August 21, 2014

The Six C’s of Complaints Management Best Practices for Life Sciences

Jeff Mazik, Vice President, Life Science Solutions, AssurX

Companies in the pharmaceutical, medical device, and biotech industries must meet many regulatory requirements from a number of agencies. Chief among these are the requirements of the FDA and ISO, plus the expectations of other regulatory bodies, depending on the particular market. Implementing best-practice solutions for a company’s quality processes is essential to ensure compliance and quality for the organization.

When it comes to Complaints Management, a best practice approach can be summed up into the Six C’s of Complaints Management. These six terms help identify the areas that need to be addressed when initiating a best practice complaints management system.

The Six C’s are:

Collection: Collect as much information at intake of the complaint as possible. This is a major customer “touch point” in the complaints resolution process, so don’t waste it. Furthermore, the collection of incoming complaints must be reviewed to determine if the communication is truly a complaint. Depending on the determination of that review, handle the situation accordingly.

Consistency: Incoming complaints must be recorded consistently in the information collected. To facilitate this, the questions asked of the customer must be designed to be consistent across similar events, allowing for accurate trending of product problems. Likewise, the downstream steps in resolving the complaint should be guided by consistent information provided to everyone in the complaint resolution process.

Communication: Information collected during intake and throughout the process must be easily available to everyone in the complaint resolution process. Furthermore, those people in the complaint resolution process who are assigned tasks must be provided communication and reminders to ensure their tasks are completed on time and never “fall through the cracks”. From a customer satisfaction perspective, the customer reporting the event must be kept informed of the status of the complaint, using form letters or via online queries through a web portal.

Compliance: The electronic system must meet all applicable regulatory requirements. Furthermore, a consistent approach must be used to determine how soon complaints should be reported to the applicable regulatory agency.

Control: As with any validated system, changes to the process need to be controlled and managed under change control procedures. However, controlling one’s business in terms of allocating available resources, trending historical complaint attributes, and proper management of returned products is also essential for the business to succeed.

Configurability: The solution you use should be easily configured, maintained, and updated, breaking you from a strong reliance on costly programmers, consultants, and specialized IT resources to make a change or to add a step to the process.

If you are interested in getting more detailed information on the Six C’s of Complaints Management Best Practices please request to view our recent 60-minute “Life Science Best Practices for Handling Complaints” Webinar here.

FERC Order to Impose Stricter Physical Security Standards on Electric Utilities

Trey Kirkpatrick, Vice President, Energy & Utilities Compliance, AssurX Inc.

On March 7th, FERC released a new order (Docket No. RD14-6-000) directing the North American Electric Reliability Corporation (NERC) to develop new reliability standards for the NERC registered entities, the owners and operators of the Bulk-Power System, to address the risks due to physical security threats and vulnerabilities.

“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry,” FERC Acting Chairman Cheryl LaFleur said. “Today’s order enhances the grid’s resilience by requiring physical security for the facilities most critical to the reliable operation of the Bulk-Power System. It will complement the ongoing efforts of FERC and facility owners and operators to ensure the physical security of the grid.”

In the Commission’s release, the order directed the owners and operators of the Bulk-Power System to take at least three steps to protect physical security.

Gerry Cauley, NERC President and CEO, released a statement on NERC’s website:

“On Friday evening, March 7th, FERC issued a directive to NERC to develop reliability standards to address risks due to physical security threats and vulnerabilities. As you know, FERC Acting Chairman Cheryl LaFleur asked NERC to work with her staff to determine the need for a mandatory standard for physical security. I believe we identified a path forward that focuses on the most critical assets, incorporates risk assessment and further affirms foundational physical security efforts, while providing enough flexibility to avoid prescriptive, lock-step regulation. Any standard must be dynamic and adaptable to the constantly changing threat environment. As we review the order, I take seriously the comments made by all the Commissioners to ensure that a standard achieves the goals identified in a cost effective manner.”

As mentioned in a previous AssurX blog, “NERC and Industry Move in the Right Direction for Greater Reliability,” security vulnerabilities of the electric grid have been a focus for regulators and registered entities since the attack by gunmen at a California (Metcalf) substation.

