Understanding ISO/IEC 27001: A Guide to Information Security Management
In today’s interconnected world, the importance of securing sensitive information cannot be overstated. Organizations face numerous threats to their information assets, ranging from cyberattacks to data breaches. To address these challenges, many businesses turn to internationally recognized standards for information security management, with ISO/IEC 27001 standing out as a cornerstone in this field.
ISO/IEC 27001 is a globally recognized standard that provides a systematic approach to managing sensitive information, ensuring the confidentiality, integrity, and availability of data within an organization. Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), this standard outlines best practices for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
Key Principles:
Risk Management: ISO/IEC 27001 is fundamentally built on the concept of risk management. Organizations are required to identify and assess information security risks, implement controls to mitigate those risks, and continuously monitor and review the effectiveness of these controls.
PDCA Cycle: The Plan-Do-Check-Act (PDCA) cycle is at the core of ISO/IEC 27001. Organizations plan their ISMS, implement the plan, check its effectiveness through monitoring and measurement, and act to continually improve the system.
Scope and Requirements:
Scope Definition: Organizations must clearly define the scope of their ISMS, specifying the boundaries and applicability of the standard within their operations.
Risk Assessment: A comprehensive risk assessment is a critical component. This involves identifying assets, evaluating vulnerabilities and threats, and determining the potential impact of information security incidents.
Control Objectives and Controls: ISO/IEC 27001 provides an Annex A, which includes a set of control objectives and controls covering various aspects of information security, such as access control, cryptography, and incident management. Organizations choose and implement controls based on their specific risk profile.
Implementation Process:
Leadership and Commitment: Senior management plays a crucial role in the successful implementation of ISO/IEC 27001. Leadership commitment ensures that information security is integrated into the organization’s culture and business processes.
Documentation: Proper documentation is essential to demonstrate compliance with the standard. This includes the Information Security Policy, risk assessment reports, and records of monitoring and measurement activities.
Training and Awareness: Employees need to be aware of their role in maintaining information security. Organizations should provide training programs to enhance the awareness and competence of personnel.
Certification Process:
Third-Party Certification: Organizations can undergo a certification process conducted by accredited certification bodies to validate their compliance with ISO/IEC 27001. This certification provides assurance to stakeholders, customers, and partners that the organization has implemented a robust ISMS.
Benefits of ISO/IEC 27001:
Risk Reduction: By identifying and addressing potential risks, organizations can significantly reduce the likelihood of security incidents.
Enhanced Reputation: ISO/IEC 27001 certification enhances an organization’s reputation, demonstrating a commitment to information security best practices.
Legal and Regulatory Compliance: Adherence to ISO/IEC 27001 helps organizations comply with various legal and regulatory requirements related to information security.
Competitive Advantage: Certification can be a differentiator in the marketplace, giving organizations a competitive edge by assuring customers of their commitment to information security.
Continual Improvement:
Monitoring and Review: Regular monitoring and review of the ISMS ensure its ongoing effectiveness. This includes conducting internal audits and management reviews to identify areas for improvement.
Feedback Loop: ISO/IEC 27001 emphasizes the importance of feedback mechanisms, ensuring that lessons learned from incidents or changes in the business environment are incorporated into the ISMS.
ISO/IEC 27001 provides a robust framework for organizations to establish and maintain an effective Information Security Management System. By adopting this standard, businesses can mitigate risks, enhance their reputation, and demonstrate a commitment to safeguarding sensitive information in an ever-evolving digital landscape. As information security continues to be a top priority, ISO/IEC 27001 remains a valuable tool for organizations seeking a comprehensive and internationally recognized approach to managing information security.
Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Matti Gray, Mandi Walker, and McKenzie Jonsson.
https://www-dev.jamasoftware.com/media/2024/04/2024-04-09-iso-iec-27001-information-security-managment_1024x512.jpg5121024Jama Software/media/jama-logo-primary.svgJama Software2024-04-09 03:00:262024-04-05 10:35:04Understanding ISO/IEC 27001: A Guide to Information Security Management
Jama Connect® Features in Five: Automated Testing
Learn how you can supercharge your systems development process! In this blog series, we’re pulling back the curtains to give you a look at a few of the powerful features in Jama Connect®… in about five minutes.
In this Features in Five Integration Series video, Steven Pink – Senior Solutions Architect at Jama Software® – demonstrates an integration of automated test results with Jama Connect® through a Python Script and our open REST API.
VIDEO TRANSCRIPT
Steven Pink: Hello and welcome to the Features in Five Integration series. My name is Steven Pink, and I’m a Senior Solutions Architect here at Jama Software. Today we’ll be walking through a live demo of integrating some existing automated test results with Jama Connect through a Python script using our open REST API.
We make it possible for you to integrate Jama Connect with your preferred best-of-breed software to achieve Live Traceability™ across the end-to-end development cycle. Live Requirements Traceability is the ability for any engineer, at any time, to see the most up-to-date and complete upstream and downstream information or any requirement, no matter the stage of systems development or how many siloed tools and teams it spans.
This enables significant productivity and quality improvements and dramatically reduces the risk of product delays, cost overruns, defects, rework, and recalls, and ultimately results in faster time to market.
Pink: The goal of integrating automated test results is typically to better visualize test coverage for requirements. Jama Connect can identify and call out gaps in test coverage, as we see here, while also visualizing and reporting on the test results using filters, dashboards, and exportable reports.
Automated testing can be performed in a variety of ways, including the usage of automation servers and different frameworks. But regardless of the approach, all we need to integrate is to add requirement identifiers to our automated test results, so that they can be traced back to the requirements they cover and then make a call to the Jama Connect REST API to submit the latest results and traceability.
All right, now I want to talk about automated testing in Jama Connect. In this example project that we’re looking at, it’s a simple software development project where we’re gathering requirements, breaking those down into epics and stories, and then performing manual and automated tests.
In this example, our manual tests are being performed in Jama’s testing environment, but we have automated tests, that are actually automated test scripts, that we’re populating results into Jama with traceability, as a part of the automated test script, so that we have end-to-end traceability through our automated test results.
If I look at my manual test cases in the project hierarchy, we can see these manual tests have been created, some of them have been run, and results have been recorded. But if I switch over and look at my automated test cases, we’ll see there aren’t any yet. That’s because I haven’t run any automated test scripts.
Pink: Now what I’m going to do is I’m going to execute an automated test script that will record some results for a few different tests. I’m going to run this module, and it’s going to start executing. And if we give it just another minute now.
If I go to my automated test cases, I’ll refresh this and you’ll see it’ll populate. We now have four automated test results that have been populated into Jama. We can populate these items with any kind of information from those automated test results, whether that be issues that arose during the execution or execution data. We can also keep track of whether they passed or failed, if we have a specific pass or fail parameter we can track through them.
The benefit of integrating automated testing with Jama Connect is that we can keep track of our traceability proactively as we run our automated tests. If I look at any one of these automated tests, you’ll see under the relationships, because in our test script we associated the test with a user story, that traceability has been built into this proactively. So when we execute our automated test, the results populate into Jama Connect with traceability.
Thank you for watching this Features in Five session on integrating automated test results to show requirement test coverage in Jama Connect. If you are an existing customer and want to learn more, please reach out to your customer success manager or consultant. If you’re not yet a client, please visit our website at jamasoftware.com to learn more about the platform and how we can help optimize your development process. Thanks for watching.
https://www-dev.jamasoftware.com/media/2024/04/FIF-Automated-Testing-Integration.jpg10801920Steven Pink/media/jama-logo-primary.svgSteven Pink2024-04-05 03:00:142024-04-02 14:58:22Jama Connect® Features in Five: Automated Testing
Jama Software is always looking for news that will benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Med Device Online, titled “Navigating EU MDR Compliance: Overcoming Challenges To Sustain Your Certification” – written by Hilde Viroux and Maggie Chan (PA Consulting) and Dona O’Neil (Northeastern University) and originally published on March 19, 2024.
