Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Engadget, titled “TSMC is building a second chip plant to meet US semiconductor demand” – originally published on December 6, 2022, and authored by Steve Dent.
TSMC is Building a Second Chip Plant to Meet US Semiconductor Demand
The expansion marks one of the largest direct foreign investments in the US.
Future Publishing via Getty Images
The White House and Taiwan Semiconductor Manufacturing co. (TSMC) have announced plans to build a second chip plant in Arizona, AZCentral has reported. That will boost the company’s investment in the state from $12 billion to $40 billion, while heavily reducing US reliance on semiconductor imports.
Both TSMC factories combined will produce 600,000 wafers per year. “At scale, these two [plants] could meet the entire U.S. demand for U.S. chips when they’re completed,” the National Economic Council’s Ronnie Chatterji told CNBC. “That’s the definition of supply chain resilience. We won’t have to rely on anyone else to make the chips we need.”
The newly announced factory will produce cutting-edge 3-nanometer chips by 2026. The expansion marks one of the largest direct foreign investments in the US and the largest in Arizona. TSMC recently upgraded its plans at its first facility as well, announcing it will now manufacture 4-nanometer instead of 5-nanometer wafers. The first chips are set to be manufactured there starting in 2024, with Apple and NVIDIA reportedly among the first customers.
The CHIPS and Science Act allotted $52.7 billion in loans and other incentives, plus billions more in tax credits, to encourage US semiconductor manufacturing investment. The legislation aims to boost private financing in chip manufacturing in the US.
President Joe Biden is set to visit the site of TSMC’s first plant later today, but the White House announced other related news yesterday. The US Department of Commerce and the European Commission are striking a deal to implement an “early warning mechanism” related to semiconductor chain disruptions following a pilot program last summer. The aim is to improve forecasting of semiconductor supply and demand to achieve a balance between the two.
At the same time, the EU and US are implementing a “transparency” mechanism around public support provided to the chip sector. In other words, one side won’t blindside the other with unexpected semiconductor subsidies that could put either at a competitive disadvantage. A similar issue came up during a recent visit by French President Macron, as EU leaders complained that the US Inflation Reduction Act was unfair to non-American companies.
https://www-dev.jamasoftware.com/media/2022/12/Semiconductor-1.png5121024Jama Software/media/jama-logo-primary.svgJama Software2022-12-27 03:00:222023-06-21 10:33:34TSMC is Building a Second Chip Plant to Meet US Semiconductor Demand
As we enter 2023, Jama Software asked selected thought leaders – both internal Jama Software employees and our external partners – across various industries for the trends and events they foresee unfolding over the next year and beyond.
In the fourth part of our five-part series, we asked Shawnnah Monterrey, CEO at BeanStock Ventures – Romer De Los Santos, Senior Consultant at Jama Software – Vincent Balgos, Director of Medical Device Solutions at Jama Software – Michelle Wu, Medical Device Consultant at Wu Consulting – and Ivan Ma, Medical Device Program Leadership – to weigh in on medical device product development trends they’re anticipating in 2023.
Read more about the authors and their organizations at the end of this blog.
2023 Predictions for Medical Device Product Development
What are the biggest trends you’re seeing in the medical device and life sciences industry?
Shawnnah Monterrey: Biggest trends we are seeing include a rapid migration to the cloud this includes: IoMT, Digital Health, Digital Therapeutics and Big Data such as Genomics, Biotech, and Pharma.
We are seeing a rapid shift towards newly derived clinical insights using pre-existing data from existing medical devices, such as:
Companion diagnostics which combine a diagnosis outcome with a therapeutic and monitoring of that treatment
Digital therapeutics which use software ONLY to treat patients as opposed to a drug or instrument
Novel clinical insights where two or more measurements are combined to produce a clinical determination
AI based diagnostics which often consume numerous inputs that could be measured, demographical or even genetic to derive new clinical insights
Romer De Los Santos: Digital health continues to be a major source of growth as personalized medicine, wearable devices, and mobile health gain wider acceptance. Cloud computing, AI, and machine learning are improving patient outcomes by encouraging innovation and making personalized medicine possible. As these constantly evolving technologies continue to grow in complexity the regulatory framework around medical devices that incorporate them are also evolving to keep up.
For many years, medical device manufacturers secured their devices by disabling or designing out interconnectivity. The rise of electronic medical record keeping has forced manufacturers to support limited interconnectivity. They usually depended on security measures taken by their customer’s IT department as the primary risk control measure. That’s no longer acceptable in our interconnected world. The FDA requires manufacturers to consider cyber security threats and to design controls to reduce these risks as much as possible. This has led to developers having to learn more about threat modeling to limit touch points into their software and to creating plans on how to handle data breaches.
The 21st Century Cures Act amended the definition of a medical device to exclude certain software functions. The FDA intends to focus oversight on software functions that affect patient data and therefore pose the greatest threat to patient outcomes. Wise developers architect their software systems based on clearly defined software functions that can be individually evaluated for risk, leading to a reduction in the regulatory burden. Designing and documenting modular software facilitates re-use and therefore faster time to market for novel medical devices.
Michelle Wu: AI and Machine Learning: I continue to see AI and Machine Learning as a trend for 2023. Any pitch competition I attend includes multiple products that are incorporating AI or machine learning. There’s attention now on companies to look for and counteract bias in the data sets and algorithms.
Health equity: A spotlight on health inequities shines brighter since the pandemic and fortunately many companies are looking to do good and do well. Telehealth, remote patient monitoring, digital health apps, are the top areas of innovations that I see to address these disparities.
Vincent Balgos: The pandemic continues to drive the industry, regulators, and the market for COVID-19 related products and services, so I would expect continual development in these areas as new SARS-CoV-2 variants emerge, or other as other diseases arise.
Continual integration of medical life products, and interoperability amongst devices. As software to grows as a critical part of medical device industry, whether standalone SW or integrated with other components, there are many areas for 2023 innovation such as:
Software as a Medical Device (SaMD), Software in a Medical Device (SiMD)
Cybersecurity
Complex data analysis such as bioinformatics, genomic sequencing, imaging processing
Artificial Intelligence (AI) and Machine Learning (ML)
New or modified regulations (EU IVDR, EU MDR, and potential US VALID Act) continue to change the landscape in how medical device and life science organizations develop, manufacture, and maintain products.
The new FDA Computer Software Assurance (CSA) guidance that revisits validation in context of the current Computer System Validation (CSV) approach. Many medical companies are looking at this new risk-based approach to streamline their activities, documentation and outputs as the current standard practice can be complex and cumbersome.
Biggest Challenges – What are some of the biggest challenges you think medical device and life sciences companies will be working to overcome in 2023?
Monterrey: Two of the biggest challenges I see are: monetization and regulatory clearance.
Medical devices revenue models rely heavily on reimbursement from CMS which require a CPT code. Obtaining a new CPT code requires a significant investment and burden on the medical device manufacturer to provide clinical evidence which not only shows efficacy but also provides A reduced cost of care when compared to existing methods and treatments. We are seeing that digital therapeutics are struggling in this area. One strategy has been for digital therapeutics to partner with an existing reimbursed pharmaceutical via revenue sharing. But on the upside CMS has recently provided a new code which allows prescription digital behavioral therapy to be reimbursed as a medical benefit which is trailblazing the path for other digital therapeutics to follow.
While digital health applications that are intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease are medical devices and have been regulated by the FDA for many years, there has been new entrants in the recent years that have gone under the radar. With the recently issued guidance from the FDA on Clinical Decision Support Software, FDA attempts to make it clear which products are regulated medical devices, and which are not. This will slow the reduction in the barrier to entry as many digital health applications begin to play catchup.
