Twitter Google +1 Facebook LinkedIn Share this page RSS


Drug / Device Law Blog Legal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

Is It Necessary for an Expert Opinion to Take Into Account Obvious Alternative Explanations for an Injury? Eighth Circuit Weighs In.

August 7, 2017 | Leigh Ann Massey

In Redd v. DePuy Orthopaedics, Inc., the Eighth Circuit Court of Appeals has reminded litigators of the importance of ensuring expert witnesses perform a thorough review of a matter, including apparent alternative causal explanations, prior to issuing their opinions.

 In 2008, plaintiff Redd underwent a total hip replacement, receiving an implant supplied by hip manufacturer DePuy Orthopaedics, Inc.  At the time of her surgery, Redd suffered from a number of risk factors that placed her at a higher risk for failure of the implant as she took immunosuppressant drugs and was considered morbidly obese.  Four years after her initial surgery, the implanted hip stem fractured.  During the revision surgery to replace the hip stem, the doctors determined that the stem had not properly grown into the bone at the top of Redd’s hip, which was a known possibility given her risk factors.  Two years after her revision, Redd again experienced a hip stem fracture.  Plaintiff brought a federal diversity action against DePuy Orthopaedics, alleging negligence and strict liability claims based on product defect and failure to warn.  DePuy moved for summary judgment and for exclusion of plaintiff’s expert testimony under Federal Rule of Evidence 702 and the analysis set forth in Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993).

Plaintiff retained a professor of metallurgy and materials science, Dr. Shankar Sastry, to testify as to the cause of the fracture.  In preparing his expert report, Dr. Sastry failed to review records related to the manufacturing process of the hip implant and disregarded consideration of biomechanical factors that could have resulted in failure of the prosthesis.  Dr. Sastry concluded that it was the physical state of the implant’s metal that caused the fracture.  He further concluded that any individual environmental or biomechanical factors would have been a secondary cause of the fracture. 

In granting DePuy’s motion to exclude Dr. Sastry’s testimony, the US District Court for the Eastern District of Missouri concluded that Dr. Sastry lacked a scientific or factual basis to conclude that there was a manufacturing defect or to opine on causation, and that he failed to consider the necessary issues of the forces that were exerted on the implant as it was placed in Redd’s hip.  Following exclusion of Dr. Sastry’s testimony, Redd lacked expert testimony on defect or causation and DePuy’s motion for summary judgment was granted.

On appeal, the Eighth Circuit reviewed the district court’s exclusion of Dr. Sastry’s testimony, the propriety of which is governed by Rule 702 and the Daubert standard.  Plaintiff argued that the district court erred by requiring Dr. Sastry to exclude other potential causes of the fracture.  The Eighth Circuit concluded that, while an expert is not required to rule out all possible causes of an injury, he or she nonetheless should adequately account for obvious alternative explanations.  Dr. Sastry did not consider the obvious alternative explanation for the fracture—failure of the hip stem to grow into the patient’s upper hip bone and subsequent failure to properly distribute her weight—which was a known possibility at the time of Redd’s surgery given her risk factors.  Because Dr. Sastry failed to consider the individual biomechanical forces placed on the prosthesis in issuing his report, the district court’s decision to exclude the causation testimony was affirmed.

The opinion may be found here.

For more on Missouri’s recent adoption of the expert witness standard set forth in Federal Rules of Evidence 702 and Daubert, see The Daubert Standard – Coming Soon to a Missouri Court Near You.

FDA – Postmarket Management of Cybersecurity in Medical Devices

June 5, 2017 | Suzanne Billam

It seems almost impossible in today’s world to escape our dependence on technology. From the minute we wake-up in the morning, we access news reports on our tablets, keep track of our health with fitness trackers, receive and respond to e-mails on our mobile phones, and many of us rely upon interconnected medical devices, such as insulin pumps, to safely navigate through a typical day.  But such convenience is not without risk. 

