having a good, well-documented risk management file can substantiate due diligence if somebody tries to sue you, so you have the documents that can help support that you did the right things.
It can also encourage a defect-prevention mindset. So when you start practicing risk management early on in development, you start designing with defect prevention in mind. You want to prevent defects that can cause harm and risk. It helps you identify potential safety issues early while you can still influence the design, right? And then, from a regulatory perspective, documents from your risk management files are always needed for submissions, and in audits, most likely these documents would be presented in audits.
And then it also allows risk-based decisions to be made throughout the product life cycle. So we think of risk management just as the product and things we need in order to get regulatory approval or to have in an audit, but really, having a robust risk management file can help us make decisions in verification, in validation, in manufacturing, even for our suppliers and what controls we ask them to implement. So having a robust risk management file can really help us in every facet of product development.
Mercedes Massana: So compliance is a big part of risk management. ISO 14971 is the application of risk management to medical devices. It is an FDA-recognized standard. It’s actually even called out in a couple of guidance documents from FDA, and it is referenced by a number of IEC standards. So we need to be compliant with ISO 14971 in order to get through FDA, and in order to achieve the CE mark. ISO 13485 mentions risk management 15 times, and it says that we must consider risk in supplier controls, for verification, for validation, in testing and traceability, for CAPA, even for training of personnel.
So this tells you how important risk management is to having a medical device, developing a medical device, and maintaining a safe device in the field. So risk management should be practiced first as a system-level activity, so we should start risk management from the top down. That means that very early in development, when we start our design efforts, we analyze the risk that the system can perform, just by knowing the intended use. We don’t even need to have a design. Then we attempt to mitigate those hazards and we drive risk controls through requirements that then get implemented in our design, so only the system can actually cause a hazard. The system might have many components, but unless I have all of the system put together, I can’t cause a hazard.
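As an added example (not Jama Software’s code or data model), the following Python models the idea both webinar recaps share: TARA threat scenarios from ISO/SAE 21434 and hazards from ISO 14971 live in one requirements database, each traced to a controlling requirement and on to verification, so coverage gaps can be found mechanically instead of by inspection. All item keys, texts and links are constructed for illustration.

```python
"""Coverage check for an integrated safety/cybersecurity traceability model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Risk sources are the top of the trace: a TARA threat scenario (ISO/SAE 21434)
# or a hazard (ISO 14971). Both are controlled the same way: by a requirement
# that is itself shown to be met by a verification activity.
RISK_KINDS = {"threat_scenario", "hazard"}


@dataclass
class Item:
    key: str
    kind: str                # threat_scenario | hazard | requirement | verification
    text: str
    domain: str              # "cybersecurity" or "safety"
    rating: str = ""         # TARA risk value or 14971 risk level (free text here)
    links: List[str] = field(default_factory=list)   # keys of downstream items


def build_index(items: List[Item]) -> Dict[str, Item]:
    """Index items by key, rejecting duplicates (a database would enforce this)."""
    idx: Dict[str, Item] = {}
    for it in items:
        if it.key in idx:
            raise ValueError(f"duplicate key {it.key}")
        idx[it.key] = it
    return idx


def coverage_gaps(items: List[Item]) -> Dict[str, List[str]]:
    """Return gap type -> sorted offending keys.

    uncontrolled: a threat scenario or hazard with no requirement tracing from it
    unverified:   a requirement with no verification tracing from it
    dangling:     a link to a key that does not exist in the database
    """
    idx = build_index(items)
    gaps: Dict[str, List[str]] = {"uncontrolled": [], "unverified": [], "dangling": []}
    for it in items:
        targets = []
        for k in it.links:
            if k not in idx:
                gaps["dangling"].append(f"{it.key}->{k}")
            else:
                targets.append(idx[k])
        if it.kind in RISK_KINDS and not any(t.kind == "requirement" for t in targets):
            gaps["uncontrolled"].append(it.key)
        if it.kind == "requirement" and not any(t.kind == "verification" for t in targets):
            gaps["unverified"].append(it.key)
    return {k: sorted(v) for k, v in gaps.items()}


def trace_matrix(items: List[Item]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """One row per risk -> requirement -> verification chain; None marks a break."""
    idx = build_index(items)
    rows: List[Tuple[str, Optional[str], Optional[str]]] = []
    for risk in items:
        if risk.kind not in RISK_KINDS:
            continue
        reqs = [idx[k] for k in risk.links if k in idx and idx[k].kind == "requirement"]
        if not reqs:
            rows.append((risk.key, None, None))
        for req in reqs:
            vers = [k for k in req.links if k in idx and idx[k].kind == "verification"]
            if not vers:
                rows.append((risk.key, req.key, None))
            for v in vers:
                rows.append((risk.key, req.key, v))
    return rows


# Constructed sample database: one cybersecurity chain, one safety chain,
# plus deliberate gaps so the report has something to show.
SAMPLE_ITEMS = [
    Item("TS-1", "threat_scenario", "Unauthorized diagnostic session reprograms the ECU",
         "cybersecurity", rating="high", links=["REQ-SEC-1"]),
    Item("HZ-1", "hazard", "Unintended braking from a corrupted wheel-speed signal",
         "safety", rating="ASIL C", links=["REQ-SAF-1"]),
    Item("HZ-2", "hazard", "Loss of infusion-rate display", "safety", rating="medium"),
    Item("REQ-SEC-1", "requirement", "Diagnostic security access shall use "
         "challenge-response authentication", "cybersecurity", links=["VER-3", "VER-9"]),
    Item("REQ-SAF-1", "requirement", "Wheel-speed input shall be plausibility-checked "
         "before use", "safety"),
    Item("VER-3", "verification", "Security test of diagnostic access", "cybersecurity"),
]


def report(items: List[Item]) -> str:
    """Human-readable summary of the trace matrix and the gaps in it."""
    lines = [f"{r or '-'} -> {q or '-'} -> {v or '-'}" for r, q, v in trace_matrix(items)]
    for gap, keys in coverage_gaps(items).items():
        lines.append(f"{gap}: {', '.join(keys) if keys else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ITEMS))
```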
[Webinar Recap] Understanding Integrated Risk Management For Medical Device. By Jama Software, 2022-07-12 (updated 2023-01-12).
If you’ve worked in product development for any time at all, you’ve probably heard the term “ISO” used in conjunction with the terms “standards” and “compliance” (along with a variety of four- and five-digit numbers).
But what does that all mean, and how does it affect you? In this article, we will provide you with a basic guide to understanding ISO standards.
What is ISO and What are ISO Standards?
The International Organization for Standardization is a nongovernmental organization. It consists of a network of standards bodies from 165 member countries (currently), with one body representing each member country. The American National Standards Institute (ANSI), for example, represents the United States. The organization maintains a central office in Geneva, Switzerland, to oversee this network.
Because “International Organization for Standardization” is a mouthful and would have different acronyms in different languages, the organization’s founders chose ISO—derived from the Greek ‘isos’, meaning equal—as its official abbreviation. As the group’s website proclaims: “Whatever the country, whatever the language, we are always ISO.”
ISO’s purpose is to help unify standards on an international basis. ISO standards are designated by the term ISO followed by a number, like ISO 9001. In some cases, ISO standards share a numeric code with an industry association, as in the case of ISO/IEC 12207. IEC stands for the International Electrotechnical Commission, which prepares and publishes international standards for electrical, electronic, and related technologies.
Nearly 800 ISO technical committees and subcommittees are tasked with standards development. As of June 2021, ISO has published some 23,886 international standards covering almost all aspects of technology and manufacturing.
What Are the Benefits of ISO Standards?
ISO forms a bridge that links the public and private sectors. Many of its member institutes are either departments of their national governments or mandated by them. Other member organizations are rooted solely in the private sector, having been set up by industry association partnerships within their country. ISO helps these diverse bodies reach consensus on solutions that meet both the requirements of business and the broader needs of society.
ISO standards help make the world a safer place and give consumers confidence that the products they buy are safe, reliable, and of high quality. Regulators and governments count on ISO standards to help develop better regulation, knowing they have a sound basis thanks to the involvement of globally recognized experts.
Finally, compliance with ISO standards gives companies an advantage in the marketplace. ISO certification provides assurance to potential customers that the company adheres to industry best practices. In many industries, companies require that their suppliers are certified to certain relevant ISO standards.
The ISO process for creating a new standard begins when an alliance of industry associations or consumer groups submits a request. ISO then recruits subject matter experts and industry stakeholders to form a technical committee or subcommittee. This committee executes a two-round drafting process and then takes a formal vote on the second draft. This second draft is called the Final Draft International Standard (FDIS). If the FDIS is approved, it is certified by the central secretariat, and ISO publishes it as an official international standard.
As technologies and best practices evolve, industry associations may request an update of an ISO standard. Different versions of the standard are distinguished by the year the revision was published appended to the standard designation. For example, the latest version of ISO 9001 is ISO 9001:2015.
What ISO Standards Are Related to Product Development?
ISO 9001
The ISO 9000 family of quality management standards is easily the most popular set of industry standards in the world. Of these, ISO 9001 is the only one to which companies can be certified.
ISO 9001 describes how to put a Quality Management System (QMS) in place to better prepare your organization to produce quality products and services. Today, over one million companies in more than 170 countries are certified to ISO 9001:2015.
ISO/IEC 12207
ISO/IEC 12207, Systems and software engineering – Software lifecycle processes aims to define all the processes required for developing and maintaining software systems, including the outcomes and/or activities of each process.
First introduced in 1995, ISO/IEC 12207 establishes a common framework for software life cycle processes with well-defined terminology that can be referenced by the software industry. It defines the processes, activities, and tasks to be applied during the acquisition of software products or services, as well as during the supply, development, operation, maintenance, and disposal of software products and to the software portion of firmware, as well.
ISO/IEC 12207 also provides a process that can be employed for defining, controlling, and improving software life cycle processes.
ISO 8887
ISO 8887 specifies the requirements for the preparation, content, and structure of technical product documentation (TPD) of the design output for the cycles of manufacturing, assembling, disassembling, and end-of-life processing of products. It describes the TPD needed at the critical stages of the design process.
Beyond those requirements, the standard also identifies and describes methods and conventions appropriate to the preparation of documentation necessary to realize a design, including the application to multiple life cycles. ISO 8887 also incorporates guidance on the ultimate reusing, recovering, recycling, and disposing of the components and materials used.
ISO/TS 16949
Based on ISO 9001, ISO/TS 16949 is a technical specification (TS) aimed at the development of a quality management system that provides for continual improvement within the automotive industry. First published in 1999, it emphasizes defect prevention and the reduction of variation and waste in the automotive industry supply chain and the assembly process.
According to the British Standards Institution (BSI), the ISO/TS 16949 standard was created by the International Automotive Task Force (IATF) to help streamline this process. It focuses on the avoidance of errors and defines the requirements for the development, production, and installation of automotive-related products. Today, certification is required by almost all Tier 1 companies, many of whom require their Tier 2 and Tier 3 suppliers to certify. As a result, over 50,000 certifications have been issued to date against this standard.
ISO 26262
ISO 26262, Road vehicles – Functional safety applies to safety-related systems that include one or more electrical and/or electronic (E/E) systems and that are installed in series production passenger cars. Introduced in 2011, this standard addresses possible hazards caused by malfunctioning behavior of E/E safety-related systems, including the interaction of these systems.
With the increased number and interaction of electronic systems within passenger vehicles, this standard is being adopted rapidly within the automotive industry.
ISO 13485
Unlike many ISO standards, ISO 13485, Medical Device Quality Standards, is a single document and does not belong to a family. It was originally published in 2003 and revised in 2016.
ISO 13485 puts a quality management system in place for the production of medical devices and equipment and is very specific to the health industry. It is often implemented with ISO 9001 to show that an organization is qualified to do business in the medical device field.
ISO 13485 is a regulated standard against which over 25,000 certifications have already been issued.
Product developers sometimes ask, “What are the differences between standards and requirements?”
According to Merriam-Webster, a requirement is “something wanted or needed; a necessity” or “something essential to the existence or occurrence of something else.” Other definitions include “a necessity or prerequisite” and “something required or obligatory.”
Webster’s defines a standard as “something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality” or “something established by authority, custom, or general consent as a model or example.” In other words, a standard is a principle, example, or measure used for comparison—a benchmark used to evaluate suitability for a purpose.
To meet a requirement, a thing, person or organization must do exactly what the requirement says. To meet a standard, a thing, person or organization must meet the minimum requirements of the standard and align with its intent. Standards typically allow some leeway for tailoring to individual organizational practices and obligations.
As mentioned earlier, many corporate and governmental customers want their suppliers to adhere to certain ISO standards, especially in industries that are multi-tiered or highly regulated. Certification to applicable standards is often a contractual requirement within those industries.
Is ISO Compliance Required by Law?
The ISO standards themselves are not legally binding. There are no laws that compel companies to meet or be certified to any ISO standards.
However, national regulators may refer to ISO standards as examples of good practice. For example, a building regulation might say you must comply with certain local regulations and that one way of complying with those is to comply with a given ISO standard.
Also, while not legally bound, many companies find certification to certain ISO standards is a necessity if they wish to compete for contracts within their industry or with specific customers.
In this guide, we’ve talked frequently about ISO compliance and ISO certification. So, what’s the difference?
Compliance simply means that your product or process conforms to the requirements of the ISO standard. ISO certification, on the other hand, is the result of a formal procedure and thus a bit more complicated.
ISO itself does not certify companies directly. Instead, specific certification bodies perform the task of auditing and then certifying an organization’s compliance with a given ISO standard. These bodies, often known as registrars, must themselves be certified under a separate standard, ISO/IEC TS 17021.
During the certification process, the registrar audits the organization to ensure that its operations are in compliance with processes outlined in the current ISO standard. Where inconsistencies or “non-conformities” are found, the organization must typically create a program for correcting these problems before the registrar will issue a certificate.
Once an organization is granted certification, it receives a certification mark that can be used on its company stationery, websites, etc.
When it comes to ISO standards governing ongoing business practices, like ISO 9001 for example, approval is typically valid for a period of three years. After that, the company must recertify to the current form of the standard.
Applying ISO Standards in Lifecycle and Requirements Management
What tools can help meet ISO standards in the realm of product lifecycle management? Jama Software provides several.
First and foremost of these is our flagship product, Jama Connect. For example, let’s say your organization is seeking certification to ISO 9001. To achieve that certification, you need to demonstrate you have put in place a defined, repeatable process for assuring quality. Jama Connect is a tool built specifically for requirements management and requirements traceability. Not only does Jama Connect simplify the tracking and tracing of requirements, it also makes it simpler and easier to maintain and demonstrate a robust quality process. That’s because Jama Connect automates so much of your requirements management process.
Finally, to learn more about choosing the right requirements management tools to help your company attain or maintain ISO certification, download our Requirements Management Buyer’s Guide.
A Guide to Understanding ISO Standards. By Jama Software, 2021-07-15 (updated 2023-01-12).
Infographic: Jama Connect™ for Medical Device Development
We’re excited to share our latest infographic for the Jama Connect for Medical Device Development solution which explains how Jama Connect can help accelerate innovation, maintain product quality, and manage the ever-changing complex regulations in medical device development. This is a single powerful platform for medical device teams to manage design controls for device requirements and related risks, simplifying regulatory submissions, and audit preparations while accelerating time to market.
Bringing a medical device to market requires navigating a sea of complex and ever-changing regulations, not to mention bearing significant costs along the way. A device recall can cost $600 million, while the indirect costs of lost revenue and diminished market cap are even higher at $1-3 billion per company. Those costs are especially significant considering the price tag of product development—$75 million in FDA compliance alone, and an average timeline of three to seven years.
→Jama Connect customers have been able to reduce planning time as much as 80%, thanks to consolidated feedback replacing emails and a document-based approach to project management.
→Better quality products get out the door faster. By understanding the impact of change, capturing decisions and feedback in real-time and reusing existing IP, Jama Connect reduces medical device development time by an average of 130 days per project.
→Jama Software reduces rework, which accounts for approximately 30-50% of a given project and arises from issues such as requirements errors. Improving the ability to track requirements from design through verification and validation ensures teams build the right medical devices with the lowest possible lifecycle costs.
In this infographic, we share how, with the right requirements management solution, you can accelerate the development of cost-effective products that also comply with both safety and quality standards.
You’ll learn:
How to overcome the biggest challenges in medical device development
The ways Jama Connect for Medical Device Development can help
Keys to unlocking a better customer experience
Infographic: Jama Connect™ for Medical Device Development. By Karrie Sundbom, 2020-07-07 (updated 2023-01-19).