Tag Archive for: Product Development & Management

Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from AECMagazine, titled “Cyberattacks: safeguarding contractors” – originally published on May 22, 2024, and written by Ben Wallbank.

Cyberattacks: Safeguarding Contractors

It’s every construction firm’s biggest nightmare: criminals taking control of their data and holding them to ransom. Ben Wallbank, Trimble, shares some best practices to mitigate cyberattacks.

Cybersecurity and cybercrime often conjure up images of hackers in dark hoodies, sneaking in the digital back door. In reality, nearly 90% of corporate cybercrime, such as phishing or ransomware attacks, is a result of employee error.

The UK construction industry is no exception and could be an even greater target than other industries. Protecting massive amounts of data, including warranty and latent defect remediation periods, makes contractors attractive to cyber criminals. Cybersecurity is so crucial to construction that the National Cyber Security Centre produced a construction industry-specific guide, along with the Chartered Institute of Building (CIOB).

Cybercriminals who target the construction industry usually do so by accessing, copying, and sharing data illegally or by installing malware on a company’s computers and network, taking control of files, and holding them for ransom. It’s called ransomware, and it’s probably the most common and one of the most debilitating types of cybersecurity breaches in the construction world.

Each year, we hear of new cyberattacks, taking critical infrastructure offline and crippling construction businesses worldwide, including many here in Europe. These attacks cost billions of pounds a year and can cause whole cities, businesses, and services to grind to a halt.

UK contractors should follow these best practices to safeguard against cyberattacks and improve outcomes in case of an attack.

Create a business continuity plan

Preparing for the worst puts your business in the best position moving forward because you can act quickly and have more control of the outcome. A solid cyber security disaster plan can get quite detailed. It should be consistently reviewed, practiced, and updated to net the best results in case of an incident. At a minimum, a business continuity plan should include the following:

  • Name of a leader to act as a central resource to manage disaster recovery across multiple departments.
  • A communication plan for sharing key messages and managing crises with employees, clients, and additional project stakeholders.
  • A maintenance plan for a continually updated (and backed up) list of employee contact information and asset inventory.



Back up all data

A crucial aspect of any good cyber security plan is to make sure that everything is backed up, preferably in the cloud or physically on an offsite server that’s not on your network. Backups should be frequent and automated, so ask your IT provider to set them up so that they either happen in real time (if you’re backing up to the cloud) or run daily after everyone has left the office.

Secure mobile devices

Mobile devices are more challenging to secure than other data systems, but just as critical. Utilizing an enterprise management platform, such as Cisco Meraki, allows you to maintain enterprise-level control over all of your devices. These kinds of platforms ensure that individual devices are still managed centrally, and contractors can limit software installation, track devices using GPS, disable devices, and more.

Protect software and servers

When it comes to software and security risks in construction, contractors should choose platforms and software providers that take security seriously. Granular permissions, user-friendly management systems, and multi-factor authentication, for instance, are all must-haves in any construction software.

By using cloud-based, connected construction software, contractors shift the responsibility for maintaining servers, ensuring SOC 2 Type II compliance, and handling data backup and storage to the software vendor. Project and business data backups happen automatically, providing daily protection, with costs often included or rolled into users’ subscription costs. New software features and security functionality are also rolled out automatically.

By coupling the backups with cybersecurity protections, cloud vendors use the latest technologies to thwart cybercriminals and provide an extra level of protection not otherwise achieved through in-house backups. When shopping for business software, make security one of your first discussion points.

Additionally, your web and email servers need to be properly protected to avoid online attacks. Physical network servers need to be secured, and you need to ensure that any cloud-based solutions you’re using also implement rigorous security protocols.




Assure employee buy-in

Cybersecurity protection in construction requires every employee at every level to be fully engaged and actively vigilant. There are several steps to take to make that happen:

  • Ensure all employees receive regular cybersecurity training, especially if online workflows or procedures change.
  • Welcome feedback from team members and update cybersecurity policies and processes as needed.
  • Counsel employees on everyday checks to make before opening email, such as looking for spelling and grammar errors, verifying the sender’s email address, and never opening unexpected attachments.

Take the first step: get started

The most important step is the first one. The UK government offers two certifications – Cyber Essentials and Cyber Essentials Plus – that are crash courses in the basics to keep businesses safer from cybercrime. While they don’t replace a cybersecurity risk assessment, they will show you how to do one and how to select the security measures your business needs.

Anywhere your data is stored or used is a potential entry point into your company’s digital existence. It only takes one slip to allow malicious code or ransomware in, and once it’s there, it can cause millions of pounds worth of damage.

Jama Connect® Strengthens its Lead as the #1 Requirements Management Solution in G2®’s Summer 2024 Report

We are thrilled to announce that Jama Connect® has once again been named the overall leader in the G2 Grid® Report for Requirements Management Software for Summer 2024.

G2’s rankings are based on authentic user reviews and data gathered from online sources and social networks, analyzed through their unique v3.0 algorithm. The Summer 2024 G2 Grid® Report reflects scores calculated up until June 4, 2024.

In addition to being recognized as the top requirements management software, Jama Connect® has earned several other accolades for Summer 2024:

  • Overall Leader
  • Enterprise Leader
  • EMEA Leader
  • Europe Leader
  • Small-Business Leader
  • Mid-Market Leader
  • Momentum Leader



Jama Software® is honored to receive this recognition, which highlights the value we bring to our customers, especially those moving from document-based approaches to complex product, systems, and software development. We are grateful to our customers for their valuable feedback on our product, services, and support.

