Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Well, we told you 2010 was going to be a big year for the FDA.

While most of us were enjoying holiday treats or making new year’s resolutions, a leading FDA official said the agency was developing new guidelines designed to establish stricter standards for the data received from tests with human subjects used by medical device makers when they seek approval for a new or altered device.

Dr. Jeffrey Shuren, the acting director of the Center for Devices and Radiological Health, told The New York Times recently that the FDA most likely will soon urge device makers to take steps like using more sharply defined targets to measure the success of clinical trials. The agency may also urge producers to more closely follow patients enrolled in such trials to determine whether the targets are met, Shuren told The Times.

That sound you hear is the new drumbeat saying that the FDA hasn’t been tough enough on medical devices in the past, at least according to JAMA and an article published in the American Journal of Therapeutics which suggest the agency has to get stricter to better protect the public.

AdvaMed, the big medical device trade group, is taking a “wait and see” approach, at least publicly.

Or as Janet Trunzo, AdvaMed’s executive vice president, technology and regulatory affairs, told us recently, “FDA has not released any formal proposals or guidance regarding changes to the premarket approval (PMA) process.  When the agency does so, we look forward to reviewing and commenting on them.  In general, we support efforts to better clarify FDA submission requirements and to ensure patients have timely access to life-saving and life-enhancing medical technology.”

Trunzo went on: “It is important to note that the FDA’s approval process for Class III devices is the agency’s most stringent.  On average, the agency spends roughly 1,200 hours reviewing each application, and has the authority to demand additional data and to refer the application to an expert panel for review.  To obtain FDA approval through the PMA process, a manufacturer must submit a detailed application that contains full reports of all investigations of the safety and effectiveness of the device; a full statement of the components, ingredients, properties, and principles of operation of the device; a full description of the methods used in the manufacture and processing of the device; information about performance standards of the device; samples of the device; specimens of the proposed labeling for the device; and any other relevant information.

“Clinical trial data is but one piece of the overall approval process for medical devices, as the FDA requires data to determine biocompatibility, mechanical strength testing, among others, which are not available through clinical trials.  American patients have access to life-saving, life-enhancing technology because the FDA carefully balances the risks and benefits of each new device or advancement in a given technology.”

But Dan Walsh, a senior member of PA Consulting Group’s Life Sciences & Healthcare practice, says there will definitely be tougher standards, and some level of more stringent human clinical trial results.  However, he believes there is room for straightforward 510(k) cleared products that make no substantial claims beyond equivalence to currently marketed products.  Dan specializes in technology strategy and acquisition, medical device product development and improving the effectiveness of commercial launch of new medical technologies.

According to Walsh, another repercussion is that the 510(k) will be more narrowly applied, and there likely will be an extended use of ‘510(k) with clinicals’ submissions because these trials have not required the same statistical power or clinical depth (high in placebo or alternative therapy arms, etc.)

“If all products were required to obtain PMA approval with robust clinical trials, it would likely impede innovation and use of new technologies,” Walsh told us.

“Since the FDA has mandates for both protection of the public health and the oversight of launch of new therapies for unmet or underserved needs, an all or nothing approach is not feasible or practical,” he adds. “If all submissions required clinicals, one could add at least six months and many millions of dollars to the development time and cost for a medical device, all other things being equal.”

Kim Egan, a partner with DLA Piper in Washington, D.C. and an expert in this arena who sits on the advisory board of Life Sciences Law & Industry Report, a publication for lawyers, business executives, directors of research and regulatory specialists practicing in health care-related life sciences fields, gave us some interesting observations, too:

  • This development is not overly surprising given the open letter to President Obama that FDA scientists sent last year alleging corruption in the medical device approval process.  The division head stepped down year as well.  FDA is under strong Congressional pressure to reform.
  • This report is based on a review of cardiovascular devices only — we can expect similar reviews of additional therapeutic areas over the coming months.
  • Industry will want to take an active role in the comment period that will follow FDA’s issuance of draft guidance on new requirements.
  • The impact on industry may be limited to products that require full PMA approval.  Devices that rely on 510(k) approval need not submit clinical data, so providing the predicate device is unaffected by FDA’s review, the bulk of new devices on the market should not be affected by the new guidelines.
  • The NY Times article contains an error regarding personal injury lawsuits.  The reason personal injury lawsuits are limited is not because of the Riegel decision — that decision simply upheld existing law that provides federal preemption to medical device manufacturers, particularly on failure to warn claims.  Because Congress has expressly preempted failure to warn claims for medical device manufacturers, such claims cannot proceed on state law theories.  This is unlike the pharmaceutical area, where there is no Congressional preemption of state law.

It’s a fine line between regulations with teeth that protect the public without slowing valuable new medical devices. Just ask John Hanley, an attorney at Steptoe & Johnson in LA. He represents two medical device companies that have been significantly impacted by the highly conservative approach now being taken by the FDA.

“They have both decided to pursue clinical approval outside of the U.S. before continuing to attempt to navigate the very difficult road to approval here in the U.S.,” Hanley said of the two companies who wished to remain anonymous.

“In fact, it is disappointing to note that even where these companies have had multiple years of clinical data from activities outside the U.S., the FDA has not approved their pursuing expedited routes through the FDA approval process,” Hanley adds.  “Unfortunately, the FDA’s recently adopted strict stances have resulted in the American public being denied the benefit of new medical technologies.  Moreover, it is expected that the FDA’s conservatism will eventually lead to less investment in medical device companies domestically and thus, less medical device innovation in the U.S.”

Yes, 2010 is already shaping up to be an interesting year at the FDA.

Don’t touch that dial, we’ll keep you posted as this story moves ahead.


Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Is it just me, or does it seem like someone must have reminded the FDA that the first part of its name starts with the word “Food”? In the past several weeks we’ve seen a very public and very aggressive FDA take some big steps to assure consumers that their food is safe after a bad year or two out there in America’s food chain. Remember lettuce? Beef? Tomatoes? The list goes on and on and…

The latest FDA action is the launch of a Reportable Food Registry (RFR) which requires that facilities that manufacture, process or hold food for consumption in the US now must tell the FDA within 24 hours if they find a reasonable probability that an article of food will cause severe health problems or death to a person or an animal.

The FDA rolled it all out with a big press event Sept 8 – the same day that reporting this way becomes the law of the land, said Michael Taylor, Senior Advisor to the FDA Commissioner on food issues. It will “provide a reliable mechanism” for the FDA to track patterns in food problems and help it act more quickly to fix them. “It’s an important step,” Taylor said. “Our first priority is to prevent food safety problems.”

(It doesn’t include infant formula or dietary supplements; those have separate reporting requirements already on the books.)

This latest FDA move is all part of a wider effort, spearheaded by HHS and USDA, which also just unveiled a new consumer web site: www.foodsafety.gov. It’s designed to help consumers get the latest info on food safety and recalls.

The new site will feature information from all the agencies across the federal government that deal with critical food and food safety information, including preventive tips about how to handle food safely, alerts on life-saving food recalls, and the latest news from the key agencies.

Click here for a copy of “Food for Thought: The FDA Gets Serious on Electronic Records Management”.

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Well, they finally did it.

After more delays and internal intrigue than your typical Hollywood Blockbuster, the FDA today unveiled their proposed guidance for ultimately mandating electronic submission of mandatory adverse event reports.

It’s going to save time (paper submissions take up to two weeks to process at FDA HQ) and money for both industry and the agency.

But will device firms be ready?

A telling stat that came out of today’s press teleconference announcing the draft guidance: While about 80% of the nearly 500,000 submissions CDER gets already come in electronically, on the CDRH device side it’s only about 15%.

“We have some work to do” on the device side, David Buckles, Ph.D., director of the Division of Postmarket Surveillance at the FDA’s Center for Devices and Radiological Health (CDRH), observed mildly at today’s press conference.

Why are pharma firms so far ahead of device firms here? It’s odd because in many ways device firms are viewed as more tech savvy and more of the early adopter type. But the fact that pharma companies are generally much bigger, with much deeper pockets, probably explains some of why they have such a big electronic jump on their device brethren.

Device companies have also complained that the FDA hadn’t made its eMDR expectations clear. But that excuse won’t really hold now that the agency has issued a pretty straightforward guidance.

Industry has 90 days to comment on the draft guidance. After that, the agency will take a few months maximum to digest and perhaps take advice from those comments. Then they’ll issue a final rule that will mandate esubmissions for mandatory reporting (such as adverse events) a year from then.

So, mark your calendar for sometime around February 2011 for a mandate from the agency.

Will device firms be ready? There’s no excuse not to get with the program now.

Download the PDF version of the draft guidance here.

More information about AssurX’s eMDR solution here.


As we all know, on August 8, 2005, President Bush signed into law the Energy Policy Act of 2005, which authorized the creation of an electric reliability organization (ERO) with the statutory authority to enforce compliance with reliability standards among all market participants.  The electric industry has had to adjust to the change from a voluntary system of compliance to a mandatory system of reliability standards compliance.  In order to deal with this situation most organizations decided to use their favorite weapon – the spreadsheet. It was a great choice given there was a lot of information that needed to be organized in a very short period of time, including: standards, requirements, entities, measures, subject matter experts, applicable procedures, evidence of compliance and the list goes on.

However, once these spreadsheets were filled up with reams of data on dozens of interconnected worksheets, problems began to surface:

  • Complexity: Documenting the relationships of each applicable requirement to applicable procedure, compliance rationale for each of the registered entities within the organization quickly becomes a rat’s nest of intertwined data.
  • Maintenance: As new and revised standards are released, just managing changes to these spreadsheets becomes more than a full-time job.
  • Doesn’t Manage Tasks: Analysis of compliance to requirements usually requires assigning tasks, which implies management of assignees, due dates along with documenting the task and the outcome.
  • Silos of Information: Spreadsheets by their very nature are typically owned by one person and are located on that individual’s computer. After a while most companies learn that there is more than one spreadsheet. In fact several people in various parts of the organization are maintaining this information with overlapping data and most of the time without knowledge of each other.

This is when it makes sense to use a corporate-wide compliance management system that can deal with the complexity of the data, can be easily maintained with new and revised standards and manage task assignments, due dates (with automatic email reminders) and associated procedures and evidence.


The idea of software as a service is not new and in fact AssurX has offered its CATSWeb enterprise quality and compliance system in a hosted environment for over 10 years.  However, there has always been a certain resistance in business for utilizing this software model.  The reasons have varied from security issues to wanting to have control over the platforms to a perception that the data just needs to be in-house.  For several years, though, businesses have been looking to reduce their overall costs, including those involved with IT.  As a result SaaS has much more appeal as it can significantly help to reduce the overall cost of ownership.

One of the chief issues that has confounded IT, though, is system integration.  No system is the be-all and end-all.  ERP systems will generally handle most of the basic functions of a business; however, there are aspects like complaint management, auditing, CAPA, etc., that are not fully covered by these systems – hence the need for multiple applications and the need to integrate.

The next argument from many is that if our systems are all hosted we cannot integrate them.  That is not necessarily true.  Systems that have Web service capabilities are fully capable of being integrated regardless of their location.  This was recently proven by a very successful hosted NetSuite to CATSWeb integration.  The requirement was to allow customer service to enter their initial customer complaint as a Support Case in NetSuite (which the customer runs as a SaaS) and have a corresponding transaction triggered in CATSWeb (which is also running as SaaS) where the actual complaint processing occurs.  This was all accomplished by using a simple call from NetSuite to the CATSWeb web service.  CATSWeb creates the record and sends a success or error message back to NetSuite, which then either stores the newly created CATSWeb Record ID in the Support Case for reference purposes or sends an email to an individual in the case of an error message.  Additionally, because CATSWeb returns the Record ID created to NetSuite, any further changes to the NetSuite Support Case can be sent to CATSWeb, which will update the record accordingly.

So is system integration of SaaS applications possible?  Absolutely. And depending on the capabilities of the systems involved, it can be relatively easy to accomplish.  CATSWeb offers a fully functional Web services API, which will allow any external system to integrate with it.  The location of the external system does not matter.  The bottom line is that Software as a Service is a viable business model which can greatly reduce IT costs, and the fact that your applications are hosted at offsite locations is no reason why they cannot be effectively integrated.


In the IT world, there is ever that security pendulum that seems to move either toward ease of use or toward restrictive control.  Users typically tend towards the “ease of use” end of the spectrum because who wants to remember yet another password?  And who wants to install complicated VPN software or jump through extra authentication hoops? Conversely, IT folks (like me) tend to believe in restrictive control, in passwords as complicated as possible, extra authentication hoops and logging everything that happens over an established connection.

With the advent of SaaS (Software as a Service), security becomes all the more critical in terms of both the user of the service and the administrator of the environment providing that service.  The beautiful thing about SaaS offerings like CATSWeb is that they are completely web based through HTML.  This makes life much easier for all parties.  From the user side, CATSWeb requires no special VPN software, nothing downloaded to the client computer and no local certificate store to verify a user’s identity: only a web address and a password.  From the IT standpoint, all machines involved in providing CATSWeb SaaS are completely locked down to two ports of traffic; an IT dream come true.  Users will either be coming into a hosted CATSWeb environment via HTTP (port 80) or HTTPS (port 443). For securing a server to the world, only having to deal with two ports is about as simple a scenario as exists in the IT industry.

Because CATSWeb traffic is only on two ports, our servers are locked down completely, with those two ports being monitored constantly through the firewall, protected by live scanning anti-virus solutions and safeguarded by managed IDS (Intrusion Detection) systems.  Add to that the fact that all web traffic is logged from start to finish and you’ve got as bulletproof a server system as can be found.  And then we get to CATSWeb itself.
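A host-side check of the two-port lockdown described above, as an added example (not AssurX code or tooling): it parses `ss -tln` output and lists every non-loopback listener outside ports 80 and 443. The sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# The two ports the post names: HTTP (80) and HTTPS (443).
ALLOWED_PORTS = {80, 443}

# Constructed sample of `ss -tln` output; not taken from any real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     [::]:443             [::]:*
LISTEN  0       128     [::1]:6379           [::]:*
LISTEN  0       4096    *:8080               *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, bracketed IPv6 or '*') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only when the listener is bound to a loopback address."""
    if host == "*":
        return False  # wildcard bind: reachable on every interface
    try:
        # ss may append an interface name, e.g. 127.0.0.53%lo
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:
        return False  # unrecognised form: treat as exposed


def audit_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Return sorted (host, port) pairs listening outside the allowlist."""
    violations = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        try:
            host, port = split_endpoint(fields[3])
        except ValueError:
            continue  # local address column did not parse
        if is_loopback(host):
            continue  # not reachable from the network
        if port not in allowed:
            violations.add((host, port))
    return sorted(violations, key=lambda v: (v[1], v[0]))


if __name__ == "__main__":
    for host, port in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {host}:{port}")
```

This checks what the host itself is listening on; the firewall rule set still has to be reviewed separately, since it decides which of those listeners are reachable from outside.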

Within CATSWeb, AssurX has included additional security tools to ensure that your data is safe.  First, each customer company has their own unique, individual database not shared by anyone else. If a customer chooses to require SSL for accessing their CATSWeb database, this ensures that all traffic to and from that database is encrypted.  System access is automatically logged for easy review, including the IP address from where the traffic originated.

The rest we leave up to users.   I guess that’s where CATSWeb SaaS becomes a two-pendulum system. The “server security pendulum” we’ve chosen to swing as far toward restrictive control as possible.  The “user access pendulum” we leave to the users of CATSWeb.  An administrator in a CATSWeb system can set their own requirements for passwords for their users, establish their own session parameters such as session length and inactivity timeouts and much, much more.  This will allow any given SaaS CATSWeb system to have security anywhere along the user access pendulum, from easy to restrictive, based on what your requirements are.

