Regulatory Open Forum

While a regulatory agency is working on developing rules, what are the biggest challenges that regulatory professionals face when trying to create and enforce those rules?

As a graduate student in regulatory affairs, this a question that’s been on my mind as I think about what I’d like to do after I graduate.

------------------------------
Indumathi Devupalli
Boston MA
United States
------------------------------

Wow - is THAT a loaded question Indumathi!

OK - let me start with the biggest issue I generally have seen in my career - the concept of "creating and enforcing the rules".  Let's start with the creating part.  You as a regulatory professional are not really creating the rules.  You are creating processes and procedures to ensure you company remains in compliance with the rules that the regulatory authorities have set out.  While that may seem like wordsmithing the comment, the distinction is significant in my opinion and experience.  That is because the distinction changes you from "the bad guy" or "the enforcer" or whatever other negative connotation term you wish to apply to it into the "collaborator" or the "team-player" or the "advisor" which is far more likely to find people following or at least working with to figure out next steps.  I suggest considering the regulatory professional as the advisor who tries to see into the purpose of the rule or regulation and help the company or the department or whomever try to maintain their compliant status not just because it is the "right thing to do" but because it makes good business sense.  Also, your process and procedure creation must account for not only the regulation and the impact on the regulatory issues but also to involve and employee the expertise of the department(s) that will need to implement or follow the process.  If you write a great process that is not or cannot be followed by the department then the only thing you have written in reality is a 483 observation on your next inspection.

Now to take on the "enforcing the rule" issue.  Again, regulatory needs to follow the requirements but they also should not be the only (or even in my opinion the majority) department owning the requirements and following the and enforcing the rules.  When a company creates the situation where there is a department "charged" with enforcement that is when the company finds itself in serious issues because the "enforcer" is a single department and it breeds a contempt that is hard to work through and also hurts the overall morale of the department assigned and the company as a whole because you end up with people thinking that the assigned department is nothing more than the "bad guys" or the "cost centers" (as opposed to profit centers).

All that said, some of the hardest things around the regulatory job are understanding the gray areas and the company's willingness to engage in behavior that does carry some level of risk.  Most companies in my experience accept some level of risk but every company's appetite for overall risk and the type of risk(s) they are willing to take are almost always different.  Some companies may say "Well my competitors have been doing it so I have to do it to stay competitive" while others may say "I'm only willing to take a risk where the situation is so gray and there is very little out there to extrapolate from that we have good arguments if ever challenged".  The differences between these two positions are essentially polar opposites but I have worked for companies on both sides of this spectrum.  So it was up to me to understand what was acceptable risk, how much risk was acceptable, and then to manage the regulatory business of the company within the four corners of that understanding.

------------------------------
Victor Mencarelli MS
Global Director Regulatory Affairs
New YorkNY
United States
------------------------------

Original Message:
Sent: 27-Apr-2023 12:08
From: Indumathi Devupalli
Subject: Biggest challenges when enforcing rules

While a regulatory agency is working on developing rules, what are the biggest challenges that regulatory professionals face when trying to create and enforce those rules?<o:p></o:p>

As a graduate student in regulatory affairs, this a question that's been on my mind as I think about what I'd like to do after I graduate.<o:p></o:p>

------------------------------
Indumathi Devupalli
Boston MA
United States
------------------------------

Hi Indumathi

Excellent advice from Victor on how regulatory professionals in the industry deal with new regulations.

From the perspective of those working in the regulatory agencies, it varies around the world. Some countries publish very detailed legislation and leave it to the regulators to figure out what to do with it. Where the laws are more general, and the regulatory agencies develop the detailed regulations, many use a measured process of public consultations, which are a lot of work, but tend to result in rules it's possible for the industry to comply with.

How they enforce also varies around the world. The US FDA, for example, puts a lot of energy into assessing which areas are likely to have the biggest impact on the public health, and concentrating their efforts there.

Things are always changing, and it isn't easy to navigate a shifting environment. Laws change, international trade partners change, funding changes, regulatory agencies get reorganized, new technologies are developed, and the regulators must find ways to continue to fulfill their mandates and adapt their rules and processes to continue to make relevant contributions to public safety.

------------------------------
Anne LeBlanc
United States
------------------------------

Original Message:
Sent: 28-Apr-2023 09:58
From: Victor Mencarelli
Subject: Biggest challenges when enforcing rules

Wow - is THAT a loaded question Indumathi!

OK - let me start with the biggest issue I generally have seen in my career - the concept of "creating and enforcing the rules".  Let's start with the creating part.  You as a regulatory professional are not really creating the rules.  You are creating processes and procedures to ensure you company remains in compliance with the rules that the regulatory authorities have set out.  While that may seem like wordsmithing the comment, the distinction is significant in my opinion and experience.  That is because the distinction changes you from "the bad guy" or "the enforcer" or whatever other negative connotation term you wish to apply to it into the "collaborator" or the "team-player" or the "advisor" which is far more likely to find people following or at least working with to figure out next steps.  I suggest considering the regulatory professional as the advisor who tries to see into the purpose of the rule or regulation and help the company or the department or whomever try to maintain their compliant status not just because it is the "right thing to do" but because it makes good business sense.  Also, your process and procedure creation must account for not only the regulation and the impact on the regulatory issues but also to involve and employee the expertise of the department(s) that will need to implement or follow the process.  If you write a great process that is not or cannot be followed by the department then the only thing you have written in reality is a 483 observation on your next inspection.

