Tag Archive for: risk management

ISO 13485

In this blog post, we will cover key components of the important medical device standard ISO 13485 and the steps for successful adherence.

In the complex world of medical device development, teams not only face challenges of innovation, but also a shifting regulatory environment and evolving standards.

Balancing the competing interests of customers and stakeholders with the guidance and regulations from different entities across global boundaries presents challenges that even the most organized and methodical teams may struggle to meet.

In this environment, systems thinking can greatly improve the ability of medical device development teams to get products from the idea stage to market. By breaking down complex problems into manageable pieces, teams can better evaluate their systems and streamline and strengthen processes.

Using an applied systems approach will also help resolve inefficiencies in the development process and produce the outputs necessary for the design history file (DHF).

A growing number of organizations and teams are already pursuing a general systems approach by applying the guidance in ISO 13485:2016. This standard helps define a framework for the Quality Management System (QMS) for medical device development and pushes the development process naturally toward a systems approach. But for those teams that have not yet adopted the standard, adding one more document or piece of guidance to the overall process can feel like another layer of complication.

It doesn’t have to be. Adopting this standard can help standardize and systematize the medical device development process. Though it may look daunting at first, once adopted, ISO 13485 can streamline processes and position organizations for a better outcome with regulatory requirements.


The Purpose of ISO 13485

The standard was developed by the International Organization for Standardization (ISO) to outline the standard for a Quality Management System (QMS) for the design and manufacture of medical devices.

The ISO defines “medical device” as “a product, such as an instrument, machine, implant or in vitro reagent, that is intended for use in the diagnosis, prevention and treatment of diseases or other medical conditions.” It is a stand-alone document designed for use by organizations of any size involved in any stage of medical device development, from design to production to installation to service of devices. Both internal and external parties can use the standard to support the auditing process.

ISO 13485 is the most common standard for quality management in the field of medical device development across the globe. Adoption of the standard indicates a commitment to the highest quality and safety across the development process, and it provides a foundation for QMS requirements.

While not required by all government entities, the standard does provide a good foundation for addressing regulations such as the EU Medical Device Directive and the EU Medical Device Regulation. In 2018, the FDA proposed a rule that would align US FDA 21 CFR 820 with ISO 13485:2016; this rule would make this standard the mandatory QMS for medical devices.

Note: The rule was set for release in 2019; however, as of December 2020, the rule was still forthcoming. Check for current guidance.


Requirements for ISO 13485 Adherence

Though adoption of ISO 13485 may look complicated or daunting, in reality, adhering to the standard helps eliminate some of the ad hoc nature of requirements and systems in the medical device field.

With increasing worldwide adoption of ISO 13485 by both companies and government entities, the medical device industry should start to realize some harmonization and consistency of processes and systems. This standardization will help streamline the industry overall and allow important innovations a smoother and potentially faster route to market.

The requirements to obtain ISO 13485 certification start with a QMS. ASQ defines a Quality Management System as “a formal system that documents the structure, processes, roles, responsibilities and procedures required to achieve effective quality management.” The QMS must include documentation that defines the overall scope and implementation of the QMS; important documentation includes Quality Policy, Quality Objectives, and Quality Manual.

Bottom line: these documents should address customer requirements. In addition, organizations need to create the mandatory and additional processes and requirements necessary for all stages of development. Examples of documents required by ISO 13485:2016 can be found here.

Key Takeaways from Our Complete Guide

  • ISO 13485 and systems thinking go hand-in-hand; teams will find that adoption of ISO 13485 directs them toward systems thinking.
  • Adoption of this standard will streamline processes and position medical device teams for better regulatory outcomes.
  • ISO 13485 is a stand-alone document; however, it closely aligns with ISO 9001:2008 and EN ISO 13485.
  • ISO 13485 and ISO 14971 are related, but ISO 14971 is more focused on risk management – the two standards can be used in tandem.
  • This standard is not mandatory; teams can develop a Quality Management System (QMS) without the standard as long as it meets regulatory requirements. However, adoption of ISO 13485 will create a QMS that is ideally positioned to meet the requirements of various regulatory and legislative entities, including the EU.

Jama Software’s Complete Guide to ISO 13485 for Medical Device Development covers requirements for adherence, the difference between ISO 13485 and other medical device standards, and steps for successful adoption and certification.



How EN 50128 Establishes Functional Safety Standards for Railway Software

In increasingly complex, rapidly evolving, and highly regulated industries, product development teams must build safety-critical products, while streamlining risk management and keeping accuracy and security at the forefront. This blog post will define functional safety and EN 50128 and explain why compliance with safety standards is critical to railway software and industrial manufacturing teams.

What is Functional Safety?

As part of the overall safety of a system or piece of equipment, functional safety is a key component that builds upon automatic protection. The best way to reduce risks in industrial manufacturing is to ensure automated protection systems have predictable responses to malfunctions or failures.

