Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Innovation News Network, titled “Why penetration testing is critical to every robust cyber security strategy” – originally published on November 2, 2023.
A big “Thank You!” to Chris Dickens for a great article. As part of our security program here at Jama Software, we have a layered approach to security tests and scans. Scans are done on every build, automated tests are run on every build, and active PEN tests are done multiple times per year. As the only SOC 2 Type 2 product in the space, we have set a high bar for ourselves because we know the importance of security to our customers.
Why Penetration Testing is Critical to Every Robust Cyber Security Strategy
Chris Dickens, Senior Solutions Engineer at HackerOne, outlines an effective penetration testing strategy.
Digital transformation has become an essential requirement for any business that wants to remain competitive in an increasingly digital global landscape.
However, it’s not always straightforward. In many cases, digitizing key processes can expose businesses to a wide array of new cyber security risks they aren’t used to, potentially leading to damaging breaches, attacks and/or loss of sensitive data if they aren’t careful.
In order to protect against such threats, a well-rounded cyber security strategy needs to be put in place alongside any digital transformation initiative.
However, cyber security isn’t a ‘one and done’ activity, strategies must be continuously evaluated and tested to ensure they remain effective.
Cyber criminals constantly evolve their attacks, so cyber security must also evolve. Whatever works now will likely be outdated in just a few weeks or months.
One of the best ways to stay ahead is through regular penetration testing (pentesting), which can give companies a fast, accurate snapshot of the current state of their cyber defences. This point in time activity features ethical hackers putting themselves into the shoes of malicious actors in an attempt to breach a system’s security for the purpose of vulnerability identification.
Typically, both humans and automated programs are used to research, probe, and attack a network using various methods and channels known to be used by cybercriminals.
But too many still don’t fully understand how pentesting works, or how they can effectively implement it into their wider security strategy.
The era of secretive, closed-door penetration testing is a thing of the past. In those days, you had to depend on the skills and schedules of usually big companies, enduring long waits, and limited insight into the results and tester’s actions.
Nowadays, penetration testing has evolved significantly. It often commences within a few days and is typically conducted on a smaller scale more frequently. This transformation is credited to innovative platforms that offer real-time transparency into the testing process and a more inclusive approach when bringing testers on board.
The emphasis is now on results and experience from the ethical hacking community rather than formal education and certification. The creation of new AI-based hacking methods and willingness to test source code has also greatly improved the output.
While this may sound quite daunting for the business involved, pentesting is an incredibly effective way to discover major vulnerabilities in their security before they can be exploited, which is critically important for keeping sensitive data safe.
Arguably, penetration testing’s best advantage, however, is its thorough coverage and documentation. Due to its in-depth and refined testing, in most cases, vulnerabilities are discovered and documented, including details on how the bug can be exploited, its impact on an organisation’s compliance, and advice on how to remediate the issues.
Unlike other offensive security engagements, pentesting also allows organisations to test internal systems alongside unfinished applications – this is especially useful when leading up to a new product announcement or organisation acquisition.
Using pentests to inform both present and future security strategies
As mentioned, pentesting is a great way for businesses to gauge the effectiveness of their existing security defences at that moment in time.
However, too many organisations tend to treat it as though it’s the beginning and the end of the process, which it isn’t.
Pentesting is a tool, not a strategy, and as valuable as they are, pentests are only useful if the results are translated into an effective overall security strategy for the future.
An effective modern pentesting strategy should contain the following elements:
Establish key security priorities- First and foremost, businesses must determine what they need to protect. While it’s impossible to protect everything all the time, key assets should be prioritized based upon the damage the asset would cause if it was to be compromised. Typically, highly sensitive information such as proprietary IP, competitive and legal information, and personally identifiable information (PII) will be top of the list.
Get security buy-in from all employees- A sustainable security culture requires buy-in at all levels of an organization, from the executive board to the reception desk. If every employee takes responsibility for company security, it’s much easier to build a model where risks are shared, and teams across the company can scale securely.
Use pentesting as a regular security touchpoint- Regular penetration testing is a great way to promote a more proactive approach to security. All too often, organizations aim to meet only the minimum requirements for compliance – and believe themselves to be secure, which is a highly risky strategy. By contrast, combining regular pentests with bug bounty programs provides a continuous feedback loop that allows companies to quickly identify new vulnerabilities and deal with them before they come to the attention of malicious actors.
Make robust cyber security a strategic differentiator- A recent study by PwC found that 87% of global CEOs are investing in cyber security as a way of building trust with customers. If the lifeblood of the digital economy is data, its heart is digital trust. Organizations with a sound security strategy can quickly turn it into a strategic differentiator for their brand, which is invaluable in highly competitive business sectors and industries.
The best cyber security strategies can quickly adapt to change
Modern enterprise security is not easy. As more businesses embrace digital transformation and cloud computing becomes the new normal, reliance on IT is at an all-time high.
Consequently, even a small data breach can potentially have a devastating impact. On top of this, attack surfaces are exponentially larger than they were just a few years ago and continue to grow at an alarming rate.
The best practice approach for security teams is to color outside of the lines by infusing new and independent thinking. With this in mind, penetration testing offers much more than just a scan and definitely more than a tick-box compliance requirement.
By developing a cyber security program that employs an agile approach, organizations can prioritize flexibility and make rapid changes when needed.
Engaging ethical hackers enables organizations to deploy an army of specialized experts that will work around the clock to identify vulnerabilities and conduct pentests for both regulatory compliance and customer assessments. In today’s highly competitive and volatile business environment, few organizations can afford to forego such a crucial security advantage.
Contributor Details Chris Dickens – Senior Solutions Engineer, HackerOne
https://www.jamasoftware.com/media/2024/01/spotlight-ad.jpg5121024Jama Software/media/jama-logo-primary.svgJama Software2024-01-18 03:00:552024-01-19 15:24:03Why Penetration Testing is Critical to Every Robust Cyber Security Strategy
2024 Predictions for Product and Engineering Teams
As Product and Engineering Teams move into 2024, we aim to gain a deeper insight into the factors driving transformation in the development of products, systems, and software and explore how teams within this industry are adapting to meet the challenges posed by these evolving complexities.
We like to stay on top of trends in other industries as well. Read our predictions for Automotive predictions HERE, Aerospace & Defense HERE, Industrial & Consumer Electronics (ICE) HERE, Medical Device & Life Sciences HERE, and SoftTech HERE.
Design Trends – What are the biggest trends you’re seeing in your industry right now? How will they impact product & engineering teams through product, systems, and software development?
Josh Turpen: Software continues to eat hardware. This trend is accelerating in the complex product space, particularly in automotive. This is driving companies to be “agile” but at the cost of quality.
Preston Mitchell: The big trend will be how to focus using the emergent Artificial Intelligence (AI)/ Large Language Models (LLM) solutions so they actually help the team be more efficient or profitable. Plenty of emerging tech in the AI space but remains to be seen how “useful” it will be. There is a huge opportunity to leverage this in ways that are beneficial for teams with the right focus. For example, we’re just starting down this path at Jama Software® with Jama Connect Advisor™, which helps train business analysts/product managers / engineers on how to write their requirements in more concise fashion with less ambiguity.
Biggest Challenges – What are some of the biggest challenges you think product & engineering teams will be working to overcome in 2024?
Turpen: Quality at scale and speed will continue to be a problem. This is exacerbated by the increasing complexity in software.
Opportunities – What are some of the biggest opportunities you think product & engineering teams should be considering in 2024?
Mitchell: Automation. Consider where automation can reduce the complexity and time needed to deliver large scale products. I’ve worked with hundreds of companies that build very complex products and I’m still amazed at how many of their internal processes are manual. AI will certainly be the 2024 buzzword – but currently most AI tools are still beta and rely on a human to prompt for an answer – not exactly automating a repeatable process. When I mean automation opportunity I’m talking about the low-hanging fruit of manual business processes – for example, automating task links between multiple engineering tools.
Regulations – What changing regulatory guidelines do you anticipate having an impact on companies in 2024?
Turpen: Companies that seek to identify risks (not just in products, but in process) will come out on top. Anti-fragile product development pipelines are the logistical super-power for the next phase of product development.
Tool Innovation – From a product & engineering toolset perspective, what are some of the processes you think forward-thinking organizations will be working to leverage or incorporate into their process and why?
Turpen: Moving from the individual engineer to the team/product pipeline will give management the opportunity to intervene early to reduce risk. Products that are focused on a best-of-breed world will give companies a leg up on legacy vendors and their suite approaches.
Mitchell: Forward-thinking orgs will adopt data-driven assessment of the product development lifecycle. Today there are no generally accepted measurements of Research and Development (R&D) efficiency. It’s hard for organizations to predict if a product will be delivered on time and without defects. Launch delays and regressions are common and almost generally accepted. Organizations commonly measure a product’s performance after it is launched (revenue, profit, adoption.) Why don’t we measure what happens before it is launched? Why don’t we measure the R&D lifecycle? Forward thinking orgs will adopt ways to measure their development lifecycle to they can better predict success or failure…and some may not like what they find.