Commissioner John Norris, writing a separate opinion, wants Congress to act on protecting sensitive security information: “I believe that our success in developing a comprehensive approach to addressing physical vulnerabilities relies at least in part on Congress taking steps to ensure the confidentiality of sensitive security information regarding the physical vulnerabilities of our grid. Currently, industry remains concerned that confidential security information submitted to the Commission would be subject to disclosure through Freedom of Information Act requests. These concerns have understandably left industry reluctant to provide the Commission with its most sensitive security information related to potential physical threats or vulnerabilities to our power grid. A reliability standard will likely have limited impact if industry, NERC, and the Commission remain unable to safely and securely exchange such information. Thus, I urge Congress to act expeditiously by creating a clearly-defined exemption to the Freedom of Information Act to allow for such exchange of information without fear of disclosure.”

CDRH 2014 Strategic Priorities Promise Improved IDE, PMA Regulatory Climate

Tamar June, VP, Strategic Marketing, AssurX, Inc.

The Center for Devices and Radiological Health (CDRH) will focus on encouraging medical device innovation and speeding clinical trials in the coming years, according to its 2014-2015 Strategic Priorities report released Feb. 5.

To help encourage that innovation, CDRH says it will work to improve the consistency and speed with which it handles Investigational Device Exemption (IDE) applications. CDRH also pledges to find ways to encourage more early IDE studies, especially for medical devices aimed at the U.S. patient marketplace.

The report also says CDRH will try to find a better balance between premarket and postmarket data requirements.

CDRH sets measurable metric goals for improving IDE cycles:

  • By September 30, 2014, reduce the number of IDEs requiring more than two cycles to an appropriate full approval decision by 25 percent compared to FY 2013 performance.
  • By September 30, 2014, for disapproved IDEs, offer all sponsors a teleconference or in-person meeting to occur within 10 business days of the IDE decision.
  • By June 30, 2015, reduce the number of IDEs requiring more than two cycles to an appropriate full approval decision by 50 percent compared to FY 2013 performance.

Time to IDE Approval:

  • By September 30, 2014, reduce the overall median time to appropriate full IDE approval by 25 percent compared to FY 2013 performance.
  • By June 30, 2015, reduce the overall median time to full appropriate IDE approval to 30 days.
  • In FY 2013 (as of 12/11/2013), 45% of IDEs received a full approval decision within 2 cycles and median time to full IDE approval was 174 days.

By June 30, 2015, the report says CDRH intends to increase the number of early feasibility/first-in-human IDE studies submitted to each premarket division compared to FY 2013 performance. CDRH promises several action steps here, including:

  • Establish in the Office of Device Evaluation a premarket clinical trials program responsible for the oversight and performance of the IDE Program and the development and implementation of policies that contribute to the timely initiation and successful execution of medical device clinical trials.
  • Formalize the incorporation of our benefit-risk framework, including patient-specific factors such as tolerance for risk and perspective on benefit, into the IDE process.
  • Establish a process to efficiently and objectively resolve application-specific IDE issues to reduce the number of multi-cycle IDEs.
  • Develop a clinical trials education and training program for CDRH review staff, managers, and industry.
  • Develop real-time metrics to track CDRH and industry IDE and clinical trial performance.

Turning to premarket and postmarket data requirements, the CDRH call to arms lays down more goals:

  • By December 31, 2014, review 50 percent of device types subject to a PMA that have been on the market to determine whether or not to shift some premarket data requirements to the postmarket setting or to pursue down classification, and communicate those decisions to the public.
  • By June 30, 2015, review 75 percent of device types subject to a PMA that have been on the market to determine whether or not to shift some premarket data requirements to the postmarket setting or to pursue down classification, and communicate those decisions to the public.
  • By December 31, 2015, review 100 percent of device types subject to a PMA that have been on the market to determine whether or not to shift some premarket data requirements to the postmarket setting or to pursue down classification, and communicate those decisions to the public.

CDRH plans several specific actions to help attain those targets, including:

  • Develop and seek public comment on a framework for when it is appropriate to shift premarket data collection to the postmarket setting.
  • Conduct a retrospective review of all PMA device types to determine whether or not to shift some premarket data requirements to the postmarket setting or to down classify device types in light of our current understanding of the technology.
  • Implement a mechanism to prospectively assure the appropriate balance of premarket and postmarket data requirements for new devices subject to a PMA.
  • Using existing authorities, develop and seek public comment on a new pathway to market for devices subject to a PMA that address an unmet public health need by shifting appropriate premarket data needs to the postmarket setting and incorporating features of the Innovation Pathway pilots.