The concept of functional safety applies to everyday life and every industry you can think of. The International Electrotechnical Commission (IEC) provides this example of transportation functional safety:

“When you board a train, the subway or a cable car, functional safety ensures that the doors close before the vehicle departs and that they don’t open while it is in movement. They also ensure that the railway signaling system helps avoid that an oncoming train crosses your train’s path.”

When systems fail to operate, significant disasters can occur. Safety standards, such as EN 50128, are designed to reduce risk tolerance around these events.

What is EN 50128?

EN 50128 is a certification standard issued by CENELEC (the European Committee for Electrotechnical Standardization). The international version of this standard is IEC 62279. This standard specifies the requirements for railway applications, including communication, signaling, and processing systems for railway control and protection systems software.


According to Engineering360, the European standard “specifies the process and technical requirements for the development of software for programmable electronic systems for use in railway control and protection applications.” It is aimed at any practical use where there are safety implications. This European Standard applies exclusively to software, the interaction between software and its system, and all safety-related software used in railway control and protection systems, including:

  • Application programming
  • Operating systems
  • Support tools
  • Firmware

Why compliance with safety standards such as EN 50128 is critical to railway software and industrial manufacturing teams

Eliminating all chances of risk may not always be possible. However, manufacturers must continuously seek strategies to mitigate potential safety issues, which is why industry experts in industrial manufacturing have created standards such as EN 50128 and IEC 62279 to reduce risk and support the development of safety-sensitive products.

According to TUV SUD, “functional safety ensures that safety risks due to hazards caused by the mal-functional behavior of systems are reduced to an acceptable level. These safety risks are increasing in the rail industry as rail technology is becoming more and more complex, with both hardware and software interacting in different ways and components that are sourced from multiple markets.”


How Jama Connect® Can Help Organizations Achieve EN 50128 Compliance

Compliance is an essential goal for organizations in regulated industries, but it is not the only factor when delivering safe and reliable products to market. Organizations need defined processes for development and production and detailed end-to-end traceability to achieve compliance, from high-level user needs to validation and verification.

Jama Connect® is TÜV SÜD certified for developing safety-related products. Jama Software® is the first vendor that is both SaaS and Agile to receive the certification. In 2019, Jama Software completed additional certification as a software tool for railway applications according to EN 50128.

Focus and rigor in the product development lifecycle drive compliance as an outcome. While the ultimate responsibility of functional safety remains with the customer, Jama Connect eases the path to compliance so companies can focus on building products right.

Ensuring Compliance & Managing Risk with Jama Connect

Jama Connect is engineered to ensure quality with frameworks aligned to key industry standards which streamline design, development, testing, and risk management while maintaining compliance. Teams can quickly see the full historical context around a requirement when they contribute to a project — reducing the probability of errors as well as the time and overhead spent on risk analysis.


In this blog, we recap the “Implementing Requirements Management for ISO 21434” webinar.

As the automotive industry becomes more complex and more connected, cybersecurity is emerging as a major concern, and therefore priority, for development teams.

According to Juniper Research, there are 206 million cars on the road with embedded connectivity, and by 2025 the number of vehicles leveraging 5G embedded connectivity will surpass 30 million, with over eight million of those in the United States alone.

One standard in particular has been developed to address cybersecurity risks in the design and development of car electronics: ISO/SAE 21434, “Road vehicles — Cybersecurity Engineering.”

In this session we will discuss:

  • Overview of managing requirements in ISO 21434
  • Similarities between requirements for functional safety and cybersecurity
  • Updating an example requirements management data model for cybersecurity requirements
  • Proposal for implementing a TARA in a requirements management database

Below is an abbreviated transcript and a recording of our webinar.

Implementing Requirements Management for ISO 21434

Adrian Rolufs: Welcome to this webinar on Implementing Requirements Management for ISO 21434. My name is Adrian Rolufs, and today I’ll be taking you through the process we went through at Jama Software to update our data models for supporting 21434. I am the Director of Solutions at Jama Software, focused on our automotive and semiconductor business, and my experience is primarily focused on working with customers who are implementing requirements management and traceability solutions in the automotive industry. Today, we’ll go through an overview of what the impact on requirements management is from 21434. We’ll discuss the similarities between the requirements for functional safety and cybersecurity as it applies to requirements management. We’ll go through an example of how we updated the requirements management data model to support the cybersecurity requirements. And then we also have a proposal for how to implement a TARA in their requirements management database. We’ll go through reasons why you might want to consider such a solution. So, let’s dive into it.