Customer Feedback Highlights

“Jama [Connect] is not only a ‘document-oriented’ ALM tool, it gives the organization the ability to map the project structure the product structure making it an easy entry point for R&D folks. Configured properly, it is a real technical and regulatory ‘single source of truth.’” – Frederic Fiquet, Director, Systems Engineering

 

“Product Design teams need a requirements management tool like Jama [Connect]. Using Jama Connect allows our software development team to have a well-organized and well-written set of requirements. It allows us to more easily maintain a baseline of features in our continuously evolving software.” — Mark M., Mid-Market




Our commitment is to provide the best possible experience for our users, and being named the overall leader is a testament to their satisfaction and success with Jama Connect.

From all of us at Jama Software, thank you!

How to Overcome Development Challenges: Proving Regulatory Compliance in Complex Product and Systems Development

As we enter the second half of 2024, development of complex products and systems often encounters the intricate web of regulatory compliance. From medical devices and automotive components to aerospace systems and software applications, ensuring adherence to stringent regulations is critical for both market access and consumer safety. However, proving regulatory compliance presents a multitude of challenges that can impede development timelines, inflate costs, and complicate project management. Fortunately, tools like Jama Connect® offer robust solutions to these challenges, streamlining the compliance process and enhancing overall efficiency.

The Challenges of Proving Regulatory Compliance

1: Diverse and Evolving Regulation

  • Complexity: Different industries are governed by a myriad of regulatory bodies, each with its own set of rules and standards. For example, the medical device industry must comply with FDA regulations in the U.S., CE marking in Europe, and various other international standards.
  • Evolution: Regulations are not static; they evolve to keep pace with technological advancements, emerging risks, and geopolitical changes. This continuous evolution necessitates constant monitoring and adaptation.

2: Traceability and Documentation

  • Traceability: Ensuring traceability from requirements through to testing and validation is essential for demonstrating compliance. This involves linking every design decision, change, and test result back to the initial regulatory requirements.
  • Documentation: Regulatory bodies demand extensive documentation as proof of compliance. Managing and organizing these documents can be a herculean task, particularly in large-scale projects with numerous stakeholders.

3: Collaboration and Communication

  • Interdisciplinary Teams: Complex systems development typically involves interdisciplinary teams, including engineers, designers, testers, and compliance officers. Effective collaboration and communication across these teams are crucial for ensuring that compliance is maintained throughout the development lifecycle.
  • Stakeholder Alignment: Aligning all stakeholders on compliance goals and processes can be challenging, especially in large organizations with decentralized teams.

4: Risk Management

  • Identification: Identifying potential risks related to regulatory compliance early in the development process is critical. These risks can stem from technological uncertainties, supply chain issues, or changes in regulatory requirements.
  • Mitigation: Developing and implementing strategies to mitigate identified risks requires a proactive and systematic approach, integrating risk management into the overall development process.



How Jama Connect® Helps Overcome These Challenges

Jama Connect is a comprehensive requirements management platform designed to address the complexities of regulatory compliance in product and systems development. Here’s how it helps teams navigate and overcome these challenges:

“We develop complex products that require multidisciplinary work and V-cycle traceability. A tool like Jama Connect is required, and Jama Connect does the job well.” – Nicolas Ohlmann, CTO, CIXI

1: Centralized Requirement Management

  • Unified Platform: Jama Connect provides a centralized platform where all requirements, tests, and risks can be managed and tracked. This unified approach ensures that all compliance-related information is easily accessible and up-to-date.
  • Real-Time Updates: With real-time updates and version control, teams can ensure that everyone is working with the most current information, reducing the risk of compliance breaches due to outdated data.

“Jama Connect is a modern solution for requirement management. Other tools are either outdated, cheap, modern-looking clones of IBM DOORS, or insufficient in functionality.” – Requirement Manager, Professional Services Company

2: Enhanced Traceability

  • End-to-End Traceability: Jama Connect enables end-to-end traceability by linking requirements, design decisions, test cases, and validation results. This comprehensive traceability ensures that all regulatory requirements are met and can be easily demonstrated during audits.
  • Audit Trails: Detailed audit trails provide a clear record of all changes and decisions, facilitating smoother and more efficient compliance audits.

3: Collaboration and Communication Tools

  • Cross-Functional Collaboration: Jama Connect fosters collaboration across interdisciplinary teams through its integrated communication tools. This ensures that all team members are aligned on compliance objectives and can easily share information and updates.
  • Stakeholder Engagement: The platform supports stakeholder engagement by providing customizable dashboards and reports, enabling clear and effective communication of compliance status and progress.

“Investing in a good requirements management tool is a logical step to avoiding the common pitfalls of software development projects. Jama Connect provides the necessary tools to allow a team to manage huge amounts of requirements.” – Director, Solutions Delivery

4: Robust Risk Management

  • Risk Identification and Assessment: Jama Connect includes tools for identifying and assessing compliance risks, integrating risk management into the overall development process from the outset.
  • Risk Mitigation Plans: The platform supports the development and tracking of risk mitigation plans, ensuring that potential compliance issues are addressed proactively and systematically.

“I have used various requirements management tools throughout my career spanning over two decades and Jama Connect scores big when it comes to user interface. It is very easy to onboard the tool into the system with minimal training needs for the user groups. This does not belittle the functional core that a creator could do with the tool configuring it. I highly recommend Jama Connect for any organization working on safety-critical systems.” – Senior Manager, Biotechnology Company




Conclusion

Proving regulatory compliance in complex product and systems development is fraught with challenges, from navigating diverse and evolving regulations to ensuring traceability and effective collaboration. Jama Connect provides a powerful solution to these challenges, offering a centralized platform for requirement management, enhanced traceability, robust collaboration tools, and comprehensive risk management capabilities. With Jama Connect, teams can keep up with the ever-changing regulations thanks to our solutions developed and updated by our leading industry experts. By leveraging Jama Connect, teams can streamline the compliance process, reduce risks, and ultimately deliver high-quality, compliant products to market more efficiently.