The medical device industry no doubt applauds the majority of these goals. Now it’s time for CDRH to roll up its sleeves and get them done.

NERC and Industry Move in the Right Direction for Greater Reliability

Trey Kirkpatrick, Vice President, Energy & Utilities Compliance, AssurX Inc.

There is a different feel out there in the NERC world: the Electric Reliability Organization (ERO) and the registered entities are working together more than ever since the mandatory implementation of the NERC standards in June 2007. I attended the NERC Member Representatives Committee (MRC) and Board of Trustees (BOT) meetings in Phoenix, AZ on February 5-6, 2014. There are many initiatives being implemented and proposed to the registered entities. Not only are the registered entities trying to keep up with very important and impactful standard changes such as COM-002, PRC-005, and CIP version 5; they are also focused on some serious changes to their existing compliance programs.

Even as we were attending the NERC management meeting in Phoenix, the story of the serious physical attack on a California substation, not far from my own office headquarters, hit the news.

Registered entities have been working hard to manage the ongoing challenges with a struggling economy impacting revenues, more competition, environmental regulations, and cyber security threats. Never has it been more important for large, medium, and small registered entities to focus on risk-management and their internal controls. As the NERC staff was making presentations to the NERC Compliance Committee, the MRC and the NERC BOT, it was obvious that the registered entities have opportunities to improve their overall compliance programs and working relationships with NERC and the Regional Entities.

Some of the ERO’s key initiatives are:

  • Definition of BES implementation
  • Reliability Assessment Initiative (RAI)
  • Risk-based Registration Assessment Project
  • Cyber Security
  • Human Performance

If you have never had the opportunity to experience a NERC MRC and/or BOT meeting, I really encourage you to go to one. You can go to regional workshops and NERC Standards and Compliance workshops, but there is no better way to understand the goals and vision of the ERO than being there first hand. There are open discussions and shared industry experience and lessons learned, not only from NERC subcommittees, but also from the North American Transmission Forum (NATF) and the North American Generator Forum (NAGF) leadership.

Gerry Cauley, NERC President and CEO, also provides a comprehensive overview of the goals, accomplishments, and direction of the ERO. The Regional Entities’ senior management staffs are there and dialogue between industry members is encouraged.

Mr. Cauley highlighted the ERO Enterprise’s top 5 strategic goals:

  • Goal #1: Develop clear, reasonable and technically sound mandatory Reliability Standards in a timely and efficient manner.
  • Goal #2: Be a strong enforcement authority that is independent, without conflict of interest, objective and fair and promote a culture of reliability excellence through risk-informed compliance monitoring and enforcement.
  • Goal #3: Promote a culture of compliance that supports reliability excellence within industry.
  • Goal #4: Identify the most significant risks to reliability, be accountable for mitigating reliability risks and promote a culture of reliability excellence.
  • Goal #5: Improve transparency, consistency, quality and timeliness of results; operate as a collaborative enterprise; and improve efficiencies and cost effectiveness.

These goals have been communicated in prior meetings and workshops, but never to the degree of actual implementation and working with the industry to accomplish them. The real challenge for FERC, the ERO, and the registered entity is the identification of significant risks to reliability and the mitigation of those risks (Goal #4).

It is extremely important for the registered entities to be engaged in these initiatives and to start developing their own risk-management program, the appropriate internal controls, and corrective action programs. Currently, there are pilot programs going on with registered entities and the ERO. Their results, along with newly revised auditor handbooks, risk-based registration (not treating every functional entity the same), and the RAI program, will improve the focus on the critical issues regarding reliability.

After spending years in the industry and consulting with dozens of customers ranging from large to small utilities, co-ops and generators, it is encouraging to see registered entities working to identify their risks, implementing stronger compliance programs from industry experience and lessons learned, and developing internal controls. The transition will be challenging for everyone involved, but companies that build strong internal programs, controls, and focus on human performance will end up as industry leaders, have less burdensome oversight, and most importantly, provide a reliable bulk electric system for their customers and North America.