Navigating EU MDR Compliance: Overcoming Challenges To Sustain Your Certification
Since the introduction of the EU MDR in 2017, the medical device industry has learned just how challenging obtaining initial MDR certification truly is. According to a survey of notified bodies, the number of certificates issued as of June 2023 covers roughly one-third of the applications submitted. Taking into account that it can take months to have an application approved, and then six months to two years before the certificates are issued, it is no surprise that there is a lot of fatigue with EU MDR in general. The requirements keep being updated, timelines extended, and the EU database for medical devices, EUDAMED, is still not up and running. Notified bodies are also struggling to keep up with the demand for reviews of MDR certificates, consequently impacting the ability to accurately predict certificate approval timeline and budget.
Sustaining Certification Is An Ongoing Task, Not A One-Time Finish Line
There is the misperception that obtaining the MDR certification is an end point, and budget and resources can be redirected. However, EU MDR creates a “new normal” for medical devices manufacturers. The continuous evolution of regulatory standards and frequent guidance updates creates a dynamic landscape, demanding ongoing diligence to comprehend and adhere to changing requirements. Sustaining compliance involves addressing various challenges, including establishing a streamlined process for updating all regulatory documentation, reallocating resources with specialized training for optimal risk management, aligning documentation with the latest regulatory demands, developing systems to ensure effective communication and transparency across the organization, and formulating a strategic plan that aligns with global regulations to minimize the cost of maintaining compliance across various geographical regions.
Due to the additional requirements of EU MDR, especially in the post-market phase, the cost of business year over year to maintain compliance for product in the market has increased significantly and the impact may not be well understood at the senior management level. As we go into 2024 with significant headwinds impacting the medical device industry and continuing with a soft economy, resources for EU MDR compliance are even more stringent, forcing companies to reevaluate the value proposition of their products and their long-term desire to maintain CE marks in the EU market. Moreover, manufacturers need to balance delivering innovative technology while ensuring existing products maintain the highest standards of safety and quality.
Already while working toward EU MDR compliance, manufacturers of medical devices should be thinking how to set up the organization in the post-certification phase in an efficient way. You need to think about how to establish robust processes that can adapt to evolving regulatory requirements, as well as to ensure procedures, trained resources, and systems are in place to efficiently incorporate updates/modification from the latest regulations.
EU MDR and supporting guidance give strict timelines for the updates of the various documents such as the Clinical Evaluation Report (CER), the Periodic Safety Update Report (PSUR), and the Risk Management Report (RMR), all supporting the life cycle activities for medical devices. Apart from the update frequency defined in the regulation or guidance, there are external factors that may trigger an unscheduled update, such as a Field Safety Corrective Action (FSCA). Under MDD, these reports didn’t exist, or no update frequency was defined.
The RMR, CER, and PSUR are part of the technical documentation, which in turn has to be kept “continuously” up to date, putting even more pressure on the various functions to ensure the updates are aligned to avoid discrepancies in the technical documentation.
The responsibilities for dealing with the device life cycle activities per EU MDR are typically distributed over various functions who don’t operate under the same timelines or priorities. For example, the clinical teams may be dealing both with life cycle management activities such as post-market clinical follow-up and with clinical data collection for products in the pipeline, supporting innovation. Quality or medical safety may be dealing with complaints and incident reporting while they also have to generate the PSUR.
Budget
Maintaining compliance after EU MDR certification will require companies to allocate budget. The size of the budget will depend on how well the organization is prepared. If your company has looked into effective governance for management, optimized the documentation governance process, and established a centralized system to ensure communication and transparency among different stakeholders, the process may be smoother, with less resources required. Companies also can consider outsourcing some life cycle management activities. The risk with outsourcing is that some of the “know how” may be lost to the company and that critical information gained from the post-market surveillance activities is not circled back in an efficient way to the proper groups in the organization.
Additional budget for the life cycle maintenance activities will impact the cost of goods, which, in turn, impacts pricing of the devices in the market. Minimizing these costs by implementing the most efficient solution for the company may lead to a competitive advantage in the market.
Other Regulatory Bodies Soon To Follow Suit
Many other regions follow the EU when it comes to regulating medical devices. They are coming with similar requirements in both the pre- and post-market phases, specifically surrounding QMS, clinical evidence, and post-market surveillance requirements. The continuous evolution of regulatory standards and frequent guidance updates create a dynamic landscape demanding ongoing diligence to comprehend and adhere to the changing requirements. Ensuring the device documentation meets the appropriate standards will facilitate and speed up access to market in other regions than the EU. It also creates an opportunity to gain efficiencies when requirements are aligned, as it reduces rework and rewriting of submission documentation and labelling changes.
A common perception is that once certification is achieved, the workload for sustaining it decreases for reasons such as the strategy has been set, less literature will need to be reviewed, and fewer PMS data sets will need to be analyzed during the update frequency. While this may be true in theory, the effort will only decrease with a streamlined process that supports strong interdependency between risk, quality, regulatory, and clinical affairs.
Sustaining compliance involves tackling diverse challenges, including establishing a streamlined approach for updating clinical and post-market documentation, reallocating resources with specialized training for consistent risk management, aligning documentation with the latest regulatory demands, and formulating a strategic plan that aligns with global regulations to minimize the cost of maintaining compliance across various geographical regions. Moreover, given the significant headwinds that the medical device industry is facing, manufacturers will have to balance delivering innovative technology while ensuring existing products maintain the appropriate standards of safety and quality put forth by international regulations.
As we progress into 2024 and swiftly approach the initial MDR implementation date of May 2024, manufacturers should be shifting their focus to how their remediation efforts can be applied to sustaining compliance: What are essential functions and where is there room to trim?
About the Authors:
Hilde Viroux is a medtech expert at PA Consulting and is an expert on the European Medical Devices Regulation. She has broad experience in regulations, quality, manufacturing, supply chain, and project management in the pharmaceutical and medical device industry. She has an MSc in medical technology regulatory affairs from Cranfield University in the U.K. and a BS in biochemistry engineering.
Maggie Chan is a life sciences and regulatory expert at PA Consulting. She focuses on leading process and operation improvement for medical device and pharmaceutical companies. She has led labeling remediation and e-labeling process design projects in compliance with global medical devices regulation for both implantable and non-implantable medical devices. She has been supporting companies by building capabilities and designing processes to ensure they comply with ISO 13485, EU MDR, 21 CFR, etc., in line with the product portfolio. She has a Master of Science in law from Northwestern Pritzker School of Law in the U.S. and a BS in biology.
Dona O’Neil is an industry EU MDR expert and an adjunct professor for Northeastern University’s master’s program in regulatory affairs. She has experience developing and implementing EU MDR clinical evidence requirements across many therapeutic areas and all device classifications. O’Neil has an MPH (healthy policy concentration) from George Washington University and is certified as a clinical research professional by SOCRA.
https://www-dev.jamasoftware.com/media/2024/03/Navigating-EU-MDR-Compliance-Overcoming-Challenges-To-Sustain-Your-Certification.jpg5121024Jama Software/media/jama-logo-primary.svgJama Software2024-04-04 03:00:392024-03-28 15:34:23Navigating EU MDR Compliance: Overcoming Challenges To Sustain Your Certification
In this blog, we recap our webinar, “Best Practices for Writing Requirements” – Click HERE for the full version.
Best Practices for Writing Requirements
“Needs.” “Features.” “Requirements.”
Regardless of what terminology your teams use to identify and define requirements, the purpose of good requirements is to create a shared understanding of the promise, functionality, appearance, and value for the products you develop across all stakeholders.
In this insightful session, our industry experts will guide participants through the different ways teams can write better requirements to remove ambiguity and improve development outcomes. In this webinar you will learn how to:
Create a simple, systematic, and standardized process that your teams can follow
Separate requirements from design and establish hierarchy
Ensure traceability of requirements during development
Below is an abbreviated transcript of our webinar.