First of all, let’s spend a little bit of time explaining what Jama Software is. Jama Software is a company that produces a requirements management solution. We focus on providing a complete tool for implementing a V model, all the way from high-level needs analysis into requirements and system design, through to integration and verification and validation. Our customers use Jama for managing requirements, building traceability to verification and validation, and reviewing all of that in a live online database to make sure that their documentation is of high quality, as well as making it as easy as possible for engineers to do that. And as you can see, there are a lot of companies across industries, especially in automotive, that have adopted our solution as their primary requirements management solution.

So let’s talk a little bit about the impact that 21434 has to requirements management. As you’re maybe familiar, there’s a number of clauses in 21434 focused on the cybersecurity engineering best practices for development of road vehicles. It focuses on development of electronic and software systems and specifically goes through and defines best practices for the processes for identifying cybersecurity risks, identifying ways to mitigate those risks, as well as development of the products that are going to implement features to mitigate those cybersecurity risks. And it supports the implementation of a cybersecurity management system which is required for many automotive manufacturers these days.


Adrian Rolufs: So within the framework of ISO 21434 there are specific areas that have the biggest impact to your requirements management process. The first one is within the cybersecurity activities and assessments. There are planning documents, there’s a cybersecurity case that has to be developed, and there are work products that have to be managed to be compliant with ISO 21434. And a lot of those have an impact to the work that would typically be done in a requirements management solution. So we’ll be looking at taking those requirements into account in how you would use a requirements management solution. The really core piece of it is the concept and product development phases of ISO 21434. Those directly result in new requirements that need to be managed, designed, that needs to be implemented to meet those requirements and verification and validation activities. And these are the core activities that are typically managed in a requirements management solution, like Jama Software’s Jama Connect.

This is also a really important area to avoid creating silos in an organization. It’s very easy to create different organizational structures for managing cyber security from traditional requirements management processes. And it’s our belief at Jama Software that all requirements should be managed in a comprehensive and consistent way so that development teams can easily see what all the requirements they need to meet, and the organization can track all requirements in the same way. This leads to higher quality products, leads to more consistency, and it leads to more on time delivery. So as we’ll see today, we have developed a framework that allows you to manage these requirement design and verification and validation artifacts that are specifically required for cyber security in the same way as you would manage other requirements in verification and validation.


Adrian Rolufs: So another standard that a lot of organizations are following when they’re thinking about cyber security is ISO 26262. So this is the standard for functional safety and road vehicles, and it’s very common that a product or a system that needs to adhere to the cybersecurity standards also will have functional safety considerations as well. And so it’s very common to have a process that needs to accommodate both of these standards. Fortunately, there are quite a few similarities between them so it’s quite easy to develop a process that can allow you to build systems that meet both standards. Both of the standards start from the identification of an item, which is also commonly the system that you are analyzing, and help you identify the risks to functional safety or to cybersecurity, and then derive new requirements on your system in order to be able to mitigate against those risks.

They both define a V model that allows you to organize requirements and validation and verification according to system engineering best practices. And they both cover the development of a conceptual system, the full system, and then the hardware and software within those systems. And specifically, they both focus on the electronics and the software that runs on those electronics as opposed to mechanical systems, which typically don’t really have a functional safety or a cybersecurity consideration.

So in order to bring those aspects of those standards into a requirements management data model, we need to take a look at what those standards require and how is that similar or different than how you would typically implement requirements management without taking those standards into consideration. So let’s take a look at the key aspects that feed into product development. So for many organizations, they’re already considering functional safety analysis as an input to their product development. So developing a new product starts with market analysis, understanding what the needs in the market are, understanding what types of products you could build to meet those needs. And that’s the key driver for the business justification for developing the products in the first place, and building a product that’s going to meet the needs of the market. So, that’s always the first and foremost consideration.

To watch the full webinar, visit: Implementing Requirements Management for ISO 21434



In this blog, we recap the “Understanding Integrated Risk Management for Medical Device” webinar.

Companies involved in developing medical devices understand the importance of risk management, but their approaches can vary significantly in terms of the time it takes to manage risk, the ability to connect risks to specific requirements and tests, and the capacity to pull together relevant documentation for an audit. To meet these challenges, medical device developers need a comprehensive approach to risk management.

In this presentation, industry and solution experts will explore how teams can integrate risk-based thinking into their product development lifecycle.

Attendees will learn more about:

  • Risk management in the medical device industry
  • Guidance and best practices to follow
  • How to manage risk analysis
  • The importance of risk traceability throughout project activities

Below is an abbreviated transcript and a recording of our webinar.

Understanding Integrated Risk Management for Medical Device

Mercedes Massana: So today we’re going to talk about risk management. First, we’ll start with the basics, the things we need to know to understand risk management, then we’ll talk about the elements of a risk management process, about some risk management tools that we can use, and then we’ll end with risk management and incorporating that into your traceability matrix.