Cybersecurity – What role will cybersecurity play in product & engineering development in the coming year and beyond?
Turpen: Cybersecurity will be baked into requirements and, therefore, products for everything from thermostats to ADAS.
Survival Factors – In your opinion, what are the biggest differences between product & engineering companies that will survive to see 2030, and ones that don’t?
Turpen: Agility tempered with quality will be the common trait of survivors. We’re already seeing companies get slapped with criminal charges based on their inability to see and manage risk.
Mitchell: With the hot economy and low interest rates before recent inflation there was a lot of investment in new startups and emerging technologies — think self-driving cars and AI. The economy is still doing well, but tempered with higher interest rates, so the investors of years past are looking for a return on their prior investment and will be more tempered with any new bets they place. The companies that survive to see 2030 will be the ones that find clear use cases that people are willing to pay for in these emerging technologies. New products and tech just “because it’s cool!” will not survive without a commercialization path.
Advice – What advice would you give to new product & engineering teams entering the market?
Turpen: Move fast and KNOW what you’re going to break.
Mitchell: Ask questions and seek advice from your peers or mentors who have built something before in your industry. Determine who your ideal “first customer” would be and work hard to speak with them, show them your early prototypes, and validate your assumptions about what they need.
Emerging Topics – What topic(s) do you wish companies were paying more attention to?
Turpen: Management of the engineering process.
Mitchell: Solving very easy efficiency problems in the engineering process like automating flow of data between disparate systems. I just spoke with a customer whose testers were redundantly logging defects in two different systems! Come on! Set aside some time to automate that process!
Identifying Mistakes – What is the biggest mistake you see product and engineering teams making right now?
Turpen: Throwing money at hard problems with little understanding of success and no management of the outcome.
Mitchell: Assuming a tool will solve their problems. Process first, then tool.
Innovation – What is the most innovative thing you’ve seen with product and engineering teams this year that you anticipate other companies following suit in coming years?
Turpen: Moving away from the “big meeting” to an asynchronous, stateful collaboration process.
Predictions – What do you think will remain the same in your industry throughout 2024?
Turpen: Companies who think the answer to their engineering process problems is a monolithic tool will continue to lose ground and engineers to their competitors.
Do you think there will be any major disruptors for product & engineering teams in the coming year? How do you think it will impact the industry?
Turpen: We’ll see the first set of major Intellectual Property (IP) lawsuits based on uncontrolled LLM. This will force companies to think about security and IP protections in their own AI development.
Mitchell: This will not happen in one year, but I foresee AI solutions replacing the need for traditional learning assets like static help guides, training videos, and maybe even support sites. Users don’t need to read a help guide, watch a tutorial, or submit a support ticket if an AI assistant is guiding them in the process and available for quick questions. Effort to build those types of traditional learning assets will be redirected to investments in AI assisted “on the job” learning while using the product.
What do you predict for product & engineering regulations in 2024?
Turpen: A continued increase in the importance of security/safety regulations in the automotive/medical industries with more penalties for poor performance.
Will those trends still be prevalent 5 years from now? 10 years?
Turpen: Yes, this is an area that will only grow in complexity and impact.
https://www.jamasoftware.com/media/2024/01/2024-1-11-2024-product-and-engineering-predictions-2.jpg512986Jama Software/media/jama-logo-primary.svgJama Software2024-01-11 03:00:472024-01-12 18:27:472024 Predictions for Product and Engineering Teams
In this blog, we recap our webinar, “Critical Alignment for Security, Safety & Product Development Team” – Click HERE to watch it in its entirety.
Critical Alignment for Security, Safety & Product Development Teams
Break down silos to unite teams for the future of vehicle technology!
Safety, security, and development teams tend to work in silos due to differing objectives, tooling, and methodologies; historical contexts; educational backgrounds; and even fundamental terminology.
The increasing interconnectivity of vehicles makes it hard to separate safety and security from development. In the complex world of software, teams must break down silos, foster collaboration, and streamline documentation to ensure agile development and adapt to evolving demands.
In this webinar you will learn:
Why it’s important to have compliance teams speaking the same language
What we’re seeing and expecting from the industry to bring these specialized teams closer
How to keep security, safety, and development teams aligned using Live Traceability™
How to avoid rogue development and keep track of progress with Traceable Agile™ practices
Discover how Jama Connect® can empower Automotive and Semiconductor development teams to improve their end-to-end lifecycle and avoid costly rework.
Below is an abbreviated transcript of our webinar.
Kevin Dibble: I’d like to talk about the agenda for today and focus on the word alignment because that’s where we’re going to cover how we bring together cybersecurity teams, safety teams, product development teams, and even project management.
There’s a lot of siloing and opportunities in organizations for these specialized groups to work separately. But we’re going to talk about the importance of bringing these teams together and show some enabling technologies around live traceability and traceable Agile practices. So that’s the focus for today. But first, let’s start with the problem, and I want to isolate safety and security to begin with. So how are teams working today in these two functional areas?
With the puzzle piece in the middle, I’m trying to communicate that these teams want to work together, but the puzzle doesn’t quite fit yet. So let’s look at some of the underlying reasons why.
First, with functional safety, the standards for functional safety in automotive, ISO 26262, has been around since 2011, and the safety work’s been around even longer than that. So for OEMs, tier ones, and even some tier twos, the organizational competency, processes tool, the culture of safety are quite mature.
But on the right side, we have cybersecurity, which in automotive is a new discipline, with new standards, new audits, and assessment requirements, and requirements coming very rapidly from OEMs and tier ones worldwide.
Dibble: These teams are going through training. The processes for doing product development according to standards like ISO 21434 are new or in development still. The discipline itself is new and transforming out of IT security. And so this helps to understand perhaps some of the underlying factors of why these teams might be working separately or not working exactly on the same page.
Which leads to a silo situation. And I’ve got functional safety on the right and cybersecurity on the left. Both of those standards and both of those disciplines require automotive V-Model development, with strict requirements for documentation, quality, and compliance with the V-Model.
And so what’s happening is that the organizations pulling together these disciplines along with product development are doing some sharing in risk analysis, and basically handing requirements to product development teams, and not yet in a stage where they’re fully collaborating. And that presents some problems. And it adds some risk.
A couple of examples here are both safety and security risk-based standards for understanding how we mitigate the risk of something wearing out like hardware or defects that could cause safety issues on the one. And then on the cybersecurity side, how do we mitigate the risk of an attacker using a threat to infect or change the behavior of a system?
The controls or the mitigations for those two types of risks might result in conflicting requirements. For example, how to handle a communication channel, and I’ve given you an example right here.
Those two teams have to work together along with product to solve those differences, as well as to build an integrated system that at the end of the product release cycle we’re not finding surprises in terms of conflicting requirements and implementations that don’t work together cohesively. And so that’s one of the areas cyber and safety silos can cause problems.
Dibble: Now, we’ve heard about safety issues, recalls, and unfortunately crashes and fatalities for years. But I want to highlight some of the things that are being written in the press even recently about the threats that cybersecurity is now trying to address. From taking control of fleets of vehicles to shutting down production lines to causing safety-related hazards potentially, these are very real threats, and this is why the industry is moving so quickly to adopt the new cybersecurity standard.
To be able to tie together the disciplines of safety and security as well as product development, communication is critical. These safety analysis and threat analysis can’t happen in a vacuum. The teams have to work together, and this is where that alignment concept becomes so important.
Also, both these standards, 21434 and ISO 26262 require the establishment of communication channels between safety, security, and other disciplines like quality. So the developers of these standards certainly were aware of the need for these teams to talk and to achieve alignment.
https://www.jamasoftware.com/media/2024/01/Copy-of-compliance-made-easy.png5121024Jama Software/media/jama-logo-primary.svgJama Software2024-01-10 03:00:332024-04-05 13:30:52[Webinar Recap] Critical Alignment for Security, Safety & Product Development Teams
In this blog, we’ll recap our eBook, “What You Need to Know: ANSI/AAMI SW96:2023 — Medical Device Security” – Click HERE to download it in its entirety.
What You Need to Know: ANSI/AAMI SW96:2023 — Medical Device Security
A comprehensive guide to understanding ANSI/AAMI SW96:2023 and mitigating security risks
Introduction
Managing risk around a medical device’s entire lifecycle has become increasingly complex. Many devices use third-party components, which is especially true for devices that require a network to operate. This increased need for connectivity, along with other emerging threats, is putting security at the forefront of medical device industry standards.
A recent report titled “2023 State of Cybersecurity for Medical Devices and Healthcare Systems” found 993 vulnerabilities in the 966 medical products it examined—a 59% year-over year increase from 2022. Software applications, including those that medical devices relied on to work, accounted for 64% of the vulnerabilities found.
With device vulnerability increasing, new standards aim to keep up with emerging threats. As a result, ANSI/AAMI SW96:2023 was created to help protect against threats, understand risk, and guide manufacturers in taking the most appropriate actions to enhance security. However, because the standard is relatively new, many device manufacturers are still finalizing the interpretation on how this impacts their organizational processes. If you’re still working to get familiar with the standard, we’ve created a complete guide to make the task easier.