“We use Jama Connect for requirements, risk, and verification/validation management, as well as integrating Jira and Enterprise Architect. Having traceability in one tool is going to be so helpful for our product development.” – Principal Systems Engineer, Health Care Providers & Services Company

Whether you’re developing cutting-edge medical devices, innovative automotive systems, or advanced software applications, Jama Connect can help you navigate the complexities of regulatory compliance and achieve your development goals with confidence.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by McKenzie Jonsson, and Mark Levitt.


The Top Six Things You Should Know About TÜV SÜD Certification

In the quest for innovation, product testing, compliance, and safety certifications remain key to accessing markets and gaining customers. No one wants to buy a product, service, or process that hasn’t been thoroughly vetted by an independent body. In the context of global markets, few certifications carry the importance or significance of those from TÜV SÜD, but in the United States, the various companies that are part of the TÜV Association are not widely known. So, what is TÜV SÜD, and why is it so important to product development?

1: What does TÜV SÜD stand for?

“TÜV” stands for “Technischer Überwachungsverein,” which translates to “Technical Inspection Association” in English. There are several independent companies that are part of the TÜV Association; TÜV SÜD is headquartered in Munich and employs approximately 25,000 people around the globe.

2: What type of company is TÜV SÜD?

TÜV SÜD is focused on protecting people and the environment through rigorous testing, certification, auditing, and advisory services. The company helps ensure regulatory compliance of new and updated technologies, especially in automotive innovation and development, and it functions as a notified body in Europe for medical devices. The TÜV companies trace their origins back to the 1860s when they were first formed to oversee the safety of steam engines.

3: What is the difference between TÜV SÜD and TÜV Rheinland?

TÜV SÜD and TÜV Rheinland are different companies that both provide similar services. All TÜV companies are at least 25.1% owned by the TÜV Association. There are currently six main members of the TÜV Association, all of whom are denoted by the brand “TÜV” plus the regional suffix, such as SÜD or Rheinland. The other TÜV companies include TÜV Nord, TÜV Thüringen, TÜV Saarland, and TÜV Austria.




4: What is a TÜV SÜD Certification?

A TÜV SÜD Certification assures governing bodies and consumers that a product, service, or process has passed relevant safety testing and meets relevant compliance requirements. The certification process is rigorous and comprehensive and involves multiple steps, including steps to review requirements and establish processes followed during development.

5: Why is achieving TÜV SÜD Certification so important?

TÜV Certification is recognized internationally as a sign of quality and thorough review—similar to an ISO or UL certification. Although it originated in Germany, it is regarded globally as evidence that your product, service, or process has attained high standards of safety, quality, and sustainability. With a TÜV SÜD Certification, you can achieve access to additional markets and give your customers peace of mind.

6: Is Jama Connect® certified by TÜV SÜD?

Jama Connect received its first TÜV SÜD certification in 2016. Jama Connect is TÜV SÜD certified for developing safety-related products according to ISO 26262 (up to ASIL D) and IEC 61508 (up to SIL 3). Jama Software is the first vendor that is both SaaS and Agile to receive the certification. In 2019, Jama Software completed additional certification for Jama Connect as a software tool for the development of medical devices according to IEC 62304 and railway applications according to EN 50128.




Don’t neglect important certifications. Even if you are already pursuing other certifications, the TÜV SÜD Certification could be an important addition to your automotive, medical, or railway products and services. Jama Connect can help you meet the requirements tracing and process needs that will set you up to achieve the TÜV SÜD Certification and expand to new markets and customers. To learn more, contact us.



SysML is Not Enough: Why You Still Need a Requirements Management Tool

All engineering process models (Agile, waterfall, spiral development, V-model, concurrent engineering, iterative…) describe managing requirements as the most critical key to success. Well-understood requirements provide a single connection point for communication across the engineering teams. Using a Systems Modeling Language (SysML) tool alone to manage requirements instantly creates a silo between engineering teams.

Requirements, tests, architectures, and risks are used by every stakeholder when developing a new product or when building or modernizing a system. Customers generate needs and requirements, and they care about the development status of those requirements and whether the development team is following the necessary process, especially if the work requires contract adherence or must meet regulatory laws or industry standards.

Software, hardware, and testing teams also access requirements to be able to analyze, develop, and test. Additionally, they are creating requirements at their given subsystem level too.

Systems Engineers work across all levels of requirements and coordinate the other engineering disciplines. NASA best describes it as, “Systems engineering is a holistic, integrative discipline, wherein the contributions of structural engineers, electrical engineers, mechanism designers, power engineers, human factors engineers, and many more disciplines are evaluated and balanced, one against another, to produce a coherent whole that is not dominated by the perspective of a single discipline.” – NASA

As you can imagine, functionality such as configuration management of requirements and traceability between needs, requirements, tests, risks, and architecture is necessary. Systems engineers have been using various tools and even manual techniques for decades to do this.




The Advertised Purpose of SysML

SysML is a graphical modeling language that is used within some systems modeling tools (such as Dassault’s Catia Nomagic) that enables systems engineers to perform “engineering” of the system. SysML “supports the specification, analysis, design, verification, and validation of a broad range of systems and systems-of-systems.” – Wikipedia

SysML is only a decade old; already a new, more complex version has recently been released; and SysML is yet to be widely adopted. It is widely thought to hold promise for the discipline of model-based systems engineering (MBSE). It is not the only language in use for MBSE though; LML and OPM are examples of modeling languages too, being used within other systems modeling tools.