So let’s start with the basics. So what is risk management? It’s the systematic application of management policies, procedures and practices to the task of analyzing, evaluating, controlling and monitoring risk. And in this case, we’re talking about product risk, not so much project risk, right? So all medical devices carry some level of risk, no matter how simple they are. There’s always some level of risk for the medical device, and we need to consider who can be hurt by the medical device. Who does this risk apply to? And that can be obviously the patient, but it can also be the operators or clinicians, right? The nurses. It could be bystanders, it could be service personnel working on the device. It could be even other equipment if we interfere with other medical equipment, and it could even be the environment.


Mercedes Massana: It is the responsibility of the manufacturer to determine how much risk they’re willing to accept, or the market is willing to accept for the intended use of the device. So the regulatory agencies don’t tell you what is acceptable from a risk perspective, but it’s up to the manufacturer to determine that.

So why do we practice risk management? Well, first of all, it’s so that we can produce safe products and release only safe products, right? So we want to prevent safety-related problems in the field. Having to recall product is very bad for companies, right? There have been companies that have gone out of business because of safety issues in the field. Having a good, well-documented risk management file can substantiate due diligence if somebody tries to sue you, so you have the documents that can help support that you did the right things.

It can also encourage a defect-prevention mindset. So when you start practicing risk management early on in development, you start designing with defect prevention in mind. You want to prevent defects that can cause harm and risk. It helps you identify potential safety issues early while you can still influence the design, right? And then, from a regulatory perspective, documents from your risk management files are always needed for submissions, and in audits, most likely these documents would be presented in audits.

And then it also allows risk-based decisions to be made throughout the product life cycle. So we think of risk management just as the product and things we need in order to get regulatory approval or to have in an audit, but really, having a robust risk management file can help us make decisions and verification, validation in manufacturing, even for our suppliers and what controls we ask them to implement. So having a robust risk management file can really help us in every facet of product development.


Mercedes Massana: So compliance is a big part of risk management. ISO 14971 is the application of risk management to medical devices. It is an FDA-recognized standard. It’s actually even called out in a couple of guidance documents from FDA, and it is referenced by a number of IEC standards. So we need to be compliant with ISO 14971 in order to get through FDA, and in order to achieve the CE mark. ISO 13485 mentions risk management 15 times, and it says that we must consider risk in supplier controls, for verification, for validation, in testing and traceability, for CAPA, even for training of personnel.

So this tells you how important risk management is to having a medical device, developing a medical device, and maintaining a safe device in the field. So risk management should be practiced first as a system-level activity, so we should start risk management from the top down. That means that very early in development, when we start our design efforts, we analyze the risk that the system can perform, just by knowing the intended use. We don’t even need to have a design. Then we attempt to mitigate those hazards and we drive risk controls through requirements that then get implemented in our design, so only the system can actually cause a hazard. The system might have many components, but unless I have all of the system put together, I can’t cause a hazard.

To watch the full webinar, visit: Understanding Integrated Risk Management for Medical Device



In this blog, we will recap a webinar on reducing risk in product development.

Over the last 20 years, product development complexity has expanded exponentially, creating innovations in areas such as space tourism, autonomous vehicles, satellite communications, and more. In this webinar, Kemi Lewis, Senior Consultant at Jama Software, will demonstrate how Jama Connect® creates Live Traceability™ through siloed development, test, and risk activities to effectively reduce risk in the product development process.

In addition to a walkthrough of the platform and our Live Traceability dashboard, we’ll cover:

  • The critical challenges to reducing risk in product development
  • Why deeming requirements “good enough” to allow teams to proceed with an acceptable level of risk culminates in static requirements, unplanned rework, and compounded product risk
  • How “Project management” activity is a fallacy — it is the management of requirements, people, risks, change, opportunities, expectations, resources, commitment, and suppliers

Below is an abbreviated transcript and a recording of our webinar.

Reducing Risk in Product Development

Kemi Lewis: Today’s agenda covers a deep dive into the critical challenges to reduce the risk in product development, what are the viable solutions to this problem, key takeaways, and wrapping up with a question and answer session at the end of the webinar.

Let’s get right into it. What are the main critical challenges that product development teams are facing? In my experience, the main factors that lead to adverse product outcomes and risk are, number one, no upfront and iterative collaboration during requirements and design creation and review stages due to limited customer and cross-functional team involvement in the review and approval of requirements. This lack of cooperation results in missed and misunderstood requirements driving the product design into severely costly errors later on.

Second factor, no digital thread connecting the product and team to the end to end product life cycle process. What do I mean by the digital thread? A digital thread is a data driven architecture that links together information generated from across the product life cycle and is envisioned to be the primary and authoritative data and communication platform for a company’s product at any instance in time. Without this digital thread, there’s no ability to track the life of a requirement through development, test and release.


Kemi Lewis: This missing digital thread results in static requirement documents rarely viewed by critical stakeholders maintained in Word, Excel or standalone tool used only by a few as a repository. I’ve personally experienced this at companies where only the systems engineers were accessing the repository and the rest of the product development team from product managers down to testing and integration engineers never accessed it.