Medical devices, like all interconnected technology, can be vulnerable to security breaches, which “may compromise the essential clinical performance of a device” and potentially impact patient safety.  The Food and Drug Administration (“FDA”) thoroughly understands this benefit v. risk balance, and has issued a number of recommendations that address comprehensive cybersecurity over the lifecycle of medical device products.  Most recently, on December 27, 2016, the FDA issued its final Guidance on Postmarket Management of Cybersecurity in Medical Devices.  The recommendations apply to medical devices that use software, including programmable logic and software that is regulated as a medical device, including mobile medical apps.  You can link to the full text of the Guidance here.  This final Guidance closely resembles a draft of the document, issued for comment almost a year prior.  For more details on our take of the draft Guidance, see our prior series “FDA Issues Draft Guidance Document for Postmarket Management of Cybersecurity in Medical Devices” posted in four parts here, here, here, and here.  This Postmarket Guidance also follows the FDA’s Guidance on medical device premarket cybersecurity, issued in October 2014, discussed in more detail here.

The final Guidance outlines steps that medical device manufacturers and health care systems should take to monitor, identify, understand and address cybersecurity risks once medical devices and mobile medical devices have entered the marketplace.  Yet, don’t allow the “guidance” nature of the document fool you into believing its recommendations are optional, as the FDA takes the position that manufacturers are required to ensure the safety and efficacy of their medical devices, and should they choose not to follow this guidance, the device vendor must have in place another similar cybersecurity strategy in order to avoid regulatory scrutiny.

From this Guidance emerges two predominant concepts: 1) the Guidance, like its predecessor draft and the 2014 Premarket Guidance, follows a risk-based approach, i.e., guiding manufacturers to identify, assess, and mitigate risks that emerge after the device has been introduced to market; and 2) medical device cybersecurity and cybersecurity risk management must be proactively addressed throughout the entire lifestyle of a product, and is a shared responsibility among stakeholders including health care facilities, patients, providers, and manufacturers of medical devices.”[1]  In other words, cybersecurity controls should be incorporated into the design, development and manufacture of a device.  But after marketing and during patient use, the device should be continuously monitored, and cybersecurity concerns addressed.

As Suzanne B. Schwartz, the FDA’s associate director for science and strategic partnerships, stated in a blog post concurrent with the issuance of the Guidance itself, “[w]ith this guidance, we now have an outline of steps the FDA recommends manufacturers take to remain vigilant and continually address the cybersecurity risks of marketed medical devices.”[2]  “This approach enables manufacturers to focus on continuous quality improvement, which is essential to ensuring the safety and effectiveness of medical devices at all stages in the device’s lifecycle.”[3]  Essential to the FDA’s recommendations is the belief that device manufacturers implement comprehensive cybersecurity risk management programs and documentation which emphasizes “addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may result in patient harm. Manufacturers should respond in a timely fashion to address identified vulnerabilities.”[4]

Critical components of such a program include:

  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Maintaining robust software lifecycle processes that include mechanisms for: 
    • monitoring third party software components for new vulnerabilities throughout the device’s total product lifecycle;
    • design verification and validation for software updates and patches that are used to remediate vulnerabilities, including those related to Off-the-shelf software;
  • Understanding, assessing and detecting presence and impact of a vulnerability;
  • Establishing and communicating processes for vulnerability intake and handling
  • Note: The FDA has recognized ISO/IEC 30111:2013: Information Technology – Security Techniques – Vulnerability Handling Processes;
  • Using threat modeling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice. The FDA has recognized ISO/IEC 29147:2014: Information Technology – Security Techniques – Vulnerability Disclosure which may be a useful resource for manufacturers; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation.[5]

It is further recommended that the program incorporate elements consistent with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (i.e., Identify, Protect, Detect, Respond, and Recover).  For more details on these concepts, please see our previous discussion, which can be found here.

Perhaps more important than the shared responsibility of risk mitigation in cybersecurity among all stakeholders, is the concept that, in the FDA’s view, cybersecurity risk management should revolve around assessing therisk to the device’s essential clinical performance, which focuses on assessing the risk of patient harm.[6]  As the Guidance explains, “[a] key purpose of conducting the cyber-vulnerability risk assessment is to evaluate whether the risk of patient harm is controlled (acceptable) or uncontrolled (unacceptable). One method of assessing the acceptability of risk involves using a matrix with combinations of “exploitability” and “severity of patient harm” to determine whether the risk of patient harm is controlled or uncontrolled.”[7]  This focus is achieved by considering:

(1)   The exploitability of the cybersecurity vulnerability, and

(2)   The severity of patient harm if the vulnerability were to be exploited.[8]

