August 30, 2014

FERC Order to Impose Stricter Physical Security Standards on Electric Utilities

Trey Kirkpatrick, Vice President, Energy & Utilities Compliance, AssurX Inc.


On March 7th, FERC released a new order (Docket No. RD14-6-000) directing the North American Electric Reliability Corporation (NERC) to develop new reliability standards for the NERC registered entities, the owners and operators of the Bulk-Power System, to address the risks due to physical security threats and vulnerabilities.

“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry,” FERC Acting Chairman Cheryl LaFleur said. “Today’s order enhances the grid’s resilience by requiring physical security for the facilities most critical to the reliable operation of the Bulk-Power System. It will complement the ongoing efforts of FERC and facility owners and operators to ensure the physical security of the grid.”

In the Commission’s release the order directed the owners and operators of the Bulk-Power System to take at least three steps to protect physical security.

Gerry Cauley, NERC President and CEO, released a statement on NERC’s website:

“On Friday evening, March 7th, FERC issued a directive to NERC to develop reliability standards to address risks due to physical security threats and vulnerabilities. As you know, FERC Acting Chairman Cheryl LaFleur asked NERC to work with her staff to determine the need for a mandatory standard for physical security. I believe we identified a path forward that focuses on the most critical assets, incorporates risk assessment and further affirms foundational physical security efforts, while providing enough flexibility to avoid prescriptive, lock-step regulation. Any standard must be dynamic and adaptable to the constantly changing threat environment. As we review the order, I take seriously the comments made by all the Commissioners to ensure that a standard achieves the goals identified in a cost effective manner.”

As mentioned in a previous AssurX blog, NERC and Industry Move in the Right Direction for Greater Reliability, security vulnerabilities of the electric grid have been a focus for the regulators and registered entities since the attack by gunmen at a California (Metcalf) substation.

Commissioner John Norris, writing a separate opinion, wants Congress to act on protecting sensitive security information: “I believe that our success in developing a comprehensive approach to addressing physical vulnerabilities relies at least in part on Congress taking steps to ensure the confidentiality of sensitive security information regarding the physical vulnerabilities of our grid. Currently, industry remains concerned that confidential security information submitted to the Commission would be subject to disclosure through Freedom of Information Act requests. These concerns have understandably left industry reluctant to provide the Commission with its most sensitive security information related to potential physical threats or vulnerabilities to our power grid. A reliability standard will likely have limited impact if industry, NERC, and the Commission remain unable to safely and securely exchange such information. Thus, I urge Congress to act expeditiously by creating a clearly-defined exemption to the Freedom of Information Act to allow for such exchange of information without fear of disclosure.”


CDRH 2014 Strategic Priorities Promise Improved IDE, PMA Regulatory Climate


Tamar June, VP, Strategic Marketing, AssurX, Inc.

The Center for Devices and Radiological Health (CDRH) will focus on encouraging medical device innovation and speeding clinical trials in the coming years, according to its 2014-2015 Strategic Priorities report released Feb. 5.

To help encourage that innovation, CDRH says it’s going to work to improve the Investigational Device Exemption (IDE) process, especially the consistency and speed with which it handles applications. CDRH also pledges to find ways to encourage more early IDE studies — especially for those with medical devices aimed at the U.S. patient marketplace.

The report also says CDRH will try to find a better balance between premarket and postmarket data requirements.

CDRH sets measurable metric goals for improving IDE cycles:

  • By September 30, 2014, reduce the number of IDEs requiring more than two cycles to an appropriate full approval decision by 25 percent compared to FY 2013 performance.
  • By September 30, 2014, for disapproved IDEs, offer all sponsors a teleconference or in-person meeting to occur within 10 business days of the IDE decision.
  • By June 30, 2015, reduce the number of IDEs requiring more than two cycles to an appropriate full approval decision by 50 percent compared to FY 2013 performance.

Time to IDE Approval:

  • By September 30, 2014, reduce the overall median time to appropriate full IDE approval by 25 percent compared to FY 2013 performance.
  • By June 30, 2015, reduce the overall median time to full appropriate IDE approval to 30 days.
  • In FY 2013 (as of 12/11/2013), 45% of IDEs received a full approval decision within 2 cycles and median time to full IDE approval was 174 days.