You can only imagine how this turned out. Countless rework during testing and integration in addition to postlaunch rework this early, which was severely costly to the customer and left them very unhappy. So lacking this digital thread leads to no management visibility into crucial metrics for the end to end process and no identification of process risk patterns, such as delays in development, multiple test failures, rework cycles, etc.

Third main factor is having a low level of requirements management maturity. Let’s discuss this in more detail. Level zero: There are no formal requirements. So no documentation exists for user or system requirements. Instead, development operates off of user stories with no clear distinction between the functionality of the system being built and expected user experience. Level one: Document based requirements. Static requirement documents are created and most often maintained by each author on their desktop with various emails, Slack comments containing more information. This especially gets fun when you have to merge 10 different versions of the same document from 10 different people from 10 different timeframes, none of which have visibility to each other’s feedback in real time. I’ve seen this at several companies where they lose technical product proposals due to this inefficiency of being able to get a proposal out in time representing the right design specifications of their product.


Kemi Lewis: Level two: Siloed requirements tool. A standalone tool in place to draft review, track comments, version and store static requirements documents, compliance steps, limited reuse, defects and recalls. Level three: System based compliance. Compliance is the forcing function to shift from static to live traceability to meet standards for requirement validation, verification and traceability into a single end to end system. Level four: Product risk reduction. A process centric focus to reduce the likelihood of all forms of product risk via a system enabled live traceability. This requires detection and alerts for specification and functional changes, process exceptions and test failures with resulting impact analysis. The risks mitigated include failure to meet the needs of the customer, failure to perform specific functions, delays, cost overruns, defects, compliance and regulatory gaps, delays and fines in addition to recalls.

And the last level of maturity, level five: Development process improvement. Moving past compliance and risk into the spirit of standard based on quality management and process control. These stages place focus on measuring, managing and improving the product development process. The unintended result of this fragmented process is that critical functions such as requirement, traceability, verification, validation, risk mitigation, product integration and compliance are often fraught with information gaps, defects, delays, reworks, recalls, missed requirements and significant manual effort. This includes all areas of the complex product system and software delivery life cycle that can experience negative outcomes and should be actively managed to reduce the likelihood of appearance, such as performance.

Watch the full webinar to learn more about Lessons Learned for Reducing Risk in Product Development

One of the early steps I advise my clients to take when developing their medical device is to determine the class and classifications of their medical device. In conjunction with the complexity of the device, understanding the class and classification sets the foundation for your product development timeline and effort. 

This post gives a basic introduction to FDA medical device classes and classifications and the implications for your product development schedule and requirements management. 

What are FDA medical device class and classifications? 

The FDA established three regulatory classes based on the level of control necessary to assure the safety and effectiveness of the device. Classification is based on the intended use of the device and indications for use, as well as the risk the device poses to patients and users.   

There are three classes: Class I, Class II, and Class III. Class I devices are those with the lowest risk, Class II devices have a greater risk, and Class III includes devices with the greatest risk.   

The FDA also established classifications for over 1,700 generic types of medical devices and grouped them into 16 panels, or medical specialties. Example panels include Cardiovascular Devices and Radiology Devices. Each of the generic types is assigned as Class I, Class II, or Class III. 


Impact of the device class and classifications 

The class and classification of the device impact which FDA premarket submission or application is required for clearance to market. The common premarketing submissions or applications for each class are:

Note: These are the common regulatory submission and applications for each class of device. There are exemptions, limitations on those exemptions, special controls that may apply, and exceptions, so be aware whether any of these applies to your device. For example, about a quarter of Class I devices are not exempt, and a 510k premarket submission is required. 

As the process for the 510k submission is 30-90 days, and the process for the more in-depth PMA submission is 180 days to accept or reject, this time should be understood and planned into your product development schedule.   


Similarly, expect elements from the required design control process and design history file to be included as part of a 510k and PMA. Also keep in mind that when design controls are required for your device classification, the full design history file can be scrutinized as part of an FDA inspection of your organization. Since the FDA evaluates whether a device is effective and ensures the risk to the patients and users is appropriately addressed, good requirements and risk management is key. It’s important to have an organized manner in which to demonstrate and document that risk management and user needs are successfully traced through design inputs, design verification, and design validation. A requirements management tool like Jama Connect™ allows for this traceability in an efficient, collaborative, and regulatory-compliant manner. 

Understanding your device class and classification is a key step to understanding the path for FDA regulatory clearance and subsequent design control requirements for your medical device development. Knowing those expectations up front will make for a smoother medical device development journey.  