Medical Device Makers Urged to Play Nicer by Sharing Data

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

You shouldn’t need Barney the giant purple dinosaur to remind you of the playground mantra “sharing is caring,” but maybe the medical device industry needs to do some quick Netflix streaming of back episodes.

The Institute of Medicine (IOM), already working with more than a dozen drugmakers, the FDA and the National Institutes of Health (NIH), wants to see a little more enthusiasm from the medical device community when it comes to data sharing in device clinical trials. To be fair, this requires some delicate balance: Everyone wants to advance the public health, but it’s not fair to expect a drug or device company to just give away all of its hard-earned, costly proprietary data, either.

IOM understands that, it appears. Yet the medical device industry won’t be doing itself any favors by trying to ignore this issue. Beside the bad PR hit the industry could take, what happens if the FDA decides to just swoop in and impose something on industry? The drug folks have had their input; the medical device industry would be well advised to speak up, too.

Industry and anyone else with an interest in the issue have a few ways to get involved. Comments on IOM’s proposed framework for getting this right can be sent here until March 24.

For those in the area or looking for a nice trip, there are also two open workshops in Washington D.C. on Feb. 3-4 and May 5.

Seems like the medical device industry has a clear choice here. Speak up now, or don’t complain later.

Reminds me of another useful slogan: Silence is consent.

IOM’s proposed framework can be found here.

Info on the public workshops is here.

Analysis: No Need For State of the Union Analysis

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Those of us in and around Washington D.C. like to tell folks leading up to a president’s State of the Union (SOTU) address that the speeches rarely matter and are generally forgotten while the teleprompter’s still warm.

Then we analyze them to death for a few days. I don’t mean to sound cynical, but it does tend to help cable TV ratings and maybe even sell a few of those funny flat things called newspapers.

First, a little perspective might be in order. The good folks at the History Channel remind us that most SOTUs are remembered for reasons less to do with policy and more to do with current events. They point out that Harry Truman’s SOTU was kind of a big deal because…it was the first ever televised. Bill Clinton’s second was also a big deal…because everyone wanted to hear if he’d resign because of Monica Lewinsky and her blue dress.

Presidents Reagan and Bush II delivered memorable SOTUs, among others, but in both cases they came after significant events — the Reagan assassination attempt, and 9/11, respectively — and they will probably be remembered more for emotional and not policy reasons.

Still, if CNN, MSNBC, FOX and everyone else can breathlessly analyze them seconds after they’re delivered, why not do it here from a medical device perspective?

It might be interesting to start with something President Obama didn’t talk about in his 2014 address: The Medical Device Excise Tax. It’s still out there, and its prospects of becoming the law of the land have ebbed and flowed over the past year, but the President chose not to bring that one up.

To be sure, the President did devote a lot of the SOTU to domestic issues including healthcare. However, that focus was mostly on the Affordable Health Care Act. That one’s not going away anytime soon, and we’re not going anywhere near that here today.

Now back to the SOTU and the medical device community.

Smart communications professionals who work for trade associations and private companies listen closely to the SOTU for anything, anything they can connect their industry to in order to get media coverage. This time, when President Obama spoke about the general need for innovation in this country, some saw the opportunity.

“The President is absolutely correct that investments in innovation will help the United States remain the global economic leader in the 21st century,” Medical Device Manufacturers Association (MDMA) President and CEO Mark Leahey said after the SOTU. “While there will be numerous debates on how we can improve our economy, there is widespread agreement that high tech job creation and reducing the cost of health care play a central role. Medical technology innovators have a proud tradition of meeting these important goals, but we cannot take for granted that this will always be the case.”

Meanwhile, the folks at the Advanced Medical Technology Association (AdvaMed) took a similar approach — but added a whack against the Medical Device Excise Tax in their response to the SOTU.

Its President, Stephen J. Ubl, commended the other President: “AdvaMed applauds the President’s support for the growth of high technology manufacturing jobs and the importance of innovation to economic growth in [Obama's] State of the Union.

“In support of that goal, we urge Congress to act promptly to repeal the medical device excise tax. America’s medical technology companies are leading the world in the development of innovative, life-saving, life-enhancing medical progress – but that lead is eroding. Repealing the medical device tax would support the bipartisan goal of helping companies large and small reinvest in R&D, hiring or expanding.”