By June 30, 2015, the report says CDRH intends to increase the number of early feasibility/first-in-human IDE studies submitted to each premarket division compared to FY 2013 performance. CDRH promises several action steps here, including:

  • Establish in the Office of Device Evaluation a premarket clinical trials program responsible for the oversight and performance of the IDE Program and the development and implementation of policies that contribute to the timely initiation and successful execution of medical device clinical trials.
  • Formalize the incorporation of our benefit-risk framework, including patient-specific factors such as tolerance for risk and perspective on benefit, into the IDE process.
  • Establish a process to efficiently and objectively resolve application-specific IDE issues to reduce the number of multi-cycle IDEs.
  • Develop a clinical trials education and training program for CDRH review staff, managers, and industry.
  • Develop real-time metrics to track CDRH and industry IDE and clinical trial performance.

Turning to premarket and postmarket data requirements, the CDRH call to arms lays down more goals:

  • By December 31, 2014, review 50 percent of device types subject to a PMA that have been on the market to determine whether or not to shift some premarket data requirements to the postmarket setting or to pursue down classification, and communicate those decisions to the public.
  • By June 30, 2015, review 75 percent of device types subject to a PMA that have been on the market to determine whether or not to shift some premarket data requirements to the postmarket setting or to pursue down classification, and communicate those decisions to the public.
  • By December 31, 2015, review 100 percent of device types subject to a PMA that have been on the market to determine whether or not to shift some premarket data requirements to the postmarket setting or to pursue down classification, and communicate those decisions to the public.

CDRH plans several specific actions to help attain those targets, including:

  • Develop and seek public comment on a framework for when it is appropriate to shift premarket data collection to the postmarket setting.
  • Conduct a retrospective review of all PMA device types to determine whether or not to shift some premarket data requirements to the postmarket setting or to down classify device types in light of our current understanding of the technology.
  • Implement a mechanism to prospectively assure the appropriate balance of premarket and postmarket data requirements for new devices subject to a PMA.
  • Using existing authorities, develop and seek public comment on a new pathway to market for devices subject to a PMA that address an unmet public health need by shifting appropriate premarket data needs to the postmarket setting and incorporating features of the Innovation Pathway pilots.

The medical device industry no doubt applauds the majority of these goals. Now it’s time for CDRH to roll up its sleeves and get them done.

 

 


Medical Device Makers Urged to Play Nicer by Sharing Data

Michael Causey, Editor & Publisher, eDataIntegrityReport.com


You shouldn’t need Barney the giant purple dinosaur to remind you of the playground mantra “sharing is caring,” but maybe the medical device industry needs to do some quick Netflix streaming of back episodes.

The Institute of Medicine (IOM), already working with more than a dozen drugmakers, the FDA and the National Institutes of Health (NIH), wants to see a little more enthusiasm from the medical device community when it comes to data sharing in device clinical trials. To be fair, this requires some delicate balance: Everyone wants to advance the public health, but it’s not fair to expect a drug or device company to just give away all of its hard-earned, costly proprietary data, either.

IOM understands that, it appears. Yet the medical device industry won’t be doing itself any favors by trying to ignore this issue. Besides the bad PR hit the industry could take, what happens if the FDA decides to just swoop in and impose something on industry? The drug folks have had their input; the medical device industry would be well advised to speak up, too.

Industry and anyone else with interest in the issue has a few ways to get involved. Comments on IOM’s proposed framework for getting this right can be sent here until March 24.

For those in the area or looking for a nice trip, there are also two open workshops in Washington D.C. on Feb. 3-4 and May 5.

Seems like the medical device industry has a clear choice here. Speak up now, or don’t complain later.

Reminds me of another useful slogan: Silence is consent.

IOM’s proposed framework can be found here.

Info on the public workshops is here.