However, a SysML model is difficult even for those trained in the language. Some indicate that the learning curve is steep and the mechanics of the tools are difficult, as cited in a recent article by Technology Strategy Partners. Additionally, the various tools that support SysML don’t position themselves as a replacement for a true requirements management tool either. A dedicated requirements management tool such as Jama Connect has built-in capabilities for collaboration, configuration management, baselines, managing traceability across multiple levels of objects, managing verification and validation activities, controlling access and change to objects using role-based permissions, and showing real-time workflow states at the object level.

“What SysML lacks is its usage during key Systems Engineering (SE) phases like detail design or implementation phases wherein specific solutions like CAD, Software coding or network design for embedded systems are used,” said Kiran Jacob, Dassault Systems.

Also challenging is usage by software teams during later-stage design phases. Communication of the model (its requirements) becomes critical when needing to validate requirements with the customer, with product managers, and with other engineering disciplines outside of the SysML Scribe (tool jockey). The greater responsibility of the systems engineer as a cross-disciplined communicator requires the use of tools outside of the SysML tool to communicate. Effective communication of requirements is best represented in dedicated requirements management tools.




Conclusion

In conclusion, while SysML and other modeling languages offer significant promise for the discipline of model-based systems engineering, they are not without their challenges. The complexity of SysML, along with its steep learning curve and the limitations of the tools supporting it, often hinders its effectiveness in later stages of design and implementation. As such, relying solely on SysML can create silos within engineering teams, impeding the critical communication and coordination necessary for successful systems engineering.

Effective requirements management remains the cornerstone of any engineering process, ensuring all stakeholders — from customers to software and hardware teams — are aligned and informed. Dedicated requirements management tools, such as Jama Connect, offer robust features like collaboration, configuration management, and traceability, which are essential for managing the multifaceted aspects of modern engineering projects. These tools facilitate clear communication of requirements, verification, and validation activities across all engineering disciplines, thereby supporting the holistic, integrative approach championed by systems engineering.

Ultimately, the synergy between specialized requirements management tools and SysML can provide a comprehensive solution, leveraging the strengths of both to enhance the efficiency and success of engineering projects. As the field continues to evolve, adopting a balanced approach that incorporates the best practices and tools from both domains will be key to navigating the complexities of modern systems engineering.

In this blog, we recap our webinar, “Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety” – Click HERE to watch it in its entirety.


Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety

Welcome to our Expert Perspectives Series, where we showcase insights from leading experts in complex product, systems, and software development. Covering industries from medical devices to aerospace and defense, we feature thought leaders who are shaping the future of their fields.

With more than 30 years of experience and a mission to elevate knowledge and proficiency in medical device risk management, Bijan Elahi has worked with both startups and some of the largest medical device companies worldwide.

In this presentation on Risk Management and Designing for Cybersecurity & Patient Safety, Bijan covers:

  • Significance of a comprehensive risk management approach, including safety & security, for medical devices
  • Interfaces between safety and security risk management processes, and how they interact/complement each other
  • Upcoming industry trends that impact risk management (safety, security) like AI/ML, rise in connected devices, wearable devices


The following is an abbreviated transcript of our webinar.

Kenzie Jonsson: Welcome to our Expert Perspective series where we showcase insights from leading experts in complex product, systems, and software development. Covering industries from medical devices to aerospace and defense, we feature thought leaders who are shaping the future of their fields. I’m Kenzie your host, and today I’m excited to welcome Bijan Elahi, a world-renowned expert on safety risk management for medical technology. With more than 30 years of experience and the mission to elevate knowledge and proficiency in medical device risk management, Bijan has worked with both startups and some of the world’s largest medical device companies. Without further ado, I’d like to welcome Bijan who’ll be presenting on risk management and designing for cybersecurity and patient safety.

Bijan Elahi: Hello. My name is Bijan Elahi. I’m delighted to be speaking to you about cybersecurity and medical device risk management. Before I start, I’ll briefly introduce myself. I am a technical fellow, a professor, and the founder of MedTech Safety, an education and advisory company. To give you a little background about myself, I come from the industry and have been a medical device product developer for most of my career. Most of the products that I have developed have been class III implantable devices such as pacemakers, defibrillators, and deep brain stimulators. Now I’ve also developed a kidney dialysis system, which includes disposables. I’m based in Florida, but I teach and advise worldwide. Risk management is my passion. I have trained over 10,000 individuals worldwide in the latest knowledge and best practices in risk management.




Elahi: The companies that have benefited from my training range from small start-ups to the largest MedTech companies in the world. And here’s the sampling. I am also active in academia, for example, at Delft University of Technology and Eindhoven University of Technology in the Netherlands where I teach a graduate course to doctoral students in engineering. I am also an affiliate professor at Drexel University Graduate School of Biomedical Engineering and Health Science, where I teach safety risk management for medical devices. And lastly, I’m a contributor to the standard ISO 14971, and the author of two very popular books on medical device risk management published by Elsevier Publishing in the UK under the label of Academic Press. My publisher tells me that my books are bestsellers in the genre of medical books for them, and they’re available at all major booksellers such as Amazon.