Best Practices for Writing Requirements
Patrick Garman: Hello everyone, let me introduce myself and my co-host. I am Patrick Garman, I’m a Principal Solutions Consultant here at Jama Software, and I work with customers across multiple industries to optimize requirements management practices to help innovators succeed. Before coming to Jama Software, I had 10 years of product development experience and I’ve led teams to successful product launches in soft tech, consumer electronics, logistics, healthcare, government and public sector, and the financial services industries. And now I serve as the services lead for improving requirements quality at Jama Software. Joining me today as well is Danny.
Danny Beerens: Hi. Thank you, Patrick, for introducing me. I’m Danny Beerens, Senior Solution Consultant here at Jama Software, and I will be assisting Patrick today. I have nearly two decades of experience in system engineering, and I have successfully implemented, trained, maintained, and supported application lifecycle management application, specifically requirements management application. Throughout my career, I have worked on projects and collaborated with customers in the medical device, aerospace and defense, automotive, and semiconductor industries.
Beerens: So let’s start off today. Jama Software’s purpose is to help innovators succeed, as Patrick already mentioned. And the key to successful innovation is writing high-quality requirements for your products. We want you to walk away from this session with an understanding of why requirements are important and give you a useful framework from which to build your requirements-authoring skills. Basically, we are setting the groundwork here. We’ll expose you to the challenges in product development as they relate to requirements, and we will talk about how requirements help to bridge communication challenges. We’ll also provide you with important information and tools for authoring better requirements. So helping you write better requirements is why we are here, but what does that matter, why are we really here?
What we want and what I suspect you want too is to build safe and high-quality products, and requirements are an essential element in defining, designing, and developing great products. So yes, we want you to write better requirements, but writing better requirements is a means to a better end, a high-quality safe product, and good requirements also mean getting that great product with hopefully less communication friction, reduced rework, and building a work environment that encourages collaboration, transparency, and focuses on quality.
Beerens: So, let’s start with talking about why requirements are important. Requirements are the building blocks of product development and strong requirements lead to better products. Conversely, vague and unclear requirements cannot only lead to product issues but also to safety concerns. These quotes you see here from the US Food and Drug Administration Design Control Guidelines for Medical Device Manufacturers, and highlight the importance of quality requirement management in delivering safe products to the market. But these justifications for requirements can be applied to any industry or product. Keep in mind, that design control activities are intended to drive quality and safety into the product development process. And here, they are stating that requirements are the foundation to those safety activities.
Of course not all benefits of proper requirements management are related to safety, these also call out the impact to later product development lifecycle activities, finding that missing requirements or even ill-defined requirements can cause expensive redesign and rework, which makes sense considering the later issues are found in the product lifecycle, the more expensive the issue is to resolve, as you’ll need to circle back to previous phases to identify and address the issue at the root, and their impacts along the way. Requirements management activities are a way to avoid these issues from the start, thus reducing rework and redesign, and improving your quality. It also ensures you make the time to market. While the specific regulations and standards may vary, the same requirement management practices and principles are applicable to any industry.
https://www-dev.jamasoftware.com/media/2024/03/Best-Practices-Webinar-Recap-Blog.png5121024Jama Software/media/jama-logo-primary.svgJama Software2024-04-02 03:00:222024-03-28 15:13:59[Webinar Recap] Best Practices for Writing Requirements
In this blog, we recap our whitepaper, “Applications of Systems Engineering in Healthcare” – Download the complete paper HERE.
Applications of Systems Engineering in Healthcare
When it comes to healthcare, time to market is one of the most crucial aspects of success or failure. However, medical product development teams face several challenges that slow product development, and in the quest to speed up the process, some teams are turning to systems engineering to improve the process.
In this whitepaper, we’ll look at the challenges healthcare development teams face, the difference between market-driven and contract-driven industries, and how the power of simplicity can help healthcare systems engineering teams strike a perfect balance to adapt, innovate, and succeed.
The Challenges of Healthcare Systems Development
To understand how systems engineering can help, it’s important to first look at the challenges development teams face.
The shifting regulatory landscape presents more challenges, including the increased cost of adherence to such regulations as Software as a Medical Device (SaMD), Software in a Medical Device (SiMD), Medical Device Regulation (MDR), and In Vitro Diagnostic Regulation (IVDR). At one of the top medical device development firms, for example, their product developers had to monitor approximately 8,000 regulations. Ensuring that products meet quality, safety, and performance standards has a significant financial impact; getting it wrong can cost billions of dollars. Across the industry, non-routine quality events cost between $2.5 and $5 billion per year.
In addition to increasing design complexity, there is also an increase in process complexity. Software development teams have gone from between 20 and 40 people to hundreds of people. Artificial intelligence (AI), machine learning (ML), and other new technologies represent complexity inside devices. Organizations are getting more complex as well, with a heavy focus on acquisition, which means constantly integrating new teams and cultures, sometimes dispersed across the globe.
Systems engineering can help product developers in healthcare manage these complexities and streamline development to keep them competitive in a rapidly changing market.
To understand how systems engineering can improve speed to market, it’s important to first understand the difference between a “market-driven” and a “contract-driven” industry.
In a market-driven industry, the first mover tends to get the lion’s share of the profits. Market-driven industries have many customers, and the stakeholders are internal to the business. Budget, time, and requirements are negotiated within the organization.
In a contract-driven industry, success means satisfying the contract. Budget and time are fixed by the contract with one (or very few) customers. In this scenario, requirements are a key commitment negotiated within formal design control.
The two different industry models present very different requirements challenges. In a market-driven industry, requirements are an internal business tool that helps communicate across business functions. They must be validated, but the development team decides on timing and features. If a team member develops a new, innovative feature, everyone can agree to take extra time to develop it. In a contract-driven industry, that likely wouldn’t be possible given the constraints of the contract.
Systems engineering can help the market-driven industry turn ambiguous needs into clear and feasible solutions to be implemented by hardware and software teams.
Systems Engineering: From Needs to Solutions
Product developers in a market-driven industry receive a lot of input from the various stakeholders within the organization. Their task is to turn that input into marketable products that work seamlessly on day one, day fifty, and years later. The key value produced is the seamless integration of those products into every customer’s workflow and work systems. Every installation and every service event must produce a uniform, high-quality, high-performing product.
Within those constraints, developers need to optimize the business value. When there are multiple options, marketing will inform the team of the customer value of these options. The implementation teams will pass on the delivery and product costs of those functions. The role of systems engineering is to make trade-offs between those and optimize the business impact based on the cost of implementing them. Associated with that is managing technical risks and scaling costs by risk.
The key value of systems engineering is making sure design decisions are identified and closed predictably with one voice across the team. Decisions are framed, the options are agreed to, the decision criteria are agreed to, and the final decision is closed, and stays closed even as stakeholders change. Once the team has a frozen design, integration or quality problems can be found and resolved prior to moving on to the next phase. By creating time to react, teams allow themselves space to adjust design early in the program rather than rushing to fix quality issues before shipping.
Winning products happen when systems thinkers are effective. When everyone across the program engages in systems thinking, the team will maximize the creativity of the entire program.
As a process example, at one leading US-based medical device development company, engineering teams start with the end customer’s performance requirements, such as delivering excellent image quality in their imaging
products or the proper humidity and temperature for neonatal products. As part of delivering that essential performance, teams must ensure safety and regulatory compliance.
Their product teams also put a high emphasis on usability, ensuring that their products are easy to use and delight the customer. The teams define the right implementation requirements and reliability strategy, and they ensure that their products can be installed and serviced properly.
While there is tremendous diversity in products and programs across most medical device and life sciences companies, there are several commonalities across the product teams as well. Teams have common program milestones and a common systems’ lifecycle based on the V-model with iteration and Agile built in.