Risk Management

Medical Device Risk Management

Medical device developers must ensure risk is addressed as a core activity. The ISO 14971 standard, which has been revised three times, provides a proven and flexible framework around which developers can effectively manage the risk of devices for patients and stakeholders. Knowing the standard and applying some aspects of it in a reactive way is not sufficient to create a safe product. Implementing an effective, proactive process and achieving live traceability throughout development, while adhering to the standard, will result in a higher-quality and safer product fit for market use.

In this blog, I will share how proactive risk management along with Live Traceability™ are two key areas that every medical device developer should focus on when it comes to risk management.

Reactive vs. Proactive

A lot of medical device developers do not prioritize risk evaluation throughout the different design stages, but instead, consider risk a checkbox activity at the end of development. With important prototype deadlines, limited funding, and resource constraints, it’s very easy to make excuses for not running risk evaluations of initial user needs but waiting until entire subsystems have been designed. This may seem like a minor hiccup, but the lack of ongoing risk assessment from an early stage can be very risky for FDA approval, future patients as well as your business’s bottom line and reputation. The later that risk is addressed, the more expensive changes are to incorporate. Delays become the norm as well as budget overruns.


Live Traceability

The number one cause of inspectional observations, product recalls & delays, increased CAPAs, and cost overruns is the lack of live traceability throughout different development stages. With complex medical devices, there can be thousands of user needs, product requirements, risks, mitigating requirements, tests being executed, and defects logged. At Jama Software, we’ve noticed that a lot of medical device developers are using different technologies and applications to store this information including Excel, Jira, Word, and others. The below image depicts that and shows the siloed world a lot of engineering teams are living in:



Unless you have a real-time system that can interface with spreadsheets, tools like Jira and other applications, it’s impossible to get a holistic view of development. This can cause several issues, some of the most critical being:

  • Late identification of defects/coverage gaps due to lack of visibility throughout the development process
  • Lack of requirement coordination and change management between hardware/software
  • Lack of ongoing risk assessment and change management
  • Cumbersome and risky effort to produce trace reports and other DHF artifacts


Without Live Traceability, risk teams can’t be effective in mitigating potential failures or hazards. Outdated and manually updated trace reports and spreadsheets can’t be relied upon. What if there was a way to get a real-time view of traceability throughout development?

At Jama Software, we’ve created the capability for our product development platform to integrate seamlessly with tools like Excel, Jira, and others straight out of the box, and we are proud to be the only vendor on the market that can help engineering teams realize Live Traceability. Risk should be a priority, not a checkbox item!


This is Part 2 of a series examining the role legacy requirements management solutions, such as IBM® DOORS®, play in introducing project risk to the product development process. To read Part 1, visit Why Migrate, Why Now?: Part 1

5 Common Migration Myths Debunked

Transitioning to a new solution doesn’t have to be challenging; however, there are some assumptions that mislead us into thinking that difficulty is inevitable. Consider the following myths:

MYTH 1: Migrating away from IBM solutions will be more expensive. The amount of work that goes into upgrading to IBM DOORS Next or transitioning to a new RM solution is the same, differentiated only by the quality of the tool and services available to help with migration. An option other than the DOORS family is most often a better fit for your organization.

MYTH 2: Customization will carry over to DOORS Next. You spent a lot of time customizing IBM DOORS and may believe those customizations will transition seamlessly to DOORS Next. However, this isn’t the case and is the reason selecting a different solution doesn’t involve more work.

MYTH 3: DOORS is already deployed and cheap to maintain. Continuing the current path with IBM DOORS is an expensive option in the long term, and often requires dedicated personnel. Switching to an alternative RM solution can improve efficiency while saving money.

MYTH 4: Business disruption is too difficult. The right RM tool will empower teams to effectively hit deadlines, collaborate, and improve business outcomes.

MYTH 5: The user experience will suffer. Many people refuse to use DOORS due to a challenging user experience. DOORS Next is a completely new tool with a new user experience. Adopting a user-friendly solution allows teams to collaborate far more effectively as team members can accelerate concepts, designs, and validations for faster times to market.


The fact is, IBM® DOORS® is extremely outdated, and at some point, updates and support will inevitably end.

If you’re currently using DOORS, you likely know that moving to a different solution is necessary, and you might be considering DOORS Next. However, fast-shifting market dynamics require a new approach to accelerate innovation. As a modern alternative to traditional legacy platforms, Jama Connect® enables digital transformation with a more efficient and user-friendly approach to managing risk and compliance.

Customers agree, naming Jama Connect the overall leader (#1) in requirements management software on G2, outranking IBM DOORS Next for implementation time, adoption, ROI, and market presence.