So now let’s talk about cybersecurity and safety risk management. The threat of cybersecurity on medical devices is a rising concern as there’s an ever-increasing interconnectivity, interoperability, and reliance on digital technologies. Medical devices such as pacemakers, insulin pumps, and imaging systems often contain sensitive patient data and are integral to patient care. Cyber attacks on these devices can lead to severe consequences, including tampering with the device functions, unauthorized access to patient information, and destruction of critical healthcare services. The potential for harm is significant. For example, incorrect diagnosis, treatment delays, or even direct physical harm to patients. As cyber threats become more sophisticated, we need robust security measures, smart designs, and continuous monitoring to protect these vital components of modern healthcare systems. The safety impact of cybersecurity exploits must be considered in the overall residual safety risk of medical devices.

Safety risk management is distinguished from cybersecurity risk management. Safety risk management is primarily concerned with the safety of patients, users, and the performance of medical devices. This involves identifying, evaluating, and controlling the risks of harm to patients or users due to device malfunctions, use errors, or adverse interactions with the human body. The focus is on ensuring that the device functions safely and effectively under normal and fault conditions. On the other hand, cybersecurity risk management is focused on protecting the device and its data from malicious cyber-attacks and unauthorized access, which may have nothing to do with safety. Many hospital systems are currently under ransomware attacks with the intention of financial exploitation. Security risk management involves implementing measures to protect the data confidentiality, integrity, and availability of healthcare systems. Although these topics are distinct, there is an overlap between them.




Elahi: As mentioned before, there are different exploits that cyber attackers seek. Some are not safety-related. For example, private patient data, software codes or algorithms, financial data, money, et cetera. A famous example is the WannaCry cyber attack, which unfolded in May of 2017 causing widespread disruption across the globe. It all started on the 12th of May 2017 when many organizations began to notice that their computer systems were being encrypted and locked by ransomware demanding payment in Bitcoin to unlock them. The ransomware known as WannaCry exploited a vulnerability in Microsoft Windows. The attack affected hundreds of thousands of computers in over 150 countries. Major organizations and institutions were hit, including the UK’s National Health Service, also known as NHS, FedEx, and many others. The impact on the NHS was particularly severe because medical staff were unable to access patient records leading to significant disruptions in healthcare services.

As you can see, this was a cyber attack with the intention of financial exploitation, but it ended up having a patient safety impact as well. A comprehensive risk management strategy for medical devices must integrate both safety and security measures. This ensures not only that devices are safe from operational risks, but also that they are protected against growing threats of cyber attacks, thereby safeguarding patient health and data integrity in a holistic manner. An interesting side note to the WannaCry story is that this vulnerability was known by Microsoft and they had released a security patch in March of 2017, two months before the cyber attack, but many hospitals and organizations had not applied the patch and remained vulnerable. This is a common issue even today, and many medical devices and healthcare systems remain vulnerable despite the available protections.


CLICK HERE TO WATCH THIS WEBINAR IN ITS ENTIRETY:
Expert Perspectives: A Deep Dive Into Risk Management and Designing for Cybersecurity & Patient Safety


 


Jama Connect® Features in Five: Azure DevOps Integration

Learn how you can supercharge your systems development process! In this blog series, we’re pulling back the curtains to give you a look at a few of the powerful features in Jama Connect®… in about five minutes.

In this Features in Five Integration Series video, Susan Manupelli, Solutions Architect at Jama Software®, will demonstrate the Azure DevOps integration with Jama Connect®.

VIDEO TRANSCRIPT

Susan Manupelli: Hello, and welcome to the Features in Five Integration series. My name is Susan Manupelli, and I’m a Senior Solutions Architect at Jama Software. Today, we will be walking through Azure DevOps integration. We make it possible for you to integrate Jama Connect with your preferred best-of-breed software to achieve Live Traceability™ across the end-to-end development cycle.

Live Requirements Traceability is the ability for any engineer at any time to see the most up-to-date and complete upstream and downstream information for any requirement, no matter the stage of systems development or how many siloed tools and teams it spans. This enables significant productivity and quality improvements, dramatically reduces the risk of product delays, cost overruns, defects, rework, and recalls, and ultimately results in faster time to market.




Manupelli: Before I demonstrate the integration, I’d like to share a slide that depicts the flow of information. The top represents our process as defined in Jama Connect through relationship rules. At the bottom, we’re depicting Azure DevOps. This slide illustrates an implementation task in the form of a user story that syncs up into Jama Connect, as well as a defect created in Jama Connect that syncs down to Azure DevOps. The beauty of this integration is that developers can stay in their tool of choice, in this case, ADO. Product owners can stay in Jama Connect, yet both sides have access to the details of the task. More importantly, the task and related status become part of what’s Live Traceable in Jama Connect. Let’s demo this.

Here we are in Jama Connect. The integration can be configured as a bidirectional sync, so it doesn’t matter whether I create the task in Jama Connect or ADO. First, we’ll decompose a software requirement into a development task that’s in the form of a user story. Here we have a login requirement software requirement. I’m gonna go ahead and add a related downstream user story, which will bring up the form to create a new user story. Notice the editor template feature in Jama Connect prepopulates these with standard user story verbiage. So as a user, I need to log in so that I can view my account. We’re gonna go ahead and set the status to new, and then we’re gonna save and close.

Jama Connect is prompting me to where I wanna save this, so I am going to go ahead and save this where the user stories live in my hierarchy. Notice that upon saving, automatically, the relationship widget indicates the fact that I have traceability, and I could see that traceability back to the software requirement. Within seconds, this user story will flow into ADO.

And you can see that it’s completed already. The integration URL has been populated, and I can navigate this URL, which will open up the item in ADO. Let’s take a look. Here we are in ADO. You can imagine the developer has been assigned to implement the user story. They may add some context to the description. They may go ahead and add a comment, and they may go ahead and indicate that they’re starting to work on this user story by changing the status to active.