What differs in product teams are the levels of safety hazards and FDA risk. Teams develop everything from anesthesia technology, which could easily kill a patient, to ultrasound, which is non-ionizing equipment operated with light, handheld probes. To accommodate these different levels of risk, teams adjust the process rigor so that higher-risk modalities have higher process rigor.
Additionally, systems engineering teams can look very different across the world. Many organizations operate in different locations with different cultures and different organizational sizes. Systems engineering teams can vary from fewer than ten engineers to over one hundred engineers. The scale of the programs can range from just a few engineers over a few months to many hundreds of engineers applied to a program that might last three years and is based on technology developed over the prior decade. (Even in that research phase, teams should apply some systems engineering thinking.) Organizations can be product-centralized or decentralized within an organization.
https://www-dev.jamasoftware.com/media/2024/03/2024-02-08_applications-of-systems-engierring-in-healthcare-whitepaper-2.jpg5121024Chris Unger/media/jama-logo-primary.svgChris Unger2024-03-28 03:00:232024-03-26 14:32:48Applications of Systems Engineering in Healthcare
Jama Software is always looking for news that will benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from IndustryWeek, titled “Cybersecurity Concerns for Manufacturers in 2024” – written by Dennis Scimeca and originally published on January 15, 2024.
Cybersecurity Concerns for Manufacturers in 2024
The more networked and data-centric manufacturing becomes, the more manufacturing leaders ought not consider cybersecurity as something that only concerns the IT department. New SEC reporting rules and high-profile hacks against manufacturers with multimillion-dollar price tags last year curtly demonstrate the point.
Org-wide planning provides the best defense against cyberattack. Knowing what to expect in 2024 and taking proactive steps against threat actors may make the difference between publicly admitting your company wasn’t prepared and accordingly losing money and prestige, or not.
Educate Your Workforce
Human beings decidedly provide the weak links in cybersecurity hygiene. Erecting digital gates and demanding identification checks do nothing if your employees hand over virtual ID cards without realizing they’ve done it.
“Cyberattacks in 2024 will look EXACTLY as they have in the previous three-to-four decades. Most will involve social engineering. About a third will involve unpatched software or firmware. About 10-to20 percent will involve weak password issues. Those three root attack methods will make up 99% of the attacks against most people and organizations,” says Roger Grimes, data-driven defense evangelist at KnowBe4.
“To defend against them, aggressively focus more on preventing social engineering,” he adds. “This means deploying technical cyber defenses that prevent social engineering from reaching users. Because technical defenses will never be perfect, you must train your users in how to recognize the signs of social engineering, how to defeat it, and how to appropriately report it.”
Recognize OT as an Attack Surface
In addition to the best practice, general cybersecurity hygiene pertinent to any business, manufacturers must contend with the vulnerability of their operational technology (OT). Every networked machine on the floor provides a possible avenue for intrusion into your larger IT system.
“Lack of segmentation between IT and OT environments and lack of awareness into these systems provide key avenues for threat actors to cause impacts and outages. Organizations need to mitigate as much risk as possible by focusing on quality backups of not just corporate data, but OT configurations and data needed to restore systems, all with secure encryption,” says Tom Marsland, VP of technology at Cloud Range.
The question of whether to place responsibility for OT cybersecurity within the IT department, or instead to spin out a separate OT group, is not just organizational says Marty Edwards, Deputy CTO for OT/IoT at Tenable.
“CFOs and CISOs will look at the cost-benefit analysis of investing in IT vs. OT security, and they’ll see there’s more benefit to investing in OT than IT in 2024 that at any point until now. For every $1 spent in OT, organizations get more than what they get with $1 in IT security investment. OT investments buy down your risk much more so than IT security,” Edwards says.
Amir Hirsh, head of Tenable OT Security, wants manufacturers to acknowledge how green initiatives that involve OT monitoring can increase cybersecurity risks.
“With the growing attention and increase of costs and penalties around energy usage and carbon emissions, companies will turn to smarter management of their operations, which will increase OT-based sensor deployment and controls. We’ll see more and more IoT and OT devices in smart buildings, factory management and building management systems. These trends will expose companies to further risk as they will expand their attack surface and often connect these environments to the internet,” Hirsh says.
Integrating AI into OT carries specific risks and benefits, says Chaz Lever, senior director of security research at Devo.
“As we move into 2024, it’s imperative for manufacturers to place a strong emphasis on the security of their AI implementations. AI represents a new attack surface, and in the case of OT, attacks on AI systems could result in impacts that cross the cyber-physical barrier. Great care needs to be undertaken to make sure AI interacting with OT systems guards against the myriad of potential AI threats (e.g., prompt injection, adversarial examples, model inversion, etc.),” Lever says.
AI also has the potential to help protect OT systems through its integration into security operations. AI’s capability of sifting through massive quantities of security data and isolating high-priority alerts is becoming increasingly sophisticated. This enables AI to augment the capabilities of analysts in monitoring systems, conducting forensic investigations and proactive threat hunting,” Lever adds.
Kurt Markley, managing director for the Americas at Apricorn, points out that bad actors may also use AI to create ransomware tools, the most popular avenues for attack against manufacturers. Generative AI-powered ransomware attacks doubled against healthcare, municipalities and education orgs between August 2022 and July 2023, says Markley.
Manufacturers could be next on the list. Protecting critical data mitigates the risk.
“While almost all IT leaders say they factor in data backups as part of their cyber security strategies, research we conducted [in 2023] found that only one-in-four follow a best practice called the 3-2-1 rule, in which they keep three copies of data on two different formats, one of which is stored offsite and encrypted. Furthermore, this same research found that more than half of respondents kept their backups for 120 days or less, far shorter than the average 287 days it takes to detect a breach,” says Markley.
“The likelihood that AI-driven ransomware will impact far-higher numbers of organizations, it will be more important than ever in 2024 that organizations have a strong cyber resiliency plan in place that relies on two things: encryption of data and storage of it for an appropriate amount of time. IT leaders need to embrace the 3-2-1 rule and must encrypt their own data before bad actors steal it and encrypt it against them,” Markley adds.
Beware the Cloud?
Touted for many years for scalable data architectures and cost-effectiveness compared to on-premises infrastructures, manufacturers like Nissan have learned the cloud also carries cybersecurity risks. Don’t think that offloading data to the cloud means offloading related cybersecurity concerns to your cloud technology provider.
“It’s estimated that 30% of cloud data assets contain sensitive information. All that data makes the cloud a juicy target and we expect that 2024 will continue to show that bad actors are cunning, clever, and hard-working when it comes to pursuing data. The industry has seen triple the number of hacking groups attacking the cloud, with high-profile successes against VMware servers and the U.S. Pentagon taking place [in 2023],” Markley says.
As IT teams spend more on moving and storing data in the cloud, organizations must spend the next 12-to-24 months auditing, categorizing and storing it accordingly. They need to gain deeper visibility into what data they have stored in the cloud, how data relates to each other, and if it is still meaningful to the operations of the organization. In doing so, they are advised to create specific security policies about how, where and for how long they store their data. These policies, when actively enforced, will help organizations better protect their most valuable asset – their data,” he adds.
Effective cybersecurity’s layered, multi-faceted structure and accompanying price tag make it attractive for manufacturers to deprioritize, but the sooner they get on board with proper cybersecurity hygiene the sooner they can stop worrying about ever cutting a fat ransomware demand check…or what they’re going to tell the SEC in the annual 10-K filing.
“Ultimately, it’s crucial for security teams to collaborate closely with their organizational leadership to find an optimal equilibrium between security, user convenience, and technological innovation,” says Lever.
Grimes provides a checklist for basic, first cybersecurity steps:
Use phishing-resistant multifactor authentication (MFA).
If you can’t use MFA, use a password manager which will create and use long and complex, different passwords for every site and service you use.