Ivan Ma: The supply chain for components and materials continues to remain constrained. With lead times stretching well past 6 months, and sometimes getting close to 12 months. Programs should plan for contingencies and with expectations that milestones that require physical materials will be impacted by the last part in. Be wary of strategies that start early but require more total effort to execute.
In terms of product and systems development, what do you think will remain the same over the next decade? What will change?
De Los Santos: The need to ensure traceability between requirements, testing, risk, and design will continue to be important in the next decade. Changes in what is considered medical device software will lead to revised regulatory strategies by companies agile enough to take advantage of these changes. Documentation must become more modular to match the software they describe.
Balgos: Based on my past 17 years in medical product development, the time pressures to launch safe and effective products quickly to the market has always been a constant theme.
Many attempt the “faster, better, cheaper” approach, but schedule has always been the driver when comes to the project’s managements iron triangle (scope, budget, schedule). While this “faster, better, cheaper” approach may work for other industries, the medical field is especially constrained in that a patient’s safety is non-negotiable.
What will change is how companies adapt to the complexities of the regulation landscape, innovative technologies, and ever growing knowledge of diseases, illnesses, etc. The adaption for advanced tools, processes, and digitization of information will continue to grow industry as scientists/engineers evolve their practices.
What changing regulatory guidelines do you anticipate having an impact on companies in 2023?
Monterrey: In addition to FDA’s guidance on Clinical Decision Support Software there are a few other draft guidance in the works such as Computer System Validation (CSA), Cybersecurity, and AI.
Tools that are used to implement part of all the quality system require validation to ensure that the tool is fit for purpose and mitigates the risk of failures that could pose undetected harm in the medical product. We have seen many of our clients spend significantly more effort on validating tools that do not pose significant risk to their medical device than the medical device itself. FDA’s Computer Software Assurance for Production and Quality System Software draft (CSA) guidance provides great insight on how to take a risk-based approach when validating your tools.
Cybersecurity affects all products in development and on-market, regardless of if they are fully embedded or even connected. For medical devices manufactures that have many legacy devices on-market, this new guidance can pose a significant risk and cost.
Artificial Intelligence and Machine Learning (AI/ML) Software as a Medical Device Action Plan provides some additional insights into FDA’s current thinking behind AI. Although there is no current guidance from the FDA, AI devices continue to be cleared under existing guidance increasingly year or over.
Balgos: The US VALID ACT could have major disruption to lab developed tests (LDT’s) and how they are regulated in the US market. The additional restrictions may impact the growth of new tests, but provide additional oversight to help improve safety. This controversial topic has been a continual discussion point in industry, and that the new VALID ACT provides some additional clarification and guidance.
How do you foresee regulations shifting in medical device and life sciences over the next decade?
De Los Santos: There is a growing understanding among regulatory bodies that cloud computing companies are developing technology that will significantly improve patient outcomes.
Tool Innovation – From a medical device and life sciences engineering toolset perspective, what are some of the processes you think forward-thinking firms will be working to leverage or incorporate into their process and why?
Monterrey: From an engineering toolset perspective – finding automated tools that support the regulation and the team’s ability to be agile for the full development cycle will have a significant impact. Typically, we see our clients taking 6 to 18 months back tracking design activities in order to satisfy the FDA when the product is almost completed. If development is done in a more automated and iterative way – time to market can be significantly reduced, more predictable and lead to higher quality products.
Wu: Tools that make regulatory compliance more efficient. The best tools make it easy for companies to enhance, instead of hampering, their product development and business strategy.
Human centered design. While not a new concept, it is not universally practiced and incorporated. Those that do this well have medical devices that resonate with users and have better product adoption.
Ma: Requirements matter more than ever. Avoid building the wrong thing by keeping track of requirements and risks management using a tool like Jama Connect. If you are paper tracing, you’re operating in the 20th century.
Any major disruptions to the medical device and life sciences industry you’re anticipating in 2023?
De Los Santos: AI, machine learning, and cloud computing were instrumental in the response to the pandemic but have far bigger implications for improving patient health. As companies shift focus away from the pandemic, I expect more innovation around personalized medicine and clinical decision support software, both of which take advantage of these emerging technologies.
Balgos: The US VALID ACT could have major disruption to lab developed tests (LDT’s) and how they are regulated in the US market and industry.
What sorts of process adjustments do you think development teams will need to make to be successful in 2023?
De Los Santos: Development teams should take advantage of the guidance on software functions to improve the architecture of their code and their documentation. The sooner development teams create re-useable code and documentation building blocks, the better.
Balgos: Aligning with new regulations, such as the potential VALID ACT, and new FDA draft guidances such as CSA, Human Factors, and others
For the EU market, organizations need to start early. Notified Bodies engagement as the backlog continues to be longer than expected for re-certification for Medical Devices and IVD’s to the new regulations.
In your opinion, what are the biggest differences between a medical device or life sciences company that survives to see 2030, and one that doesn’t?
Monterrey: Companies that strive to maintain agility while being regulated leveraging tool automation as opposed to paper-based and stage gate processes will have a competitive advantage and higher chance of survival by having the ability to:
Address cybersecurity demands in an ever-changing eco-system
Derive new clinical insights using real-world data
Innovate by releasing product and features in more frequent cadences
Stay ahead of obsolesce issues
De Los Santos: The ability to organize software, hardware, and documentation into re-useable building blocks are key to winning in this kind of environment. You must be fast while maintaining a level of quality that ensures patient safety.
Ma: Products that bring true clinical value will win in the long run. The challenge is finding organizations and sources of capital that are methodical enough to identify true clinical value and have the grit and determination to stick with programs that take more than 5 years to reach human use.
Balgos: Adapting to the environment will be key for a company’s survival. Whether new regulations, innovative technologies, or another global event changes in how industry operates, companies that has the ability, resources, and willingness to pivot will likely survive.
What role will cybersecurity play in medical device development in the coming year and beyond?
De Los Santos: Cybersecurity is here to stay! The FDA requires device manufacturers to document how they handle cyber security threats and breaches. Companies can’t depend solely on risk control measures made by the customer’s IT department.
What advice would you give to new companies entering the medical device and life sciences industry?
Monterrey: Invest in tools, training, and infrastructure upfront and hire industry and technological experts to help you navigate the complexity of the cloud environment and regulated space.
De Los Santos: Take some time to define a simple design and development process. Don’t overdo it! You don’t get extra credit for adding extra process work. Use a risk-based approach to determine how much is too much.
Wu: Understand that the path to commercialization is much longer for a regulated medical device or therapeutic as compared to a consumer good.
Gain an appreciation for the regulations, what claims you want to make for your product, and how those two impact your timeline.
Human-centered design, including addressing diversity and inclusion, will differentiate your product from others.
Ma: A mentor told me that medical devices are a hard but worthwhile sport. Play the sport with the intent to bring positive clinical value to people everywhere. The rest, as they say, will take care of itself.
Balgos: Understand the market, regulations, and intended use of products/services and the associated risks.
Encourage good documentation practices early and consistently, as documentation is the lifeblood of the industry. Because if it wasn’t documented, it never happened.
What topic(s) do you wish companies were paying more attention to?
Monterrey:
FDA requirements pre-development – implementing a QMS and following a design process.
Customer needs – developing with the end user in mind.
Software as a profit center – focused on the revenue opportunity software can bring.