Notice that the developer can traverse a URL back to Jama Connect to see the requirements that are driving the user story. These links are handy, but the real advantage is the fact that the changes the developer made within seconds will be visible to anyone working in Jama Connect. Let’s flip back to Jama Connect and take a look. Notice the changes the developer made are now visible here in Jama Connect. The product owner can view and respond to the developer’s comment, and notice that the status has also been updated.




Manupelli: The updated status is reflected in a trace view that we can see here automatically, as well as any dashboard reports we have for user stories. So that’s Live Traceability in action. As a reminder, this thing can be configured bidirectionally. So if your process varies and you create user stories in ADO, we support that use case as well.

Here we are in ADO. Let’s create a new user story. Let’s give it a title and give it a description, and let’s go ahead and save this. Within fifteen seconds, this user story will flow into Jama Connect. Here we are back in Jama Connect’s dashboard. Notice the widget showing these stories that are missing upstream relationships? That new user story has shown up here. Let’s open it.

Now let’s relate to existing and find the requirement that the user story fulfills, and we’re gonna go ahead and relate. Notice the traceability is updated automatically. This completes the traceability between the requirement and the user story.

Thank you for watching this Feature in Five session on the Azure DevOps integration for Jama Connect. If you are an existing customer and wanna learn more, please reach out to your customer success manager or consultant. If you’re not yet a client, please visit our website at jamasoftware.com to learn more about the platform and how we can help optimize your development process.


To view more Jama Connect Features in Five topics, visit:
Jama Connect Features in Five Video Series


In this blog post, we summarize our Whitepaper titled “How to Manage Cybersecurity in Jama Connect® for Automotive and Semiconductor Industries” – Written by Kevin Dibble and Jama Software.


How to Manage Cybersecurity in Jama Connect® for Automotive and Semiconductor Industries

Learn how automotive and semiconductor teams use requirements management tools to support meeting ISO/SAE 21434 while increasing visibility, collaboration, and review-cycle efficiency.

Security threats such as malware, ransomware, and data breaches impact many industries, but with expanded connectivity in the automotive and semiconductor sectors, increased urgency exists to safeguard against fast evolving risks.

Research shows that 91% of vehicles are connected, and that number is expected to rise to 96% by 2030. With more automobiles and semiconductor devices being connected, attack surfaces (cybersecurity vulnerabilities) are expanding quickly, and the ISO/SAE 21434 standard aims to help teams understand and safeguard against potential threats.

However, managing a cybersecurity case within the standard requires many steps, and cross-team visibility and collaboration are often challenging. As a result, some teams are turning to requirements management tools to help improve visibility and increase transparency in review cycles.

If you haven’t used a formal requirements management tool before, understanding the benefits, advantages, and how it works helps determine if it’s right for your team.




Why manage a cybersecurity case in a requirements management tool?

A cybersecurity case is a structured argument supported by the evidence of work products to detail why risks found within the Threat Analysis and Risk Assessment (TARA) are reasonable.

Creating a cybersecurity case for ISO/SAE 21434 is a complex process with many moving parts. Using a requirements management tool has many benefits, including improved traceability, easier collaboration, and improved functionality for reviews.

Here are several ways a tool can help.

1. Improved collaboration between OEMs and tier 1 and 2 suppliers. A requirements management tool, such as Jama Connect®, supports requirements interchange format (ReqIF), which can be used for bidirectional communication of requirements, item definitions, and more. Using the tool, you can support improved collaboration workflows.

2. Provides “trace as you go” visibility. You don’t want traceability to be an afterthought handled by your requirements engineer at the end of the project, especially when that project is complex. A purpose-built requirements management tool, like Jama Connect, allows you to create requirements tracing to parent requirements, design blocks for requirements allocation, and more. It supports a trace-as-you-go methodology.

3. Access impact analysis to handle midstream project changes more effectively. Jama Connect provides access to an impact analysis, a powerful capability supporting the trace-as-you-go approach. Running an impact analysis as project changes happen midstream allows for greater understanding and visibility.

4. Automatically generate test coverage reports. With Jama Connect, you can allocate requirements to design blocks or interconnect the requirements management system to design tools. Using tools like Design Architect provides powerful analytics and test coverage reports that are automatically generated.

5. Connect tools and avoid disjointed tooling challenges. Disconnected tools are often a source of visibility issues. Jama Connect links disparate tools and offers a “toolchain view” for more seamless tool functioning and visibility, like with the Design Architect example above.

6. View exactly where you’re at in a project in real-time. As you move through the management of a case, it’s important to see where you are in the process so you can stay on track. Jama Connect can provide analytics that clearly indicate where you’re at in a project, including allocated requirements, tests that have been covered, and more.




How does a requirements management tool fit with the ISO/SAE 21434 standard?

Traceability, collaboration, and improved review processes are all benefits of a purpose-built requirements management tool, but to understand how it works, it helps to have an example. In the details below, we’ve used the Jama Connect platform as an example to see how it works – from product-dependent cybersecurity management to threat analysis and risk assessment methods.

ISO/SAE 21434 is organized by clauses and subclauses, broken out below.

The right requirements management tool will enable your teams to optimize the development process in many of the above areas. Specifically, here’s a breakdown of how the Jama Connect platform supports each of them, as indicated by the box’s color.

Green. These areas are fully supported and recommended to be implemented in Jama Connect. For example, when viewing section 9 in the chart above under the “Concept” heading, Jama Connect supports the item definition, cybersecurity goals, and cybersecurity concept.

Yellow. These are optional and can be implemented in Jama Connect. For example, you’ll see subclauses 5.4.3 “Information sharing” and 5.4.4 “Management systems” fall into this category.