Third-party components may increase security risk, with one study finding that software alone accounted for 64% of noted vulnerabilities.
What is ANSI/AAMI SW96:2023?
ANSI/AAMI SW96:2023 guides security risk management for medical devices, aligning with the processes included in ISO 14971:2019.
The new standard addresses the entire lifecycle of a medical device, including areas such as design, production, and post-production. It’s intended for use with AAMI TIR57 Principles for Medical Device Security – Risk Management, which addresses cybersecurity analysis, and AAMI TIR97, Principles for Medical Device Security, which guides processes for managing medical devices in the post-market space.
The goal of the new standard is to support manufacturers in ensuring that medical devices are reliable, work as intended, and don’t cause harm to patients, operators, or the environment. It also focuses on mitigating any potential risks around device failure.
What is ANSI/AAMI
SW96:2023? The standard includes policies, procedures, and best practices designed to evaluate, control, and monitor potential risks involved with a medical device.
Security has always been important to medical device manufacturers, which is why considerations are included in ISO 14971:2019. However, ANSI/AAMI SW96:2023 aims to deepen security-related standards.
Addressing potential security risks throughout the entire product lifecycle, including design, production, and post-production, enables manufacturers to identify and mitigate potential risks through a more focused and proactive approach. It helps manufacturers continually identify, review, and safeguard against fast-evolving threats.
Understanding the security risk management process
As you get up to speed with ANSI/AAMI SW96:2023, the “security risk management process” section includes details for mitigating potential threats. It includes six major sections, everything from
security risk analysis to production and post-production activities. Each section contains a detailed framework, but for the sake of simplicity, we’ve highlighted a few main points for each.
The 6 Sections of Security Risk Management
Security risk analysis. It focuses on selecting product security standards, performing threat modeling, and establishing capabilities to identify and detect security vulnerabilities across a medical device’s entire lifecycle.
Security risk evaluation. Establishes a security assessment strategy and testing processes.
Security risk control. Identifies, designs, and implements security risk control measures, as well as verifying the implementation effectiveness of any security risk control measures.
Evaluation of overall security residual risk acceptability. Determine if the “security residual risk” of a device is acceptable.
Security risk management review. A security management report is prepared.
Production and post-production activities. Potential vulnerabilities are monitored to identify any new security risks. Also, it establishes processes to stay aware of new threats, creating security incident response plans and other measures to identify ongoing vulnerabilities.
Section 1: Security Risk Analysis
The security risk analysis focuses on selecting product security standards, performing threat modeling, and establishing capabilities to identify and detect security vulnerabilities across a medical device’s entire lifecycle. It covers:
Security risk analysis process: It suggests that manufacturers perform a security risk analysis, and the results are recorded in the “security risk management file.”
Intended use and reasonably foreseeable misuse: The “security risk management” file includes reference documents developed in compliance with clause 5.2 of ISO 14971. It needs to account for “the use of a medical device in a way not intended by the manufacturer, but which can result from readily predictable behavior.”
Identification of assets and characteristics related to security: You’ll also identify potential medical device vulnerabilities such as third-party components, hardware, and software.
Security risk estimation: You will estimate the associated “risks” for each of the identified security vulnerabilities and potential impacts on areas like confidentiality and integrity.
Section 2: Security Risk Evaluation
The security risk evaluation establishes a security assessment strategy and testing processes. A few areas it considers:
Evaluation of each security risk: Identify each security risk area, determining if a “security reduction” is required.
Evaluation of security risks with a potential safety impact: Consider every potential risk to determine any potential safety impacts.
This section is focused on identifying, designing, and implementing security risk control measures, as well as verifying the implementation effectiveness of any security risk control measures, including:
Security risk control option analysis: Determine if a security risk control measure is appropriate for mitigating security risks to an “acceptable level.”
Implementation of security risk control measures: Security risk measures are selected based on the prior step.
Security residual risk evaluation: After the security risk control measures are implemented, the manufacturer evaluates the security residential risk and records this evaluation in the security risk management file.
Benefit-risk analysis: If a security residual risk is found to be “acceptable” using the criteria created in the security risk management plan, and further security risk control isn’t practical, the manufacturer conducts benefits versus security risk analysis.
Risks arising from security risk control measures: The manufacturer reviews the effects of the security risk control measures to understand whether new security vulnerabilities and threats are introduced that could impact security, safety, or privacy.
Completeness of security risk controls: The manufacturer periodically reviews security risk control activities to ensure all vulnerabilities and threats are considered and security risk control activities are complete.
Section 4: Evaluation of Overall Security Residual Risk Acceptability
After the security risk controls are implemented and verified, the manufacturer determines if the overall “security residual risk” created by the medical device is acceptable.
Section 5: Security Risk Management Review
The standard recommends a review of the execution of the security management plan before releasing a new device. According to ANSI/AAMI SW96:2023, the review should ensure:
The security risk management plan has been appropriately implemented.
The “security residual risk” is at an acceptable level.
Methods are in place to gather and review details in the production and post-production phases, and leadership has reviewed and approved the plan.
Section 6: Production and Post-production Activities
The final section is focused on establishing, documenting, and maintaining a system to monitor, assemble, and review information about medical device security in the production and post-market phases. Also, it establishes processes to stay aware of new threats, creating security incident response plans and other measures to identify ongoing vulnerabilities.
https://www.jamasoftware.com/media/2024/01/2fe8f5c4-37b4-47b3-b012-1ca0b0d208a1.jpeg512986Jama Software/media/jama-logo-primary.svgJama Software2024-01-09 03:00:592024-01-17 17:10:17What You Need to Know: ANSI/AAMI SW96:2023 — Medical Device Security
2024 Predictions for Medical Device & Life Sciences Product, Systems, and Software Development
As the medical device & life sciences industry transitions into 2024, we aim to gain a deeper insight into the factors driving transformation in the development of products, systems, and software and explore how teams within this sector are adapting to meet the challenges posed by these evolving complexities.
In part four of this six-part series, we asked the following industry experts to weigh in on the medical device & life sciences product, systems, and software trends they are anticipating in the coming year:
We like to stay on top of trends in other industries as well. Read our Automotive predictions HERE, Aerospace & Defense HERE, Industrial & Consumer Electronics (ICE) HERE, SoftTech HERE, and Product & Engineering Teams HERE.
2024 Predictions for Medical Device & Life Sciences Development
Design Trends – What are the biggest trends you’re seeing in your industry right now? How will they impact medical device & life sciences development?
Shawnnah Monterrey: We are seeing a significant increase in healthcare innovations, especially with in-vitro diagnostics, and clinical decision support software.
The ability to connect medical devices to share medical device data through emergence, evolution of cloud computing, and the increase in data storage capability has led to the derivation of new clinical insights, in diagnostics, and clinical decision support. Artificial Intelligence (AI) and Machine Learning (ML) are being applied to clinical and patient data in unique and novel ways, such as in-vitro fertilization, cancer treatment recommendations, and the automation of status-quo manual clinical processes.
The increase in research allocated to understanding our DNA, and its relationship on our health, has led to the rapid adoption of DNA-based clinical tools utilizing next-generation sequencing and other DNA detection technologies such as DNA nanotechnology tools, chip-based digital Polymerase Chain Reaction (PCR) detection, Clustered Regularly Interspaced Short Palindromic Repeats (CRISPR) diagnostic technology, etc. to aid in the diagnosis and treatment of complex diseases such as cancer, neurodegenerative diseases and dementia and even behavioral, and psychiatric disorders.
Vincent Balgos: As we’re seeing in other industries, a common trend in the medical industry is that organizations are refreshing their internal processes to scale, integrate, and increase efficiency. With extrinsic pressures (market, financial, and regulatory), there is continual effort to optimize organization activities, specifically around product development processes, and leverage previous work as much as possible.
Biggest Challenges – What are some of the biggest challenges you think medical device & life sciences companies will be working to overcome in 2024?
Monterrey: A few of the biggest challenges companies will face in 2024 include but are not limited to:
Being competitive and innovative in a highly regulated environment
Understanding regulatory requirements in new or less mature regulated areas
Obtaining funding to support regulatory and development efforts
Companies who are focused on aligning their product roadmap with a sound regulatory strategy will not only unlock funding but obtain revenue faster, which will allow them to leap ahead of the competition.
Regulations – What changing regulatory guidelines do you anticipate having an impact on companies in 2024?
Monterrey:U.S. Food & Drug Administration (FDA) is not known to be fast, but within recent years, the FDA has released a record number of guidances and have even changed the medical device regulation in a few areas. While the industry is playing catchup on hundreds of new guidances in areas such as:
Software as a Medical Device (SaMD)
Cybersecurity
Clinical Decision Support Software
Mobile Applications
The FDA is working on furthering the regulation and guidance around many areas including, 510(k) Third Party Review Program, In Vitro Diagnostics (IVDs), AI/ML, and the use of real-world and simulated data in pre-market submissions.
It would be wise for companies to start understanding and applying new draft guidances that are relevant to their products in advance of the final draft. Once a final version is issued it could drastically interrupt your product development and launch plans.