Tool validation – focus on value-add activities, if you’re spending more time and money validating tools that verifying your medical device you should revisit your QMS for inefficiencies.
De Los Santos: I wish companies would take a little more time cleaning up their processes. Where are you wasting effort? Putting band-aids on your development process costs you more in the long run. What is a working medical product with a poor or non-existent design history file? It’s a brick. It’s a very expensive brick that will require months of remediation work. Design documentation created after the fact is always poor and you’ll also have trouble retaining great engineers if they must spend months remediating documents.
Wu: Women’s Health: While women make up 51% of the population, less than 1% of VC funding is going to FemTech. With an estimated market size of $1.186 Trillion by 2027, the medical device industry is slowly taking notice of the unmet need and market potential of innovation focused on women. Consumer product goods, digital health, and diagnostics are top three product addressing issues unique to women, including menstruation, maternal health, and menopause1. It’s an under tapped area that continues to be prime for disruption.
What do you think will remain the same in this industry throughout 2023?
Monterrey: I think we will continue to see slow economic recovery as a result of the side-effects of COVID as it relates to supply chain, pivots, and lower year end earnings. The businesses that end up striving will be those who are focused on long term strategy as opposed to short term reactions to the economy. Reinvestment and patience will be essential to staying ahead competitively.
What do you predict for regulation in the medical device and life sciences industry in 2023?
Monterrey: There will be a watchful eye on cybersecurity, additional thinking around AI and significantly longer wait times for approval.
Wu: While not significant changes in regulation, the change to MDR and IVDR in the EU continues its impact to the industry, especially as companies’ previous MDD certifications lapse, but have yet to obtain their MDR certifications. As of a July 2022 MedTech Europe Survey Report, >85% of existing medical devices that had MDD certification have received MDR. And unfortunately, it is the patients and public that live in the EU that will be affected when they no longer have access to the same medical devices and diagnostics that they had previously. With the 13–18-month time-to-certification with MDR-designated Notified Bodies, nearly double the time historically needed, this influences the worldwide go-to-market strategy of companies.
Will those trends still be prevalent 5 years from now? 10 years?
Monterrey: Digital health applications will begin to dominate the market over traditional hardware devices with new and innovative, diagnostics treatments and therapies leveraging cloud, AI and real-world data. FDA trends over the next 5 to 10 years will move towards harmonization to reduce complexity and improve ease of use. The reduce wait times the FDA will continue to extend devices in the break-through designation and rely on the use certification bodies or 3rd party FDA reviewers like BeanStock Ventures.
Where do you see Jama Software fitting in as the product development landscape evolves, and what can our customers expect as 2023 approaches?
De Los Santos: When properly configured and coupled with a simple design control process, Jama Connect significantly reduces the documentation burden for our customers. In the same way that a good source code management system facilitates code reuse, Jama Connect facilitates re-use of requirements, test cases, and risk documentation. There have been some recent improvements to the Jama Connect that I’ve been requesting since I was a Jama Software customer. I hope people take time to take advantage of them.
Shawnnah Monterrey – CEO, Beanstock Ventures
20+ years’ experience in the medical industry, Shawnnah Monterrey knows a thing or two about guiding innovative products to market.
Prior to founding BeanStock Ventures, she obtained a bachelor’s degree in computer science from the University of California, San Diego and an executive MBA from San Diego State University, then went on to hold product development management positions across numerous global firms, including Illumina, Invetech, Medtronic and Carl Zeiss Meditec. Through this work, she continued to develop a passion for innovation in medical devices, life sciences, and biotechnology.
BeanStock Ventures
BeanStock Ventures is 1 of 9 FDA-accredited Third Party Review Organizations globally which provides software development and regulatory compliance products and services to minimize complexity, and reduce cost and time to market of innovative medical devices.
BeanStock Ventures has over 140 years of combined experience in software development for the healthcare and life science space.
833.688.BEAN (2326)
marketing@beanstockventures.com
Michelle Wu – Principal Consultant at Michelle Wu Consulting
Michelle Wu is a senior leader with 20 years of experience in the medical device and life sciences industries with roles in executive leadership, product and process development, manufacturing, and quality. Michelle has a history of successful medical device product development, strategic planning and execution, building teams, process evolution, and managing organizational change. She values a collaborative and diverse, equitable, and inclusive environment, believing that diverse perspectives lead to the best ideas, more cohesive teams, and better results.
Ivan Ma
Ivan Ma has nearly two decades of experience in the medical device industry holding leadership and design positions spanning a wide range of medical devices; from single use devices and active implantables to complex surgical robotic systems. Ivan specializes in bringing early phase projects through development in preparation for FDA submission and human use by introducing balanced discipline to an inherently chaotic process.
Vincent Balgos
Vincent Balgos currently leads the Medical Solution at Jama Software. Prior to joining Jama Software, he worked in the medical device / IVD industry for over 17 years with roles in systems engineering, product development and project management. Vincent has successful history in launching new products to the global regulated market, and is experienced in product development, risk management, quality systems, and medical device regulations.
Romer De Los Santos
Romer De Los Santos has been developing software and firmware in the medical device industry since 1999. He is proud to have been involved in the development of a wide variety of medical devices including insulin infusion pumps, continuous glucose sensors, solid state mobile SPECT cameras, sequencers, liquid handling robots, and various IVD assays. He’s served in the roles of software developer, product owner, scrum master, internal auditor, systems engineer, software project lead, core team leader, and technical product manager before joining Jama Software as a senior consultant this past February.
https://www-dev.jamasoftware.com/media/2022/12/2022-12-22-2023-predictions-medical-product-development-1.jpg5121024Decoteau Wilkerson/media/jama-logo-primary.svgDecoteau Wilkerson2022-12-22 03:00:052023-01-12 16:46:022023 Predictions for Medical Device Product Development
In part two of our blog series, we cover the second half of our eBook, “A Guide to Road Vehicle Cybersecurity According to ISO 21434” – Click HERE for part one.
Much like other automotive standards, ISO 21434 defines a system engineering V-model to be followed for the development of cybersecurity features.
Concept Development
The cybersecurity V-model starts with the definition of the exact “item” that will be developed. The item is a component or set of components that implement functionality at the vehicle level and is defined in an item definition. In many cases, the same item definition may be used for both functional safety analysis and cybersecurity analysis.
Once the item has been clearly defined, a Threat Analysis and Risk Assessment (TARA) is performed to identify what cybersecurity threats exist for the item and what the risk of those threats are. For threats where the risk must be reduced, concept level requirements are developed, known as cybersecurity goals. Cybersecurity goals form the highest-level requirements for the system being developed from a cybersecurity perspective. For risks that will remain after cybersecurity goals are achieved, cybersecurity claims are documented to explain what, if any, risks still exist and why they can be accepted.
After defining cybersecurity goals, a cybersecurity concept is created. This documents the high-level concept that will be used to achieve the cybersecurity goals. The concept takes the form of cybersecurity requirements as well as requirements on the operating environment.
Product Development
Once a cybersecurity concept has been developed, the system must be designed in a way that will satisfy the cybersecurity requirements. Any existing architecture must be updated to consider the cybersecurity requirements. Each component of the system should be designed to support the cybersecurity requirements.
Although ISO 21434 provides an example of developing a system in two layers of abstraction, no specific number of layers is required. Instead, the standard leaves it to the product development organization to define a process appropriate for the complexity of their system. This ensures that organizations can adapt the standard to a wide range of systems and, for many, means that their existing system engineering process will satisfy ISO 21434.
