
Michael Causey, Editor & Publisher, eDataIntegrityReport.com
I’ve got to admit, despite months (or years?) of hearing from those inside and close to the FDA that the agency intended someday to begin actual enforcement of 21 CFR Part 11, I was beginning to have my doubts.
No one likes to be told he’s crying wolf or acting like Chicken Little squawking about the sky falling.
Finally, however, the FDA’s CDER division issued a blandly worded release that may have some serious repercussions for regulated drug companies:
The FDA “will be conducting a series of inspections in an effort to evaluate industry’s compliance and understanding of Part 11 in light of the enforcement discretion described in the August 2003 ‘Part 11, Electronic Records; Electronic Signatures — Scope and Application’ guidance (Guidance). The Agency intends to take appropriate action to enforce Part 11 requirements for issues raised during the inspections that do not fall under the enforcement discretion discussed in the Guidance.”
That’s about all they said publicly, but it’s a mouthful after waiting a long, long time for any agency activity backing the Part 11 rule.
While this announcement focuses on drugs, don’t be surprised to find a similar action coming soon on the device side.
“I’d expect FDA inspectors to focus on Part 11, too, when they inspect device manufacturers,” agrees former FDA inspector Ken Miles.
When it comes to preparing for FDA inspections, Ken says he’s a big fan of the Boy Scouts motto: Be prepared.
We’ve heard in the past that many FDA inspectors weren’t comfortable yet inspecting or enforcing Part 11 provisions. The result: Very few inspections, and some inconsistent inspectors.
In the coming weeks, we’ll report back on what kind of inspections FDAers are conducting, and how you can best prepare for them.

James Holler, Founder, Abidance Consulting
In less than a year, the sweeping changes to the NERC CIP requirements will become effective. The changes will require that all registered facilities be considered, to some degree, a critical asset. There are going to be three levels of criticality when it comes to CIP – High, Medium & Low. According to NERC, the process and criteria currently used for identifying critical assets in the electric system are inadequate. For example, the current system labels less than 5% of the existing generation facilities around the country as critical assets, so NERC has identified a new approach in the new CIP-010-1 standard.
The scoping process in the existing CIP-002 standard calls for identification of critical bulk electric system assets, then the associated critical cyber assets. In CIP-010, there are no “out of scope” bulk electric system assets; instead a categorized list of those assets and their related cyber systems is required.
Framework
NERC has decided to use the NIST 800-53 framework when developing the CIP requirements from now on. The National Institute of Standards and Technology (NIST) is the U.S. Government’s de facto standard for Information Technology Security. You can download a full copy here. NIST provides standards and technology to protect information systems against threats to the confidentiality of information, integrity of information and processes, and availability of information and services in order to build trust and confidence in Information Technology systems.
The NIST framework:
- Provides a specification for minimum security requirements for information systems included in the CIP requirements using a standardized, risk-based approach.
- Defines minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category that are included in the CIP requirements.
- Identifies methods for assessing effectiveness of the CIP security requirements.
- Brings the security planning process up to date with key standards and guidelines developed by your security team using the NIST framework.
- Provides your security team with assistance in determining what needs to be done, in chronological order.
- Evaluates security policies and technologies developed by your security team.
Major Changes
Be warned, there are many major changes coming. One of the most interesting is that CIP-002-2 through CIP-009-2 will be removed and replaced with CIP-010-1 and CIP-011-1. CIP-011-1 is almost 30 pages and combines CIP-003-2 through CIP-009-2 into a single requirement and includes new requirements as well. The following is a list of some of the major changes on the horizon:
- Every requirement will be auditable and not just addressable. This means that you must complete every required task in the CIP requirements that pertains to you; none will be merely nice-to-have or addressable.
- There is currently a 3-year review/audit cycle set up and because the BES does not change too much or too often that cycle is going to be shortened to be between 12 months and 24 months.
- A new feature in CIP-011 is how the requirements are presented, which is based on applicability/impact on the reliable operation of the BES. There are several subject areas identified in CIP-011, including: security governance and policy; personnel training, awareness, and risk assessment; physical security; electronic access control; etc.
