Tuesday, April 26, 2011

Risk Based Compliance - A Panacea?

Risk-Based Compliance (RBC) seems to be the new buzzword in compliance circles these days. Touted by consultants to minimize compliance costs, improve compliance outcomes, and secure greater management support for compliance activities, RBC looks, feels, and sounds like a good idea. 

Should we all jump on the bandwagon then? Let's see...

Most RBC strategies include the following (or similar) tactical steps:

1. Identify the risks of non-compliance: what can happen? when? where? how? why?

2. Determine the level of each risk: what are the short-term and long-term impacts, in real dollars (fees, penalties, recalls) as well as in soft costs (lost sales, lost opportunities, and loss of customer trust)?

3. Prioritize risks based on the level of risk and on the estimated probability of risk realization. Decide on which risks to address.

4. Identify and select the best suited compliance measures to address the selected risks

5. Plan and implement the chosen compliance measures

6. Monitor, review, and report progress (status, costs), and compliance levels (internal audits, external audits, etc.)

While it is true that implementing an RBC strategy might improve the state of our firm's regulatory compliance in some cases, let's also consider the following thoughts:

1. RBC parameters are internally determined (perhaps with the help of consultants), while the “state of regulatory compliance” is externally determined (by regulatory agencies).

“Our analysis leads us to believe that the risk of not validating a computerized system controlling a manufacturing line for a Class III medical device is low since the device is 100% tested at the end of the line.” 

Yet due to an unforeseen side effect of a recent software upgrade, excessive torque gets applied to a mounting screw and the device casing cracks under stress exposing the patient to a potential air embolism. Customers complain and the subsequent FDA audit drill-down exposes the lack of validation as the root cause. A recall is initiated. A CAPA is launched. Total cost: $5 million.

2. RBC probabilities of occurrence for each risk are either determined intuitively, or based on past history.

“Since it has not been brought up in any regulatory audits in the past, why should we be concerned with adding a Human Factors analysis step in our design process? We believe the risk of non-compliance (for us) to be less than 1%.”

Yet due to an unforeseen side effect of a mold change for our infusion pumps, nurses have a tendency to confuse Start with Stop, which can lead to non-delivery of medication and potential Adverse Events. A recall is initiated. A CAPA is launched. Total cost: $12 million.

3. The criteria used to decide which compliance measures are “best suited” are highly influenced by internal biases and constraints.

“We are a small firm; therefore we believe that the best way for us to keep track of customer complaints is to log them into an Excel spreadsheet that we all share on our internal corporate LAN”

Yet due to the inability of such a simplistic system to avoid multiple update conflicts, 2 complaints logged by one customer support representative are lost when the shared file is updated by another. A subsequent FDA audit finds that one of the complaints that was lost should have triggered an MDR, and the company is assessed a $430,000 fine for adverse event reporting violations.

While following an RBC strategy seems to help optimize the cost of regulatory compliance, we also have to realize that, just like with any model based on a set of implicit assumptions, there might be significant pitfalls to avoid if, when, and where these assumptions do not hold true.

What do you think?

Thursday, April 21, 2011

Are SOPs always needed for 21 CFR Part 820 compliance?

A QA consultant I know made the case that SOPs are not always needed for QSR compliance. As an example, his client is a small Class II Medical Device contract sterilization services company which has executed the validation of the computerized system controlling its sterilization line with a validation plan, test protocols, and a validation report. There is no SOP in place to ensure the consistency of validation for similar systems; however, the company seems to have passed all its FDA audits in the past 6 years with no major or minor findings.

GAMP-5 specifies: “It is the responsibility of regulated companies to establish policies and procedures to meet applicable regulatory requirements”

§ 820.75 Process validation from 21 CFR Part 820 specifies: “(a) Where the results of a process cannot be fully verified by subsequent inspection and test, the process shall be validated with a high degree of assurance and approved according to established procedures”, and

§ 820.3 Definitions from 21 CFR Part 820 further clarifies: “(k) Establish means define, document (in writing or electronically), and implement.”

What do you think?

Optimized Regulatory Compliance - a Tautology?

At the end of the day, businesses are in business to make money. So where does regulatory compliance fit within your business model? Let's go ahead and examine the two main cost components of compliance:

- Cost of submissions. According to the law, you must obtain regulatory approval as a precondition to market your product. This is usually obtained in response to an active submission to the appropriate regulatory agency. You can't cut any corners here: the success of your submission will gate short-term sales performance. Hire the best regulatory consultants you can afford.

- Quality system costs. To keep your product on the market, the law says that you must implement and maintain a quality system compliant with the regulations. This is an ongoing operational cost. Your "state of compliance" is sampled at the regulatory agency's periodic audit event, usually every 2-4 years (on average). Do we have an opportunity here?

The answer, in most cases, seems to be yes. The key phrase is "manage the enforcement risk," and this thinking is most prevalent in small firms, perhaps even with the tacit cooperation of regulatory agencies, which seem to be a lot more lenient in their inspections when dealing with small entities.

So the microeconomic behavior in relation to the second item (quality system costs) seems to go like this:

1. Implement a "de minimis" quality system. Hope for the best.

2. When audited, hire a smart regulatory consultant who can successfully argue with the auditor that your quality system's level of depth is commensurate with your product's level of risk.

3. If and when cited in the regulatory agency's audit report, address the specific finding(s) and move on

Adopting this strategy would automatically "optimize" your regulatory compliance costs. Or would it?

Perhaps in the short term the answer could be yes. To be viable over the long term, however, you might want to consider the following additional elements:

a) Worst case scenario, what is the impact of non-compliance? It might range from massive documentation rework to a consent decree or a total product recall.

b) Given the current trends in regulatory enforcement, what is the probability that your firm will be found non-compliant, even if you successfully passed all regulatory audits in the past?

c) Will your firm be acquired by a larger firm in the near future? If so, are you prepared to "raise the bar" on your quality system compliance just before or after the acquisition?

d) Do you have safety issues in the field (like patient injuries or deaths associated with your product) that might trigger unwarranted attention from the regulators?

e) Are you a supplier, OEM, or a contract service provider of a company that was involved in a recent safety recall, consent decree, or associated with adverse events related to patient injury or death?

The major hidden "hard" cost of long term non-compliance is the cost of rework. This includes the cost of reverse engineering device designs, revalidating products, fixtures, and manufacturing lines, and the cost of recalls.

The more important hidden costs, however, are the "soft" ones: losing market share due to a negative customer image, inability to respond to your competitors' newest feature offerings, and loss of revenue while your product is put "on hold" by the regulatory body until remediation is complete.

Each company, product, and market is different. To find out more, visit http://www.priusmedical.com/ and contact us for a personalized assessment.