Once the components of the system have been designed and integrated, the system must be verified to ensure that it meets the cybersecurity requirements.
The methods for verifying the system can include:
Requirements-based testing
Interface testing
Resource usage evaluation
Verification of the control flow and data flow
Dynamic analysis
Static analysis
The integration and verification activities should be documented in a verification specification and the results of verification documented in a verification report.
Validation of Cybersecurity Goals
While the focus of verification is ensuring that the item meets the cybersecurity requirements, validation ensures that the item achieves the cybersecurity goals. This is done by first validating that the cybersecurity goals are adequate and then validating that the item achieves the cybersecurity goals. Validation may involve reviewing work products, performing penetration testing and reviewing all the managed risks previously identified. A rationale for the validation activities is required. The completed validation is documented in a validation report.
Even after product development is complete, the cybersecurity lifecycle continues.
Production
During the production phase, the item that has been developed is manufactured and assembled. A production control plan is required to ensure that cybersecurity requirements for post-development that were identified earlier in the lifecycle are applied to ensure that no vulnerabilities are introduced during production.
Operations and maintenance
Once an item has been integrated into a vehicle and the vehicle is on the road, new cybersecurity threats can still be identified. ISO 21434 requires organizations to have a plan for how to respond to this scenario.
Organizations must create a cybersecurity incident response plan each time a new cybersecurity incident occurs. This plan includes what remedial actions are required and how they will be performed. The response may range from providing new information to vehicle owners, to over-the-air updates, to recalls where the owner must bring the vehicle in for service.
End of cybersecurity support and decommissioning
Given that the cybersecurity lifecycle continues after vehicles have been sold to consumers, a method for ending cybersecurity support for those vehicles is needed. ISO 21434 focuses on developing a plan for communicating with customers when cybersecurity support ends. Since decommissioning can occur without the organization’s knowledge and in such a way that decommissioning procedures cannot be enforced, ISO 21434 only requires making documentation available to explain how to decommission the item with regards to cybersecurity, if this is even required.
Integrating the Cybersecurity with Overall System Engineering
ISO 21434 defines many cybersecurity-specific requirements and requires personnel with specific cybersecurity knowledge and skills. Because of this, it may be tempting for organizations to silo cybersecurity engineering activities from other engineering activities, but this would be a mistake. While risk analysis required by ISO 21434 can be considered as a separate activity from other system engineering activities, a single product still must be developed that meets a wide range of requirements, including cybersecurity requirements. For this reason, it is best to manage a unified database for requirements, architecture, and design, rather than tracking cybersecurity artifacts separate from others.
To support this, think of cybersecurity analysis as another input to product development, just like functional safety analysis and market analysis.
By taking a unified approach, a single system engineering V-model can be implemented that describes an overall product development process that incorporates cybersecurity without creating silos. While specialists will be focused on performing cybersecurity analysis, implementing known best practices and validating the final system achieves cybersecurity, this must be done in cooperation and coordination with the rest of product development.
How Jama Connect® Supports Cybersecurity Engineering
One way to implement a unified requirements, architecture, and design database is by using Jama Connect®. Jama Connect for Automotive provides a framework that incorporates the key requirements of ISO 21434 into a single project structure along with overall system engineering.
Specifically, Jama Connect for Automotive provides guidance on supporting the following activities:
TARA Cybersecurity goals
Cybersecurity concept
Design Integration and verification
Validation
An example of the framework is shown below:
Conclusion
ISO 21434 introduces a robust framework for organizations to apply the state-of-the-art in cybersecurity to their product development. This framework is necessary from both a market and regulatory perspective. The high-level of connectivity available in vehicles today means that there many ways for someone to maliciously change a vehicle’s operation. While many consumers may be unaware of the risks today, if there are ever accidents that result from cyber-attacks, that will change quickly. A vehicle OEM’s brand will surely be impacted by such as incident. In addition, regulators have already imposed strong cybersecurity requirements in many regions. ISO 21434 is quickly becoming an essential regulation for companies developing products at all levels of the automotive supply chain.
Whether your team is young or seasoned, small, or large, all together or scattered across boundaries, Jama Connect for Automotive can help improve processes, reduce costs, improve time to market, and help achieve ASPICE compliance. To learn more about Jama Connect for Automotive, download our datasheet.
Interested in learning more about how Jama Connect for Automotive can help provide your team meet market demands more quickly and efficiently?
According to this EU survey, 17,095 valid medical device and IVD certificates are set to expire in 2024 and 2025. Now is the time to get your requirements management and documentation in order, so you’re in the best position to meet with notified bodies and update your certification.
Euro Roundup: MDCG publishes guidance on MDR, IVDR authorized representative requirements
The Medical Device Coordination Group (MDCG) has published guidance on the role and requirements of authorized representatives under the new medtech regulations. In the guidance, MDCG unpacks what the Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) mean for authorized representatives, manufacturers and other economic operators.
EU regulations require manufacturers without a presence in a member state to appoint a sole authorized representative who serves as their EU contact person and is central to ensuring compliance . MDR and IVDR outline the obligations of authorized representatives and enhance their responsibilities.
“The manufacturer and the authorized representative are free to configure the structure of their contractual relationship as they see appropriate, as long as there is a written mandate that meets the minimum requirements of Article 11(3) of the Regulations and the content of which is agreed between the parties. A mandate should be drawn up irrespective of whether the authorized representative is independent/outside of or is part of the same larger organization as the manufacturer,” according to the guidance.
Article 11(3) requires the authorized representative to perform tasks specified in their mandate with the manufacturer. Upon request, the authorized representative must provide a copy of the mandate to the competent authority. The article also describes the minimum tasks that the mandate should cover, but the authorized representative can agree to take on additional activities. Certain responsibilities cannot be delegated by manufacturers to authorized representatives.
The responsibilities of authorized representatives include verifying the existence of EU declaration of conformity and technical documents and, if applicable, that an appropriate conformity assessment procedure has been carried out by the manufacturer. Authorized representatives may inform their manufacturers if they have reason to believe the conformity assessment procedure is inappropriate for the device in question. Other tasks include keeping a copy of the EU declaration of conformity.
Authorized representatives need to comply with the registration obligations set out in MDR and IVDR, for example by registering their details in EUDAMED. The regulations require authorized representatives to update their information within one week of a change.
Three pharma trade groups have warned that EU proposals on wastewater treatment will jeopardize access to medicines without helping the green transition.
The Commission sees applying a “polluter pays” policy to the pharmaceutical and cosmetics industries as a fair response to evidence that the sectors “are jointly responsible for 92% of the toxic load in wastewaters,” notably because there is “sufficient evidence on the existence of micropollutants from these products in wastewater and there are treatments to remove their harmful residues.”
AESGP, EFPIA and Medicines for Europe, trade groups that represent different types of drugmakers, see things differently. In a joint statement, the bodies branded “blanket levies on medicinal products based on patient excretion levels” as “unprecedented, disproportionate, unfair and ineffective.” The trade groups warned the proposal will be “very detrimental to society, if increased burdens on companies mean that many essential medicines are no longer viable and result in shortages.”
“It is frustrating that duplicative and unworkable proposals for levies on medicines to address wastewater management are thrown at the pharmaceutical industry. This undermines our efforts to reduce our environmental footprint and more worryingly, negatively impact patients who need medicines. It is a lose-lose proposal,” said Adrian van den Hoven, director general at Medicines for Europe.