- Each requirement has several characteristics identified, and each requirement is assigned to one of the subject areas.
- The need for more than paper evidence of compliance has led to an actual need to demonstrate compliance in the updated version of the CIP requirements. For example, current requirements call for paper demonstration rather than allowing for actual demonstration of the protection system; the latter improves security, and therefore an entity will have to demonstrate its compliance rather than state it.
There are many, many other updates, improvements and additions to the upcoming CIP requirements known as Version 4. It is my opinion that a registered entity may want to begin preparing now because the requirements may prove to be difficult to handle.
James Holler is founder of Abidance Consulting.

Michael Causey, Editor & Publisher, eDataIntegrityReport.com
Geologists, archeologists and the like usually examine things in terms of hundreds of thousands of years: Think the Paleolithic Era, which they measure from the introduction of stone tools by pre-humans or hominids such as Homo habilis about 2.6 million years ago, to the introduction of agriculture around 12,000 years ago. That’s nearly the whole time folks like us have been walking around the planet on two legs.
But for us FDA watchers, those trends tend to be a bit shorter in duration. For example, just as Earth goes in and out of ice ages into relative warm periods and back to colder climates, it looks like we’re coming out of a 20-30 year period of relatively light FDA regulation into something new and, for medical device companies, a little scary.
Device makers, pharmaceutical companies and even food manufacturers “got used to a certain regulatory treatment from the FDA in the past twenty to thirty years,” notes industry expert and Creo Quality LLC Principal Jon Speer. Translation: The FDA generally went a little easier on the industries it regulates.
But that sound you hear might be the ice freezing up again. As spelled out recently in an excellent Minneapolis Star Tribune commentary by Arne Carlson about possible FDA alterations to the way it regulates medical devices, “changes should accelerate innovation, not hamstring it. Medical device companies, physicians and venture capitalists are investing time and money on new devices, agreeing to clinical study rules the agency outlines at the start. But in too many recent cases, the FDA has delayed its feedback to the companies, then determined in the end that the company needs to meet new milestones before the agency will consider clearing the device. That isn’t right.”
And earlier this week, at an FDA “Town Hall” meeting that’s part of a three-city listening tour, many speakers lamented a lack of predictability in the FDA approval process, which they say chokes funding for start-up companies. Device makers detailed what they criticize as bloated timelines and an unprepared, unresponsive agency staff that is often hostile to industry input.
Is it time for medical device companies to panic? Yes and no.
“At present I do not believe there are any new rules affecting device innovation; there is however a fear of new rules to come,” says Peter Reichertz, a partner at Sheppard Mullin. “In addition, there is a new attitude at FDA resulting from fear of Congressional oversight as well as newer less experienced employees who tend to be stricter and more conservative in their review of premarket notifications,” he adds.
But Reichertz sees this going further, “FDA seems bent on making changes to the 510(k) process that would make it more difficult to either develop improvements in currently marketed devices by their current manufacturers, as well as to allow for the development of products that improve on existing products due to fear of what they refer to as ‘device creep’. While changes in these rules are not yet known, all of the industry assumes that it will make it more difficult to innovate, and companies may already be deciding not to proceed with innovation because they are not sure what the new scheme will require.”
“I can see both sides of the equation,” notes Speer. He points out that the FDA is charged with protecting consumers while medical device companies are under investor pressure to get their products to market. Get more of his insight by following his Twitter postings.
But potential FDA moves are making it “extremely challenging for start-ups,” Speer notes. He works regularly with medical device companies to help negotiate the increasingly treacherous FDA regulatory minefield. He cites anecdotal examples of companies that recently waited 267 days for FDA clearance, and another that even had a predicate product already in the market, yet still waited almost 100 days for agency approval.
“In the last 18 months medical device companies have come under tremendous additional regulatory scrutiny,” suggests Jerry Chase, CEO with Lantronix (NASDAQ:LTRX), a provider of equipment that network-enables medical devices (both embedded and external to the human body). He’s worked with a lot of medical device companies that produce infusion pumps and glucose meters, and seen them cowering over potential FDA rules they fear will stifle their innovations.
