Introduction

Computer-related problems associated with January 1, 2000 are an increasing source of discussion, and perhaps alarm, among government agencies, private industry, and the general public. Although predictions of Year 2000 (Y2K) problems range from a deep global depression to an event more reminiscent of a blizzard, ¹ the consensus is that some computers will malfunction, and problems -- whether they be catastrophic or merely inconvenient -- will occur. Certainly, the Y2K problem could have implications for medical devices that incorporate computer technology.²

FDA recognized the potential significance of the Y2K problem and has taken steps to ensure the safety and effectiveness of affected medical products. The agency has informed manufacturers that under current law each product must operate as intended regardless of the year change from 1999 to 2000.³ In addition, FDA created an online database about each product's compliance with FDA's Y2K standard.⁴

FDA's efforts to address the Y2K problem reflect its limited resources. FDA's efforts rely heavily on manufacturer cooperation, because manufacturers can better evaluate the Y2K threat to their products and because the threat to many products is minor. Moreover, under the agency's law and regulations, devices with Y2K problems will be violative. Thus, any device that malfunctions could be subject to an enforcement action after January 1, 2000 under FDA laws and regulations prohibiting the commercial distribution of adulterated and misbranded devices.

The question for FDA is whether to wait and see what malfunctions occur, rather than pursuing enforcement strategies against potentially noncompliant devices. The mere existence of the problem suggests that in the most extreme cases, FDA should consider taking action prior to device failure to avoid substantial harm to public health.

The Y2K Problem

The Y2K problem⁵ results from the work of early computer programmers to save limited computer memory by using two digits instead of four digits to represent each calendar year.⁶ As a result, when computers reach the year 2000, they will not know if the "00" represents 2000 or 1900. This confusion may cause computers to produce "corrupted data, suffer malfunction, or even shut down entirely." ⁷

The Y2K problem also implicates logic controllers. Logic controllers are semiconductor-based chips embedded into items like computerized medical devices or microwave ovens. Testing and repairing embedded chips for Y2K compliance is difficult because they are not easily located in a product.⁸ With difficulty comes costs, and it appears that many manufacturers are not willing to bear those costs now.

In medical devices, the Y2K problem may seriously affect computer technology in manufacturing or finished products. Some medical devices, such as pacemakers, infusion pumps, and ventilators, incorporate embedded chips that will not be affected by the Y2K problem.⁹ Other devices, such as X-rays and dialysis machines that use computer systems to convert, calculate, or analyze data essential to diagnosis and treatment, may be affected.¹⁰

FDA's Regulatory Approach to the Year 2000 Problem

FDA's efforts to address the potential Y2K problems with medical devices are focused on an online database about the compliance status of every device, and guidance to industry outlining the agency's regulatory posture.

FDA's Definition of Compliance and the On-Line Database

Deputy Secretary Kevin Thurm of the Department of Health and Human Services on January 21, 1998 wrote to device manufacturers, defining Y2K compliance as "the product accurately processes and stores date/time data (including but not limited to calculating, comparing, displaying, recording and sequencing operations involving date/time data) during, from, into and between the 20th and 21st centuries, and the years 1999 and 2000, including correct processing of leap year data." Thurm asked manufacturers of medical devices to review their products for potential Y2K problems in light of this definition. ¹¹

Thurm also announced the creation of a government-sponsored Web site for posting the compliance status of each product.¹² The online database reflects the conclusion that "only the manufacturer has the detailed knowledge of the design of specific devices that is required to effectively evaluate the potential for risk to patients"¹³ from the estimated 2,700 medical products that will be affected by Y2K.¹⁴

Subsequent to the January 21, 1998 letter, D. Bruce Burlington, Director of the Center for Devices and Radiological Health, urged device manufacturers to submit to FDA Y2K compliance information for their products to be posted on the Web site. Whether a device is in compliance or not, FDA wants manufacturers to provide information relevant to Y2K by certifying their products are Y2K compliant, or that the problem does not affect their products. ¹⁵

Burlington also requested that manufacturers provide a list of their products to FDA with sufficient information to identify the product and its Y2K compliance status.¹⁶ This will be used to update FDA's online compliance lists. In addition, FDA asked that affected manufacturers to specify their solution to Y2K; for example, a software upgrade, or none if a product will be obsolete.