Few active pharmaceutical ingredients pose risks to the environment and “these are very well under control given the concentration levels found in European waterways,” according to the joint statement. As “pharmaceuticals are only a small fraction of the substances that an improved wastewater treatment would remove,” the proposal would see drugmakers finance wastewater treatment upgrades that would remove micro-pollutants from other “unaccounted” sources of water contamination.
PRAC recommends restricting use of JAK inhibitors in inflammatory disorders
The Pharmacovigilance Risk Assessment Committee (PRAC) has proposed restricting the patients who receive JAK inhibitors for chronic inflammatory conditions to mitigate risks linked to the molecules.
JAK inhibitors including AbbVie’s Rinvoq and Pfizer’s Xeljanz are used to treat inflammatory conditions such as rheumatoid arthritis. However, regulators are wary of the side effects caused by the class of molecules, leading the US Food and Drug Administration to apply boxed warnings and PRAC to review the EU rules to ensure the benefits outweigh the risks.
The European Medicines Agency (EMA) committee recommends that patients aged 65 years or above, people at increased risk of major cardiovascular problems, individuals who smoke or have done so for a long time in the past, and those at increased risk of cancer should generally receive other treatments. Those patients should use JAK inhibitors only in the absence of suitable alternatives.
PRAC’s proposed restrictions reflect the findings of a clinical trial of Xeljanz, which linked it to a higher risk of major cardiovascular problems, cancer, venous thromboembolism, serious infections and death than TNF-alpha inhibitors. Some developers of JAK inhibitors have sought to differentiate their molecules based on safety, but the PRAC recommendation covers five drugs for chronic inflammatory disorders.
Notified body survey quantifies the 2024-25 bottleneck for medical device, IVD certifications
An EU survey has revealed the number of medical device and IVD certifications that are set to expire in 2024 and 2025, respectively. Notified bodies have identified the years as a potential bottleneck in the transition to MDR and IVDR.
While the EU has countered the threat of MDR and IVDR causing near-term supply disruption, the delays have potentially only pushed the problems out by a few years. The EU survey of notified bodies shows that 17,095 valid certificates issued under the old device directives will expire in 2024, compared to 1,387 this year and 4,311 in 2023.
As of October, companies had filed 8,120 MDR applications, up from 6,188 in April. Applications are growing faster than MDR certifications, which rose from 1,069 in April to 1,990 in the latest survey.
EDQM strikes agreement with EU to support substances of human origin regulatory framework
The European Directorate for the Quality of Medicines & HealthCare (EDQM) has agreed to enhance its cooperation with the EU on substances of human origin (SoHO) such as blood, organs, tissues and cells.
Under the terms of a jointly financed agreement that will run to 2024, EDQM will “contribute to providing all Council of Europe member states, including the EU 27, with a coherent European regulatory SoHO framework and to supporting professionals of the sector in implementing this framework and in strengthening their SoHO systems.”
The agreement builds on decades of collaboration with the EU, including technical cooperation on SoHO that dates back more than 10 years. EDQM and the EU framed the expanded scope of the agreement to make “the best use of their respective strengths and resources.”
In part 1 of this 2 part blog series, we overview our eBook, “A Guide to Road Vehicle Cybersecurity According to ISO 21434” – We will link to part 2 here when it publishes.
As the automotive industry becomes more complex and more connected, cybersecurity is emerging as a major concern, and therefore a priority for development teams.
One standard, in particular, has been developed to address cybersecurity risks in the design and development of car electronics — ISO SAE 21434 “Road vehicles — Cybersecurity Engineering.”
In this guide, we cover:
An overview of ISO SAE 21434
The urgency behind automotive cybersecurity
How Jama Connect® supports cybersecurity engineering
Introduction
As the automotive industry becomes more complex, and more connected, cybersecurity is emerging as a major concern, and therefore priority, for development teams.
While vehicles have been traditionally isolated systems that had to be physically accessed to tamper with, increasingly, more and more vehicles include wireless connectivity. According to Juniper Research, the number of vehicles with wireless connectivity will rise from 110 million in 2020 to an excess of 200 million by 2025. These vehicles pose a much greater cybersecurity risk than previous designs.
One standard in particular has been developed to address cybersecurity risks in the design and development of car electronics – ISO SAE 21434 “Road vehicles — Cybersecurity Engineering.”
In this guide, we will examine this important automotive cybersecurity standard, how it is impacting automotive development, and lastly how Jama Software® can help.
What is Automotive Cybersecurity?
Cybersecurity, within the context of road vehicles, is the protection of automotive electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation.
What is ISO 21434?
Regarded as one of the most comprehensive approaches to connected vehicle cybersecurity, ISO 21434 specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance, and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces.
This standard supports the implementation of a Cybersecurity Management System (CSMS).
The first edition of ISO 21434 was published in 2021 and automotive suppliers and OEMs should strongly consider integrating ISO 21434 into their current process.
What is a Cybersecurity Management System (CSMS)?
A Cybersecurity Management System is a systematic risk-based approach defining organizational rules and processes, security policies, resources, and responsibilities to manage risk associated with cyber threats to vehicle road users and protect them from cyber-attacks.
ISO 21434 provides vocabulary, objectives, requirements, and guidelines for cybersecurity engineering in the context of electrical and electronic systems within road vehicles. The goal of the standard is to enable the engineering of electrical and electronic systems to keep up with the state-of-the-art technology and evolving cybersecurity attack methods. Adhering to the standard will allow organizations to define cybersecurity policies and processes, develop a cybersecurity culture, and manage cybersecurity risk.
The structure of the standard is as follows:
14 clauses, 11 are normative
Similar structure and vocabulary as ISO 26262
Each clause has at least one requirement and one work product
Some clauses have RC (recommendations), and PC (permissions)
Nine informative appendixes
Terminology
To achieve the goal of a common vocabulary within cybersecurity engineering for road vehicles, ISO 21434 defines a number of terms.
Asset: A part of an item that has cybersecurity properties (ex: OBD II port, safety requirements)
Attack Path: A series of steps that an intruder could use to compromise an asset
Cybersecurity Goal: Top level product requirement resulting from the TARA (see below for TARA definition)
Cybersecurity Claim: An identified risk that will be accepted, typically mitigated by liability transfer
Cybersecurity Concept: Cybersecurity requirements on the item and operating environment that implement controls to protect against threats
Damage Scenario: The potential damage to a road user caused by the realization of a threat scenario
Item: A component or a set of components that implements a function at the vehicle level. Could be identical to the functional safety item
TARA: Threat and Risk Assessment. Assets with cybersecurity properties are identified and damage scenarios are identified if the asset is compromised. Threat scenarios are identified and supported with attack paths. Risk values are assigned, and cybersecurity goals are established for unacceptable risk
Threat Scenario: Potential cause of the compromise of the cybersecurity properties of one or more assets that leads to a damage scenario
Lifecycle
ISO 21434 defines a cybersecurity lifecycle that starts with the definition of a new vehicle system and ends with that vehicle system being decommissioned or support by the OEM ending.
This means that cybersecurity activities continue after a system is put into production to ensure that new vulnerabilities that are discovered after a system enters production are still identified and mitigations added if necessary.
ISO 21434 defines requirements for an entire organization developing automotive systems to ensure that the necessary cybersecurity governance and culture are in place to support cybersecurity engineering. This includes ensuring that the organization acknowledges that there are cybersecurity risks, executive management is committed to the management of the risks, and that the organization has defined rules and processes to implement the requirements of ISO 21434.
In addition, the organization must have personnel in cybersecurity roles that are competent, policies that define how information can be shared both internally and externally, an appropriate quality management system, management of all product development tools, and robust information security. Audits must be performed to ensure that the organization achieves the objectives.
