Wednesday, August 31, 2011

What Does "Regulatory Compliance" Mean?

When you talk about "regulatory compliance" in the context of Medical Systems, in addition to the well-known FDA GMP/GCP/GLP requirements and the equivalent EU / Canada / Japan / China / etc. compliance standards, one must consider other, broader aspects of compliance such as those related to contracts, payments, anti-kickback, foreign corrupt practices, sustainability, carbon emissions, RoHS, OSHA, etc.

Since the state of compliance is generally determined by an external third party (through a regulator or an authorized contractor audit), an activist regulatory affairs group would make a case for going all out and implementing any and all published guidance and best practice details in an attempt to "audit-proof" your quality system. Unfortunately, the cost of adopting such a "worst case scenario" strategy will be punitive to the bottom line, potentially impacting not just margins but also time to market and / or competitive feature sets.

A more minimalistic mindset (found most prevalently in startups and smaller companies) would lobby for implementing only what is absolutely necessary to pass a superficial, high-level external audit, and nothing more. Unfortunately, this approach is akin to playing Russian roulette: just because you passed an external audit yesterday does not necessarily mean that you will pass another one tomorrow; it only means that you were lucky that the auditor did not probe in the areas of your weakness (yet).

So, how do you decide to what level of detail & intensity you should develop procedures and ensure "compliance" (as defined by the average external auditor probing at random) in each of these areas?

The key insight is that, to the regulator, adequacy of compliance is judged by the perceived level of risk that a company and / or its marketed products might pose to society (the general population).

Based on this key insight, the right approach would seem to be to establish and maintain a dynamic, cost-optimized balance of the level of detail within each compliance-related area, calibrated to the potential level of risk the company and its product(s) can pose in the market(s) where it competes, the regulation(s) which are applicable, and the state of compliance of its main competitors that are similar in size and sell in the same or similar markets.

Are you doing this already? If so, how is it working for you?