 

 


Analysis: No Need For State of the Union Analysis

Michael Causey, Editor & Publisher, eDataIntegrityReport.com


Those of us in and around Washington D.C. like to tell folks leading up to a president’s State of the Union (SOTU) address that the speeches rarely matter and are generally forgotten while the teleprompter’s still warm.

Then we analyze them to death for a few days. I don’t mean to sound cynical, but it does tend to help cable TV ratings and maybe even sell a few of those funny flat things called newspapers.

First, a little perspective might be in order. The good folks at the History Channel remind us that most SOTUs are remembered for reasons less to do with policy and more to do with current events. They point out that Harry Truman’s SOTU was kind of a big deal because…it was the first ever televised. Bill Clinton’s second was also a big deal…because everyone wanted to hear if he’d resign because of Monica Lewinsky and her blue dress.

Presidents Reagan and Bush II delivered memorable SOTUs, among others, but in both cases they came after significant events — the Reagan assassination attempt, and 9/11, respectively — and they will probably be remembered more for emotional and not policy reasons.

Still, if CNN, MSNBC, FOX and everyone else can breathlessly analyze them seconds after they’re delivered, why not do it here from a medical device perspective?

It might be interesting to start with something President Obama didn’t talk about in his 2014 address: The Medical Device Excise Tax. It’s still out there, and its prospects of becoming the law of the land have ebbed and flowed over the past year, but the President chose not to bring that one up.

To be sure, the President did devote a lot of the SOTU to domestic issues including healthcare. However, that focus was mostly on the Affordable Health Care Act. That one’s not going away anytime soon, and we’re not going anywhere near that here today.

Now back to the SOTU and the medical device community.

Smart communications professionals who work for trade associations and private companies listen closely to the SOTU for anything, anything they can connect their industry to in order to get media coverage. This time, when President Obama spoke about the general need for innovation in this country, some saw the opportunity.

“The President is absolutely correct that investments in innovation will help the United States remain the global economic leader in the 21st century,” Medical Device Manufacturers Association (MDMA) President and CEO Mark Leahey said after the SOTU. “While there will be numerous debates on how we can improve our economy, there is widespread agreement that high tech job creation and reducing the cost of health care play a central role. Medical technology innovators have a proud tradition of meeting these important goals, but we cannot take for granted that this will always be the case.”

Meanwhile, the folks at the Advanced Medical Technology Association (AdvaMed) took a similar approach — but added a whack against the Medical Device Excise Tax in their response to the SOTU.

Its President, Stephen J. Ubl, commended the other President, “AdvaMed applauds the President’s support for the growth of high technology manufacturing jobs and the importance of innovation to economic growth in [Obama's] State of the Union.

“In support of that goal, we urge Congress to act promptly to repeal the medical device excise tax. America’s medical technology companies are leading the world in the development of innovative, life-saving, life-enhancing medical progress – but that lead is eroding. Repealing the medical device tax would support the bipartisan goal of helping companies large and small reinvest in R&D, hiring or expanding.”

President Obama didn’t mention medical devices specifically anywhere in the speech, but what the heck. SOTUs rarely mean as much as we in the media like to tell you, remember?


Medical Device Industry Identifies Some Problems with Agency’s UDI Initiative

Michael Causey, Editor & Publisher, eDataIntegrityReport.com


Let’s start with what most everyone agrees on: The Unique Device Identification (UDI) program is a swell idea.

It gets a little trickier after that.

In extensive comments, the Advanced Medical Technology Association (AdvaMed), Boston Scientific, and Merck, among more than a dozen others, generally voice support for the UDI concept, while finding lots and lots to say about where the FDA’s September Draft Guidance could use improvement.

Noting that implementing UDI will be a “costly proposition,” AdvaMed stresses that the length and complexity of the implementation plan demands a “living document” approach that will allow industry and the FDA to update and improve the guidance as both sides learn more during set-up. AdvaMed follows with 61 specific comments, with suggested changes.

Covidien, manufacturer of medical devices and medical supplies, echoes AdvaMed’s comments, and tosses another 22 into the mix, including a request that the guidance remain open for feedback and comment until the September 24, 2014 implementation deadline.