Project-Specific
Each project that develops or updates a road vehicle system or component must manage the cybersecurity engineering activities specific to that project. This includes the following considerations:
a) Assigning the responsibilities regarding the project’s cybersecurity activities to specific individuals
b) Planning the cybersecurity activities that will be performed during the project
c) Creating a cybersecurity case that provides the argument for the cybersecurity of the system or component
d) Performing a cybersecurity assessment if the project risks deem it necessary
e) A decision of whether the system or component can be released for post-development from a cybersecurity perspective.
Thank you for reading part 1 of this 2 part blog series. We will link to part 2 here when it publishes.
https://www-dev.jamasoftware.com/media/2022/12/2022-12-06-guide-to-road-vehicle-cybersecurity-1.jpg5121024McKenzie Jonsson/media/jama-logo-primary.svgMcKenzie Jonsson2022-12-06 03:00:052023-01-12 16:46:06A Guide to Road Vehicle Cybersecurity: Part 1
Jama Software is always looking for news on our customers that would benefit and inform our industry partners. As such, we’ve curated a series of customer spotlight articles that we found insightful. In this blog post, we share a press release, sourced from Cision Distribution by PR Newswire, about one of our customers, magniX titled “magniX Powers First Point-To-Point Flight of an All-Electric Helicopter” – originally published on November 4, 2022.
magniX Powers First Point-To-Point Flight of an All-Electric Helicopter
Flight of Battery-Powered Robinson 44 Helicopter Accelerates Path to Sustainable Delivery of Life-Saving Organs
EVERETT, Wash., Nov. 4, 2022 /PRNewswire/ — magniX, a manufacturer of electric propulsion solutions for aviation, is pleased to have powered the first fully-electric helicopter flight between airfields, in partnership with Tier 1 Engineering. The modified electric Robinson 44 (eR44) helicopter powered with a magniX magni250 electric propulsion unit (EPU) made its historic journey from Jacqueline Cochran Regional Airport to Palm Springs International Airport, arriving on 29 October 2022 at 11:00am PST, in a flight that lasted approximately 20 minutes.
magniX Powers First Point-To-Point Flight of an All-Electric Helicopter
Tier 1 Engineering is developing the magniX-powered eR44 for Lung Biotechnology PBC, a subsidiary of United Therapeutics Corporation, a biotechnology company dedicated to addressing the severe shortage of transplantable organs in the U.S. The magniX EPU was retrofitted into the helicopter together with a battery system developed by Tier 1 Engineering, specialists in the design and development of electric aircraft. The eR44 is designed to deliver human and manufactured organs for transplant with zero carbon emissions at the point of use.
“Building from our first flight of the eR44 helicopter last June, the successfully completed point-to-point flight takes us a step closer to the sustainable transport of life-saving organs,” said Nuno Taborda, CEO of magniX. “magniX is excited to be part of an initiative that will positively affect those in need of urgent medical care. This is only the start of the applications for electric helicopters, which have a bright future as low-cost, carbon-free, reliable alternatives to combustion engine models.”
magniX Celebrates Another Industry First
Since December 2019, magniX has also provided the technology to power a number of first flights, including that of Harbour Air’s “eBeaver”, a Cessna “eCaravan” and, most recently in September 2022, Eviation’s all-electric commuter aircraft, Alice. This point-to-point flight of an electric rotary aircraft represents the latest first for the industry-leading electric solutions company. Tier 1 Engineering is currently working with the FAA on the eR44 project to obtain a Supplemental Type Certificate (STC). Lung Biotechnology PBC plans to acquire a fleet of sustainable aircraft to transport transplant organs.
“We are committed to charting a new path forward for the zero-carbon delivery of life-saving organs,” said Dr. Martine Rothblatt, one of the helicopter’s pilots and CEO of United Therapeutics Corporation. “Saturday’s point-to-point flight proves that the technology necessary for our mission is already here, as we actively work with the FAA to certify the eR44 helicopter.”
“Together we achieved an incredible outcome for the world’s first airport-to-airport cross-country all-electric helicopter flight,” said Glen Dromgoole, President of Tier 1 Engineering. “magniX has again demonstrated the reliability and power of its electric propulsion units, and we’re proud to continue this journey to create sustainable options for organ donation and, ultimately, help save lives.”
About magniX
Headquartered in Everett, Washington State, U.S., magniX is dedicated to leading an era of environmentally-friendly and sustainable aviation. magniX has developed a family of flight-proven electric propulsion units (EPUs) and is fast maturing its energy storage systems (ESS) for commercial aviation. With high levels of reliability, unparalleled performance and operational practicality, magniX is leading the aviation industry into a sustainable future. magniX is a subsidiary of the Clermont Group, an international business group headquartered in Singapore. For further information, please visit www.magnix.aero.
https://www-dev.jamasoftware.com/media/2022/11/magniX-Customer-Spotlight.png5121024Decoteau Wilkerson/media/jama-logo-primary.svgDecoteau Wilkerson2022-11-21 03:00:542023-01-12 16:46:09magniX Powers First Point-To-Point Flight of an All-Electric Helicopter
In this blog, we recap our press release on Jama Software® becoming the ONLY requirements management vendor that is SOC 2 Type 2 compliant on the application layer and data center offerings.
Jama Software® Receives SOC 2 Type 2 Attestation
Jama Software is the only vendor in the requirements management and traceability space that is SOC 2 Type 2 compliant both on the application layer and the data center offerings.
Jama Software®, the leading requirements management and traceability solution provider, has announced that it has completed its SOC 2 Type 2 audit, performed by KirkpatrickPrice. This attestation provides evidence that Jama Software has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.
“The SOC 2 audit is based on the Trust Services Criteria. Jama Software delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Jama Software’s controls.” Joseph Kirkpatrick, President, KirkpatrickPrice
A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the American Institute of Certified Public Accountants (AICPA). During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of Jama Software’s controls to meet the standards for these criteria
“We take great pride in being the first and only multi-tenant, pure-SaaS offering in our space. And now, with SOC 2 compliance, Jama Connect customers have additional validation and confidence that they are getting unparalleled best-in-class security, business continuity, and can further mitigate risks and scale with compliance.” Marc Osofsky, Chief Executive Officer, Jama Software
Click below if you wish to learn more and start using Jama Connect:
About KirkpatrickPrice
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit www.kirkpatrickprice.com.
About Jama Software
Jama Software is focused on maximizing innovation success. Numerous firsts for humanity in fields such as fuel cells, electrification, space, autonomous vehicles, surgical robotics, and more all rely on Jama Connect® to minimize the risk of product failure, delays, cost overruns, compliance gaps, defects, and rework. Jama Connect uniquely creates Live Traceability™ through siloed development, test, and risk activities to provide end-to-end compliance, risk mitigation, and process improvement. Our rapidly growing customer base of more than 12.5 million users across 30 countries spans the automotive, medical device, life sciences, semiconductor, aerospace & defense, industrial manufacturing, financial services, and insurance industries. Visit us at jamasoftware.com.
Jama Software is always looking for news on our customers that would benefit and inform our industry partners. As such, we’ve curated a series of customer spotlight articles that we found insightful. In this blog post, we share content, sourced from WIRED, about one of our customers, Illumina titled “The Era of Fast, Cheap Genome Sequencing Is Here” – originally published on September 29, 2022, by Emily Mullin.
The Era of Fast, Cheap Genome Sequencing Is Here
Illumina just announced a machine that can crack genomes twice as fast as its current version—and drive the cost down to $200 a pop.