President Obama didn’t mention medical devices specifically anywhere in the speech, but what the heck. SOTUs rarely mean as much as we in the media like to tell you, remember?

Medical Device Industry Identifies Some Problems with Agency’s UDI Initiative

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Let’s start with what most everyone agrees on: The Unique Device Identification (UDI) program is a swell idea.

It gets a little trickier after that.

In extensive comments, the Advanced Medical Technology Association (AdvaMed), Boston Scientific, and Merck, among more than a dozen others, generally voice support for the UDI concept, while finding lots and lots to say about where the FDA’s September Draft Guidance could use improvement.

Noting that implementing UDI will be a “costly proposition,” AdvaMed stresses that the length and complexity of the implementation plan demands a “living document” approach that will allow industry and the FDA to update and improve the guidance as both sides learn more during set-up. AdvaMed follows with 61 specific comments, with suggested changes.

Covidien, a manufacturer of medical devices and medical supplies, echoes AdvaMed’s comments and tosses another 22 into the mix, including a request that the guidance remain open for feedback and comment until the September 24, 2014 implementation deadline.

Merck, among other commenters, requested clarification and summarization regarding the scope of products for which data must be submitted to the Global Unique Identification Database (GUDID). Merck also asked FDA to add information regarding deadlines for submitting data to GUDID.

Boston Scientific, noting that its medical devices already bear unique identification via HIBCC or GS1 standards, calls FDA out for what it labels “inconsistencies” with the FDA UDI Rule.

To pick one of their examples, and joining several other commenters in making this point, Boston Scientific claims the data elements column “Required?” is unclear because it fails to clarify if it is required to follow the rule based on regulatory requirements or validation requirements. “The meaning of ‘required’ should be clarified so that BOTH regulatory and system validation requirements are clearly identified in this guidance.”

FDA’s got its work cut out for it here, particularly with the recent departure of its UDI guru, Jay Crowley, for the greener fields of consultantdom.

We can offer some small consolation though: Crowley leads a webinar on UDI implementation from his new professional perch. Information is here:

Final UDI rule as published in Federal Register

FDA’s UDI page

Previous AssurX blog on UDI

The entire comment letter line-up is available here

FDA’s 2014 Promises Increased International Operations, Label Enforcement

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Given the fact that the FDA probably doesn’t know what it plans to do in 2014, predicting their actions is challenging, to put it mildly.

With that slightly weasel-like caveat, it’s worth noting three events in 2013 that will almost certainly impact 2014:

1) CDRH’s Office of Compliance Reorganization: With the addition of a Division of International Compliance Operations, watch for the FDA to shift focus and some budget funds to increased inspection and audits of foreign device manufacturers, and increased crackdowns on promotional claims (see below). Steve Silverman, Office of Compliance Director, is making the public relations rounds of late with events at trade shows and the like. He’s stressing that the new “look” OC will better harmonize and broaden enforcement efforts. We’ll keep an eye on this and report back.

2) Device Off-Label Enforcement: If the old expression “the past is prologue” holds true, device makers would be well advised to take a good hard look at any public claims they, or a surrogate such as a doctor at a trade show, make about the wonderful things their gizmo can or will do for patients. Between May 1, 2012 and April 30, 2013, CDRH averaged two letters per month hitting device makers for making claims outside their 510(k) clearance and making claims requiring additional data they didn’t provide, among other issues. Early anecdotal evidence suggests this trend of more focus and more warning letters will continue to climb in 2014. Again, we’ll keep an eye out.

3) UDI Finally: FDA issued the long-awaited Unique Device Identification (UDI) Final Rule in September. Its driving force, 27-year FDA veteran Jay Crowley, has since left the agency for a consulting gig. It remains to be seen what impact, if any, his departure will have on an issue that’s vexed industry and the agency for many moons. I can’t think Crowley leaving is any kind of net plus in terms of helping to fine-tune the rule. Time will tell. Then we’ll tell you.

I didn’t even factor in the possibility of more budget shenanigans in Washington, D.C. I’m a naive romantic, and I’m not going to go there until I have to.

Happy new year!