Merck, among other commenters, requested clarification and summarization regarding the scope of products for which data must be submitted to the Global Unique Identification Database (GUDID). Merck also asked FDA to add information regarding deadlines for submitting data to GUDID.

Boston Scientific, noting that its medical devices already bear unique identification via HIBCC or GS1 standards, calls FDA out for what it labels “inconsistencies” with the FDA UDI Rule.

To pick one of their examples, and joining several other commenters in making this point, Boston Scientific claims the data elements column “Required?” is unclear because it fails to clarify if it is required to follow the rule based on regulatory requirements or validation requirements. “The meaning of ‘required’ should be clarified so that BOTH regulatory and system validation requirements are clearly identified in this guidance.”

FDA’s got its work cut out for it here, particularly with the recent departure of its UDI guru, Jay Crowley, for the greener fields of consultantdom.

We can offer some small consolation though: Crowley leads a webinar on UDI implementation from his new professional perch. Information is here:

 

Final UDI rule as published in Federal Register

FDA’s UDI page

Previous AssurX blog on UDI

The entire comment letter line-up is available here

 

 


Interpreting the FDA View of Medical Device Design Controls

Dennis Payton, Vice President of Product Marketing and Development, Expandable Software, Inc.


Some of the shortest descriptions in the FDA CFR 21 Part 820 Quality System regulation are found in Sec. 820.30 and Sec. 820.40, totaling about a page of written language around Design Controls and Document Controls. However short, these two sections can be the most complex aspects of Medical Device controls when actually complying with the regulation. Fortunately, the FDA does give a bit more background to help a new medical device company understand these two key elements (see Medical Device Quality Systems Manual, A Small Entity Compliance Guide), but given the detailed complexities, even those few pages of guidance (covered in section 9 Document and Change Control) fall short of the coverage needed to understand the impact on a company’s Medical Device Quality System. The good news is that there are some very good tools that can help mitigate these complexities and streamline controls. The bad news is that it still takes a very strong, detailed and sustained effort to ensure these complex controls are in place for continued success and compliance with regulation.

With a wide variety of Medical Device suppliers there comes a wide variety of processes, procedures and controls that are developed specific to a business and to the Medical Device(s) being produced. It is important to understand how the FDA tries to normalize a specific business to the regulation when auditing that business for Design Control compliance. Having a bit of understanding of their view will help make for a much smoother comparison and analogy, and a much cleaner and more successful audit of a company’s design processes.

A simplistic model can be derived from the 820.30 regulation that the FDA may use to assure design coverage and compliance of a device design and/or manufacture to the regulation. The design and development model can be graphically depicted and loosely linked to the regulation as follows:

[Figure: FDA Design and Development Planning Model]

Diagramming the design flow helps show a more detailed picture of the flow and of the validation and verification of a product against its intended use model. It is specifically important to the FDA that each and every stage of the process is well reviewed and documented.

Again, like the FDA regulation on Design Controls, this is a very short summary of complex processes, document definitions, controls and general management and approvals, about which volumes of books have been written. The objective should be to have a very good understanding of how the FDA or other regulatory entity views the medical device controls, such that a business can demonstrate how its particular controls map into the regulatory model. A business’ design and development model should map logically to the regulatory normalized baseline model(s); doing so will result in smoother audits with a higher degree of success and hopefully (something the regulatory folks don’t really care about but as a business we all do) lower expense and time in managing through the audit process.

A fuller descriptive paper outlines some key points in the development of a Medtech-specific design control with a product development process and how to maximize the use of enterprise level business tools that accelerate process, streamline audits and make for a much smoother compliance. The brief outline here is a key element to a more streamlined and smoother compliance with regulation keeping in mind not just the business drivers but also the FDA’s “normalized view” of design controls.

Get the full detailed White Paper here

About the Author

Dennis Payton is Vice President of Product Marketing and Development with Expandable Software Inc. He has 24 years of engineering, product management and executive management experience. He holds a BS in electrical engineering from California Polytechnic State University, San Luis Obispo, and post studies at Stanford University, University of California, Santa Cruz, and UC Berkeley Haas School of Business.