Yellow-green. These are partially supported in the tool. In other words, Jama Connect can support some of the requirements but not all of them. As an example, 10.4.1 “Design” and 10.4.2 “Integration and verification” are included in this category.

Red boxes. These are not recommended for support in Jama Connect and are usually handled with an in-house tool instead, because some are processes that expand throughout the organization, and some are activities or work products suited for alternative best-of-breed tools. The progression of these work products can, however, be brought back to Jama Connect to reflect status through the Cybersecurity case. An example is the areas under the “post-development phases,” including 12 “Production” and 13 “Operations and maintenance.”

One of Jama Connect’s most powerful capabilities is supporting the green and yellow categories through document building and generation. The tool supports the process of building and reviewing documentation with real-time collaboration as well as creating documentation with a single click and no post-processing.


TO DOWNLOAD THIS WHITEPAPER IN ITS ENTIRETY, VISIT:
How to Manage Cybersecurity in Jama Connect® for Automotive and Semiconductor Industries



Navigating the Shift: From Machinery Directive 2006/42/EC to Machinery Regulation EU 2023/1230

Change is inevitable, especially in regulatory frameworks governing industries. In Europe, the transition from the Machinery Directive 2006/42/EC to the new Machinery Regulation EU 2023/1230 marks a significant step forward in ensuring safety, innovation, and harmonization in the machinery sector. This transition brings both challenges and opportunities for manufacturers, regulators, and stakeholders alike. The new regulation will go into effect in January of 2027. In this blog post, we’ll delve into the key aspects of this transition and explore its implications.




Understanding the Machinery Directive 2006/42/EC

Enacted in 2006, the Machinery Directive 2006/42/EC aimed to harmonize safety standards for machinery across the European Union (EU). It established essential health and safety requirements (EHSRs) that machinery must meet before being placed on the EU market or put into service. The directive provided guidelines for manufacturers to ensure that their machinery was designed and constructed to be safe for use.

Challenges and Limitations

While the Machinery Directive 2006/42/EC was a milestone in ensuring safety standards, over time, certain challenges and limitations became apparent. Rapid technological advancements, emerging risks, and inconsistencies in interpretation and application highlighted the need for a more robust regulatory framework.

The Machinery Regulation EU 2023/1230

A Step Forward: Recognizing the need for an updated and enhanced regulatory framework, the EU introduced the Machinery Regulation EU 2023/1230. This new regulation builds upon the foundation laid by its predecessor while addressing the shortcomings identified over the years.

Key Changes and Enhancements:

  • Scope Expansion: The Machinery Regulation EU 2023/1230 expands the scope to cover a wider range of products, including certain partially completed machinery and safety components. This broader scope ensures that all relevant products are subject to uniform safety standards.
  • Risk Assessment and Mitigation: The new regulation emphasizes a risk-based approach to safety, requiring manufacturers to conduct comprehensive risk assessments throughout the machinery’s lifecycle. This proactive approach aims to identify and mitigate potential hazards more effectively.
  • Digitalization and Connectivity: With the rise of Industry 4.0, the Machinery Regulation EU 2023/1230 addresses the integration of digital technologies and connectivity in machinery. It sets out requirements for cybersecurity, data protection, and interoperability to ensure the safe and secure operation of digitally enabled machinery.
  • Market Surveillance and Enforcement: Enhanced market surveillance measures and stricter enforcement mechanisms are integral parts of the new regulation. Authorities are empowered to monitor compliance more closely and take swift action against non-compliant products, safeguarding the safety of end-users.

Implications and Considerations: The transition from the Machinery Directive 2006/42/EC to the Machinery Regulation EU 2023/1230 presents both challenges and opportunities for stakeholders. Manufacturers need to adapt their processes and products to meet the updated requirements, investing in research, development, and compliance measures. Regulatory bodies must ensure smooth implementation and provide guidance to facilitate the transition for businesses.



The transition from the Machinery Directive 2006/42/EC to the Machinery Regulation EU 2023/1230 signifies a proactive response to evolving challenges and opportunities in the machinery sector. By embracing enhanced safety standards, risk-based approaches, and digitalization, the EU aims to foster innovation while prioritizing the safety and well-being of users. As stakeholders navigate this transition, collaboration, adaptability, and adherence to best practices will be essential for ensuring a smooth and successful implementation of the new regulatory framework.

Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by McKenzie Jonsson and Matt Mickle.

In this blog, we recap our webinar, “IVDR Common Errors: Navigating Notified Body Expectations” – Click HERE to watch it in its entirety.


IVDR Common Errors: Navigating Notified Body Expectations

Explore the notified body process and IVDR technical documentation with experts Margot Borgel, Director of IVD Global Regulatory Affairs at RQM+, and Vincent Balgos, Director of Medical Device Solutions at Jama Software®.

You will gain a thorough understanding of these topics and more:

  • The notified body’s approach to technical reviews
  • Key considerations from the notified body’s perspective
  • Common mistakes made when compiling technical documentation


The following is an abbreviated transcript of our webinar.


Margot Borgel: Hello, everybody. I am Margot Borgel. I’m the Director of IVD Global Regulatory Affairs for RQM+. My role at RQM+ is to support clients in their IVD regulatory journey. So this includes making sure that our projects are meeting regulatory requirements, and providing regulatory leadership to other RQM+ consultants and CRO team members. I provide regulatory support and guidance through the entire product lifecycle from design concept through clinical studies, regulatory submissions, and approvals.