FDA VCIP Program: Too Much Stick, Not Enough Carrot?

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

It’s a growing trend in these United States: paying extra for convenience such as bypassing the riffraff in airport security lines, or whizzing past mere mortal motorists on pristine for-pay express lanes.

Where I live in the Washington, D.C. area, the new express road program in Northern Virginia’s clotted traffic arteries appears to be a hit. For a buck or two, you get out of the more crowded free lanes. And you are allowed to go 65 miles an hour, while the peasants are held to 55 mph!

On the other hand, the express lane program at Reagan National Airport doesn’t appear to be generating much traffic.

If the FDA’s new VCIP (Voluntary Compliance Improvement Program) is trying to ride the “pay for convenience” bandwagon, early anecdotal evidence suggests they’re resembling airports more than highways. We’re hearing many in industry say the VCIP program doesn’t offer enough of an incentive to take on the extra work.

Undaunted, FDA released earlier this week a document that reads like a nice bureaucrat gently trying to convince industry to give the program a try.

The joint pilot project housed in the Center for Devices and Radiological Health (CDRH) and Office of Regulatory Affairs (ORA) “differs from the FDA’s traditional oversight model by allowing firms to voluntarily self identify and correct possible regulatory violations instead of undergoing FDA inspection.”

Regulated entities have to apply to participate, but those with violations that raise “imminent” public health concerns needn’t bother.

Here’s the FDA’s big carrot: “The FDA supports using new approaches to help companies come into compliance. These approaches benefit industry and may decrease the number of inspections that the FDA performs or permit the agency to focus on manufacturers with serious and ongoing problems.”

Hmm. I guess I’m not super surprised that initial industry enthusiasm appears weak. To my knowledge, FDA has not released any statistics about participation. I’m basing my very early days’ assessment on discussions with medical device firms and consultants at recent trade shows and the like. I could be wrong, and VCIP might turn out to be a big hit.

If you want to get picked, know that FDA will identify manufacturers eligible to participate in VCIP through its 2014 inspection work plan and offer them an opportunity to apply. For the pilot, the FDA will choose three to five applicants. Of course, their feedback, whether official or in trade show hallway conversations, will tell us a lot about the merits of VCIP.

While it promises some benefits down the road, initial participation in VCIP sounds like it will just add another layer to a device manufacturer’s compliance program. VCIP participants will be required to retain an outside expert consultant to assess their manufacturing and quality assurance systems and to monitor and certify that they are following program requirements. Firms must also demonstrate the ability to define problems, analyze root causes, create appropriate corrective actions, and verify that the actions taken were effective.

If a firm does not meet its commitments under the VCIP, or if the FDA and the firm disagree about any of the results, then the firm may be removed from the program and undergo FDA inspection, which could lead to regulatory action. If a manufacturer ends its participation in the VCIP, it would be subject to FDA inspection and any resulting regulatory action.

FDA gets to the potentially big benefits toward the end of the new VCIP document. If you are selected and pass the tests, your firm “will not be subject to routine surveillance inspection while program participation is underway.” The exemption will be good for two years after a manufacturer successfully completes the program. FDA says it will also expedite review of export certificate requests and prioritize device and pre-amendment determination requests from program participants.

Clearly it’s too early to judge whether VCIP will be a success. And FDA is to be applauded, I think, for trying something a bit new.

Still, here’s hoping VCIP becomes the equivalent of sailing down the relatively empty highway at 65 mph, while others are slogging through heavy traffic at lower speeds.

The Much-Anticipated CIP Version 5 Final Rule Released by FERC

Trey Kirkpatrick

Vice President, Energy & Utilities Compliance, AssurX Inc.

At the FERC Commission meeting on November 21, 2013, the Commission approved the CIP version 5 Standards, which address the cyber security of the bulk electric system. As stated in the FERC final rule, these standards are an improvement over the currently effective CIP version 3 Standards. CIP version 5 requires the industry to adopt new controls and expands the scope of systems that are protected by the CIP standards. The Commission also approved definitions associated with the CIP Standards and directed NERC to make modifications to CIP version 5 and submit informational filings back to FERC.