Burlington requested again, on September 2, 1998, that manufacturers provide the relevant Y2K compliance information to FDA. If manufacturers were determining the extent of Y2K problem on their devices, they should provide FDA any available information as well as the target date for the completion of a full response.¹⁷ Despite Burlington's request that industry respond within two weeks of receiving the September 2, 1998 letter, many manufacturers have failed, and some have provided unclear responses.¹⁸

Not only are manufacturers unwilling to provide FDA with Y2K compliance information, but according to Sen. Christopher Dodd (D-CT) they are also unwilling to provide the information to hospitals and clinics that use their products.¹⁹ FDA has stated that unless manufacturers provide this information, neither the agency nor consumers will have the information necessary to respond to the Y2K problem.²⁰ Clearly, FDA is depending upon voluntary submissions to address the Y2K issue.

To address the concerns expressed by many industries about publicizing Y2K compliance information, the Year 2000 Information and Readiness Disclosure Act was recently signed. This provides that Y2K compliance information provided by manufacturers will be inadmissible as evidence of liability in lawsuits.²¹ The legislation specifically excludes any Y2K readiness disclosure from evidence in any civil action, unless the disclosure is used to serve as the basis for anticipatory breach, contract repudiation, or similar claims, or unless the Y2K disclosure "amounts to bad faith or fraud."²²

Essentially, the legislation recognizes liability concerns as an impediment to full disclosure, and is intended to "promote and encourage greater information sharing about both experiences and solutions."²³ Ideally, this will alert healthcare workers which products are reliable and which may be prone to Y2K malfunction. It is important to note, however, that the legislation does not affect liability for the failure of computer systems or computerized products occurring due to the Y2K problem, and therefore does not provide immunity from litigation derived from Y2K computer failures.²⁴

The legislation is an important development in the context of medical devices because it removes disincentives to sharing Y2K compliance information. By encouraging medical device manufacturers to participate in the online database, the legislation should help FDA collect information it deems necessary. To the extent manufacturers take advantage of legislation and submit information, they also may protect themselves from being identified by FDA as noncompliant companies.

FDA Guidance for Device Manufacturers

On May 15, 1998, FDA released a guidance document titled "Guidance on FDA's Expectations of Medical Devices Manufacturers Concerning the Year 2000 Date Problem."²⁵ FDA's position is that manufacturers have a continuing obligation under the quality system regulations to analyze their processes and operations in order to identify existing and potential causes of nonconforming products, including Y2K problems.²⁶ If a device manufacturer's analysis indicates that risks exist, it must report corrective action taken in accordance with the corrections and removals regulations.²⁷

FDA states that if manufacturers fail to take corrective action, the agency may exercise its authority pursuant to section 518 of the Food, Drug and Cosmetic Act (FD&C Act) "to require the manufacturer to undertake corrective action at no charge to the device purchasers or owners."²⁸ However, the threshold for section 518 remedies is extremely high. If the Y2K problem causes a device to fail, but the device defect does not meet the requirements of section 518, the agency states that "FDA has no mechanism to require correction of previously marketed devices."²⁹

To encourage manufacturer cooperation, FDA's guidance states that a manufacturer's action taken to correct a Y2K problem that is completed before January 1, 2000 will not be considered a recall under FDA's Voluntary Recall regulation. FDA states that it will not "classify such actions as recalls, provided the action addresses only correction of a date-related problem and is completed prior to any actual device failure."³⁰ Here, too, as with the quality system regulations, FDA is not treating Y2K defects as violations of the law until the defect compromises a device's function.

The agency's interest in encouraging voluntary fixes while not aggressively enforcing Y2K compliance also is reflected in its approach to premarketing approval (PMA) supplement and 510(k) requirements. FDA will not require manufacturers of Class III devices to submit PMA supplements for device modifications that are made to address the Y2K problem.³¹ Similarly, manufacturers need not submit a new 510(k) for changes made to fix a Y2K problem "provided that the changes do not affect safety and effectiveness."³²

Conclusion

Though FDA's efforts are notable, the possible confounding nature of Y2K on medical devices may demand more. FDA could increase its presence in this area. In certain situations, the agency should not rest on its database as an interim answer, while waiting for malfunctions to occur after January 1, 2000. FDA should create voluntary strategies that provide greater incentives for manufacturers to be more responsive. Also, FDA should identify those devices that present the greatest risks, and closely monitor their Y2K compliance status. At some point, an enforcement response by the agency may be necessary to avoid substantial harm to the public. If FDA's primary concern truly is Y2K problems that threaten health, then corrections of Y2K problems associated with devices must occur prior to becoming manifest.

Mark A. Heller, Esq.
[email protected]

Louise N. Howe, Esq.
[email protected]

David Suski, Esq.

Notes

1 Karen Brandon, Bunker Mentality Taking Hold in Fear of Y2K Glitch, Chi. Trib., Aug. 3, 1998.

2 Indeed, Senator Robert Bennett, Chairman of the Senate Special Committee on the Year 2000 Technology Problem, recently predicted the failure of some medical devices on January 1, 2000. Senator Robert Bennett, Remarks at the National Press Club, July 15, 1998.