“The organizations that focus on these core, necessary defenses correctly and don’t get sidetracked by a hundred other less useful shiny objects will significantly decrease cybersecurity risk,” Grimes says. “The organizations that don’t, will likely be hacked.”
https://www-dev.jamasoftware.com/media/2024/03/spotlight-ad-5.jpg5121024Jama Software/media/jama-logo-primary.svgJama Software2024-03-26 03:00:192024-03-25 10:41:48Cybersecurity Concerns for Manufacturers in 2024
Ready, Set, Launch: Welcoming the New Jama Software® User Community
We are excited to announce the launch of our new Jama Software® User Community! Hosted on Higher Logic’s Vanilla platform, this community will be based on their successful framework model and will serve as an improved hub for collaboration, discussion, and support. To learn more about the history of Jama Software®’s user community, which was first created in 2015, visit Empowering Customer Success: The Vital Role of Support and User Communities.
In preparation for the launch of this exciting new space, we interviewed Amanda Jennewein – Senior Manager of Customer Support at Jama Software, to find out what existing and new user community members can expect from this transition.
What were the main reasons or goals for relaunching the Jama Software Customer Community?
Amanda Jennewein: Launching the new Jama Software® User Community is a strategic initiative aimed at improving customer engagement and satisfaction, driving innovation, and strengthening the company’s brand presence in the digital space.
Enhanced Customer Engagement: Our goal is to strengthen customer relationships and create a supportive ecosystem by fostering a sense of belonging and collaboration. Building a vibrant online community allows customers to engage with each other, share experiences, and exchange best practices.
Knowledge Sharing and Support: As we recently shared, a community is valuable for users to access documentation, tutorials, and troubleshooting guides. By centralizing knowledge and expertise, Jama Software empowers customers to find solutions independently and receive support from peers and experts within the community.
Feedback Collection and Product Improvement: The community provides a channel for customers to provide feedback, suggest enhancements, and vote on feature requests. By soliciting input directly from users, we gain valuable insights into customer needs, preferences, and pain points, which can inform product development and roadmap prioritization.
Customer Success and Adoption: A thriving community contributes to customer success by facilitating collaboration, learning, and adopting Jama Software products and solutions. We aim to drive user satisfaction, retention, and advocacy by promoting engagement and self-service support options.
Brand Building and Thought Leadership: Hosting a vibrant community reinforces our position as a software development and requirements management leader. By curating valuable content, facilitating discussions, and showcasing customer success stories, we strengthen our brand reputation and thought leadership within the industry.
When will the new community be available for users to see?
Jennewein: The new community was officially launched on March 18, 2024. Users can now join the new community and explore its features.
What improvements can users anticipate from our new community?
Jennewein: The migration to Higher Logic Vanilla represents a significant upgrade for the Jama Software Customer Community, offering improved usability, performance, collaboration tools, and integration possibilities. These enhancements allow users to anticipate a more engaging and productive community experience.
Enhanced User Experience: Vanilla offers a modern and intuitive user interface, making it easier for community members to navigate, discover content, and engage with others. The platform’s clean design and user-friendly features create a more enjoyable and efficient user experience.
Improved Performance and Reliability: Vanilla’s infrastructure is designed to deliver better performance and reliability than the previous platform. Users can expect faster page loading times, smoother browsing experiences, and minimal downtime, ensuring uninterrupted access to community resources and discussions.
Streamlined Content Discovery: Vanilla provides robust search functionality and content categorization tools, enabling users to find relevant discussions, articles, and resources quickly. Advanced search filters and tags make locating specific topics of interest easier, facilitating knowledge sharing and collaboration within the community.
Federated search: Vallina connects to other tools to surface relevant content, regardless of where it lives.
Enhanced Customer Support Integration: Further integration of the community with customer support processes and systems to streamline issue resolution, facilitate peer-to-peer support, and provide faster access to assistance. Automation and self-service options will empower users to find solutions independently and reduce their dependency on traditional support channels.
Will users from our previous community notice any significant changes? Will they still be able to find the same information as before?
Jennewein: Overall, the structure and organization of the new customer community will prioritize usability, accessibility, and engagement, aiming to provide a valuable and enriching experience for users seeking support, knowledge sharing, and collaboration within the Jama Software community.
Homepage: The homepage serves as the central hub of the community, featuring essential announcements, latest discussions, and popular topics. It provides a snapshot of community activity and directs users to relevant sections and resources.
Discussion Categories: Discussions are typically organized into categories or topics based on themes, product features, or user needs. Precise categorization helps users find discussions relevant to their interests and expertise, promoting participation and knowledge sharing.
Digital Onboarding Guide: A dedicated section for articles, guides, tutorials, and other resources.
Q&A: Users can ask and answer questions within a community to facilitate self-service support and develop brand advocated.
Ideation: Provide feature requests while collaborating with peers by voting and commenting on ideas.
Events and Announcements: Information about upcoming events, webinars, product updates, and community announcements may be featured prominently to keep users informed and engaged.
User Profiles and Recognition: User profiles allow community members to personalize their experience, showcase their expertise, and connect with peers.
Search Functionality: Robust search functionality lets users quickly find relevant discussions, articles, and resources. Advanced search filters and tagging systems improve the discoverability and accessibility of content.
Community Guidelines and Support: Clear guidelines and rules for community participation help maintain a positive and respectful environment. Support resources, FAQs, and help documentation should be readily available to assist users and address any issues they encounter.
Verticalized Resources: Solution spaces for Automotive, Medical Devices & Life Sciences, Robotics, and Airborne Systems will be available to customers who have purchased additional licenses. These spaces offer industry resources, downloadable materials, and specific discussion areas.
Additional Downloadable Resources: Customers may purchase additional licenses to access downloadable content for:
Data Exchange
Jama Validation Kit (JVK) – Test cases and coverage reports
Functional Safety Kit (FSK) – ISO certifications, defects, and safety manuals.
Jama Connect Interchange™
How will the new community be moderated and managed to ensure a positive experience for members?
Jennewein: To ensure a positive experience for members, the new community will be moderated and managed through a combination of proactive measures, clear guidelines, and responsive support.
Clear Community Guidelines: Clear guidelines and rules for community participation help maintain a positive and respectful environment.
Designated Moderators: The community will have moderators responsible for overseeing discussions, enforcing community guidelines, and addressing any issues or concerns members raise. These moderators will be experienced and knowledgeable individuals who can maintain a respectful and inclusive environment within the community.
Prompt Response to Concerns: Our community encourages its members to report any concerns or violations of community guidelines to the moderators. Upon receiving such reports, the moderators will promptly investigate the issue thoroughly and take appropriate action to address the concern. This may involve removing inappropriate content, issuing warnings, or taking other necessary steps to ensure that our community remains a safe and welcoming place for all.
Transparent Communication: Moderators will communicate openly and transparently with community members, explaining decisions and actions. Transparent communication helps build trust and confidence among members and demonstrates a commitment to fairness and accountability.
Educational Initiatives: Besides taking enforcement actions, moderators will also undertake educational initiatives to encourage positive behavior and cultivate a culture of respect and collaboration among community members. This may include providing guidance on best practices for constructive communication, conflict resolution, and effective participation.
How will we address and resolve issues or concerns raised within the customer community?
Jennewein: Support resources, FAQs, and help documentation will be available to assist users and address any issues they encounter in partnership with moderators and the Online Community manager.
What plans does the company have for any additional future growth and evolution of the customer community?
Jennewein: The company’s plans for future growth and evolution of the customer community are focused on creating a vibrant, inclusive, and value-driven ecosystem that empowers users, fosters collaboration, and drives customer success with Jama Software products.
Expansion of Community Features: Continuously evaluate and introduce new features and functionalities to enrich the community experience.
Community Advocacy and Ambassador Programs: Identify and cultivate community advocates and ambassadors passionate about Jama Software products and actively contribute to the community. Recognize and reward these advocates for their contributions and empower them to champion the community, share their experiences, and advocate for the brand.