A little bit about me is that I joined RQM+ after four years at BSI Notified Body, where I was a member of the IVD technical team, specifically working on IVDR, IVDD, and UKCA certifications. I’ve worked with many different IVDs across most technologies and many, many device manufacturers. Prior to that, I spent about eight years in the industry for an IVD manufacturer. In that organization, I performed duties in research and development, manufacturing, technical support, and product transfer, as well as manufacturing.

Just a little bit about RQM+. RQM+ is a global MedTech service provider that provides expertise across the full product lifecycle for both medical devices and IVD companies. We provide end-to-end solutions across the complete medical device product life cycle. And that includes many different aspects of the MedTech life cycle. We have a variety of different business units that support different projects, so regulatory and quality consulting, laboratory services, clinical trial services, reimbursement, and technology as well with our Fern.ai solution.

So we’re here today to talk mostly about IVDR technical files. So we’re going to first go through IVDR technical review and certification by the Notified Body. Then we’ll get into how a Notified Body is going to approach a tech file review. And common errors that are seen during that technical file review process.




Borgel: Okay, so the first thing we have to do before we can really get into this is talk about the IVDR transition timeline. So the timelines have recently been updated. They were approved a few weeks ago by the EU Commission. And so I’m just going to go through those very quickly. We have a date of application which passed 26 May of 2022. We’re about two years past that now. But there are some transitional provisions for devices that are currently certified either by the Notified Body or self-certified under IVDD with a declaration of conformity signed before that May 2022 date. So, basically, from the last transition provisions, everything has been pushed out by 2.5 years.

So for Class D devices and devices with existing IVDD certificates, the new transition deadline is the 31st of December 2027, and then each class is pushed out another year. So Class C is 31st December 2028, and Class B and Class A sterile are 31st December 2029. But there are some provisions that come along with this. The main one that is brand new is that you must lodge a formal application with a Notified Body two and a half years before those final deadlines. So May 2025 for Class D and existing IVDDs. May 2026 for Class C and May 2027 for Class B and Class A sterile. On top of that, there are some other provisions, mainly that you must be complying with the IVDR PMS and vigilance requirements as of the 2022 date of application. You cannot put any new products on the market except under IVDR. All Class A devices must be IVDR compliant. And then, recently added, is that you must have an IVDR-compliant QMS system in place by May of 2025.

Okay, so as an IVD manufacturer under IVDR, there are a lot of obligations for manufacturers. This is covered in Article 10 of the IVDR. One of those requirements is that you will maintain and keep up-to-date technical documentation for your device.

And so what does that look like? The requirements are pretty consistent across classes, with a few differences as you have lower-risk and higher-risk devices. But for all devices, you must have that compliant QMS system. You must have a tech file meeting Annex II requirements. And you must meet all of the GSPRs. You must have a performance evaluation plan and report and PMPF plan. For Class A devices, you’re self-declared so you don’t have to worry about Notified Body requirements. But all other devices, from Class A sterile up to Class D, require a Notified Body assessment and certification. Class A and Class B devices need a post-market surveillance report, whereas Class C and D need periodic safety update reports. The difference in content is pretty small, but there are some differences in where you put those documents, who you provide them to, and things like that.

And then Class C and D also require a summary of safety and performance. If you have a companion diagnostic that would fall under Class C, you’re also going to need to do an EMA consultation for that CDx. And for Class D devices, you’ll need to adhere to common specifications, or potentially go through expert panel review. And you’ll need to interact with the EU Reference Labs, which includes product verification and batch release.

This slide is just an overview of all of the technical documentation that is required under IVDR. I’m not going to go into every single thing on this list right now, but that’ll be here for your information. And it’s mainly covered in Annexes II and III of the IVDR.




Borgel: Okay, so, now, I’m going to talk a little bit about Notified Body processes. Each Notified Body is going to have its own nuance to this process, but this is generally how it will go. So you, as the manufacturer, will submit your application to the Notified Body. There will be some back and forth there as you talk about your devices, what classifications they are, what kind of groups are going to get set up, and things like that. And once that’s all situated, you will sign a contract, and then you’ll be officially under contract with the Notified Body. They will do what’s called an application review. This is covered in Annex IX of the IVDR. They’ll basically just make sure they have everything that they need, that they agree with the classifications that you’ve provided, that they have assigned the right codes to your devices, and things like that.

After that is complete, the actual conformity assessment activities will start. So QMS audit and technical review, different Notified Bodies are going to do this slightly differently. Some don’t have any constraints. They can do one or the other at the same time, separately. There are no contingencies. Others have some requirements that the QMS audit happen either before or after the tech review, or that you have to have certain aspects of your technical file complete before the QMS audit occurs. And that’ll be something you’d discuss with your Notified Body. Once those two things are complete, there’ll be a certificate recommendation and then some sort of a review and approval process. So this is like a panel review at some Notified Bodies or a decision-maker review. And then, after that, the certificate will be issued.

When we break down that technical review into a little bit more detail, this is what it looks like. So you submit the documentation to the Notified Body. Most Notified Bodies do what’s called a completeness check, where they just look at what you’ve submitted and make sure they have all the documents they need, and sort out any deficiencies. If it’s a Class D device, you’ll need to make sure that you’re meeting certain requirements for those. So, mainly, have you met common specifications, or is it a first-of-type Class D without common specs? So then we’ll get into tech review. That will go through three rounds of questions, typically, for most Notified Bodies, where you’ll be able to resolve deficiencies in your technical file. That’ll go back and forth. While that’s happening, if you do have a Class D, that first-of-type expert panel review process will be ongoing.


CLICK HERE TO WATCH THIS WEBINAR IN ITS ENTIRETY:
IVDR Common Errors: Navigating Notified Body Expectations