Balgos: There are a few regulations that will start or continue to have an impact on the industry:
FDA’s Final Guidance on Cybersecurity for Medical Devices – Continuing the focus on Software (SW) in previous years, this new final guidance will require ongoing discussions on the new security requirements (ex: Software Bill of Materials (SBOM)), activities, and expected documentation.
FDA’s proposed ruling on Laboratory Developed Tests (LDT) – In the latest turn of events in this long running topic, this new proposed rule to transition away from Enforcement Discretionary (ED) to more explicit LDT oversight by FDA will have significant impact to the laboratory industry. Industry feedback has been active and complex, so will be interested to see if there will be a resurgence of the previous VALID Act or will the new proposed ruling stand as is.
Based on FDA’s proposed 2024 list of prioritized guidances, there will be additional information around AI/ MLin context of lifecycle management, pre-submissions, and change management considerations.
In the EU, both the Medical Device Regulation (MDR) and In-Vitro Dianostics Regulation (IVDR) will continue to impact companies as they transition to these new rulesets. Even with the time extension on MDR, companies are continuing to struggle in converting their processes to comply with the new regulations as 2024 rolls out.
Romer De Los Santos: The FDA just released the final guidance on cybersecurity in medical devices that includes additional tasks and deliverables that medical device manufacturers must start to implement. Design and development procedures for software that is part of or is a medical device itself will need to be updated with this new guidance in mind. Software Bill of Materials (SOBM), security risk assessments, threat modeling, and consideration of the entire lifecycle for security risks and mitigations are just some of the things that are required in today’s interconnected world.
Tool Innovation – From a medical device & life sciences engineering toolset perspective, what are some of the processes you think forward-thinking firms will be working to leverage or incorporate into their process and why?
Monterrey: Product development costs, regulatory complexity, and time-to-market are all increasingly trending topics in the medical device industry. Companies that are thinking ahead of these trends are focusing on their competitive advantage, which includes their innovation or core Intellectual Property (IP) and leveraging the support of industry experts and built–for–purpose tools.
This includes:
Investing in existing regulatory and quality management frameworks, including software, built-in processes, and training
Hiring regulatory and quality experts who understand the regulatory landscape and have domain expertise related to their products
Integrating medical/clinical grade or complaint platform software, components, and development tools
De Los Santos: Firms will need to leverage tools like Jama Connect to start to track security risks, SBOM, and the documentation for a multitude of software variants, upgrades, and patches. While the tools enable compliance with regulatory requirements, medical device manufacturers need to create a robust and lightweight design and development process that leverages the capabilities of their tools. For many firms, this means looking at the total development lifecycle holistically instead of tacking on quick fixes to their procedures to meet current regulatory requirements.
What role will cybersecurity play in medical device & life sciences development in the coming year and beyond?
Monterrey: Per the current FDA guidance, obtaining per-market approval/clearance for a medical device with firmware or software, connected, or not connected all require some level of cybersecurity compliance, especially around risk management. This has put an extra strain on medical device manufacturers because the guidance is very technical and rigorous and currently does not provide guidance around the level of application based on the risk of the device. I hope to see a future revision that accommodates lower risk devices, but for now it’s worth investing in cybersecurity experts who can help you certify your device and associated processes.
Balgos: As noted in a recent FDA webinar around cybersecurity, there is continual discussion in how to regulate this topic, and the expected deliverables to the agency. One area is SBOM and how to properly document all the elements of software for a medical device.
De Los Santos: Cybersecurity will play a starring role as manufacturers start to revise their design and development processes to include it.
In your opinion, what are the biggest differences between medical device & life sciences companies that will survive to see 2030, and ones that don’t?
Monterrey: Those who survive to see 2030 will respect the regulatory landscape and put in place proper attention and investment, instead of those trying to delay, resist, or evade the inevitable. Although it might not feel like it, the changes being put in place are to our benefit, with the intent of providing the industry with a clearer pathway for new innovations. It will just take a while for the regulations to harmonize and for the industry to adopt to the new ways of thinking by leveraging data, tools, and expertise to rapidly innovate.
De Los Santos: Companies that are adaptable and innovative with not only their products, but their design and development process will survive to see 2030.
What advice would you give to new companies entering the medical device & life sciences industry?
Monterrey: Build your product for the industry – align your product development efforts with your business model and regulatory strategy and do not try to obtain premarket approval for your device without the support of experts in the industry unless you have done so successfully before.
De Los Santos: Keep it simple.
What topic(s) do you wish companies were paying more attention to?
Monterrey: I wish more companies would focus on defining their regulatory strategy early in the development lifecycle and not wait until they have only six months or less to start thinking about getting their device approved or cleared. Depending on the complexity of your device, regulatory compliance efforts could take 12-36 months, with most of the efforts around verification and validation. Six months prior is often too late and could be detrimental to your business launch plans that do not meet your stakeholder expectations.
De Los Santos: I wish companies would focus on fixing their process problems instead of patching them. A little more front-end work will save future teams lots of time.
What is the biggest mistake you see companies in medical device & life sciences making right now?
Monterrey: Two biggest mistakes I see are:
Trying to make a medical device not a medical device, even though it is a medical device
Not narrowing down a product’s intended use for the first launch
Balgos: Cutting corners for short-term gain, but in reality, these cuts will actually cause long-term consequences exponentially. Example: Documentation. Time and time again, our technical customers (and from my own personal experience) are being pressured to get products out the door and do the documentation later. There are several issues with that: 1) technical documentation and files are required for regulatory submissions for market clearance, 2) this generally conflicts with most good Engineering and Quality practices as they will need time for review/approval, and 3) it’s much harder to document something long after it’s happened. These issues culminate in taking much longer to complete the documentation, and thus impacts the long term.
De Los Santos: Companies should not make their procedures more complex than they need to be.
What is the most innovative thing you’ve seen in medical device & life sciences this year that you anticipate other companies following suit in coming years?
Monterrey: The most innovative things I have seen is the creative use of simulated and real-world data to support pre-market approval and the novel application of AI, which uses data from multiple unrelated devices to diagnose, treat, or support various diseases and medical conditions. I am seeing more products provide a technology platform for multiple intended uses. Companies that are successful, understand the long game and focus on the easiest-to-launch intended use first, generate revenue, and then focus on further product applications, including innovations that require a more rigorous regulatory pathway.
Predictions –
What do you think will remain the same in your industry throughout 2024?
Monterrey: I think 2024 will be a very innovative year meaning there are more changes to come, and we will continue to see new and novel clinical innovations continue to disrupt the industry. 2024 is going to be an exciting and unprecedented year!
Do you think there will be any major disruptors in medical device & life sciences in the coming year? How do you think it will impact the industry?
Monterrey: Major disruptors will come from those focusing on diseases and conditions that have previously been ignored or neglected. One area I would like to see advance is the use of software as a therapeutic as opposed to prescription pharmaceuticals, devices, or surgery. Because of limitations in reimbursement and the non-traditional use of software as a therapeutic device, this area has experienced challenges which has delayed its adoption.
Balgos: The emergence of AI/ML has the potential to become an industry disruptor, dependent on its application or intended use. We can see its impact already in non-medical software, so it is only a matter of time before its influence is felt in the medical industry. Hence, there are continual discussions from FDA, industry bodies and experts, in how to regulate, develop and manage AI/ML for medical devices.
What do you predict for regulation in the medical device & life sciences industry in 2024?
Will those trends still be prevalent five years from now? 10 years?
Monterrey:As I stated last year, I still see progress around the harmonization of guidances and standards, which will eventually allow for a more standard way to approach pre-market approval — but I stated previously, this will be messy and complex before it clears itself out. I primarily see the increased use of simulated and real-world data as a new way to validate devices. Animal and in-human use will decrease, and publicly available and validated datasets will become available to quickly assess new medical devices for safety and efficacy.
https://www.jamasoftware.com/media/2023/12/2023-12-28-2024-medical-predictions.jpg512986Jama Software/media/jama-logo-primary.svgJama Software2023-12-28 03:00:452024-01-17 17:20:552024 Predictions for Medical Device & Life Sciences Product, Systems, and Software Development
In this blog, we recap our webinar, “DO-326 Airborne Security Assurance, Threat Modeling, and DevSecOps” – Watch the entire thing HERE.
Cyber vulnerabilities can have a significant impact on safety-critical systems.
Today there is an unprecedented level of digital interconnectivity in everything from vehicle sensors to rovers on the surface of Mars. The aerospace industry has a high degree of cyber connectedness where a negative impact could cause harm to not only aircraft but financial systems, company reputations, international relations, or even physical harm to humans and property.
During this informative session, Cary Bryczek, Director of Aerospace & Defense Solutions at Jama Software®, discusses how Jama Software applies a cybersecure-by-design approach to meeting DO-326A/DO-356A for aircraft systems and how this can be extended to the defense domain.
In this webinar, we covered:
Applying the Airworthiness Security Assurance Process
Threat (attack) modeling methods
Tracing security measures to requirements and tests
The role of requirements in DevSecOps tool ecosystems
DO-326 Airborne Security Assurance, Threat Modeling, and DevSecOps
Cary Bryczek: What we’re seeing today is just an unprecedented level of digital interconnectivity in seemingly every system out there. The aviation industry has a high degree of cyber connectedness where a negative impact could really cause harm to not just humans and property, but company reputations, international relations, or financial systems.