Jama Connect is a proven IBM DOORS alternative with flexible and reliable solutions, including:

  • Operation in an IBM DOORS supply chain. “Innovative companies leverage Jama Connect to get up and running fast with a modern requirements management process that tightly aligns with industry standards and practices that support regulatory compliance. Organizations can connect to customers and suppliers that use IBM DOORS through Data Exchange for Jama Connect.”
  • Integration services. Jama Connect provides integration with key product development lifecycle tools.
  • Coexists with IBM DOORS. IBM DOORS is embedded in many organizations and may take some time to migrate completely. Progressive teams and divisions can get started on Jama Connect quickly while the larger organization works toward replacing existing programs over time. This approach is supported through a mix of integration, migration, and exchange services.

“Jama Connect lowers the complexity and burden of having to manually keep requirements, architecture and specifications all in sync and traced to each other. It’s a formidable problem that is virtually eliminated courtesy of Jama without the hassle of having to learn a clunky UI (IBM DOORS).” Alan M., Chief Product Officer

Jama Connect® created Live Traceability™ management which reduces project development risk by forming a digital thread through siloed development, test, and risk activities. The flexible platform is designed to support the end-to-end product development process with:

  • A simple, single repository so it’s easy for remote teams to gather, review and execute on requirements.
  • Structured reviews and collaboration — teams can elicit feedback, review product features in real-time with stakeholders and track critical decisions across teams and locations.
  • Change management throughout product development — end-to-end traceability and real-time collaboration improve visibility and make it easier to adapt to changes and track their impact.
  • Integrations across the ALM-PLM ecosystem.

Moving from IBM® DOORS® Next to Jama Connect® for Requirements Management

To adapt to shifting and ever-increasing challenges and complexities and keep pace with the competition, innovative organizations are now requiring best-in-class software to scale development, reduce risk, save time, and ensure compliance to quality and safety regulations.

Download this paper to learn how Jama Connect stands out above DOORS Next in the G2 Summer 2021 report for requirements management in the following areas:

  • Overall satisfaction
  • Implementation
  • User adoption
  • ROI

Go live with Jama Connect 2.7x faster than IBM® DOORS Next®

In Conclusion

Products, systems, and software development are only getting more complex and not modernizing your requirements management process will increase the probability of negative outcomes in your product development process.

As your team requires the ability to adapt, innovate, and grow, continuing to use IBM DOORS will become more difficult and will introduce significantly more risk in your product development process. Think about DOORS as a landline rotary phone that stopped being on the receiving end of upgrades after the industry switched to marketing push-button touchtone phones. (And now there are smartphones available, which are mobile and make you even more connected and productive.)

Transitioning to new technology provides your teams with the tools required to innovate, meet deadlines, and succeed. A modern requirements solution can help you to define, manage, and validate complex systems requirements while eliminating the risks and inefficiencies associated with documents and legacy systems.

Hear about the experiences of the more than 50 companies that have made the switch from IBM DOORS to Jama Connect.

Connect with us today to learn how you can enable end-to-end compliance, risk mitigation, and process improvement with our intuitive, award-winning requirements management platform.

To read this series in its entirety, visit this whitepaper: Why Move Away from IBM Doors Legacy and Why Now


Requirements and Risk Management

Congratulations!  Your organization has gained regulatory approval and launched its medical device product.  The ‘History’ in Design History File may elicit impressions that all those design and development requirements are now done and considered part of the past.  However, several components of the DHF continue as a reference and evolve, including requirements and risk management.  Here are 3 ways active management of requirements and risk continues after commercialization:

1: Post-market surveillance

Once your medical device is on the market, post-market surveillance programs, including complaint management processes, must now be exercised.  That includes evaluating feedback, determining if it is a complaint, investigating complaints, and determining whether to initiate corrections or corrective actions.  As part of this process, requirements and risk management are being used in 2 ways, 1) as a resource to evaluate complaints and 2) a living document to be updated with the experience gained.

As a resource, it is important to reference risk management files to determine if the frequency of occurrence and types of failure modes documented during design and development match the in-field data being gathered.  A more frequently occurring failure or a new failure mode indicates that an investigation and a re-evaluation of the risk are warranted.  Depending on the outcome, corrective action may be needed.

For example, during design and development, it was determined that a sensor failure leading to customer annoyance occurred rarely, leading to a low risk rating at the time of market launch.  The first year on the market, reports of this failure occurred rarely, matching the occurrence rates in the risk management file.  Given the low risk and lack of trend, further failure investigation and corrective action were not taken.  However, one year later, a change in supplier coincides with a change in occurrence from rarely to frequent, leading to a medium risk.  This increase in risk prompts an investigation to determine why the sensor failure rate is higher and to determine corrective actions and controls with the new supplier.

As a living document, the risk management files are to be updated with the observed occurrence rates, new cause(s) of the failure mode of the sensor, mitigations and controls put in place, resulting verifications, and revised risk rating.

2: New Products

Another reason requirements and risk management continue once a product is commercialized is to aid in the development of new products, including line extensions, new models, and next generation platforms and portfolios.

