Here’s Hoping NERC Doesn’t Follow the 21 CFR Part 11 Model


Michael Causey, Editor & Publisher, eDataIntegrityReport.com


If 21 CFR Part 11 had a favorite song, it might be The Beatles’ “The Long and Winding Road,” though Sheryl Crow’s “Everyday Is a Winding Road” is also a pretty good guess for any DJ hitting the classic rock archives.

We all know the two steps forward, one step (or more) backward path that Part 11 has taken in the past ten-plus years.

Now we’ve got the makings of an interesting parallel in the NERC world.

In testimony [http://www.nerc.com/news_pr.php?npr=359] July 21 before the U.S. House of Representatives’ Committee on Homeland Security hearing on securing the modern electric grid from physical and cyber attacks, NERC VP and Chief Security Officer Michael J. Assante made a valiant, and somewhat successful, attempt to articulate NERC’s view and its expectations for the industry participants subject to its regulation and audits.

As we’ve blogged about before, NERC is confronting some major issues surrounding the very safety of the United States power grid. It’s obviously one of the most important tasks out there for regulators.

And like the FDA when it comes to the importance of Part 11 vis-à-vis the efficacy and integrity of electronic records for medical devices and drugs, NERC needs to do whatever it takes to get this right – from issuing clear guidelines to enforcing the rules with efficient audits.

And it’s those audits that are of most interest to Sal Lucido, Vice President at AssurX. Sal’s theory is that NERC is setting the bar very high (and a little vague) in testimony and other public pronouncements and documents, but that when it comes down to audits, the agency may well take a more common-sense approach. In other words, if the company being audited has an intelligent, well-thought-out approach to compliance based on effective risk management, it should be okay.

“NERC’s vagueness works in your favor,” if you can construct and implement your own strong, defensible risk management plan, Sal notes. “The Part 11 guidelines gave us all trouble when the FDA got into nitpicking.”

But AssurX’s Paul Fricke hopes for more clarity from NERC in the coming weeks. Reviewing Assante’s NERC testimony, Paul told us it was “very good, but a few key things could be improved that I think they are missing, and this has been confirmed in my numerous discussions with electric utility customers as well as consultants – namely the need for well organized, clear, and concise requirements/standards.”

Fricke hopes that NERC gets more input from across the industry. “I understand they can’t ‘give the keys to the bad guys’ by giving them enough information to help them get around the safeguards,” Fricke says. But NERC also should not come up with guidelines in a vacuum.

That’s part of what doomed 21 CFR Part 11 to years of delay and ultimately slowed the adoption of the very technology it was designed to advance.

As Fricke notes, “Many people are confused (specifically with CIP standards) and NERC is assuming that the industry has the years of experience in drafting procedures to be effective across all these ‘sections’ and” follow the Hippocratic Oath by first doing no harm. “The industry does not have extensive experience in this area,” Paul adds.

Paul adds, “The [current] CIP standards jumble up so many processes and areas of responsibility in each of the existing standards that companies need to create entire sets of processes just to organize what each individual standard demands.”

That said, Paul also sees a lot of positives in how NERC is tackling its admittedly tough tasks.

“The other efforts underway seem very well planned and organized as well as appropriate. They need to bring system/process experts into the plans to help them categorize, clarify, and add clarity to the CIP standards once the key needs are refined, confirmed and other outputs from teams are determined. This will help them (NERC) meet the need for all sectors and more accurately meet the ‘do no harm’ need as well as help utilities comply with the full text and intent of the standards.”

We’ll keep you posted as this travels its own long and hopefully not too winding road.