What we’re going to see today is how Jama Connect can provide a cyber secure-by-design approach to meeting the many aspects of DO-326 and DO-356, or ED-202 and ED-203 in Europe, the Middle East, and Africa (EMEA.) What we’re going to see is we’re going to apply the airworthiness security process that’s inside of DO-326, and use Jama Connect’s Live Traceability™ to trace security measures to security requirements, trace security requirements to testing, look and see how a threat analysis can all be incorporated into a single platform.
What is Cybersecurity by Design? So one of the things that we see a lot is in the tool ecosystem is a very disconnected set of processes and tools. So whether you’re tracing and using tools that do requirements identification, tracing those to verifications and hardware and software designs, or whether you’re using tools to do aircraft security analysis and tracing those to security architectures and security V&V, we’re noticing the disconnectedness of the processes in the tool ecosystem is causing product delays, cost overruns, product failures, audit failures, late identification of defects, and lack of visibility because the ecosystem is very disconnected, is taking place. There’s poor requirement coordination. Change management is hard between software and hardware, and you have a high degree of manual effort required to produce the traceability that’s required for certification. And you’re seeing this after the fact and Excel is used everywhere. Desktop tools are prevalent in the engineering of these systems, and it’s difficult to integrate desktop tools and Excel files into and across the ecosystem for product development.
Bryczek: So what is Live Traceability? Live Traceability in Jama Connect gives the ability for any engineer at any time to see the most up-to-date upstream and downstream information for any requirement, no matter the stage of the systems development or however many siloed tools it spans. Now, this Live Traceability is important because it’s required by the industry standards like we’ve seen in aviation development and Live Traceability delivers a huge productivity improvement and it reduces the risk and the delay that happens when you have a disconnected tool environment.
So we’re going to talk about DO-326. DO-326 is really a set of standards jointly developed by RTCA and EUROCAE. It came about in 2006. It includes a few separate standards. DO-326 and ED-202 really is about the airworthiness security process specification. It explains the fundamental concepts behind airworthiness cybersecurity. DO-356 and ED-203, the airworthiness security methods and considerations, this explains how to perform cybersecurity investments, how to evaluate threats, and security measures of the system. How do you apply the mitigation measures? DO-355, we’re not going to really talk about that one today, but it’s applicable to if there are changes in an already certified system. So one of the most relevant documents you’re going to start with even before you start down the path for cybersecurity, is creating your product information and security risk assessment document. You’re going to perform an analysis of this, and this analysis should be conducted according to the standards.
So what exactly is airworthiness? So airworthiness security is the protection of the airworthiness of the aircraft from intentional unauthorized electronic interaction. So existing safety processes don’t consider intentional disruption. They look at the faults and failures of an aircraft or the aircraft system on a whole. But DO-326 is specifically looking at intentional human-initiated actions with the potential to affect the aircraft due to some unauthorized access or disclosure or causing some denial or disruption of the information systems, the networks, and the software that’s running on these aircraft systems. So this also might include things like malware or infected devices or the logical effects of any external systems. So the purpose of the airworthiness security process within DO-326 is to establish that when subjected to this unauthorized interaction, the aircraft is going to remain in a condition for safe operation.
So like I said earlier, DO-326 describes the what and DO-356 is the how. I’m sure that you guys have carefully looked at both of these guidelines and these are images from the guidelines. But I just wanted to point out what we’re going to talk about today. We’re going to talk about how the airworthiness security process and threats are mapped in Jama and how you can have security assurance and the risk assessment process from DO-356, how those can be conducted in Jama Connect itself. As you know, DO-326 live in its own. You’re having supporting processes from the development of the aircraft, the development of the system, DO-178, ARP-4754 are all interacting and being conducted at the same time. So there’s no linear, do this first, do this next, do this later. All of these processes are taking place pretty much simultaneously or iteratively as you design and develop the aircraft system.
So the airworthiness security process from a basic level, it’s again, it’s the protection of the aircraft from intentional unauthorized electronic interaction. There are four steps for the basic process. We’re going to first identify the system assets and its parameters. The second step is to identify the threats for all of those assets, identify those risks for each of the threats, so what might happen, and then create controls and mitigations for those risks. You’re going to be adjudicating the degree of harm and assigning a security assurance level, the strongest being SAL3 or the least would be a SAL zero where there’s this limited or protection needs required. So there’s a way to grade those as well.
Bryczek: The inside of Jama Connect itself, this image describes essentially the architecture of what you’re going to see that what we have in the product. We have a template that you can use to facilitate this. It sits alongside of our template that’s used for ARP-4754, and DO-178, or DO-254. The orange assets essentially is the data model that we’re using to capture the different types of things in the system. So we have assets, we have vulnerabilities. Those are tied to different threat assessments or a threat assessment is performed on these types of objects. We have security measures, we have the security architecture elements, and those feed into the security requirements. This comes pre-configured out of the box. We also have an area where you going to capture the data for that kind of thing.
Having this sort of a data model enables engineers to really perform the analysis to understand, all right, which assets have I not assessed yet? What’s the workflow? Who has reviewed the threat assessment? Have the security measures been satisfied by security requirements? Have we done security testing of the system? So this sort of data model enables the traceability to be instantiated and allows engineers to really more easily create the kind of a content. So one of the benefits you see of using Jama is that the security process is not disconnected from the design and development of the aircraft system itself. It’s done alongside. So that way you have that earlier touch points between the functional aircraft, design engineers and the security engineers. So you’re building in that secure by design approach.
2024 Predictions for Aerospace & Defense Product, Systems, and Software Development
As the aerospace & defense industry advances into 2024, we aim to gain a deeper insight into the factors propelling transformation in the development of products, systems, and software, and explore how teams within this sector are adapting to meet the challenges posed by evolving complexities.
Jama Software® asked selected thought leaders — both internal Jama Software employees and our external partners — across various industries for the trends and events they foresee unfolding over the next year and beyond.
In part two of this six-part series, we asked the following industry experts to weigh in on the aerospace & defense product, systems, and software trends they are anticipating in the coming year:
We like to stay on top of trends in other industries as well. Read our Automotive predictions HERE, Industrial & Consumer Electronics (ICE) HERE, Medical Device & Life Sciences HERE, SoftTech HERE, and Product & Engineering Teams HERE.
Design Trends – What are the biggest trends you’re seeing in your industry right now? How will they impact aerospace & defense product, systems, and software development?
Francois Couadau: There is a lot of attention, both in academia and within the industry, around Artificial Intelligence (AI) / Machine Learning (ML.). These technologies promise many exciting applications, such as single-pilot operations for cargo and commercial flights or supercharged Intelligence, Surveillance, and Reconnaissance (ISR) capabilities for the defense sector. They have a long way to go before they’re certified for flight, but experiments are everywhere.
Guilherme Goretkin: Big trends towards more modular and loosely coupled architectures with open systems approaches like Modular Open Systems Approach (MOSA) and PYRAMID Reference Systems (PRA) utilizing open publicly available interoperability standards like Future Airborne Capabilities Environment (FACE) and ARINC 661 with the goals of reducing program risk, more software interoperability, reuse, and better sustainability.
Cary Bryczek: The biggest design trend is figuring out ways to incorporate AI into systems and products in a safe way.
Karl Mulcahy: I’m also seeing a need to work together as a consortium to deliver a product for an end customer. It’s fascinating to see how companies are approaching this, and working together across different networks, countries, and even industries.
Biggest Challenges – What are some of the biggest challenges you think aerospace & defense companies will be working to overcome in 2024?
Couadau: In the avionics projects domain, growing complexity and ever-shorter timelines go hand in hand and are the main challenge.
Bryczek: The biggest challenges are protecting against intellectual property (IP) loss and preventing security incidents from adversaries. Both the United States and European countries defense organization have set forth mission statements to protect technology advantage and counter unwanted technology transfer to ensure warfighter dominance through assured, secure, and resilient systems and a healthy, viable innovation base.
Mulcahy: On top of IP protection like Cary mentions, I believe there is a desire to modernize ways of working to help drive efficiencies in existing operations, but also to attract / retain new and emerging talent. By having best–of-breed tools, it can help attract best-of-breed talent and facilitate an easier way to realize innovation.
Regulations – What changing regulatory guidelines do you anticipate having an impact on companies in 2024?
Couadau: In keeping with the trends, AI/ML is currently not certifiable due to lack of specialized standards. Standardization efforts are ongoing, and we should see the first documents emerge soon.
Unstable global geopolitics may also play a part. Sanctions and embargoes may change the shape of markets.