Such risk is to be assessed according to these two considerations on a sliding scale, which ranges from a controlled risk (low probability of a cybersecurity exploit with little impact on patient health) to an uncontrolled risk (high probability of an exploited vulnerability that seriously threatens patient safety or even patient death).  While in some cases the evaluation will yield a definite determination of controlled or uncontrolled, the possibility remains that not all situations will produce such distinct results.[9]

The Guidance provides that manufacturers should have processes for assessing the exploitability of a cybersecurity vulnerability as well as the severity of patient harm, if the cybersecurity vulnerability were to be exploited. The FDA suggests using a cybersecurity vulnerability assessment tool or similar scoring system for rating vulnerabilities and determining the need for and urgency of the response, such as the “Common Vulnerability Scoring System,” Version 3.0.[10]  Many adequate methodologies may be utilized to analyze the potential severity of patient harm, yet the Guidance highlights an approach based on qualitative severity levels as described in ANSI/AAMI/ISO 14971: 2007/(R)2010: Medical Devices – Application of Risk Management to Medical Devices.[11]  These levels range from Negligible (inconvenience or temporary discomfort) to Catastrophic (resulting in patient death).

The figure below shows the relationship between exploitability and severity of patient harm, and can be used to categorize the risk of patient harm as controlled or uncontrolled.[12]


While the FDA clearly distinguishes between a controlled risk and uncontrolled risk, even its illustrative chart above shows a large gray area of in-between, further acknowledging that it will not always be clear in which category the risk belongs.

The FDA Guidance then sets forth recommended proper responses to controlled and uncontrolled risks.  Controlled risk scenarios involve relatively minor issues, where there is sufficiently low (acceptable) risk of patient harm.  However, manufacturers are still encouraged to proactively promote good cyber hygiene and reduce cybersecurity risks even when residual risk is acceptable.[13]  Uncontrolled risks, on the other hand, require immediate intervention and remediation, and must be reported under 21 CFR part 806, unless:           

(1)   There are no known serious adverse events or deaths associated with the vulnerability;

(2)   The manufacturer communicates with its customers and user community regarding the vulnerability, identifies interim compensating controls, and develops a remediation plan to bring the risk to an acceptable level, as soon as possible, but no later than 30 days after learning of the vulnerability;

(3)   The manufacturer fixes the vulnerability, validates the change, and distributes the deployable fix to its customers and user community within 60 days; and,

(4)   The manufacturer actively participates as a member of an Information Sharing Analysis Organization or “ISAO.”[14]

Like its draft before it, the final Guidance additionally contains an essential practical element in its Appendix: “Elements of an Effective Postmarket Cybersecurity Program.”  The Appendix encompasses the totality of the FDA’s recommendations, in an easy to follow five-prong framework, consistent with the elements of the NIST Framework for Improving Critical Infrastructure Cybersecurity.  These prongs are: A) Identify, B) Protect/Detect, C) Protect/Respond/Recover, and D) Risk Mitigation of Safety and Essential Performance.[15]

All medical devices come with both risks and benefits.  While it may not always be clear whether a particular risk is categorized as controlled or uncontrolled, the FDA has been explicitly clear in both its Premarket and Postmarket Guidances that comprehensive cybersecurity and risk analysis must be addressed over the lifecycle of medical device products, keeping a primary focus on the risk of patient harm.

[1] Guidance, at 12.


[3] Id.

[4] Guidance, at 13.

[5] Guidance, at 13-14.

[6] Guidance, at 15 (emphasis in original).

[7] Guidance, at 17.

[8] Guidance, at 15.

[9] Guidance, at 17.

[10] For more details, see “Common Vulnerability Scoring System,” Version 3.0: Specification Document (

[11] Guidance, at 17.

[12] Guidance, at 18.

[13] Guidance, at 19.

[14] Guidance, at 22-23.

[15] Guidance, at 27-30.

Federal Judge Clobbers Claims in a Class III Medical Device Case

May 22, 2017 | Jeffery Kruse

Talk about a one-two punch. First, federal question jurisdiction kept a medical device case in federal court.  And then came the knock-out blow: a federal judge in North Carolina ruled that federal preemption barred all of the state law claims against the medical device companies.  In Burrell v. Bayer Corp., U.S Dist. LEXIS 38769 (W.D. N.C. March 17, 2017) (Burrell I), Judge Max O. Cogburn, Jr. retained jurisdiction over the medical device related lawsuit based on federal question jurisdiction.  In a subsequent order, Judge Cogburn granted Bayer’s motion to dismiss plaintiff’s claims because federal law preempts those claims.  Burrell v. Bayer Corp., U.S Dist. LEXIS 71374 (W.D. N.C. May 10, 2017) (Burrell II). 