Feedback-driven Iterative Improvements: Continuously solicit feedback from community members through surveys, polls, and feedback forums to identify areas for improvement and prioritize future enhancements. Use this feedback to inform iterative updates and enhancements to the community platform, ensuring that it evolves in alignment with user needs and expectations.
Content Expansion and Diversification: Invest in expanding and diversifying the content available within the community, tailoring content to address community members’ evolving needs and interests, covering a broad range of topics related to Jama Software products and industry trends.
Conclusion
We are always working to improve and refine our customer experience, aiming to provide excellence in every interaction. If you are a current customer and would like to learn more, please contact your customer success manager or consultant. If you are not yet a client, please visit our website at jamasoftware.com to learn more about our platform and how we can help optimize your development process.
Important: Password Change Required for returning members to access the New Community Site
With the new site launch, returning members must update their password to access the new community site. This is an important step that needs to be taken for security reasons. We appreciate your cooperation. To change your password and gain access to the new Community site, please visit: community.jamasoftware.com
https://www-dev.jamasoftware.com/media/2024/03/2024-3-20-new-user-community-2.jpg512986Amanda Jennewein/media/jama-logo-primary.svgAmanda Jennewein2024-03-20 10:30:262024-03-20 10:17:10Ready, Set, Launch: Welcoming the New Jama Software® User Community
In this blog, we recap our webinar, “Traceable Agile™ – How to Achieve Speed and Quality with Software Delivery” – Click HERE to watch it in its entirety.
In this insightful session, Professor Paul Meadows MSc, PMP, CSM and Steven Meadows, Principal Solutions Lead at Jama Software®, explore Traceable Agile™, as well as best practices in terms of Agile processes, helping you ensure that your team is achieving the right balance between quality and speed.
You will learn about:
Best Practices and Tooling: Learn about the best practices in implementing effective agile processes and recommended tooling to enhance your team’s performance.
Balancing Speed and Quality: Strategies to ensure your software delivery is both fast and shipped with fewer defects
Implementing Traceable Agile: Dive deep into Traceable Agile, a methodology that promotes speed while maintaining a comprehensive historical and current view of your development process, enabling early issue detection.
Real-World Applications: Gain insights into how Traceable Agile is being implemented in various industries, and the benefits it has on software and hardware integration.
Below is an abbreviated transcript of our webinar.
Traceable Agile™ – How to Achieve Speed and Quality with Software Delivery
Professor Meadows: Well, first of all, I’d like to say thank you for inviting me to the webinar. Steven, I’m looking forward to this. Just in terms of my background, I’ve first of all completed a full career in the British Army and since then I’ve over 20 years of project management experience, really based in mostly world-class, global enterprises, building and managing project management offices, developing and executing project management policies and standards. I’ve got a master’s degree in project management from Liverpool University. I’m a certified project management professional with the Project Management Institute and I’ve been a certified scrum master for over eight years.
I’ve taught project management for Columbia University in New York City and I am currently the lead faculty professor for the master’s degree in project management at NYU, also in New York City.
Steven Meadows: Great, thanks for that introduction. Just as a brief introduction for myself here, my name is Steven Meadows. I’m a principal solutions lead and I represent my company Jama Software and we’ll be touching on what Jama Software is and the solutions that we offer shortly. I also have around about 12 to 13 years experience in solution architecture, solution implementation. I’m also certified in Agile development using Jira software as well as Jira project administration too. So I’ve helped out or helped a lot of different Agile teams implement Agile solutions and implement while using tools. I do briefly want to introduce Jama Software, our company, and also solutions that we develop.
So Jama Software really provides a suite of solutions that spans the entire product and systems development lifecycle, things like capturing and managing requirements’ traceability to ensuring collaboration across different departments and different teams throughout the software development lifecycle. Also, across other verticals as well. Now you’ll see some of the verticals on this slide that we support, including regulated industries like medical device and aerospace and defense, as well as pure software development and industrial manufacturing too.
Now, some of the ways that we really help our customers realize value with our tools by reducing development cycle times, increasing process efficiency, gaining visibility and control and so on. So with that then, Professor Meadows is now going to provide an overview on Agile, the Agile Manifesto, and some of the principles as well.
Professor Meadows: Thanks Steven. So here we are on the Agile overview page. We’re going to talk about some of the benefits, but as Agile development methodologies and frameworks become more and more the choice of organizations as we see here, they recognize the significant productivity improvements that can be achieved. It’s important here though, Steven, to really draw the distinction between waterfall requirements management and Agile requirements management. As we know, the strength of Agile is in the collaborative development that’s achieved with constant stakeholder and development team interaction over the more traditional approach where requirements are captured upfront largely and changes are not only unwelcome but actually considered disruptive.
And where they do occur generally they have to follow a fairly formal process of review and approval before they’re accepted. So in today’s very dynamic marketplaces, you can see clearly this is not going to help organizations achieve and maintain competitive advantage. So the four foundational values we see here were developed as part of the Agile Manifesto way back in 2001, and they’re really designed to efficiently elicit requirements and turn those requirements into functioning software. It’s about responding to change over following a plan.
And when you look at that in the context of the value placed in working software over comprehensive documentation, we really start to get to understand the challenges that emerge in trying to make sure our stakeholders and their needs are being met by what we deliver. This becomes even more complex when we start to look at the 12 Agile principles in more detail next. Before we move on to there, let me give you a little bit more detail about these values though. So individuals and interactions over processes and tools. Well this value itself emphasizes the importance of focusing on people and obviously their interactions with the team rather than solely relying on processes or tools.
But I don’t want to underestimate the value of processes and tools and we will definitely talk more about that through this webinar. This one really highlights the significance of effective communication, collaboration, and teamwork in delivering successful outcomes. Agile teams prioritize building strong relationships and that’s really one of the strengths that’s looked for as you build a team is that ability to build strong relationships and really fosters open communication, empowering individuals to make decisions that contribute really to the overall project success. Moving on to working software over comprehensive documentation.
Again, this is another one of those values we’re going to dig a lot deeper into through this webinar. But this value really underscores the importance of delivering functional software that meets the needs of the customer over extensive documentation, is the way it’s worded. And while documentation itself has its place in software development, tangible results are in the form of working software. Agile teams strive really to deliver value early and often. Today we’re seeing continuous delivery in many of the firms you’ve implemented successful Agile.
https://www-dev.jamasoftware.com/media/2024/03/Traceable-Agile-Webinar-3.png5121024Steven Meadows/media/jama-logo-primary.svgSteven Meadows2024-03-19 03:00:192024-03-18 10:47:28[Webinar Recap] Traceable Agile™ – How to Achieve Speed and Quality with Software Delivery
Understanding IATF 16949: A Quick Guide to Automotive Quality Management
In the ever-evolving landscape of the automotive industry, ensuring product quality and safety is paramount. One key standard that plays a crucial role in this pursuit is IATF 16949. In this article, we will delve into the intricacies of IATF 16949, exploring its significance, key elements, and benefits.
What is IATF 16949? IATF 16949, or the International Automotive Task Force 16949, is a globally recognized quality management standard specifically designed for the automotive sector. This standard is based on ISO 9001 and incorporates additional requirements tailored to the automotive industry. IATF 16949 was developed by the International Automotive Task Force (IATF) to promote quality, consistency, and continual improvement throughout the automotive supply chain.
Key Elements of IATF 16949:
Customer Focus: IATF 16949 places a strong emphasis on meeting and exceeding customer requirements. This includes understanding customer needs, providing defect-free products, and consistently delivering high-quality services.
Process Approach: The standard adopts a process-oriented approach to quality management. Organizations are encouraged to identify, manage, and optimize key processes to enhance efficiency and effectiveness in meeting objectives.
Risk Management: IATF 16949 requires organizations to identify and address potential risks within their processes. This proactive approach helps in preventing issues, ensuring product safety, and maintaining a robust quality management system.
Supplier Quality Management: Recognizing the interconnected nature of the automotive supply chain, IATF 16949 places a significant focus on supplier quality management. Companies must work closely with their suppliers to ensure that quality standards are consistently met throughout the supply chain.