Goretkin: Cybersecurity. “DoD [Departement of Defense] policy generally requires all acquisitions containing mission-critical or mission-critical IT systems to have a cybersecurity strategy” – GAO-23-106059 Weapon Systems Annual Assessment June 2023
Bryczek: In the US the Department of Defense will continue providing more guidance on its 2023 DoD Cyber Strategy. In 2024 you will see more guidelines provided to Defense Components as well as instructions in contracts to encourage the increase of collective cyber resilience by building the cyber capability of allies and partners. Lessons learned from the war in Russia-Ukraine has sparked commentary from Assistant Secretary of Defense for Space Policy John Plumb to say. “It has driven home the need to work closely with our allies, partners, and industry to make sure we have the right cyber capabilities, cyber security, and cyber resilience to help deter conflict, and to fight and win if deterrence fails.”
Mulcahy: With sustainability a renewed global focus, especially with recent initiatives such as the 28th meeting of the Conference of the Parties (COP28), more focus will be turned to sustainability, efficiency, and developments in greener technology such as electronic / hydrogen / hybrid airborne travel. It’s exciting to see many start-ups in this domain.
Maybe we’ll see something around unmanned aerial systems regulations come to fruition – again with the increase of use cases in civilian / defense markets for these unmanned aerial vehicles (UAVs.)
Tool Innovation – From an aerospace & defense engineering toolset perspective, what are some of the processes you think forward-thinking firms will be working to leverage or incorporate into their process and why?
Couadau: Model-Based System Engineering tools and methods are continuing to mature and are a key pillar for complex aerospace projects. Generative AI, applied at key spots during design, is also a key design accelerator.
Bryczek: Forward-thinking organizations will be focusing their processes and supporting tools around these areas of systems engineering: Digital Engineering, Modular Open Systems Approach (MOSA), Agile DevSecOps Development, and Mission Engineering (ME). Each of these areas touch aspects of systems engineering lifecycle management and require tools to support the newer techniques. Data integration across disparate tools such as software code version control, enterprise architecture modeling tools, requirements tools, mission simulation tools, and a variety of specialized analysis tools are some of the keys to success. Open standards such as the newest version of SysML 2.0 is driving new tool innovation from both long-standing tool vendors and companies that are new to the marketplace. Processes such as mission simulation will take place much earlier in the lifecycle and will reduce the cost of some of the Verification & Validation (V&V) efforts from traditional approaches.
Mulcahy: With digitization a big focus to start / advance with in 2024, we anticipate more discussions around MBSE (in line with SysML 2.0), but also Digital Engineering** – to connect with other tools in house and work towards a Digital Twin.
Not only could this include tools that help develop software, manage parts / simulations / detailed design aspects, but also ones that ensure validation and verification are undertaken sufficiently, proving out compliance to various industry mandates — especially when it comes to safety critical systems.
With many mergers and acquisitions continuing to be a part of this industry, re-use, collaboration, and auditability will increasingly become important. Knowing who changed things, why they were changed, and a record of the associated discussion will be invaluable as new products are designed — whether they have been designed from scratch or using existing IP. Not only would this save time understanding the complexities, but also help capture that knowledge to be able to transfer it to other organizations or teams who may not have been involved in original projects.
What role will cybersecurity play in aerospace & defense development in the coming year and beyond?
Bryczek: Cybersecurity is being prioritized nearly above all else in developing every type of system, from vehicles, to satellites, to commercial and military aircraft, and the systems that perform command and control. Any system that is connected to a network or connects to other computer systems via a removable cable, whether it is operating in an air-gapped environment, embedded within an aircraft, or touching the public internet are equally scrutinized for known vulnerabilities and are being required to adhere to security policies during development. DevSecOps strategies are putting security at the forefront during all stages of the lifecycle now instead of just being a post development process. In addition, we’re seeing organizations, more often now than ever, providing human-centric training to employees around good cybersecurity practices.
In your opinion, what are the biggest differences between aerospace & defense companies that will survive to see 2030, and ones that don’t?
Couadau: Adaptability is the name of the game. In addition to the market pressures, we are used to, the aviation industry is tasked with ambitious carbon reduction goals. International Air Transport Association (IATA) predicts that 1.8 gigatons of carbon will need to be abated yearly by 2050**. Companies that embrace this change now are bound to find success in a low-carbon future.
Bryczek: The aerospace and defense companies that retain top talent, spend design dollars wisely, and make winning partnership decisions will help companies survive to 2030.
Mulcahy: Embracing modern ways of working to enhance competitive advantage by delivering projects on time / to scope.
What advice would you give to new companies entering the aerospace & defense industry?
Bryczek: New start-ups need to embrace design-thinking principles right from the outset. Early collaboration involving the target end users such as military personnel together with the engineers, designers, and data scientists will lead to faster validation of the design’s requirements and ensure that the new capability is solving the needs of the users. Companies will also need to embrace new technologies like AI, machine learning, 3D printing, and multi-scale and multi-physics simulation.
Mulcahy: With ever-changing regulations, work with experts to help your company adhere to them. Embrace help and guidance from industry experts to allow you to focus on your new innovation to the market and not re-invent the wheel.
Furthermore, working with best-of-breed tools will allow you to attract new talent and help achieve innovation quicker.
What topic(s) do you wish companies were paying more attention to?
Bryczek: As systems become more software-centric, security regulations, especially those related to cybersecurity become increasingly more relevant and unavoidable. The updates to security frameworks such as the National Institute of Standards and Technology (NIST) – and Network and Information Systems (NIS) in EMEA — as well as cybersecurity frameworks such as Cybersecurity Maturity Model Certification (CMCC) are no longer applicable only to government organizations but now extend to any contractor that is performing work for governments as well. As challenging and expensive as it might be to implement security practices and design security into applications throughout development and operations, not doing so from the beginning will cost more in the long run and in some cases might prevent going to market.
What is the biggest mistake you see companies in aerospace & defense making right now?
Bryczek: The biggest mistake I see companies make is assuming their legacy tools are good enough for today’s design and development environments. They simply aren’t. Legacy tools were built around document-based processes and not model-based or simulation techniques used in modern development environments. In the long run it costs more in man hours and license costs than the switch to more modern tooling.
Mulcahy: Agree here with Cary. Legacy tools prohibit companies from real collaboration and are often customized to outdated ways of working where support can no longer be given.
With more tools now available today, and in the future – the need to be open for integrations is more crucial than ever as we aspire towards the digital world
What is the most innovative thing you’ve seen in aerospace & defense this year that you anticipate other companies following suit in coming years?
Couadau: Many of the experienced players have already embraced Digital Engineering and are using it to come up with automated frameworks that alleviate certification activities. I expect that the industry will align around these practices. The entry ticket is expensive but the shortened time to market is worth it.
Bryczek: The most innovative thing I personally saw was a large aerospace company making use of internal generative AI to assist with developing specifications and planning documentation. Heavy documentation which previously took four months to author, review and approve, took only a couple of weeks. AI is spreading into many other areas of the business including training and simulation. It is most certainly being used today by warfighters in Gaza and Ukraine to create realistic training simulations to predict outcomes of various defense strategies and enhance preparedness.
Mulcahy: For an industry that is very security conscious, I’m seeing more companies embrace the cloud to get better total cost of ownership, scalability, and performance from their engineering tools. Furthermore, an increase in consortium working together to break boundaries and define new ways of working together (often across time zones and cultures) I think will become more of the norm. In addition, we see organizations utilizing companies / partners to provide strength in specific and unique areas of expertise to develop groundbreaking technology.
Do you think there will be any major disruptors in aerospace & defense in the coming year? How do you think it will impact the industry?
Couadau: We have discussed many influencing factors already: emerging technologies, environmental goals, and a changing geopolitical context are all strong forces that can challenge the status quo.
What do you predict for regulation in the aerospace & defense industry in 2024?
Will those trends still be prevalent five years from now? 10 years?
Couadau: We should see the first standards emerge around AI and Machine Learning. On our end, we happen to be contributing to SAE ARP6983. We expect these standards to lay a solid foundation for safe, observable, and certifiable AI in aeronautics for the coming decades.
Bryczek: The aerospace and defense industry will continue to be challenged with environmental decarbonization initiatives such as the Paris Agreements. More to come here.
Mulcahy: Many of our customers are working on new systems in the Aerospace Industry. Whether that’s for UAV’s, Electric Vertical Take-Off and Landing (eVTOL), AirTaxis, etc, there will need to be more regulations developed here for the development of UAVs for example, but also to govern usage of the products in the sky. Furthermore, as these start to become more of the norm, regulation will need to be established for the surrounding infrastructure, usage, and purchase of these for the consumer market.
As more companies near release dates, more will be developed regarding these regulations, with of course current regulations also enhanced to better serve today’s needs.
With more global conflict at the forefront of our lives, and with other tensions continuing to escalate, I expect defense spending to be increased in anticipation of future conflicts, with new products being developed to gain advantage.
Linking with the above, I see Space being an area of further exploration in the defense sense, but also commercialization — whether it’s advancing the space race or decluttering space (as an example). I anticipate more startups in this sub-industry.
https://www.jamasoftware.com/media/2023/12/2023-12-14-2024-ad-predictions-1.jpg512986Jama Software/media/jama-logo-primary.svgJama Software2023-12-14 03:00:022024-06-14 11:09:212024 Predictions for Aerospace & Defense Product, Systems, and Software Development
In this blog, we recap our webinar, “Effective Strategies and Solutions for Successful SaMD Project Execution”. Click HERE to watch the entire webinar.