The plaintiff in Burrell alleged she was injured as a result of her use of an Essure birth control device.  The Essure device is a Class III medical device approved by the FDA through the pre-market approval process.  Plaintiff sued various Bayer entities, as well as local doctors for malpractice to defeat diversity jurisdiction.  Bayer removed the case to federal court arguing it belonged there because of federal question jurisdiction.  As evidenced by the inclusion of local defendants in her Complaint, plaintiff did not want the case in federal court and, thus, filed a motion to remand.

But the plaintiff’s Complaint was “replete with references to the FDA” and included numerous allegations “that the defendants violated the federal requirements of the Federal Food, Drug & Cosmetic Act (FDCA).”  Burrell I, at *4-5.  Because plaintiff’s Complaint “necessarily raise[d] federal issues,” Judge Cogburn concluded it was “properly a case that ‘arises from’ federal law, as the MDA was passed by Congress to govern the safety and effectiveness of Class III medical devices.”  Id. at *11.  He therefore retained jurisdiction over the case and denied plaintiff’s motion to remand.  Id.

Just under two months later, Judge Cogburn delivered the knockout punch by granting Bayer’s motion to dismiss.  Before delivering the decisive blow, though, Judge Cogburn had to block plaintiff’s counter punch – a motion to reconsider the remand denial order.  In Burrell II, plaintiff tried again to convince Judge Cogburn that he should remand the case to state court.  Judge Cogburn had no trouble crushing plaintiff’s reconsideration attack.  For her reconsideration argument, the plaintiff relied on a 2005 Fourth Circuit case for the proposition that:

“[A] preemption defense that raises a federal question is inadequate to confer federal jurisdiction. Again, a case may not be removed to federal court on the basis of a federal defense, including the defense of preemption," even if the complaint begs the assertion of the defense, and even if the defense is the only question truly at issue in the case.

Burrell II, at *8-9 quoting Pinney v. Nokia, Inc., 402 F.3d 430, 446 (4th Cir. 2005).

But Judge Cogburn easily rebuffed the reconsideration wrangle by distinguishing Burrell from Pinney. While federal law “was ‘lurking’ as a question in the background” in Pinney, in Burrell II, “[b]y plaintiff’s own admission,” she alleged violations of the FDCA as part of her state law claims and thus her Complaint met the requirements for federal jurisdiction.  Motion for reconsideration denied.

After successfully deflecting plaintiff’s reconsideration left hook, Judge Cogburn led with a little jab about preemption.  Usually, when a judge begins a preemption discussion by noting that “Federal law generally recognizes a presumption against preemption,” the defendant can expect a body blow at the end of the discussion.  Thankfully, that was not what happened in Burrell II.  Instead, Judge Cogburn followed the jab with the express and implied preemption combination by noting that “the task of avoiding express and implied preemption is a difficult one.”  Burrell II.  He then thoroughly analyzed plaintiff’s claims and concluded federal law preempted all of the claims against the Bayer defendants.

Negligent Failure to Warn Claims

Plaintiff alleged the Bayer defendants were negligent by failing to warn of adverse events relating to Essure and that they “were under a continuing duty to comply with requirements” in the FDA’s pre-market approval of Essure.  On this point, the court agreed with the plaintiff. Burrell II at *12. But that agreement also meant federal law preempted plaintiff’s negligence claims because “plaintiff’s cause of action is being brought because the Bayer defendants allegedly failed to meet those reporting requirements.”  Id. at *12-13.

To insure the negligent failure to warn claims remained knocked out, as an added bonus, Judge Cogburn also ruled that “plaintiff cannot support a finding of causation” for those warnings claims.  Id. at * 13.  Judge Cogburn explained that by the time the plaintiff in Burrell received her device, “the FDA had the related information regarding the adverse event reports mentioned by plaintiff.”  Id. Thus, in addition to being a preempted claim, Judge Cogburn found that plaintiff “failed to show that the failure-to-warn caused her injuries.”  Id.