One of the key decisions, as requested by the ERO, was the Commission’s approval to allow registered entities to transition from the currently effective CIP version 3 Standards to compliance with the CIP version 5 Standards. The approved CIP version 4 Standards will not become effective. CIP version 3 will remain in effect until the effective date of CIP version 5. The Commission also approved the implementation plan and effective dates proposed by NERC.

Some of the key highlights from the FERC Order:

  • The CIP version 5 Standards identify and categorize BES Cyber Systems using a new methodology based on whether a BES Cyber System has a Low, Medium, or High Impact on the reliable operation of the bulk electric system. At a minimum, a BES Cyber System must be categorized as a Low Impact asset. Once a BES Cyber System is categorized, a responsible entity must comply with the associated requirements of the CIP version 5 Standards that apply to the impact category.
  • The CIP version 5 Standards also include 12 requirements with new cyber security controls, which address Electronic Security Perimeters (CIP-005-5), Systems Security Management (CIP-007-5), Incident Reporting and Response Planning (CIP-008-5), Recovery Plans for BES Cyber Systems (CIP-009-5), and Configuration Change Management and Vulnerability Assessments (CIP-010-1).
  • The Commission directs NERC to remove language found in 17 requirements in the CIP version 5 Standards that requires responsible entities to implement the requirements in a manner to “identify, assess, and correct” deficiencies. We support NERC’s move away from a “zero tolerance” approach to compliance, the development of strong internal controls by responsible entities, and NERC’s development of standards that focus on the activities that have the greatest impact on Bulk-Power System reliability. However, the Commission is concerned that the proposed language is overly vague, lacking the basic definition and guidance that is needed, for example, to distinguish a successful internal control program from one that is inadequate.

Note the Commission’s response to the “identify, assess, and correct” language:

“We would prefer approaches that would not involve the placement of compliance language within the text of the Reliability Standards to address these issues. We understand that NERC has inserted the “identify, assess, and correct” language into the CIP Reliability Standard requirements to move its compliance processes towards a more risk-based model. With this objective in mind, we believe that a more appropriate balance might be struck to address the underlying concerns by developing compliance and enforcement processes that would grant NERC and the Regional Entities the ability to decline to pursue low risk violations of the Reliability Standards. Striking this balance could be accomplished through a modification to the Compliance Monitoring and Enforcement Program. We believe that such an approach would: (1) empower NERC and the Regional Entities to implement risk-based compliance monitoring techniques that avoid zero defect enforcement when appropriate; (2) allow the Commission to retain oversight over the enforcement of Reliability Standards; and (3) ensure that all Reliability Standards are drafted to be sufficiently clear and enforceable.”

  • The Commission directs NERC to develop modifications that address security controls for Low Impact assets. The adoption of the Low Impact BES Cyber Asset category will expand the protections offered by the CIP version 5 Standards to additional assets that could cause cyber security risks to the bulk electric system. Specifically, categorizing BES Cyber Systems based on their Low, Medium, or High Impact on the reliable operation of the bulk electric system, with all BES Cyber Systems being categorized as at least Low Impact, offers more comprehensive protection of the bulk electric system. However, the CIP version 5 Standards do not require specific controls for Low Impact assets nor do they contain objective criteria from which to judge the sufficiency of the controls ultimately adopted by responsible entities for Low Impact assets. The Commission directs that NERC develop modifications to the CIP version 5 Standards to address this concern. While NERC may address this concern by developing specific controls for Low Impact facilities, it has the flexibility to address it through other means, including those discussed below.
  • The Commission directs NERC to submit an informational filing one year from the effective date of this Final Rule that assesses, based on the survey results, whether the BES Cyber Asset definition will, with the 15-minute parameter, cover the assets that are necessary to ensure the reliable operation of the Bulk-Power System.
  • The Commission directs NERC to create a definition of communication networks and to develop new or modified Reliability Standards that address the protection of communication networks. The Commission also directs its staff to include the issue of protecting the nonprogrammable components of communications networks in the staff-led technical conference discussed herein.

For more information: 

NERC CIP Version 5 Implementation Plan

Version 5 Critical Infrastructure Protection Reliability Standards, Docket No. RM13-5-000

Commissioner LaFleur’s comments

Trey Kirkpatrick is Vice President of Energy and Utilities for AssurX, Inc., a leading provider of energy and utility enterprise compliance management solutions.