Continuous Improvement: The standard promotes a culture of continual improvement, urging organizations to regularly assess and enhance their processes. This commitment to ongoing refinement helps companies stay ahead in a competitive market.
Benefits of Implementing IATF 16949:
Global Recognition: Achieving IATF 16949 certification provides organizations with global recognition, enhancing their credibility and opening doors to new business opportunities.
Improved Efficiency: By adopting the standard’s process-oriented approach, organizations can streamline their operations, reduce waste, and enhance overall efficiency.
Enhanced Customer Satisfaction: Meeting IATF 16949 requirements ensures that products and services consistently meet or exceed customer expectations, leading to higher satisfaction levels.
Risk Mitigation: The focus on risk management helps organizations identify potential issues before they escalate, reducing the likelihood of defects and recalls.
Competitive Advantage: IATF 16949 certification provides a competitive edge in the automotive industry. Many OEMs (Original Equipment Manufacturers) prefer working with suppliers who adhere to this globally recognized standard – and many companies are required to comply.
Companies that are part of the automotive supply chain, including manufacturers, suppliers, and service providers, may be required to comply with IATF 16949. This includes organizations involved in the production of automotive parts, components, and assemblies.
Key stakeholders in the automotive industry, such as original equipment manufacturers (OEMs) and their suppliers, often seek IATF 16949 certification to demonstrate their commitment to quality and compliance with industry standards. Certification to this standard is often a prerequisite for becoming a supplier to major automotive companies.
It’s important for organizations in the automotive sector to assess their specific contractual requirements and the expectations of their customers to determine whether compliance with IATF 16949 is necessary for their business. Certification to IATF 16949 is typically achieved through a third-party audit process conducted by accredited certification bodies.
What is a Quality Management System?
A Quality Management System (QMS) is a comprehensive framework of policies, processes, procedures, and records that an organization establishes and maintains to ensure its products or services consistently meet or exceed customer expectations. The primary goal of a QMS is to enhance customer satisfaction by consistently delivering high-quality products or services while also meeting regulatory requirements. It encompasses various elements such as quality planning, control, assurance, and improvement. A well-implemented QMS helps organizations identify and document their processes, set quality objectives, and monitor performance against these objectives. It often involves the use of standardized methodologies, documentation, and quality tools to foster a systematic approach to quality management, ensuring that every stage of the product or service lifecycle is controlled, measured, and continually improved upon. Certification to internationally recognized QMS standards, such as IATF 16946 and ISO 9001, provides external validation of an organization’s commitment to quality and can enhance its credibility in the marketplace.
Jama Connect® is a powerful tool that plays a pivotal role in assisting teams in meeting the requirements of a QMS within various industries, particularly those with stringent regulatory standards.
Here are several ways in which Jama Connect facilitates compliance with QMS requirements:
Documenting and Managing Requirements: Jama Connect provides a centralized platform for documenting and managing requirements throughout the product development lifecycle. It allows teams to create, review, and collaborate on requirements, ensuring clarity and consistency. This centralized approach enhances communication among team members, reducing the risk of misunderstandings and improving overall requirement management efficiency.
Enabling Risk-Based Thinking: The platform supports risk-based thinking by providing tools to identify, assess, and mitigate risks associated with product development. Teams can systematically evaluate potential risks, assign risk levels, and implement mitigation strategies. This proactive approach aligns with the risk management requirements of QMS standards, contributing to safer and more reliable product development.
Assisting with Change Management Processes: Change management is a critical aspect of QMS, and Jama Connect streamlines this process. Teams can efficiently capture and evaluate proposed changes, assess their impact on requirements and other project elements, and implement changes in a controlled manner. This ensures that changes are documented, reviewed, and tracked, promoting transparency and accountability in the change management process.
Enabling Traceability of Processes and Products: Jama Connect offers robust traceability features, allowing teams to establish and visualize relationships between requirements, tests, and other project artifacts. This traceability is crucial for demonstrating compliance with QMS standards, as it provides a clear linkage between various stages of the development process, from initial requirements to final product validation.
Easy Documentation for Evidence for Audits: Jama Connect simplifies the documentation process required for audits. The platform enables teams to generate comprehensive reports, traceability matrices, and documentation trails that serve as evidence of compliance with QMS standards. This facilitates smoother and more successful audits, as auditors can easily review and verify the necessary documentation.
Supporting a Continuous Improvement Process: Continuous improvement is a fundamental principle of QMS, and Jama Connect supports this by providing analytics and insights into project performance. Teams can analyze data on requirements, testing, and other project metrics to identify areas for improvement. This data-driven approach fosters a culture of continuous improvement, aligning with the principles of QMS standards.
Supporting a Customer Focus with Traceability to Customer Needs: Jama Connect helps maintain a strong customer focus by establishing clear traceability from requirements to customer needs. This ensures that the final product aligns with customer expectations and requirements. The platform’s traceability features provide a visual representation of how each requirement contributes to meeting customer needs, strengthening the customer-centric approach advocated by QMS standards.
IATF 16949 is a critical standard for the automotive industry, emphasizing quality management, risk mitigation, and continuous improvement. Organizations that invest in achieving and maintaining IATF 16949 certification position themselves as reliable partners in a highly competitive and demanding market, ensuring the production of high-quality automotive products.
Note: This article was drafted with the aid of AI. Additional content, edits for accuracy, and industry expertise by Matt Mickle and McKenzie Jonsson.
https://www-dev.jamasoftware.com/media/2024/03/2024-3-14-udnerstanding-iatf-16949-1-1.jpg512986Jama Software/media/jama-logo-primary.svgJama Software2024-03-14 03:00:152024-03-13 11:13:17Understanding IATF 16949: A Quick Guide to Automotive Quality Management
Decoding The FDA’s Draft Guidance On Computer Software Assurance For Medical Devices & Bio/Pharma
The current state of validation is seen as a hindrance to quicker deployments, with an emphasis on adhering to thorough documentation practices instead of building systems that align effectively with their intended use.
A risk-based approach to validation has been around for some time. However, life sciences companies have been challenged with identifying software risks and the desired level of validation effort. Simultaneously, medical device manufacturers have expressed a desire for greater clarity regarding the FDA’s expectations for software validation.
In a rapidly evolving landscape of technology and regulation, the FDA released a draft guidance on computer software assurance in 2022 that promises to reshape the validation of automated data processing system and quality system software in the pharma/medical device industry and to enhance the quality, availability, and safety of medical devices. In this article, I will walk you through the key elements of the guidance, providing valuable insights for professionals navigating the complexities of automated processes and quality system software.
Guidance Supersedes Section 6 Of Software Validation Guidance Of 2002
The forthcoming guidance is set to supersede Section 6 of the general principles of software validation guidance from 2002, signaling a paradigm shift in the approach to validating automated data processing system and quality system software. This guidance provides crucial recommendations applicable to the requirements of 21 CFR 820.70(i), focusing on automated processes integral to production and quality systems.
Understanding The Regulatory Scope
The guidance emphasizes the necessity for manufacturers to validate software used in production or the quality system for its intended use. However, it explicitly excludes software as a medical device (SaMD) or software in a medical device (SiMD) from its scope. The document prompts manufacturers to thoroughly assess whether the regulatory requirement applies to their specific software.
A central theme revolves around a risk-based approach, urging manufacturers to delve into the intended use of individual features, functions, and operations within their software. The guidance recognizes the complexity of software used in production or the quality system, often comprising multiple intended uses. It encourages manufacturers to conduct different assurance activities tailored to these specific elements based on a meticulous risk assessment.
The guidance outlines the components of a robust record of assurance activities, stressing the need for objective evidence. It recommends capturing the intended use, risk determination, details of assurance activities conducted, issues found, and a conclusion statement declaring the acceptability of results.