Negligent Failure to Train Claims

In addition to her negligent failure-to-warn claims, plaintiff also asserted claims that the Bayer Defendants failed to train the implanting physician about how “to implant the device, deal with potential complications, and remove the device.” Id. at *14.  Judge Cogburn quickly dispensed with plaintiff’s failure-to-train combination.  Federal law preempted plaintiff’s negligent training claim because plaintiff’s claim “imposes a duty that is beyond the confines of the MDA.” Id.  But on the downside, Judge Cogburn noted that such a claim could survive a preemption attack “to the extent that the manufacturer failed to provide the training required by the MDA.”  Id.  However, plaintiff’s Complaint did “not provide information as to how the training violated the FDA’s requirements or how her physician was trained.”  Id. at *14-15.  Due to lack of information on that point, federal law preempted the claim.

As with the negligent warning claims, Judge Cogburn also found plaintiff failed to provide sufficient facts to establish that any training failure caused her injuries.  Thus, in addition to being preempted, the negligent training claims failed for lack of causation.

Manufacturing Defect Claims

Judge Cogburn also knocked aside plaintiff’s weak attempt at throwing a manufacturing defect punch.  Although the plaintiff alleged her Essure was “manufactured improperly,” she did not link “any manufacturing deficiency to the device that [she] received and how it caused the alleged injuries.”  Id. at *16.  Thus, her manufacturing defect claim failed.

Design Defect Claim

Judge Cogburn parried plaintiff’s product liability claim as well. To the extent plaintiff argued that Essure suffered from a design defect, federal law expressly preempted those claims.  In brushing aside the design defect claim, Judge Cogburn simply noted that “The FDA made its determination [about the] safety and effectiveness” of the Essure and therefore “these design defect claims are preempted.”  Id. at 17.

Breach of Warranty Claims

Judge Cogburn blasted the breach of warranty claims.  The plaintiff alleged the Bayer defendants “expressly warranted Essure to be safe for use by the general public, including Plaintiff” and that the “warranties and representations ‘were untrue in that Essure was unsafe and unsuited for the use for which it was intended.’” Id. at *18.  In short, Judge Cogburn noted that “Congress provided the FDA with the authority to regulate the safety and effectiveness of Class III medical devices.”  So, he dismissed the breach of warranty claims.

Fraud and Unfair Trade Practices Claims

Finally, with all other claims against Bayer flat on the mat, Judge Cogburn crushed plaintiff’s unfair and deceptive trade practices claims.  Judge Cogburn noted that the “allegations largely repackage the allegations” he already dismissed and that “several of the alleged misrepresentations are indistinguishable from FDA-approved labeling statements.”  Id. at *19-20.  Plaintiff’s allegations of “deviations from the FDA-approved language” were insufficient to “support a claim based on fraudulent behavior or unfair trade practices.”  Id. at *20.  Federal law preempted those claims.

Medical Malpractice Claims

After knocking out all of the plaintiff’s claims against the Bayer defendants, Judge Cogburn came full circle and turned his attention to the medical malpractice claims against the local defendants.  Plaintiff eventually got her wish – the case will not remain in federal court.  Judge Cogburn declined to exercise supplemental jurisdiction over the medical malpractice claims and dismissed those claims pursuant to 28 U.S.C. § 1367(c)(3) so plaintiff could reassert those claims in state court.

Post Bout Summary

Under Riegel v. Medtronic, Inc., 552 U.S. 313, 128 S. Ct. 999 (2008), plaintiffs in Class III medical device cases have a “narrow window” through which they must plead when attempting to state “parallel claims.”  Judge Cogburn’s orders in this case provide great training roadmaps for knocking out claims in Class III medical device cases when plaintiffs allege violations of the FDCA or FDA regulations.  Bayer used a great combination of federal question jurisdiction and preemption arguments to flatten plaintiff’s claims in this Class III medical device case.  Bayer made the arguments, and Judge Cogburn delivered the epic knockout.
About Drug / Device Law Blog

The BSCR Drug / Device Law Blog examines topics and legal developments of interest to the drug and device industry. Learn more about the editor, Angela Higgins, and our Drug and Device practice.


The Drug / Device Law Blog is made available by Baker Sterchi Cowden & Rice LLC for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. Your use of this blog site alone creates no attorney client relationship between you and the firm.


Do not include confidential information in comments or other feedback or messages related to the Drug / Device Law Blog, as these are neither confidential nor secure methods of communicating with attorneys. The Drug / Device Law Blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.