The existing product’s requirements and risk management, supplemented with what is learned from post-market surveillance and other feedback from the field, provide the foundation for new products.  A requirements and risk management tool like Jama Connect® can simplify the management of requirements and risks shared between products to keep teams aligned and prevent requirements or risks being missed during the transfer from one product’s design history file to another.  Likewise, line extensions can be more easily incorporated into an existing design history file if requirements and risk management have been properly updated as needed and are accessible.

3: Change Control Evaluation

Change control evaluation is another way management of requirements and risks continues after commercialization.  Changes to a product and how it is manufactured occur for many reasons, including replacement of a component that has reached its end of life from a supplier, software upgrades to address bugs, duplication of a manufacturing line, and changes that address complaints.

Changes must be evaluated as to their impact on the form, fit and function of the product, and can have varying degrees of potential impact.  Well managed and active requirements and risk management, with traceability to design outputs and verification, become a strong tool for organizations to evaluate the potential impact more quickly.

For example, say a temperature sensor was added as mitigation to prevent overheating of a medical device; overheating that could result in burns to the patient.  The sensor, including the necessary accuracy, is listed as a control for the risk of overheating and burns.  There’s also a corresponding design requirement, and the sensor and its specification are linked as design outputs.  The supplier of the sensor has recently informed the medical device manufacturer that the sensor is reaching its end of life and will no longer be available in 6 months’ time.  A change owner is assigned to identify and evaluate a new sensor.  This person is most likely not the same engineer who originally designed and selected the first sensor.  And the original engineer may or may not still be with the organization, and may not remember why that sensor was selected.  This is where having accessible and well managed requirements and risk management becomes important.  The change owner can reference and look up the sensor, see the design inputs and risk with which it’s associated, and understand more quickly the criticality of the sensor and ensure the proper selection and testing are performed on a new sensor.

While change post-commercialization is inevitable, difficult change control management is not.


Beyond Commercialization

Management of requirements and risk extends through the entire life cycle of a medical device, including after a device has gained the necessary regulatory approvals and reached the market.  Thus, take care in selecting the tools and developing the processes your organization uses for requirements and risk management.


Requirements and Risk Management

In this post, we will discuss why start-up medical device companies should prioritize requirements and risk management before a quality management system.

As a medical device product development consultant, I often see start-up companies having trouble deciding what to prioritize – design controls and risk management or the quality management system (QMS).  And what they mean specifically is, which software systems should the company invest in first – the requirements and risk management solution that will aid in building a regulatory compliant design history file, or the electronic-QMS system to establish the FDA required and ISO 13485-compliant QMS?

From my experience over the past 15 years, here are the 3 reasons why I advise start-ups to prioritize requirements and risk management over an eQMS system.

1. Design controls and risk management processes start earlier

For best product, schedule, and compliance success, incorporating design controls should be done proactively instead of reactively.  Companies are typically developing their medical device from day 1.  This is compared to other QMS processes that may not be used until years later when the product is being transferred to manufacturing and being commercially distributed.  A few of these other processes include non‑conforming materials, device master record, product change control, and complaint management.

Thus, purchasing a full eQMS system earlier than necessary results in paying for functionality that may not be used for years.  That is of low value to the start-up closely watching its funds.

In contrast, as the medical device is being developed from the onset of the company, the benefits of requirements and risk management solutions can be realized very quickly and much sooner than a full eQMS system.

2. Requirements and risk management is often unwieldy

Unless your device is ‘simple’ (for example, no software, no electro-mechanical parts, a low-risk Class 1 device), thoughtful consideration should be given to the processes and solutions that will manage the various requirements and risk management for your medical device development.  Organizing all the user needs, design inputs, regulatory requirements, requirements from industry standards, system requirements, sub-requirements, and risk management can quickly become unwieldy without proper management.

In my experience, even a Class II electro-mechanical device can easily approach a thousand line items to manage and connect.  Add on embedded software or a digital interface, and that number can easily jump to multiple thousands of line items or more, depending on the complexity of the medical device.  A solution like Jama Connect® has immediate value to ensure all items are linked, traced, verified, and validated for a regulatory compliant design history file and medical device file.

3. In the early years, a company can create and manage a regulatory compliant QMS without an all-electronic system

Does forgoing the eQMS mean settling for a non-compliant QMS?  No.  A company can implement a regulatory compliant QMS without an eQMS system.  SOPs can be implemented in stages, prioritized on the stage of the company.  These SOPs, along with a cloud-based document sharing repository, are often sufficient in those early product development years.  As the company approaches transfer to manufacturing and commercial distribution, then is the time to evaluate whether it’s time to transition to an eQMS system.


In summary, these are the three reasons I advise start-ups to prioritize requirements and risk management first before an eQMS system.  This path allows for the development of a successful product and compliant design history file, as well as establishing the rest of the quality management system, all in a practical manner that maximizes value and meets regulatory expectations.