 

Copyright UBM Canon. Used by permission.

 

 


FDA’s 2014 Promises Increased International Operations, Label Enforcement

Michael Causey, Editor & Publisher, eDataIntegrityReport.com


Given the fact that the FDA probably doesn’t know what it plans to do in 2014, predicting their actions is challenging, to put it mildly.

With that slightly weasel-like caveat, it’s worth noting three events in 2013 that will almost certainly impact 2014:

1) CDRH’s Office of Compliance Reorganization: With the addition of a Division of International Compliance Operations, watch for the FDA to shift focus and some budget funds to increased inspection and audits of foreign device manufacturers, and increased crackdowns on promotional claims (see below). Steve Silverman, Office of Compliance Director, is making the public relations rounds of late with events at trade shows and the like. He’s stressing that the new “look” OC will better harmonize and broaden enforcement efforts. We’ll keep an eye on this and report back.

2) Device Off-Label Enforcement: If the old expression “the past is prologue” holds true, device makers would be well advised to take a good hard look at any public claims they, or a surrogate such as a doctor at a trade show, make about the wonderful things its gizmo can or will do for patients. Between May 1, 2012 and April 30, 2013, CDRH averaged two letters per month hitting device makers for making claims outside their 510(k) clearance and making claims requiring additional data they didn’t provide, among other issues. Early anecdotal evidence suggests this trend of more focus and more warning letters will continue to climb in 2014. Again, we’ll keep an eye out.

3) UDI Finally: FDA issued the long-awaited Unique Device Identification (UDI) Final Rule in September. Its driving force, 27-year FDA veteran Jay Crowley, has since left the agency for a consulting gig. It remains to be seen what impact, if any, his departure will have on an issue that’s vexed industry and the agency for many moons. I can’t think Crowley leaving is any kind of net plus in terms of helping to fine-tune the rule. Time will tell. Then we’ll tell you.

I didn’t even factor in the possibility of more budget shenanigans in Washington, D.C. I’m a naive romantic, and I’m not going to go there until I have to.

Happy new year!

 


FDA VCIP Program: Too Much Stick, Not Enough Carrot?

Michael Causey, Editor & Publisher, eDataIntegrityReport.com


It’s a growing trend in these United States: paying extra for convenience such as bypassing the riffraff in airport security lines, or whizzing past mere mortal motorists on pristine for-pay express lanes.

Where I live in the Washington, D.C. area, the new express road program in Northern Virginia’s clotted traffic arteries appears to be a hit. For a buck or two, you get out of the more crowded free lanes. And you are allowed to go 65 miles an hour, while the peasants are held to 55 mph!

On the other hand, the express lane program at Reagan National Airport doesn’t appear to be generating much traffic.

If the FDA’s new VCIP (Voluntary Compliance Improvement Program) is trying to ride the “pay for convenience” bandwagon, early anecdotal evidence suggests they’re resembling airports more than highways. We’re hearing many in industry say the VCIP program doesn’t offer enough of an incentive to take on the extra work.

Undaunted, FDA released earlier this week a document that reads like a nice bureaucrat gently trying to convince industry to give the program a try.

The joint pilot project housed in the Center for Devices and Radiological Health (CDRH) and Office of Regulatory Affairs (ORA) “differs from the FDA’s traditional oversight model by allowing firms to voluntarily self identify and correct possible regulatory violations instead of undergoing FDA inspection.”

Regulated entities have to apply to participate, but those with violations that raise “imminent” public health concerns needn’t bother.

Here’s the FDA’s big carrot: “The FDA supports using new approaches to help companies come into compliance. These approaches benefit industry and may decrease the number of inspections that the FDA performs or permit the agency to focus on manufacturers with serious and ongoing problems.”

Hmm. I guess I’m not super surprised that initial industry enthusiasm appears weak. To my knowledge, FDA has not released any statistics about participation. I’m basing my very early days’ assessment on discussions with medical device firms and consultants at recent trade shows and the like. I could be wrong, and VCIP might turn out to be a big hit.