Empower your teams with insights and solutions that transcend the challenges of medical device software development.
Navigate the complex terrain of medical device software development and learn crucial insights and practical solutions to propel your projects forward.
In this webinar, Romer De Los Santos, Senior Consultant at Jama Software®, guides you through:
The new SaMD Framework, which features ISO-aligned document templates and customization capabilities
Variant Management in Jama Connect®, the key concepts required, and how it can revolutionize your workflow
Insights into the nuances of navigating complex medical device software projects
A brief exploration of the impact of US and EU regulations shaping the software landscape
Below is an abbreviated transcript of our webinar.
Effective Strategies and Solutions for Successful SaMD Project Execution
Romer De Los Santos: During this presentation, I’ll go over the challenges facing development teams working on medical device software, the key features of the Jama Connect SaMD Framework, and how you can use Jama Connect’s categories and reuse and sync features to manage releases and variants. A successful software development project in the medical device industry is a careful balancing act between documentation and development activities. Development teams have tight deadlines that are driven by market conditions. At the same time, they’re responsible for generating the required quality records according to each region where their device will be marketed. Since this isn’t a regulatory discussion, we’ll just focus on the EU and US as examples.
Medical device software development in the EU is governed by IVDR and MDR regulations. The risk classification in some software activities will differ depending on the regulation it falls under. Unlike in the US, there is no specific distinction between SiMD and SaMD software. It’s all considered medical device software. You’ll need to consider if the software you are developing is an accessory to a medical device or if is it a medical device on its own. If it is an accessory, it’ll need its own technical file. If it is sold as an integral part of the system, it should be included in the system’s technical file.
De Los Santos: In the US, there is a distinction between software in a medical device and software that is a medical device on its own. With the advent of AI, machine learning, cloud computing, and other innovations, the FDA has been drawing up new guidance to help modernize oversight on software development. The concept of device software functions are a key part of its modernization efforts. Each device software function has its own risk classification. The FDA has indicated that they intend to target their oversight over software that is an extension of one or more medical devices, software that transforms a mobile platform into a medical device by using attachments, displays, sensors, or including functions like a regulated medical device, software that performs patient-specific analysis and provides specific outputs or directives used in the diagnosis, treatment, mitigation, cure, or prevention of a disease or condition.
The Center for Devices and Radiological Health (CDRH) at the FDA created the Digital Health Policy Navigator to help manufacturers determine if their product’s software functions may be the focus of FDA oversight. This past September, the FDA released its new guidance on cybersecurity in medical devices. The guidance encourages the use of a secure product development framework when building software. It specifies some new deliverables such as a security risk analysis that is distinct from and in addition to the safety risk analysis specified in ISO14971.
Manufacturers will need to analyze security risks from the design and development phase through device maintenance and eventually to product end-of-life. Manufacturers are encouraged to use threat modeling to analyze security vulnerabilities in the environment where the device will be used. You’ll also need to consider all interfaces to and from the system and the Off-The-Shelf software (OTS) and Software of Unknown Provenance (SOUP) components that the system depends on. Software Bill of Materials (SBOMs) must be generated and analyzed for potential vulnerabilities. This represents more work for teams but is absolutely required in today’s interconnected world. In addition to all the required documentation for the design history file, developers also need to consider how to manage their fast development iterations, how to handle parallel development and variant and release management, how to properly triage and disposition defects, and how to manage third-party components that are part of their system.
De Los Santos: The Jama Connect SaMD Framework is intended to alleviate some of the documentation burden while each company has its own procedures. The framework provides basic document templates that comply with requirements specified in IEC62304 and ISO14971. Furthermore, each document template includes a customizable export template for your convenience. It’s designed to keep things as simple as possible by minimizing the number of different item types and fields. The framework is versatile and includes the ability to trace to items outside of Jama Connect. This framework is designed to cover the most common use cases and is intended as a starting point for your own process. Jama Connect can easily be configured so that the tool adapts to your process rather than the other way around.
https://www.jamasoftware.com/media/2023/12/Effective-Strategies-and-Solutions-for-Successful-SaMD-Project-Execution-1.png5121024Romer De Los Santos/media/jama-logo-primary.svgRomer De Los Santos2023-12-05 03:00:392024-01-17 17:36:25[Webinar Recap] Effective Strategies and Solutions for Successful SaMD Project Execution
Jama Connect® Features in Five: Space Systems Framework
Learn how you can supercharge your systems development process! In this blog series, we’re pulling back the curtains to give you a look at a few of the powerful features in Jama Connect®… in about five minutes.
In this Features in Five video, Cary Bryczek – Director, Aerospace & Defense Solution at Jama Software® – we will explore the Space Systems Framework available for Aerospace & Defense teams in Jama Connect.
VIDEO TRANSCRIPT
Cary Bryczek: Hi. I’m Cary Bryczek, Director of Aerospace & Defense Solutions at Jama Software. In this video, I’m going to introduce you to our Space Systems Framework available in Jama Connect. In this video, we will explore the benefits of using our pre-built template to get started with managing requirements, test cases, and architecture using our best practices inspired by industry standards and guidance from organizations like NASA and the European Space Agency.
With space systems exponentially growing in complexity, shortening development timelines due to mission need and customer demand, and cost reductions influencing the capabilities able to be delivered with the final design. Programs need to be able to get started quickly and begin the real work of engineering the system. Development and engineering tools need to be robust enough to tackle that complexity easy enough to deploy and then not get in the way of the real work of engineering the system.
Jama Connect and our Space Framework come preconfigured with a ready-to-use template. The framework is comprised of a requirements data model that provides requirements leveling and decomposition, a verification of validation data model that provides traceability to those requirements, an architecture data model that provides mechanisms to support systems architecture system functions, and allocation of requirements, and a data organization method that follows industry guidance with the best practices of data organization in Jama Connect. Let’s see what this looks like in Jama Connect.
Bryczek: The Space Framework comes with two pre-built requirement data models. The one I’m showing now represents a full spacecraft product breakdown structure. The example shows how Jama Connect can handle the complexity of a full NASA or ESA space program. The requirements data model allows needs and requirements to be flowed down and fully traced from the stakeholder expectations, to the concept of operations, to system level requirements, down to segment element subsystem and component requirements.
This trace data model, what Jama calls the relationship model, provides a mechanism to enforce consistency and creation of data as well as a consistent method to trace that data. This allows you to do faster analysis, measurement of expected versus actual traceability, complex filtering, and easy trace matrix generation and reporting.
The left side of the screen is the exploratory and is where the data is organized. The Space Framework comes with this pre-built spec tree ready for users to start authoring content right away. You can see that it too is organized hierarchically from the highest level of abstraction at the mission level and then down to the component level. You can navigate this traceability in the tree as well.
We recognize that not every space system will be developed by a single entity that requires this combined breath of customer implementing requirements and those of the implementing organizations. Your organization might be merely developing only a component of a larger space system. For this, we have a second Space Framework for integrated systems. Let’s look at this one more closely.
Bryczek: In this CubeSat example that comes with the framework, it’s easy to see how the data is organized in the exploratory in a system, subsystem configuration. Inside each of the subsystems, you can see the specific requirements, their verifications, architecture, and design descriptions. Traceability throughout the entire project can easily be analyzed at any level.
What I’m showing is the traceability from the stakeholder expectations all the way down the decomposition tree. I can see the system requirements verification and validation test cases. I can see the architecture, the subsystem requirements, and even the test runs, these real-time trace views not only show requirements decomposition, but test covers as well as allocation to architecture.
The framework supports, as I said, not just requirements, but architectures, V & V, even risk management and security. We’ve preconfigured the way you organized that here in the tree. So if I wanted to see the system architecture, I am able to see all of the elements that are going into making up the system architecture of this CubeSat I can also see how I’ve organized by system subsystem within the tree itself. That enables me to reuse easily and do variant management in this particular CubeSat security.
So, if you need to have security requirements or if you need to do heavy cyber security and you wanna import things like NIST 800 you can easily do that kind of a thing. Risk management threats and risks moving the development cycle with security earlier in that life cycle is a big deal, or understanding how safety is influencing the design. We easily allow you to track risk management and threat analysis in Jama as well.
The intent of this is to provide ready-to-use solutions based on customer feedback, industry trends, and best practices, such as those of ESA and NASA. This enables engineers to tackle the complexity of space systems develop faster and collaborate at the speed of need. If you would like to learn more about how Jama Connect can optimize your product development processes, Please visit our website at www.jamasoftware.com. If you are already a Jama Connect customer and would like more information on the Space Framework, please contact your customer success manager or Jama Software consultant.
https://www.jamasoftware.com/media/2023/11/FIF-Space-Systems-Framework.png10801920Cary Bryczek/media/jama-logo-primary.svgCary Bryczek2023-12-01 03:00:462024-01-17 17:42:25Jama Connect® Features in Five: Space Systems Framework
In part 3 of this three-part blog series, we will overview our whitepaper, “Software Defined Vehicles: Revolutionizing the Future of Transportation” Download the entire thing HERE and click here for part 1 and here for part 2.