Illumina says its NovaSeq X machine will get the price of sequencing down to $200 per human genome. COURTESY OF ILLUMINA.
THE HUMAN GENOME is made of more than 6 billion letters, and each person has a unique configuration of As, Cs, Gs, and Ts—the molecular building blocks that make up DNA. Determining the sequence of all those letters used to take vast amounts of money, time, and effort. The Human Genome Project took 13 years and thousands of researchers. The final cost: $2.7 billion.
That 1990 project kicked off the age of genomics, helping scientists unravel genetic drivers of cancer and many inherited diseases while spurring the development of at-home DNA tests, among other advances. Next, researchers started sequencing more genomes: from animals, plants, bacteria, and viruses. Ten years ago, it cost about $10,000 for researchers to sequence a human genome. A few years ago, that fell to $1,000. Today, it’s about $600.
Now, sequencing is about to get even cheaper. At an industry event in San Diego today, genomics behemoth Illumina unveiled what it calls its fastest, most cost-efficient sequencing machines yet, the NovaSeq X series. The company, which controls around 80 percent of the DNA sequencing market globally, believes its new technology will slash the cost to just $200 per human genome while providing a readout at twice the speed. Francis deSouza, Illumina’s CEO, says the more powerful model will be able to sequence 20,000 genomes per year; its current machines can do about 7,500. Illumina will start selling the new machines today and ship them next year.
“As we look to the next decade, we believe we’re entering the era of genomic medicine going mainstream. To do that requires the next generation of sequencers,” deSouza says. “We need price points to keep coming down to make genomic medicine and genomic tests available much more broadly.”
Reagents and buffer cartridges. COURTESY OF ILLUMINA.
Sequencing has led to genetically targeted drugs, blood tests that can detect cancer early, and diagnoses for people with rare diseases who have long sought answers. We can also thank sequencing for the Covid-19 vaccines, which scientists started developing in January 2020 as soon as the first blueprint of the virus’s genome was produced. In research labs, the technology has become essential for better understanding pathogens and human evolution. But it still isn’t ubiquitous in medicine. That’s in part because of the price tag. While it costs around $600 for scientists to perform sequencing, clinical interpretation and genetic counseling can drive the price to a few thousand dollars for patients—and insurance doesn’t always cover it.
Another reason is that for healthy people, there’s not yet enough evidence of benefits to prove that genome sequencing will be worth the cost. Currently, the test is mostly limited to people with certain cancers or undiagnosed illnesses—although in two recent studies, around 12 to 15 percent of healthy people whose genomes were sequenced ended up having a genetic variation that showed they had an elevated risk of a treatable or preventable disease, indicating that sequencing may provide an early warning.
For now, researchers—not patients—will likely benefit most from cheap sequencing. “We’ve been waiting for this for a long time,” says Stacey Gabriel, chief genomics officer at the Broad Institute of MIT and Harvard, of the new improvements. “With greatly reduced costs and greatly increased speed of sequencing, we can sequence way more samples.” Gabriel is not affiliated with Illumina, but the Broad Institute is something of an Illumina power user. The institute has 32 of the company’s existing machines and has sequenced more than 486,000 genomes since it was established in 2004.
Gabriel says there are a number of ways that researchers will be able to apply added sequencing power. One is to increase the diversity of genomic datasets, given that the vast majority of DNA data has come from people of European descent. That’s a problem for medicine, because different populations might have different disease-causing genetic variations that are more or less prevalent. “There’s really an incomplete picture and a hampered ability to translate and apply those learnings to the full population diversity in the world,” Gabriel says.
Another is to boost the size of genetic datasets. In the early 2000s, when the Broad Institute started a project to search for genes related to schizophrenia, researchers had 10,000 genomes from people with the condition, which didn’t yield many insights, Gabriel says. Now, they have amassed more than 150,000.
A lab technician loads a flow cell onto Illumina’s sequencer. COURTESY OF ILLUMINA
Comparing those genomes to those of people without schizophrenia has allowed investigators to uncover multiple genes that have a profound impact on a person’s risk of developing it. By being able to sequence more genomes faster and more cheaply, Gabriel says they’ll be able to find additional genes that have a more subtle effect on the condition. “Once you have bigger data, the signal becomes clearer,” she says.
“This is the kind of thing that shakes up everything you’re working on,” agrees Jeremy Schmutz, a faculty investigator at HudsonAlpha Institute for Biotechnology, of new sequencing technology. “This reduction in sequencing cost allows you to scale up and do more of those large research studies.” For Schmutz, who studies plants, cheaper sequencing will allow him to generate more reference genomes to better study how genetics influence a plant’s physical characteristics, or phenotype. Large genomic studies can help improve agriculture by accelerating the breeding of certain desirable crops, he says.
Illumina’s sequencers use a method called “sequencing by synthesis” to decipher DNA. This process first requires that DNA strands, which are usually in double-helix form, be split into single strands. The DNA is then broken into short fragments that are spread onto a flow cell—a glass surface about the size of a smartphone. When a flow cell is loaded into the sequencer, the machine attaches color-coded fluorescent tags to each base: A, C, G, and T. For instance, blue might correspond to the letter A. Each of the DNA fragments gets copied one base at a time, and a matching strand of DNA is gradually made, or synthesized. A laser scans the bases one by one while a camera records the color coding for each letter. The process is repeated until every fragment is sequenced.
For its latest machines, Illumina invented denser flow cells to increase data yield and new chemical reagents, which enable faster reads of bases. “The molecules in that sequencing chemistry are much stronger. They can resist heat, they can resist water, and because they’re so much tougher, we can subject them to more laser power and can scan them faster. That’s the heart of the engine that allows us to get so much more data faster and at lower costs,” says Alex Aravanis, Illumina’s chief technology officer.
That said, while the cost per genome is dropping, for now, the startup cost for a machine itself is steep. Illumina’s new system will cost around $1 million, about the same as its existing machines. The high price tag is a key reason they’re not yet common in smaller labs and hospitals, or in rural regions.
Another is that they also require experts to run the machines and process the data. But Illumina’s sequencers are completely automated and produce a report comparing each sample against a reference genome. Aravanis says this automation could democratize sequencing, so that facilities without large teams of scientists and engineers can run the machines with few resources.
Illumina isn’t the only company promising cheaper, faster sequencing. While the San Diego-based company currently dominates the marketplace, some of the patents protecting its technology expire this year, opening the door for more competition. Ultima Genomics of Newark, California, emerged from stealth mode earlier this year promising a $100 genome with its new sequencing machine, which it will begin selling in 2023. Meanwhile, a Chinese company, MGI, began selling its sequencers in the United States this summer. Element Biosciences and Singular Genomics, both based in San Diego, have also developed smaller, benchtop sequencing machines that could shake up the marketplace.
Ultima’s machine design has replaced the traditional flow cell with a round silicon wafer just under seven inches in diameter. Josh Lauer, the company’s chief commercial officer, says the disc is cheaper to manufacture and has a bigger surface area than a flow cell, allowing more DNA to be read at once. Because the disc rotates like a record under a camera instead of moving back and forth like flow cells do, Lauer says it requires smaller volumes of reagents and speeds up imaging. “We think this will enable scientists and clinicians to do more breadth, depth and frequency of genome sequencing,” he says. “Instead of just looking at tiny parts of the genome, we want to look at the whole genome.”
Ultima Genomics’ sequencing machine. PHOTOGRAPH: ULTIMA
Ultima’s machine isn’t widely available yet, and the company hasn’t released the price, though Lauer says it will be comparable to other sequencers on the market.