Stressing that he shares the FDA’s goals to protect patients, Chase called on the FDA to listen carefully to the concerns of the medical device industry. “The FDA needs to understand that what it seems to be proposing now is too broad” and is more likely to ill-serve consumers by slowing valuable medical devices rather than protect the public. He remains optimistic, though. “Obstacles can be opportunity,” Jerry says. For more, check out Jerry’s blog.
Meantime, if you are a medical device company, it might be time to hone your arguments for a healthy debate with the FDA. And don’t forget to bring a really warm coat.
NERC just rolled out its NERC Alert System (NAS), which gives NERC/ES-ISAC the ability to alert and notify NAS-registered entities of the bulk power system (BPS) of vulnerabilities, threats, and/or abnormal events/conditions that could impact the BPS. It is also designed to enable rapid creation and dissemination of Alerts and provides for quick acknowledgment and response from Alert recipients via a secure Web browser portal.
“It’s pretty good,” says Paul J. Fricke, CQMgr, CQA Quality Manager/Project Manager at AssurX, Inc. “It sets up a direct and rapid communication to registered entities on when to send alerts and to have the mechanism to do it effectively.”
When registered entities receive an alert, they’ll then log into a secure site to receive the full update details.
There are three levels of alerts, in rising levels of seriousness:
- Level 1 – Advisory – information only
- Level 2 – Recommendations to Industry – usually requires that a questionnaire be completed and submitted back to NERC
- Level 3 – Essential Action – these require information back from the registered entity; this is the highest, most serious level of alert
NERC also set up a fairly straightforward means of labeling how carefully to protect information contained in an alert:
- Green – Public
- Yellow – Private
- Red – Sensitive
- Black – Confidential
NERC also just released its report for 2009 which addresses a year of transition (changes at the top) and a broader kind of transition: It’s “one of focus as we enter our third full year as the entity responsible for developing and enforcing compliance with mandatory reliability standards,” says Gerry Cauley, NERC’s new President and CEO.
Cauley’s ambitious vision is “to broaden our focus from a compliance organization to a learning organization, one that fosters learning and facilitates growth, both within our organization and across the industry.”
Given all that NERC is trying to do – some well, some maybe not so well – we’ll keep you posted on how they deliver on some tough promises in 2010.
See also:
NERC Unveils Improved Standards Development Process
The Top 10 FERC Enforceable Standards in 2009

Michael Causey, Editor & Publisher, eDataIntegrityReport.com
Well, we told you 2010 was going to be a big year for the FDA.
While most of us were enjoying holiday treats or making new year’s resolutions, a leading FDA official said the agency was developing new guidelines designed to establish stricter standards for the data received from tests with human subjects used by medical device makers when they seek approval for a new or altered device.
Dr. Jeffrey Shuren, the acting director of the Center for Devices and Radiological Health, told The New York Times recently that the FDA most likely will soon urge device makers to take steps like using more sharply defined targets to measure the success of clinical trials. The agency may also urge producers to more closely follow patients enrolled in such trials to determine whether the targets are met, Shuren told The Times.
That sound you hear is the new drumbeat saying that the FDA hasn’t been tough enough on medical devices in the past, at least according to JAMA and an article published in the American Journal of Therapeutics which suggest the agency has to get stricter to better protect the public.
AdvaMed, the big medical device trade group, is taking a “wait and see” approach, at least publicly.
Or as Janet Trunzo, AdvaMed’s executive vice president, technology and regulatory affairs, told us recently, “FDA has not released any formal proposals or guidance regarding changes to the premarket approval (PMA) process. When the agency does so, we look forward to reviewing and commenting on them. In general, we support efforts to better clarify FDA submission requirements and to ensure patients have timely access to life-saving and life-enhancing medical technology.