Software Defined Vehicles Part 3: Revolutionizing the Future of Transportation
Future Trends and Considerations in Software Defined Vehicles
Evolution of Software Defined Vehicles
Software Defined Vehicles (SDVs) are continually evolving, driven by advancements in technology and changing consumer expectations. Several future trends and considerations will shape the future of SDVs:
Increased Autonomy: SDVs will continue to progress towards higher levels of autonomy, with advancements in sensor technology, artificial intelligence, and machine learning. Fully autonomous vehicles that can operate without human intervention in specific environments and conditions will become more prevalent.
Connectivity and V2X Integration: SDVs will further integrate with Vehicle-to-Everything (V2X) communication, allowing vehicles to interact with other vehicles, infrastructure, and pedestrians. This connectivity will enable cooperative driving, efficient traffic management, and improved overall safety and efficiency on the roads.
Edge Computing and Cloud Integration: The integration of edge computing capabilities in SDVs will enhance real-time data processing and decision-making at the vehicle level. Additionally, cloud integration will enable seamless access to services, personalized settings, and advanced analytics for vehicle performance monitoring and predictive maintenance.
Advanced User Interfaces and Experiences: SDVs will feature enhanced user interfaces, including augmented reality displays, natural language processing, and gesture recognition. These interfaces will provide more intuitive and immersive user experiences, allowing drivers and passengers to interact seamlessly with the vehicle’s software features and services.
Regulatory and Legal Considerations
The development and deployment of SDVs bring forth a range of regulatory and legal considerations that need to be addressed:
Safety Regulations: Governments and regulatory bodies are actively developing safety regulations specific to autonomous vehicles and SDVs. These regulations aim to ensure the safety of occupants, pedestrians, and other road users, covering aspects such as system performance, emergency response protocols, and liability frameworks.
Data Privacy and Security: As SDVs generate and process vast amounts of data, protecting user privacy and ensuring data security become paramount. Legislation regarding data collection, usage, and storage will need to be in place to safeguard user information and prevent unauthorized access.
Liability and Insurance: The shift towards autonomous driving and SDVs raises questions about liability in the event of accidents or system failures. Clear guidelines and legal frameworks must be established to determine liability and insurance coverage in autonomous driving scenarios.
International Standards and Harmonization: Harmonization of standards across different regions and countries is crucial for the widespread adoption and interoperability of SDVs. Collaborative efforts among governments, industry stakeholders, and standardization bodies are necessary to establish common standards and facilitate global deployment.
Ethical Considerations
The development and deployment of SDVs also raise several ethical considerations that require careful consideration and discussion:
Decision-Making in Critical Situations: SDVs may encounter critical situations where split-second decisions need to be made, potentially involving the safety of occupants, pedestrians, or other vehicles. Determining ethical guidelines and frameworks for decision-making in such situations is essential to ensure responsible and ethical behavior.
Job Displacement and Economic Impact: The advent of autonomous driving technology may impact various industries, including transportation, logistics, and ride sharing. It is important to address the potential job displacement and economic impact of SDVs and explore strategies to mitigate any negative consequences.
Social Equity and Accessibility: SDVs should be designed and deployed in a manner that ensures accessibility and social equity. Considerations should be given to individuals with disabilities, elderly populations, and those who cannot afford traditional modes of transportation, ensuring that SDVs contribute to inclusivity and equitable access to mobility.
Decision-Making in Critical Situations: SDVs may encounter critical situations where split second decisions need to be made, potentially involving the safety of occupants, pedestrians, or other vehicles. Determining ethical guidelines and frameworks for decision-making in such situations is essential to ensure responsible and ethical behavior.
The Road Ahead for Software Defined Vehicles
The future of software defined vehicles holds immense potential for completely transforming the way we commute and interact with transportation systems. Several key areas will shape the trajectory of SDVs in the coming years:
Shared Mobility: SDVs will more than likely play a significant role in shared mobility services such as ride sharing and carpooling. Autonomous SDVs will enable more efficient utilization of vehicles, reduce traffic congestion, and provide cost-effective transportation options for individuals and communities.
Smart Cities Integration: SDVs will be integral to the development of smart cities. Through V2X communication, SDVs will interact with smart infrastructure, traffic management systems, and other vehicles, optimizing traffic flow, reducing emissions, and enhancing overall transportation efficiency.
Electric and Sustainable Mobility: The integration of SDVs with electric and hybrid powertrains will push the adoption of sustainable mobility solutions. Electric SDVs will contribute to reducing greenhouse gas emissions and dependence on fossil fuels, fostering a cleaner and more environmentally friendly transportation ecosystem and mindset.
Mobility as a Service (MaaS): SDVs will be a cornerstone of the Mobility as a Service concept, where transportation is viewed as a service rather than individual vehicle ownership. SDVs will be seamlessly integrated into multi-modal transportation networks, providing on-demand mobility options and personalized travel experiences.
Innovation and Collaboration
The realization of the full potential of SDVs requires innovation and collaboration among various stakeholders:
Industry Collaboration: Collaboration among automotive manufacturers, technology companies, and other industry players is essential for advancing SDV technologies. Partnerships can facilitate the sharing of expertise, resources, and best practices, accelerating the development and deployment of SDVs.
Research and Development: Continued investment in research and development (R&D) is crucial to drive innovation in SDV technologies. R&D efforts should focus on areas such as sensor technology, artificial intelligence, cybersecurity, and human-machine interfaces to further enhance the capabilities and safety of SDVs.
Regulatory Frameworks: Governments and regulatory bodies play a pivotal role in fostering the growth and safe deployment of SDVs. Regulatory frameworks need to strike a balance between safety requirements, innovation encouragement, and flexibility to accommodate evolving technologies and business models.
User Acceptance and Education: User acceptance and education are vital for the successful adoption of SDVs. Public awareness campaigns, educational programs, and interactive demonstrations can help familiarize people with SDV technologies, address concerns, and build trust in autonomous and software-driven systems.
Challenges and Considerations in Implementing Software Defined Vehicles
The implementation of Software Defined Vehicles comes with a set of challenges and considerations that need to be addressed for successful integration and deployment into the world. This chapter explores key challenges and provides insights into addressing them effectively.
Safety and Security
Safety Assurance: Comprehensive testing, validation, and verification processes should be in place to assess the functionality, reliability, and performance of SDV software and hardware components. Rigorous safety standards and protocols must be followed throughout the development lifecycle.
Cybersecurity: SDVs are susceptible to cybersecurity threats, including hacking, malicious attacks, and unauthorized access. Robust security measures, such as encryption, intrusion detection systems, and secure communication protocols, should be implemented to protect SDVs from potential vulnerabilities.
System Failures and Redundancy: SDVs should incorporate redundancy mechanisms and fail-safe systems to handle unexpected software or hardware failures. Redundant sensors, backup power sources, and fail-over mechanisms can enhance the robustness and reliability of SDVs.
Data Management and Privacy
Data Collection and Usage: SDVs generate vast amounts of data that need to be collected, processed, and analyzed. Clear guidelines and policies should be established regarding data collection, usage, and retention, ensuring compliance with privacy regulations and protecting user data.
Data Sharing and Interoperability: SDVs should have the ability to securely share relevant data with other vehicles, infrastructure systems, and service providers to enable efficient traffic management, cooperative driving, and enhanced situational awareness. Common data formats and interoperability standards should be developed to facilitate seamless data exchange.
Infrastructure and Connectivity
Communication Infrastructure: Robust communication infrastructure is crucial for the successful operation of SDVs. Reliable and high-bandwidth connectivity, including 5G networks and dedicated V2X communication channels, should be available to support real-time data exchange and enable effective communication between vehicles and infrastructure systems.
Infrastructure Readiness: The deployment of SDVs requires appropriate infrastructure readiness, including road markings, signage, and intelligent transportation systems. Governments and city planners need to invest in infrastructure upgrades and adaptations to support SDVs and ensure a smooth transition to an autonomous and connected transportation ecosystem.
It’s clear that the emergence of Software Defined Vehicles represents a transformative shift in the automotive industry and the way we perceive transportation and possibilities. SDVs have the potential to improve safety, enhance mobility, reduce congestion, and contribute to a more sustainable and connected future.
However, the successful integration of SDVs into our society requires concerted efforts from various stakeholders. Addressing technical challenges, developing robust regulatory frameworks, investing in infrastructure, and building public trust are crucial for realizing the full potential of SDVs.
As we navigate the complexities and opportunities presented by SDVs, it is essential to prioritize safety, inclusivity, ethical considerations, and public engagement. By fostering collaboration and embracing innovation, we can shape a new future.
This has been part 3 of a three-part blog series overviewing our whitepaper, “Software Defined Vehicles: Revolutionizing the Future of Transportation”
Download the entire thing HERE and click here for part 1 and here for part 2.
https://www.jamasoftware.com/media/2023/11/2023-11-21_software-defined-vehicles-part3.jpg512986Jama Software/media/jama-logo-primary.svgJama Software2023-11-21 03:00:252024-01-17 17:54:57Software Defined Vehicles Part 3: Revolutionizing the Future of Transportation