The increased competition could be a boon to the genomics field, but research is often slow to translate to health improvements in real people. It will likely take time before patients see a direct benefit from cheaper sequencing. “We’re at the very, very beginning,” deSouza says.
https://www-dev.jamasoftware.com/media/2022/10/Illumnia-Customer-Spotlight.png5121024Decoteau Wilkerson/media/jama-logo-primary.svgDecoteau Wilkerson2022-10-27 03:00:042023-01-12 16:46:14The Era of Fast, Cheap Genome Sequencing Is Here
FDA Updates to the Medical Device Cybersecurity Guidance
With an increase in connected medical devices, cybersecurity has become a hot topic for regulatory agencies. In the last few years, cybersecurity incidents have impacted medical devices and hospital networks disrupting the delivery of medical care and potentially putting patients at risk. Cybersecurity is the process of preventing unauthorized access, modification, misuse, denial of use, or simply the unauthorized use of information that is stored, accessed, or transferred from a product to an external recipient.
The focus on cybersecurity has led to several cybersecurity related guidance documents being published in the last few years. These guidance documents can be used by manufacturers to ensure that they are addressing cybersecurity in a way that meets the expectation of regulatory agencies. Some of the most important guidance documents available include:
The FDA originally released the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices guidance in 2014, which was a total of nine pages long and covered the elements of a cybersecurity process and the core functions of a cybersecurity framework (Identify, Protect, Detect, Respond, and Recover). The April 2022 update to the guidance is forty-nine pages and addresses cybersecurity as part of both the Quality Management System (QMS) and the Total Product Lifecycle (TPLC). According to the FDA, the changes in the guidance are intended to further emphasize the importance of ensuring that devices are designed securely and to be capable of mitigating emerging cybersecurity risks throughout the TPLC, as well as more clearly outline the FDA’s recommendations for premarket submission information to address cybersecurity concerns.
Keeping in mind that the changes to the guidance were to ensure that cybersecurity is addressed as part of the TPLC and the QMS, the following specific requirements have been added to the cybersecurity guidance:
The guidance attempts to ensure that manufacturers are doing everything needed to design devices that are secured. The FDA now requires manufacturers to implement development processes that account for and address cybersecurity risks as part of design controls (21 CFR 820.30). This includes identification of security risks, the design requirements for how the risks will be controlled, and evidence that the controls are effective.
The FDA recommends the implementation and adoption of a Secure Product Development Framework (SPDF) to address cybersecurity throughout the TPLC. An SPDF is a set of processes that reduce the number and severity of vulnerabilities in products throughout the device lifecycle; using an SPDF is one approach to help ensure that QSR requirements are met.
The guidance includes requirements for labeling to provide information pertaining to the device’s cybersecurity controls, potential risks, and other relevant information
The guidance requires a Security Risk Management Process (at an organizational level) to identify, assess and control security risks. The process for performing security risk management should be a distinct process from performing safety risk management as described in ISO 14971:2019. FDA recommends that manufacturers establish a security risk management process that encompasses design controls (21 CFR 820.30), validation of production processes (21 CFR 820.70), and corrective and preventive actions (21 CFR 820.100) to ensure both safety and security risks are adequately addressed. The Safety Risk Management process and the Security Risk Management Process, although separate, must be integrated, so that Security risks that can result in patient harm, once identified, can be evaluated and assessed for risk acceptability using the Safety Risk Management process. When a security risk or control measure could have a possible impact on patient safety or medical device effectiveness, then it should be included in the product risk assessment. Likewise, any risk control that could have an impact on security should be included in the security risk assessment.
FDA recommends that threat modeling be performed throughout the design process to inform and support the risk analysis activities.
The guidance requires that Cybersecurity risks posed by third party software components must be addressed and evidence be included in the Design History File.
The guidance recommends the use of a Software Bill of Materials (SBOM) and specifies the information required to be contained in the SBOM, or as part of the documentation.
The guidance specifies requirements for a Security Risk Management Plan and a Security Risk Management Report.
The guidance requires vulnerability testing and penetration testing, along with verification of effectiveness of security controls.
The guidance specifies a requirement for a Vulnerability Communication Plan, since cybersecurity risks evolve as technology evolves throughout a device’s TPLC, FDA recommends that manufacturers establish a plan for how they will identify and communicate vulnerabilities that are identified after releasing the device. The Vulnerability Communication Plan should also address periodic security testing.
In summary, the new FDA cybersecurity guidance raises the bar on how FDA expects industry to address cybersecurity throughout the TPLC and imposes requirements for additional deliverables, testing, and labeling.
https://www-dev.jamasoftware.com/media/2022/10/2022-10-25-fda-updates-cybersecturity-guidance-1.jpg5121024Mercedes Massana/media/jama-logo-primary.svgMercedes Massana2022-10-20 03:00:252023-01-12 16:46:15FDA Updates to the Medical Device Cybersecurity Guidance
Jama Software is always on the lookout for news on our customers that would benefit and inform our industry partners. As such, we’ve curated a series of customer spotlight articles that we found insightful. In this blog post, we share content, sourced from Mass Device, about one of our customers, Surgalign titled “FDA Clears Surgalign’s Cortera Spinal Fixation System” – which was originally published on August 24, 2022, by Sean Whooley.
FDA Clears Surgalign’s Cortera Spinal Fixation System
Surgalign (Nasdaq:SRGA) has announced that it received FDA 510(k) clearance for its Cortera spinal fixation system.
Deerfield, Illinois-based Surgalign said in a news release that the new flagship Cortera product represents a key product portfolio piece. Surgalign officials see Cotera driving the company’s future growth. It could ensure market gains in the posterior fixation market.
“The Cortera system is a testament to the spine engineering talent and expertise we’ve assembled in very short order, as we moved from zero engineers in the United States following the RTI divestiture two years ago, to approximately 30 today,” said Terry Rich, president and CEO of Surgalign. “Thanks to our team and incredible surgeon partners, we progressed from company inception to FDA 510(k) clearance with a very polished system in approximately 16 months. We are excited with the prospects the Cortera system brings to Surgalign, and those around the world who rely on our technology to drive better patient outcomes.”
Cortera, a 5.5/6mm rod pedicle screw system, offers both open and minimally invasive surgery (MIS) modules, plus a feature-rich screw design with a comparatively low profile and newly designed locking mechanism.
Surgalign designed Cortera to maximize adoption in the spine market, both today and in the future with evolving techniques and technologies. The company added that Cortera demonstrates the ways in which spinal implants will be deployed with technologies like its own HOLO Portal surgical guidance platform.
The company plans to integrate Cortera with HOLO Portal to create what it labeled “an unrivaled user experience for pedicle screw navigation.” Surgalign also has plans for additional implants and instruments to add to the system over the next few years to expand applications into a majority of posterior fixation spinal procedures.
Surgalign will offer Cortera in a limited market release, which it expects to positively contribute to its 2022 fourth-quarter results and in the coming years.
“The system is hands down the most precise, elegant and comprehensive screw that currently exists in my opinion,” said Dr. Jeremy Smith, chief of spine, Hoag Orthopedic Institute. “I find the system has an evolved sophistication that provides a high-quality user experience and enhanced clinical performance in challenging pathologies.”
Are you a Jama Software customer looking to fill open positions at your organization with prospects who have Jama Connect experience? We’d love to help! Tag us on LinkedIn (@jamasoftware) with your job posting and we’ll share it!