Trunzo went on: “It is important to note that the FDA’s approval process for Class III devices is the agency’s most stringent. On average, the agency spends roughly 1,200 hours reviewing each application, and has the authority to demand additional data and to refer the application to an expert panel for review. To obtain FDA approval through the PMA process, a manufacturer must submit a detailed application that contains full reports of all investigations of the safety and effectiveness of the device; a full statement of the components, ingredients, properties, and principles of operation of the device; a full description of the methods used in the manufacture and processing of the device; information about performance standards of the device; samples of the device; specimens of the proposed labeling for the device; and any other relevant information.
“Clinical trial data is but one piece of the overall approval process for medical devices, as the FDA requires data to determine biocompatibility, mechanical strength testing, among others, which are not available through clinical trials. American patients have access to life-saving, life-enhancing technology because the FDA carefully balances the risks and benefits of each new device or advancement in a given technology.”
But Dan Walsh, a senior member of PA Consulting Group’s Life Sciences & Healthcare practice, says there will definitely be tougher standards, and some level of more stringent human clinical trial results. However, he believes there is room for straightforward 510(k) cleared products that make no substantial claims beyond equivalence to currently marketed products. Dan specializes in technology strategy and acquisition, medical device product development and improving the effectiveness of commercial launch of new medical technologies.
According to Walsh, another repercussion is that the 510(k) will be more narrowly applied, and there likely will be an extended use of ‘510(k) with clinicals’ submissions because these trials have not required the same statistical power or clinical depth (high in placebo or alternative therapy arms, etc.).
“If all products were required to obtain PMA approval with robust clinical trials, it would likely impede innovation and use of new technologies,” Walsh told us.
“Since the FDA has mandates for both protection of the public health and the oversight of launch of new therapies for unmet or underserved needs, an all or nothing approach is not feasible or practical,” he adds. “If all submissions required clinicals, one could add at least six months and many millions of dollars to the development time and cost for a medical device, all other things being equal.”
Kim Egan, a partner with DLA Piper in Washington, D.C., and an expert in this arena who sits on the advisory board of Life Sciences Law & Industry Report, a publication for lawyers, business executives, directors of research and regulatory specialists practicing in health care-related life sciences fields, gave us some interesting observations, too:
- This development is not overly surprising given the open letter to President Obama that FDA scientists sent last year alleging corruption in the medical device approval process. The division head stepped down last year as well. FDA is under strong Congressional pressure to reform.
- This report is based on a review of cardiovascular devices only — we can expect similar reviews of additional therapeutic areas over the coming months.
- Industry will want to take an active role in the comment period that will follow FDA’s issuance of draft guidance on new requirements.
- The impact on industry may be limited to products that require full PMA approval. Devices that rely on 510(k) approval need not submit clinical data, so providing the predicate device is unaffected by FDA’s review, the bulk of new devices on the market should not be affected by the new guidelines.
- The NY Times article contains an error regarding personal injury lawsuits. The reason personal injury lawsuits are limited is not because of the Riegel decision — that decision simply upheld existing law that provides federal preemption to medical device manufacturers, particularly on failure to warn claims. Because Congress has expressly preempted failure to warn claims for medical device manufacturers, such claims cannot proceed on state law theories. This is unlike the pharmaceutical area, where there is no Congressional preemption of state law.
It’s a fine line between regulations with teeth that protect the public without slowing valuable new medical devices. Just ask John Hanley, an attorney at Steptoe & Johnson in LA. He represents two medical device companies that have been significantly impacted by the highly conservative approach now being taken by the FDA.
“They have both decided to pursue clinical approval outside of the U.S. before continuing to attempt to navigate the very difficult road to approval here in the U.S.,” Hanley said of the two companies who wished to remain anonymous.
“In fact, it is disappointing to note that even where these companies have had multiple years of clinical data from activities outside the U.S., the FDA has not approved their pursuing expedited routes through the FDA approval process,” Hanley adds. “Unfortunately, the FDA’s recently adopted strict stances have resulted in the American public being denied the benefit of new medical technologies. Moreover, it is expected that the FDA’s conservatism will eventually lead to less investment in medical device companies domestically and thus, less medical device innovation in the U.S.”
Yes, 2010 is already shaping up to be an interesting year at the FDA.
Don’t touch that dial, we’ll keep you posted as this story moves ahead.