Now to take on the "enforcing the rule" issue.  Again, regulatory needs to follow the requirements but they also should not be the only (or even in my opinion the majority) department owning the requirements and following the and enforcing the rules.  When a company creates the situation where there is a department "charged" with enforcement that is when the company finds itself in serious issues because the "enforcer" is a single department and it breeds a contempt that is hard to work through and also hurts the overall morale of the department assigned and the company as a whole because you end up with people thinking that the assigned department is nothing more than the "bad guys" or the "cost centers" (as opposed to profit centers).

All that said, some of the hardest things around the regulatory job are understanding the gray areas and the company's willingness to engage in behavior that does carry some level of risk.  Most companies in my experience accept some level of risk but every company's appetite for overall risk and the type of risk(s) they are willing to take are almost always different.  Some companies may say "Well my competitors have been doing it so I have to do it to stay competitive" while others may say "I'm only willing to take a risk where the situation is so gray and there is very little out there to extrapolate from that we have good arguments if ever challenged".  The differences between these two positions are essentially polar opposites but I have worked for companies on both sides of this spectrum.  So it was up to me to understand what was acceptable risk, how much risk was acceptable, and then to manage the regulatory business of the company within the four corners of that understanding.

------------------------------
Victor Mencarelli MS
Global Director Regulatory Affairs
New YorkNY
United States

Original Message:
Sent: 27-Apr-2023 12:08
From: Indumathi Devupalli
Subject: Biggest challenges when enforcing rules

While a regulatory agency is working on developing rules, what are the biggest challenges that regulatory professionals face when trying to create and enforce those rules?<o:p></o:p>

As a graduate student in regulatory affairs, this a question that's been on my mind as I think about what I'd like to do after I graduate.<o:p></o:p>

------------------------------
Indumathi Devupalli
Boston MA
United States
------------------------------

As a former inspector working for an EU Competent Authority I know that making and enforcing rules is extremely difficult and in almost every stage you have to make compromises. The population that is subjected to the rule is not a single entity, it is a spectrum; some are keen to be compliant, others are just not interested, some have explicitly non-compliant intentions, and the rest of the population are postioned somewhere between these extremes. 
My father has been an editor of laws. He decided what word went into what sensence in which article. He said: 'A good law is short, chrystal clear and hard as rock.' I think that is still a valid statement. In practice, this means that a requirement must be relevant, fair, and practically feasible. 
When it comes to enforcement, you have to apply various strategies. First, the target group must know about the existence of the requirement. Just assume that every time you publish about a new requirement, this is received by 30% of the population that has not been reached before. This meant that you must communicate repeatedly and over multiple channels, just to make a rule known. The target group will have questions, so you must be prepared to answer them. But there is a risk. If they want to know how to interpret the rules, you may be drawn into discussions about the compliance of a device. You should never bring yourself in a position where you explicitly have to say that you find something compliant, because that may turn into an informal standard that does not work for all subjects. You should only be explicit about something that you find non-compliant. Personally I find the best strategy to enforce requirements is to make compliance the easiest option. For example, in the EU we now see UDI on the label being introduced. For many devices this will only become mandatory in a few year's time. In reality, hospitals are already demanding UDI on the labels. As a result companies are introducing UDI, well ahead of the deadline. Hospitals only started to demand UDI on labels after they had been made aware of this option. That was a communication strategy used by several of the EU authorities. This 'non-enforced enforcemen' strategy is often called 'nudging'. 
If nudging is not possible, you should try to convince organisations by explaining (again) why these rules matter. This will often happen as a result of inspections, so these can be made-to-measure communications. If convincing does not work, you have to go for harder enforcement strategies.
When it comes to the most stringent enforcement strategies, fines and prison sentences, I think that if more than 3% of the population is faced with these measures, you have failed in creating relevant, fair and well-communicated requirements. Criminal behaviour is in general quite rare, so if you think you see too much of that, you may have to alter your strategy.
Finally, you must have stragegies to respond to undesired effects. For example, the rules may prevent a well-working device entering the market. In the MDR Articles 59 and 97 allow for derogation measures. But you may even have to change the law, if you are too strickt. We have seen that in the EU, where Regulation 2023/607 allows manufacturers to rely on Directive certificates for some extra years to keep devices on the market. Obviously, the requirements in that amending regulation must also be short, chrystal clear and hard as rock. We will have to see if they really are...

------------------------------
Ronald Boumans
MDR Expert
Super PRRC
Netherlands
------------------------------

Original Message:
Sent: 27-Apr-2023 12:08
From: Indumathi Devupalli
Subject: Biggest challenges when enforcing rules

While a regulatory agency is working on developing rules, what are the biggest challenges that regulatory professionals face when trying to create and enforce those rules?<o:p></o:p>

As a graduate student in regulatory affairs, this a question that's been on my mind as I think about what I'd like to do after I graduate.<o:p></o:p>

------------------------------
Indumathi Devupalli
Boston MA
United States
------------------------------