If you want to get picked, know that FDA will identify manufacturers eligible to participate in VCIP through its 2014 inspection work plan and offer them an opportunity to apply rather. For the pilot, the FDA will choose three to five applicants. Of course, their feedback, whether official or in trade show hallway conversations, will tell us a lot about the merits of VCIP.

While it promises some benefits down the road, initial participation in VCIP sounds like it will just add another layer to a device manufacturer’s compliance program. VCIP participants will be required to retain an outside expert consultant to assess their manufacturing and quality assurance systems and to monitor and certify that they are following program requirements. Firms must also demonstrate the ability to define problems, analyze root causes, create appropriate corrective actions, and verify that the actions taken were effective.

If a firm does not meet its commitments under the VCIP, or if the FDA and the firm disagree about any of the results, then the firm may be removed from the program and undergo FDA inspection, which could lead to regulatory action. If a manufacturer ends its participation in the VCIP, it would be subject to FDA inspection and any resulting regulatory action.

FDA gets to the potentially big benefits toward the end of the new VCIP document. If you are selected and pass the tests, your firm “will not be subject to routine surveillance inspection while program participation is underway.” The exemption will be good for two years after a manufacturer successfully completes the program. FDA says it will also expedite review of export certificate requests and prioritize device and pre-amendment determination requests from program participants.

Clearly it’s too early to judge whether VCIP will be a success. And FDA is to be applauded, I think, for trying something a bit new.

Still, here’s hoping VCIP becomes the equivalent of sailing down the relatively empty highway at 65 mph, while others are slogging through heavy traffic at lower speeds.

 


The Much-Anticipated CIP Version 5 Final Rule Released by FERC

Trey Kirkpatrick

Vice President, Energy & Utilities Compliance, AssurX Inc.

At the FERC Commission meeting on November 21, 2013, the Commission approved the CIP version 5 Standards that address the cyber security of the bulk electric system. As stated in the FERC final rule, these standards are an improvement over the current effective CIP version 3 Standards. CIP version 5 requires the industry to adopt new controls and expands the scope of systems that are protected by the CIP standards. The Commission also approved definitions associated with the CIP Standards and directed NERC to make modifications to CIP version 5 and submit informational filings back to FERC.

One of the key decisions, as requested by the ERO, was the Commission’s approval to allow registered entities to transition from currently-effective CIP version 3 Standards to compliance with CIP version 5 Standards. The CIP version 4 approved Standards will not become effective. CIP version 3 will remain in effect until the effective date of CIP version 5. The Commission also approved the implementation plan and effective dates proposed by NERC.

Some of the key highlights from the FERC Order:

  • The CIP version 5 Standards identify and categorize BES Cyber Systems using a new methodology based on whether a BES Cyber System has a Low, Medium, or High Impact on the reliable operation of the bulk electric system. At a minimum, a BES Cyber System must be categorized as a Low Impact asset. Once a BES Cyber System is categorized, a responsible entity must comply with the associated requirements of the CIP version 5 Standards that apply to the impact category.
  • The CIP version 5 Standards also include 12 requirements with new cyber security controls, which address Electronic Security Perimeters (CIP-005-5), Systems Security Management (CIP-007-5), Incident Reporting and Response Planning (CIP-008-5), Recovery Plans for BES Cyber Systems (CIP-009-5), and Configuration Change Management and Vulnerability Assessments (CIP-010-1).
  • The Commission directs NERC to remove language found in 17 requirements in the CIP version 5 Standards that requires responsible entities to implement the requirements in a manner to “identify, assess, and correct” deficiencies.   We support NERC’s move away from a “zero tolerance” approach to compliance, the development of strong internal controls by responsible entities, and NERC’s development of standards that focus on the activities that have the greatest impact on Bulk-Power System reliability. However, the Commission is concerned that the proposed language is overly-vague, lacking basic definition and guidance that is needed, for example, to distinguish a successful internal control program from one that is inadequate.