3 Letter to Medical Device Manufacturers from Kevin Thurm, HHS, Jan. 21, 1998, enclosure.

4 The regularly updated database is located at http://www.fda.gov/cdrh/yr2000/y2kintro.html.

5 Closely related to the Y2K problem are two additional problems. Computers and software will recognize the dates September 9, 1999 and April 9, 1999 as a series of nines, which is an error code for certain computer operations and may cause computers to malfunction. Second, the calculation of February 29, 2000 is problematical. The year 2000 will be a leap year, yet many date calculating computer programs do not account for February 29, 2000. Therefore, computers may indicate that the correct date is not Tuesday, February 29, 2000, but rather Tuesday, March 1, 2000, or Thursday, March 1, 1900.

6 Letter to Pharmaceutical Manufacturers from Dr. Janet Woodcock, FDA, Oct. 14, 1998.

7 H.R. Rep. No. 105-827, at 2 (1998). Several organizations recently encountered Y2K problems indicative of the sort that may occur. At the Unum Life Insurance Company, 700 records regarding the licensing status of brokers were deleted when a computer program interpreted year 2000 expiration dates to be year 1900 expiration dates; at a Phillips Petroleum oil rig a system intended to detect leaks of deadly hydrogen sulfide gas failed to work during a Y2K test; and at the Chrysler Corporation, a Y2K test that set the clocks forward caused the security system to fail, thus locking all employees into the factory. Id.

8 Id. at 7-8.

9 Statement of Ramin Mojdeh, on behalf of the Health Industry Manufacturing Association, before the Senate Committee on the Year 2000 Technology problem, July 23, 1998, at 36.

10 Statement of Kenneth Kizer M.D., Dep't of Veterans Affairs, Before the Senate Special Committee on the Year 2000 Problem, 105th Cong., July 23, 1998, at 14 (noting that x-rays will be affected); Opening Statement of Senator Christopher Dodd, Senate Special Committee on the Year 2000 Problem, 105th Cong., July 23, 1998, at 5 (noting that dialysis machines will be affected).

11 Letter to Medical Device Manufacturers from Kevin Thurm, HHS, Jan. 21, 1998, at enclosure

12 Id.

13 Guidance on FDA's Expectations of Medical Device Manufacturers Concerning the Year 2000 Date Problem, 63 Fed. Reg. 34,433, 34,436 (1998).

14 Statement of Dr. Michael Friedman, Acting FDA Commissioner, before the Senate Special Committee on the Year 2000 Technology Problem, 105th Cong., July 23, 1998, at 19.

15 Letter to Medical Device Manufacturers from D. Bruce Burlington, FDA, June 29, 1998. The data submitted to FDA by manufacturers is available at .

16 Id. Information that FDA considers sufficient to identify a specific product requires listing: 1) the generic type of product, 2) the owner or operator number of the manufacturer, 3) the original manufacturer, 4) the model number, 5) the specific serial numbers where appropriate, 6) the software version number, 7) A brief description of the Y2K related problem, 8) the manufacturer's mitigating solutions (including what software updates, if any, will be provided), and 9) the name of the manufacturer's contact person. Id.

17 Letter to Medical Device Manufacturers from D. Bruce Burlington, FDA, Sept. 2, 1998.

18 144 Cong. Rec. S10,790.

19 Id.

20 As then acting Commissioner Dr. Michael Friedman stated, medical device manufacturers are the "only reliable source for [Y2K compliance] information." Statement of Dr. Michael Friedman, Acting FDA Commissioner, before the Senate Special Committee on the Year 2000 Technology Problem, 105th Cong., July 23, 1998, at 19.

21 Statement by President Clinton on Signing S. 2392, the Year 2000 Information and Readiness Disclosure Act, 34 Weekly Comp. Pres. Doc. 2078 (Oct. 19, 1998).

22 Year 2000 Information and Readiness Disclosure Act, Pub. L. No. 105-271 (1998) at § 4(a)(1)-(2).

23 Statement by President Clinton upon Signing into Law S. 2392, October 19, 1998.

24 Id.

25 63 Fed. Reg. at 34,435.

26 Id.; 21 C.F.R. § 820.100 (1998).

27 63 Fed. Reg. at 34,438; see also 21 C.F.R. Part 806.

28 Id. (citing FD&C Act § 518).

29 Id.

30 63 Fed. Reg. at 34,441; see also 21 C.F.R. Part 7 (containing the product recall regulations).

31 Letter to Medical Device Manufacturers from D. Bruce Burlington, June 25, 1997; see also 21 C.F.R. § 814.39(a) (containing the PMA supplement regulation).

32 Id.