The guidance distinguishes between process risks and medical device risks. Process risks pertain to potential compromises in production or the quality system, while medical device risks focus on the potential harm to patients or users. The document emphasizes the FDA’s concern for software features, functions, and operations that pose both high process risk and a consequential medical device risk, aligning assurance activities with the severity of potential issues.
Manufacturers are encouraged to leverage existing process controls throughout production, particularly for lower-risk software features. The guidance emphasizes the importance of data and information collected by the software for continuous monitoring and issue detection post-implementation. It highlights the use of computer system validation tools, iterative testing cycles, and continuous monitoring as integral elements of a comprehensive assurance approach.
FDA always recommended leveraging all the vendor documentation when we were using computer system validation (CSV); now, in computer software assurance (CSA), FDA is strongly recommending leveraging all the vendor documentation and performing the remaining portion of testing in scripted and unscripted testing that is not covered in vendor testing.
FDA introduced new nomenclature for testing methods in CSA, scripted testing and unscripted testing, which are adopted from EC/IEEE/ISO 29119-1 First edition 2013-09-01: Software and systems engineering – Software testing – Part 1: Concepts and definitions, Section 4.94 to stay aligned with current practices and standards from IEEE for software testing.
The terms IQ, OQ, PQ relate to the original general principles of software validation guidance. The discussion at that time emphasized that IQ, OQ, and PQ, while relevant from a process standpoint and process-validation perspective, may not be directly applicable when dealing with software validation cases. It’s not a situation where these terms are irrelevant or inapplicable. Manufacturers always have had the freedom to structure their processes to meet the requirements of their quality system or business objectives. The use of these terms is optional, and if they provide clarity for the organization, they are free to adopt them. However, it hasn’t been explicitly stated before that these terms are crucial or necessary in the context of software validation.
Now, let’s dive into what unscripted testing and scripted testing are in terms of current software testing and how we can adapt to CSA activities.
Unscripted Testing
Unscripted testing is a software testing approach characterized by the absence of predefined test scripts or detailed test cases.
For context, current software testing practices say we don’t need any documentation, but in regulated companies we need to have minimum documentation. You are still laying out some objectives that need to be exercised, accomplished, or captured in some way, shape, or form. And within that context, there is a lot of flexibility with regard to developing a protocol established in 21 CFR 820.70(i), which states, “When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol.”
Unscripted testing is divided into three types:
Ad hoc testing: Ad hoc testing2 is an informal and unstructured software testing type aimed at disrupting the testing process to identify potential defects or errors in the early stages. This type of testing is typically unplanned in that it does not follow any documentation or test design techniques to formulate test cases. This type of testing tests features and functions with no test plan.
Error guessing: Error guessing3 is a testing technique based on the tester’s experience, where they use their expertise to speculate or guess about potential problem areas within the application. This method requires a skilled and experienced tester. This type of testing tests failure modes with no test plan.
Exploratory testing: Exploratory testing4 is a manual software testing technique conducted without a formal plan, allowing testers to deviate from scripted routines (repetitive and monotonous). It empowers testers to apply their skills creatively. Successful exploratory testers need critical thinking, creativity, and strong domain and technical knowledge.
While exploratory testing may seem unplanned, it isn’t random. It involves applying knowledge and expertise. Deep knowledge of the system under test is crucial for effective exploratory testing.
Establish high-level test plan objectives (no step-by-step procedure is necessary). Benefits of exploratory testing include:
Identifying edge cases and unexpected defects that scripted testing might overlook.
Testing from a user perspective to enhance user experience and usability.
Encouraging critical thinking among testers, preventing monotony, and improving software quality.
Increasing test coverage by exploring various scenarios and uncovering new defects.
Testing software in its early development stages to catch bugs early, even without formalized, scripted tests.
Providing flexibility to try new testing techniques, contributing to overall testing improvement.
Scripted Testing
Scripted testing refers to a software testing approach where the tester follows a predefined set of written instructions or scripts during the execution of test cases. Scripted testing includes both robust and limited scripted testing.
1: Robust scripted testing
This method of testing emphasizes ensuring that the testing process is not only thorough but also capable of being repeated consistently, traces back to defined requirements, and can be audited for transparency and accountability. The focus is on establishing a strong and reliable testing framework that contributes to the overall quality and reliability of the computer system or automation under examination. The test script should contain the following at a minimum:
test objectives
test cases (step-by-step procedure) ·
expected results
independent review and approval of test cases
2: Limited scripted testing
This method of testing customizes the testing strategy based on the risk profile, utilizing scripted testing for high-risk features or operations, while employing unscripted testing for low- to medium-risk elements. The goal is to create a balanced assurance effort that addresses varying levels of risk within the computer system or automation, optimizing testing resources accordingly. The test script should contain the following at a minimum:
test cases (step-by step procedure) identified
expected results for the test cases
Identification of the unscripted testing applied
independent review and approval of test plan
Leverage Technological Advances For Automated Traceability Testing
The guidance acknowledges the advancements in digital technology, advocating for electronic records over manual or paper-based documentation for efficiency. Delve into the meticulous documentation requirements outlined in the draft guidance. Discover how advances in digital technology can streamline the documentation process. Explore the FDA’s recommendation to leverage automated traceability testing and electronic records, reducing reliance on manual or paper-based documentation.
Embrace A Risk-Based Approach
The FDA’s draft guidance on computer software assurance is a call for a risk-based approach to instill confidence in automation used for production or quality systems. The four-step approach involves identifying the intended use, determining a risk-based strategy, selecting appropriate assurance activities, and establishing a comprehensive record. The guidance also invited manufacturers to actively engage, provide comments, and seek clarity on this transformative document that aims to harmonize technology and regulatory expectations in the ever-evolving medical device industry.
Is the draft guidance only for medical device companies that use software as a part of medical device production? No, it also applies to any other software applications. This draft guidance was prepared by the CDRH, CBER in consultation with CDER, Office of Combination Products, and Office of Regulatory Affairs. Specifically, this draft guidance provides recommendations regarding the requirements outlined in 21 CFR 820.70(i).5
This will supersede Section 6, “Validation of Automated Process Equipment and Quality System Software”, of the FDA’s software validation guidance, but it doesn’t replace “General Principles of Software Validation.”
Leverage the testing that is already completed by vendors or any testing that was done as part of your SDLC; don’t repeat the testing and always take credit for whatever is already completed.
CSA does not replace the existing computer system validation (CSV); instead, CSA is the lean approach of doing CSV by leveraging/using the existing vendor documentation.6
Using screenshots to establish the record associated with the assurance activities is not necessary, as you can use any system logs, audit trails, and any other electronic sources of data generated by the system.
Regulated companies don’t have to wait until this CSA draft guidance becomes effective; they can start implementing CSA immediately, as per the FDA.
Conclusion
If implemented correctly, CSA has the potential to significantly impact the industry and business operations. It can lead to a substantial return on investments, reducing costs by 50% (in my experiences) and saving both time and resources. Moreover, CSA contributes to enhancing the overall quality process through the application of critical thinking.
This article reflects the author’s viewpoints, opinions, and personal experience, and does not necessarily reflect those of his company or shareholders.
About The Author:
Hemadri Doma is a seasoned life sciences professional with more than nine years of expertise in the pharmaceutical and medical device industry. He is a subject matter expert in computer systems validation (CSV), computer software assurance (CSA), data integrity, equipment validation, process automation, artificial intelligence, pattern recognition techniques, and facilities validation. He has served in roles spanning engineering, facilities, information technology (IT), QC laboratory systems, process automation, validation, and quality processes. Doma currently holds the position of QA computer system validation engineer III at Tolmar Inc.
https://www-dev.jamasoftware.com/media/2024/03/Curated-Med.jpg5121024Jama Software/media/jama-logo-primary.svgJama Software2024-03-07 03:00:252024-03-05 11:17:41Decoding The FDA’s Draft Guidance On Computer Software Assurance For Medical Devices & Bio/Pharma