Note the Commission’s response to the “identify, assess, and correct” language:

“We would prefer approaches that would not involve the placement of compliance language within the text of the Reliability Standards to address these issues. We understand that NERC has inserted the “identify, assess, and correct” language into the CIP Reliability Standard requirements to move its compliance processes towards a more risk-based model. With this objective in mind, we believe that a more appropriate balance might be struck to address the underlying concerns by developing compliance and enforcement processes that would grant NERC and the Regional Entities the ability to decline to pursue low risk violations of the Reliability Standards. Striking this balance could be accomplished through a modification to the Compliance Monitoring and Enforcement Program. We believe that such an approach would: (1) empower NERC and the Regional Entities to implement risk-based compliance monitoring techniques that avoid zero defect enforcement when appropriate; (2) allow the Commission to retain oversight over the enforcement of Reliability Standards; and (3) ensure that all Reliability Standards are drafted to be sufficiently clear and enforceable.”

  • The Commission directs NERC to develop modifications that address security controls for Low Impact assets. The adoption of the Low Impact BES Cyber Asset category will expand the protections offered by the CIP version 5 Standards to additional assets that could cause cyber security risks to the bulk electric system. Specifically, categorizing BES Cyber Systems based on their Low, Medium, or High Impact on the reliable operation of the bulk electric system, with all BES Cyber Systems being categorized as at least Low Impact, offers more comprehensive protection of the bulk electric system. However, the CIP version 5 Standards do not require specific controls for Low Impact assets nor do they contain objective criteria from which to judge the sufficiency of the controls ultimately adopted by responsible entities for Low Impact assets. The Commission directs that NERC develop modifications to the CIP version 5 Standards to address this concern. While NERC may address this concern by developing specific controls for Low Impact facilities, it has the flexibility to address it through other means, including those discussed below.
  • The Commission directs NERC to submit an informational filing one year from the effective date of this Final Rule that assesses, based on the survey results, whether the BES Cyber Asset definition will, with the 15-minute parameter, cover the assets that are necessary to ensure the reliable operation of the Bulk-Power System.
  • The Commission directs NERC to create a definition of communication networks and to develop new or modified Reliability Standards that address the protection of communication networks. The Commission also directs its staff to include the issue of protecting the nonprogrammable components of communications networks in the staff-led technical conference discussed herein.

For more information: 

NERC CIP Version 5 Implementation Plan

Version 5 Critical Infrastructure Protection Reliability Standards, Docket No. RM13-5-000

Commissioner LaFleur’s comments

Trey Kirkpatrick is Vice President of Energy and Utilities for AssurX, Inc., a leading provider of energy and utility enterprise compliance management solutions.

 

 


FDA Draft Medical Device Development Tools Guidance is Here to Help

Michael Causey, Editor & Publisher, eDataIntegrityReport.com


A new FDA draft guidance just issued by the Center for Devices and Diagnostic Health (CDRH), outlining a voluntary process for qualification of medical device development tools (MDDT), is designed to facilitate the development and “timely evaluation of innovative” medical devices, the Center says.

An MDDT is a scientifically validated tool — such as a clinical outcome assessment or a test to detect or measure a biomarker — designed to aid device development and regulatory evaluation.

The guidance, issued November 14, 2013, describes the framework and process of voluntary CDRH qualification of MDDT.

It also includes a helpful definition of key concepts that provide something of a window into FDA’s viewpoint and regulatory expectations. Here are two important examples of how FDA views the world:

  • Qualification: A conclusion that within a specified context of use (FDA’s italics), CDRH expects that the results of an assessment that uses MDDT can be relied upon to support device development and regulatory-decision making.
  • Context of Use: Use defined in part by the device or product area for which the MDDT is qualified, the stage of device development, and the specific role of the MDDT.

CDRH is developing a qualification process because it provides a mechanism for leveraging advances in regulatory science, encouraging MDDT development and adoption, and “facilitating faster, more efficient device development and regulatory evaluation,” the draft guidance states.

However, the guidance intentionally stays away from any specific evidentiary or performance expectations the agency would have for qualifying a specific MDDT.

FDA is accepting comments and suggestions for revising the guidance until early February 2014. Electronic comments should be sent to http://www.regulations.gov.

 
