February 4, 2012

NERC Debuts Enhanced Alert Mechanism, Reviews Challenging 2009

NERC just rolled out its NERC Alert System (NAS), which gives NERC/ES-ISAC the ability to alert and notify NAS-registered entities of the bulk power system (BPS) of vulnerabilities, threats, and abnormal events or conditions that could impact the BPS. It is also designed to enable rapid creation and dissemination of alerts, and it provides for quick acknowledgment and response from alert recipients via a secure Web browser portal.

“It’s pretty good,” says Paul J. Fricke, CQMgr, CQA Quality Manager/Project Manager at AssurX, Inc. “It sets up a direct and rapid communication to registered entities on when to send alerts and to have the mechanism to do it effectively.”

When registered entities receive an alert, they’ll then log into a secure site to receive the full update details.

There are three levels of alerts, in rising levels of seriousness:

  • Level 1 – Advisory – information only
  • Level 2 – Recommendations to Industry – usually requires that a questionnaire be completed and submitted back to NERC
  • Level 3 – Essential Action – these require information back from the registered entity; this is the highest and most serious level of alert

NERC also set up a fairly straightforward means of labeling how carefully to protect information contained in an alert:

  • Green – Public
  • Yellow – Private
  • Red – Sensitive
  • Black – Confidential

NERC also just released its report for 2009 which addresses a year of transition (changes at the top) and a broader kind of transition: It’s “one of focus as we enter our third full year as the entity responsible for developing and enforcing compliance with mandatory reliability standards,” says Gerry Cauley, NERC’s new President and CEO.

Cauley’s ambitious vision is “to broaden our focus from a compliance organization to a learning organization, one that fosters learning and facilitates growth, both within our organization and across the industry.”

Given all that NERC is trying to do – some well, some maybe not so well – we’ll keep you posted on how they deliver on some tough promises in 2010.

See also:

NERC Unveils Improved Standards Development Process

The Top 10 FERC Enforceable Standards in 2009

No News is Big News: SaaS is Configurable!

“There’s nothing to see here folks, move along. Nothing to see here.”

That’s what police usually say when a crowd gathers to watch something new, unusual or just plain interesting.

Reminds me of an article I recently ran across declaring that Software as a Service (SaaS) technology was indeed configurable. The gist of it was that NetSuite CEO Zach Nelson was attempting to shatter some of the common misperceptions about SaaS during his keynote address at the company’s partner conference in San Francisco last week.

The WebCPA article covering Zach’s speech went on, “Addressing claims that most SaaS solutions are not customizable, Nelson claimed that there are currently 6,600 users utilizing NetSuite’s enterprise resource planning functions, the majority of which are customizable features.”

Extra! Extra! Read all about it: SaaS is configurable, says Zach. And we’ve blogged about this before, too.

But is this news to anyone?

Apparently it is in some circles. So why has SaaS gotten a bad rap as inflexible?

Blame it on the early days of SaaS, when some providers offered more rigid, “pigeon-holed” solutions, says AssurX Operations Manager Karl Kleinkauf, who’s been in this business nearly twenty years. “In the old days there was something of a ‘take it or leave it’ attitude,” Karl adds.

But that’s all changed in recent years, Karl notes. For starters, the technology has improved and ample bandwidth is more widely available today. Both factors help make SaaS more configurable. But consumer demand also helped make it happen, Karl notes.

In fact, as his own customers get more adept using SaaS for regulatory compliance, they often see other uses for it. “I’ve helped many use our SaaS system for document control and customer complaint handling after they’ve gotten comfortable with it on the compliance side,” Karl says.

So let’s recap: SaaS is flexible, multi-faceted and configurable.

Remember, you didn’t read it here first.

NERC Unveils Improved Standards Development Process

The NERC project to develop Results-Based Reliability Standards addresses stakeholders’ recommendations that the industry should focus existing standards on areas that will lead to the greatest improvement in bulk power system reliability. You can read about it here.

The entities feel they are spending too much time documenting compliance and not enough time verifying compliance with the pertinent requirements that have a more direct impact on system reliability, says Sal Lucido, VP of Enterprise Solutions at AssurX. Last January the committee selected standard FAC-003-2 (Transmission Vegetation Management Program) as the initial proof-of-concept for the project.

You can view the status of this project at this link:

The Transmission Vegetation Management Team is now responding to comments received on the draft standard. “This project should greatly improve the standards development process and result in clearly written, verifiable standards and requirements,” Sal notes. The approach starts with making sure a standard has a clear statement of purpose and that each requirement is clear and measurable. The team is also looking to eliminate requirements that don’t have an impact on the reliability of the bulk power system.

Initially, these standards were voluntary. But as NERC has shifted them to being mandatory, they’ve come under closer scrutiny from industry, in part because of the monetary enforcement associated with violations. The project also states that the standards development team “should strive to achieve a portfolio of performance, risk, and competency-based mandatory reliability requirements that support an effective defense-in-depth strategy.”

Sal adds that the team is instructed to ensure that each requirement “should identify a clear and measurable outcome.” This means that the requirement should have at least one of the following:

  • A stated level of reliability performance
  • A reduction in a specific reliability risk or,
  • A necessary competency

This new approach to standards development represents almost a year’s worth of work in a partnership between industry and NERC. It will be interesting to watch the results of the first project, which should be followed by improvements to the other critical standards.

NERC Policy Statement Powered with Common Sense, Clarity

We’ve got some slightly bad news and some really good news.

The bad news is you only have until April 19 to file your comments on NERC’s just-issued Bulk Power System Critical Infrastructure Policy Statement.

The good news: It is so clear and grounded in common sense that your only comment may be “nice job.”

Reminds me of what baseball players and managers say about umpiring: We can live with almost any reasonable interpretation of the strike zone, we just want clarity and consistency in your calls.

Well, NERC seems to have accomplished that – at least in the big picture sense.

“Yes, it is high level,” says AssurX NERC expert Paul Fricke, but it lays “good ground work.” NERC’s approach here “makes me feel more secure,” Paul adds. “The policy statement is absolutely grounded in common sense.”

Specifically, it mandates that NERC and its members address cyber security, physical security, and other high impact threats.

The statement calls for a multi-element strategy that addresses asset prioritization, risk information management, standards, prevention and detection, resilience, readiness, response, restoration, roles and authorities, communications, evaluation and testing, technical studies, interdependencies and funding.

NERC’s new umbrella statement may be in response to the heat the Department of Homeland Security and other government officials have publicly put on NERC, FERC and other keepers of the infrastructure. Their concern: the nation’s vital systems are still vulnerable to threats, both internal (natural disaster, for example) and external (think terrorism). Or in NERC-speak, “A significant concern is the potential for disruptions impacting large portions of the bulk power system, whether by intentional attack or natural event, from which restoration and recovery may be challenging and prolonged.”

Fricke believes the relatively short comment period is also a result of that pressure. “DHS is very mindful of the threats to the power grid and they want companies to show they have controls and checks in place to protect high-priority assets in particular.”

We don’t expect there to be any earth-shattering comments from industry, but we’ll keep you posted.

NERC Clarifies Its Expectations For Registered Entities

Scratching your head a bit when you read those new issues from NERC? You aren’t alone. Yes, it’s a complicated issue, but arguably NERC isn’t making things easier with its sometimes vague, sometimes complex regulatory writing.

Lucky for us we’ve got Paul Fricke, Quality Manager with AssurX, to act as our interpreter.

His overall take? “We got some clarification and some elaboration, but bottom-line there really is not that much in these new issues,” Paul says. Paul cites a few relatively minor changes that are worth taking a quick look at, e.g., what are “appropriate parties” in CIP-001-1a, clarification about “end points” in CIP-005-1a and CIP-005-2a and Electronic Security Perimeters/Physical Security Perimeters in CIP-006-1c and CIP-006-2c.

Paul elaborates on what it all means: “the big take away is that NERC is active in adding interpretations to NERC Standards to aid in ensuring that registered entities understand the intent of the requirements and how they expect them to be applied.”

It’s also important to note that these new issues aren’t exactly a done deal. They are issued by NERC but are waiting for regulatory approval, with a “TBD” effective date.

Stay tuned.

Editor’s Note: Got a question about all of this? Reach out to Paul at pfricke@assurx.com

Click here for more information about NERC compliance.

FDA Meeting on 510(k) Highlights Differing Views

Brad Ryba, Publisher, www.my510k.com

Much has changed in the FDA over the past year, and it appears more change is to come. Issues surrounding device approvals under the 510(k) process were front-and-center in a public meeting this past Thursday. The FDA titled the meeting “Strengthening the Center for Devices and Radiological Health’s 510(k) Review Process,” and the agenda included a full day of discussion. FDA invited 30 speakers including industry executives, physicians, and policy advocates. Preceding the speakers, FDA made some presentations citing its challenges under the current system. This was followed by a round-table discussion, along with some open Q&A sessions. From this meeting, it seemed two clearly differing agendas will shape policy changes over the coming months.

The FDA was clearly laying out the case for why it wants to make changes, while trying to broaden its powers beyond the current 510(k) process. When Dr. Donna-Bea Tillman, Director for CDRH Office of Device Evaluation, made her presentation, she seemed to be open minded, stating that, “Trying to find the right balance between a regulatory process that enables us to foster innovation and at the same time ensures reasonable assurance of safety and effectiveness is the challenge we are here to talk about today.” Christy Foreman, CDRH Deputy Director for Engineering and Science Review, was a bit more wary of industry, particularly in areas where FDA does not have as much authority. She contended, “Submission for [510(k)] modifications are based on firm’s determination regarding the effect on safety and effectiveness.” Ms. Foreman seemed to be hinting that this was an area she and FDA wanted to see addressed. Their concern is that documentation for incremental device changes is currently only kept in a firm’s internal files rather than defaulting to an FDA evaluation. Many other suggestions by FDA speakers indicated that the Agency wants increased oversight of clinical trials and labeling regulation. Further, the Director of 510(k) staff, Heather Rosecrans, suggested that FDA needs broader powers to more easily rescind a 510(k) clearance if necessary. Many more comments and side issues emerged during the presentations, and these comments did not go unanswered by the industry representatives in attendance.

Most of the participants from the medical device industry advocated for the continuation of the 510(k) process, with a focus on consistency and transparency. Medtronic’s Chief Regulatory Officer, Susan Alpert, highlighted the result of a cumbersome 510(k) process, citing, “Our products go more quickly into other markets under other schemes than under this scheme.” She and her counterparts at the round-table discussion offered several suggestions to help the program evolve, while stressing that the current process works well for the majority of devices. Putting it another way, Craig Coombs, Head of Coombs Medical Device Consulting, argued, “It’s not the 510(k) process. It’s what our interpretations are… predictability is really what needs to be there in order for us to comply.” These messages were echoed by many of the other industry speakers, and it is clear that this topic will continue to receive much further discussion.

FDA will continue to hear comments on the 510(k) process, and a Working Group is scheduled to submit its report to CDRH Director, Jeff Shuren, by the end of May 2010. The docket for comments on the 510(k) process will remain open until Mar. 19, 2010. Comments are also being compiled by the community at my510k.com and on Twitter. While suggestions are being taken by FDA, its position seems clear that “Strengthening the 510(k) Review Process” means getting tougher on industry.

UPDATE: FDA Signals Renewed Commitment to Risk Management

In Washington, D.C., experts tracking the political shifting sands often advise you to watch what someone does, not what they say. Applying that to the FDA suggests the agency is starting to take risk management enforcement a bit more seriously.

Here’s a good example. Earlier this week (Feb. 16) the agency approved a risk management program to inform healthcare providers and their patients about the risks of a class of drugs called Erythropoiesis-Stimulating Agents (ESAs) manufactured by Amgen Inc. The company’s risk management program, or Risk Evaluation and Mitigation Strategy (REMS), requires health care professionals to provide their patients receiving an ESA with a Medication Guide that contains information for patients on how to safely use the drug.

And earlier this month, the agency requested a 23% hike in its budget to help it more aggressively pursue food, drug and device safety (plus its new tobacco initiative).

More action and more dollars could add up to a more active FDA in 2010.

Make sure to read our previous post: Risk Management Matures Beyond the Spreadsheet

Faster Clinical Trials in Plain English

Brad Ryba, Publisher, www.my510k.com

Before all this talk of “Snowmaggedon”, a beaming headline posted late last week stated that “FDA Issues Guidance to Help Streamline Medical Device Clinical Trials”. If you were hoping to learn how it works, you were in for a statistics lesson on Bayesian methods for designing studies and analyzing clinical data. (Wait, don’t leave!) The good news is that you don’t need a statistics lesson to grasp the main point. FDA is now advocating the use of prior clinical data, and even post-market data from a prior device, to justify shorter clinical studies and/or smaller sample sizes. This is a huge change from the same Agency that has demanded more data and more time to review device approval applications. How can this be? Why does Bayesian probability allow us to do this? The answer is not rocket science.

Bayes’ Law basically views probability as a “degree of belief” that an event will occur today, given knowledge of prior events. Think of it this way… Have you ever “tried” to flip heads on a coin, or roll an 8 with dice? How is this possible, if the probabilities of coins and dice are already known? Since we know the physical act of flipping the coin can affect its outcome, it may not be a simple 50-50 probability. The Bayesian idea of prior beliefs allows us to set constraints and draw conclusions beyond the actual data. Humans are quite good at intuitively making predictions on very little information; Bayes just put this into mathematical notation (not to diminish the significance of Bayes’ Law in any way).

Now, before this starts to sound like a “free pass” to shorter clinicals, be sure to finish reading the FDA guidance. Once again, for the sake of time, we can summarize… It makes sense that statistical theory cannot replace sound clinical science. The FDA is quick to caution that patient data from prior studies are rarely 1-to-1 exchangeable with the patients in the current study. Instead, a test can be applied to find how much “borrowed strength” the previous studies can lend. Also, FDA will still require that you submit to its reviewers your rationale for considering such prior clinical data. All of the same requirements apply when filing for an Investigational Device Exemption (IDE), and all methods and assumptions will need to be reviewed before the study can begin.
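To make the “borrowing strength” idea concrete, here is an added worked example; it is not from the FDA guidance or from my510k.com. It assumes a Beta-Binomial model (a Beta prior on a device’s success rate, updated by Bayes’ rule with the counts from the new study) and represents the “borrow strength” test by a single discount weight between 0 and 1 applied to the prior device’s data, an approach known in the statistics literature as a power prior. All counts are constructed. The point it shows is the one the guidance makes: the more of the prior data you are allowed to borrow, the fewer new subjects you need to reach a given precision, and at weight 0 you are back to a stand-alone study.

```python
"""Added illustration of borrowing strength from a prior device's data.

Model (an assumption for this example): the success rate of a device is
described by a Beta(alpha, beta) belief.  Observing s successes and f
failures updates it to Beta(alpha + s, beta + f); that is Bayes' rule
for binomial data.  Historical counts enter the prior multiplied by a
weight in [0, 1], the "borrowed strength".  All numbers are constructed.
"""
from math import sqrt


def beta_mean_sd(alpha, beta):
    """Mean and standard deviation of a Beta(alpha, beta) belief.

    A smaller sd means a tighter (more certain) estimate of the rate."""
    total = alpha + beta
    mean = alpha / total
    var = alpha * beta / (total ** 2 * (total + 1))
    return mean, sqrt(var)


def discounted_prior(prior_successes, prior_failures, weight):
    """Build the prior from historical counts scaled by `weight`.

    weight = 0 ignores the old study entirely; weight = 1 trusts it as if
    those patients were in the current trial.  A flat Beta(1, 1) is the
    starting belief before any data (an assumption of this example)."""
    if not 0.0 <= weight <= 1.0:
        raise ValueError("weight must lie in [0, 1]")
    return 1.0 + weight * prior_successes, 1.0 + weight * prior_failures


def posterior(prior_successes, prior_failures,
              new_successes, new_failures, weight):
    """Bayes' rule for a Beta prior and binomial data: add the observed
    counts to the prior's parameters and summarise the result."""
    alpha, beta = discounted_prior(prior_successes, prior_failures, weight)
    alpha += new_successes
    beta += new_failures
    mean, sd = beta_mean_sd(alpha, beta)
    return {"alpha": alpha, "beta": beta, "mean": mean, "sd": sd}


def subjects_needed(target_sd, prior_successes, prior_failures, weight,
                    expected_rate=0.9, max_n=100_000):
    """Smallest number of new subjects (assumed to succeed at
    `expected_rate`) for which the posterior sd falls to `target_sd`.

    This is the "smaller sample size" effect of borrowing strength:
    the more prior data is admitted, the fewer new subjects are needed."""
    for n in range(max_n + 1):
        result = posterior(prior_successes, prior_failures,
                           expected_rate * n, (1.0 - expected_rate) * n,
                           weight)
        if result["sd"] <= target_sd:
            return n
    raise RuntimeError("target precision not reached within max_n")


if __name__ == "__main__":
    # Constructed data: the predicate device showed 180 successes and
    # 20 failures; the new study so far has 27 successes and 3 failures.
    PRIOR_S, PRIOR_F = 180, 20
    NEW_S, NEW_F = 27, 3
    for w in (0.0, 0.5, 1.0):
        r = posterior(PRIOR_S, PRIOR_F, NEW_S, NEW_F, w)
        print(f"weight={w:.1f}  mean={r['mean']:.3f}  sd={r['sd']:.4f}")
    for w in (0.0, 0.5, 1.0):
        n = subjects_needed(0.03, PRIOR_S, PRIOR_F, w)
        print(f"weight={w:.1f}  new subjects needed for sd <= 0.03: {n}")
```

Running the script shows the two halves of the argument: with the prior device ignored (weight 0) the 30 new patients give a wide estimate, while admitting the historical 200 patients tightens it considerably; and the number of new subjects needed to reach a fixed precision drops from over a hundred at weight 0 to a handful at weight 0.5 and to none at weight 1. The weight itself is exactly what the FDA reviewers will want justified, which is why the guidance still requires the rationale for the prior data to be submitted with the IDE.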

That said, the fact that good prior information on clinical device use exists, and that a Bayesian approach may enable smaller-sized or shorter-duration trials, is welcome news to the industry. In the official press release, FDA Commissioner Dr. Margaret Hamburg says, “This is a terrific example of regulatory science in practice at FDA.” We at my510k.com hope to see these kinds of developments continue, balancing regulation enforcement with sound scientific practices.

Join the community at Brad Ryba’s website: http://www.my510k.com

Toyota Woes Highlight Importance of Supplier Quality Management

Welcome to the 894,302nd and counting piece about Toyota’s fall from manufacturing grace.

We don’t need to devote a lot of space here to recounting Toyota’s problems. You probably know the story: After months of hemming and hawing, the once-proud carmaker finally acknowledged the obvious this month and said it was recalling a boatload of cars that have accelerator pedal problems.

But it gets worse: yesterday (February 9, 2010) Toyota added that it was also recalling over 400,000 Prius and Lexus vehicles because of a brake problem, as well as additional problems with the Camry and possibly the Corolla, too. For now, the jury is still out on exactly what went wrong (beyond how badly Toyota handled the PR side of this).

Yet we’re writing about this today because, even as Toyota’s massive problems are being probed, analyzed and dissected by experts from various industries, the issue of supplier quality management (SQM) doesn’t seem to be coming up much.

By enabling the capture, analysis, and assessment of quality related issues, Supplier Quality Management (SQM) creates total transparency and visibility into the supply chain. It provides instant traceability and real time monitoring across the supplier network.

That’s too bad, because one of the few good things that could come out of all of this is reminding car manufacturers, medical device makers, pharmaceutical companies, food manufacturers and a host of other businesses that supplier quality management is key to being a profitable, effective company that only gets good headlines (See box below, Sal’s Tips).

“Gone are the days when manufacturers can say suppliers can’t have an impact on their success” or, perhaps in the case of Toyota, a spectacular failure, says Dun & Bradstreet analyst Jim Lawton. He also has a background working on medical device issues with Hewlett Packard.

Lawton’s first lesson gleaned from Toyota is that companies should strongly consider focusing on their core competencies and outsourcing other stuff. For example, companies should work hard with partners to understand risk and develop procedures and programs to mitigate it.

“Unfortunately, the medical device industry is not out in front when it comes to managing supplier quality,” worries Jim. “They are all about taking out costs,” he adds. For more of his excellent insights, check out his recent interview with Industry Week.

That can be a case of being penny wise and pound foolish, agrees Sal Lucido at AssurX. “Supplier quality management has not gotten the attention it should, because it’s complicated, involving the processes and politics of other companies. It’s hard enough to manage your own company’s issues, let alone those of your global suppliers,” Sal says, adding that he believes lessons can be learned from Toyota’s missteps.

Sal’s Tips: Lessons Learned From The Toyota Fiasco

Toyota’s pain could be others’ gain, IF they learn from what happened to a once-lauded manufacturer. Sal lists some lessons:

  • The costs associated with the loss of your company’s reputation are incalculable.
  • Product quality includes both the actual and the PERCEIVED view customers hold of your product.
  • Ensure you have visibility to the data you need to detect problems early. Prevention is an order of magnitude less costly than late reaction.
  • Don’t rely solely on return on investment calculations to direct your process improvement efforts. Sal states as an example that, “ROI calculations are effective when it comes to making decisions such as purchasing automation equipment, but they can fall short when it comes to upstream process improvement investments such as SQM.”

SQM often also gets short shrift because it is harder to calculate in terms of the return on investment (ROI), Sal notes. “When supplier issues are addressed with band aids and tape, they can be hidden from view – for a while. But the day of reckoning always comes.” This is one of the lessons we all may be able to learn from Toyota’s predicament. “The further back in the supply chain, the less attention it gets,” says Sal.

But the Toyota case might make it easier for others to calculate their return on investment in supplier quality. “Decades of reputation building (not to mention billions of dollars) by Toyota has been washed away in a matter of days! It’s very sobering if you are a manufacturer,” Sal points out.

Some good can come out of Toyota’s very public problem if we use it as a wake up call to look at our own house and make sure the processes are sound throughout, starting with supplier quality.

Registration Now Open for AssurX's Electric Reliability Virtual Summit

WHEN: Thursday, January 28, 2010 – 10 am – 2 pm (Pacific)

REGISTER: https://www2.gotomeeting.com/register/554360930

WHO SHOULD ATTEND: All AssurX Energy/Utility Customers

AGENDA:

How to Manage NERC CIP Workflows & Documentation
NERC CIP Compliance Management – CIP-002 thru CIP-009 reached the Auditably Compliant stage July 1st, 2009. In this talk we will take a look at best practices for managing CIP workflows including configuration change management and process/plan review workflows.

How to Manage a NERC Compliance Framework
Part of a NERC audit includes submitting information about how your internal documentation (i.e. procedures, policies, etc.) relates to each applicable requirement. This presentation will demonstrate how CATSWeb ER can be used to establish this compliance framework.

NERC Standard Update Service
View how the NERC Standard Update Service is used to import new NERC standards and file attachments into your CATSWeb ER system.

Self Certification
Using the new CATSWeb 16Q Service Pack rules engine, view how your self-certification preparation process can be automated to create and assign all Gap Analysis records and monitor when all Gaps have been completed.

Using CATSWeb for PRC-005-1 Compliance

Demonstration of CATSWeb configured as a standalone system as well as an integration hub with various Work Order Management, ERP and Test Systems, assuring that assets which affect the BES are in PRC-005-1 compliance.

Taking your CATSWeb ER system beyond your expectations
An opportunity to learn how companies use CATSWeb ER to streamline the management of documents, assets, approvals, certifications, testing, exceptions, etc.

Sessions will last anywhere from 20 – 45 minutes each and will be followed by a 5 – 10 minute Q&A, as well as a midway break. This four hour event will be recorded and available for replay shortly afterwards. Presentations will be available for download immediately following the event.
