Regulatory Open Forum

  • 1.  Vigilance cases

    Posted 18-Mar-2023 13:53


    If you observe a non-compliance, who and which department is responsible to say if it is a compliance risk or not?

    Will it be wrong to say every non-compliance is a compliance risk?

    Noopur Gupta

  • 2.  RE: Vigilance cases

    Posted 20-Mar-2023 07:14

    Hello Noopur,

    The question is quite broad and probably not easily answered in that context, because you can have internal non-compliance by an employee, internal non-compliance from a system, external non-compliance by a supplier/distributor, external non-compliance from a customer such as a complaint.  In simple terms, every instance of non-compliance or meeting compliance carries a risk.  This is why ISO 9001 and ISO 13485 speak more about using risk-based thinking or a risk-based approach.  In a medical device quality system, generally it would be the ones responsible for quality and/or regulatory who would be involved in compliance risk.  In a pharmaceutical company, this would generally be the Qualified Person's responsibility to understand compliance risks with any non-conformity.  As an aside, with the EU MDR and EU IVDR published, they introduced a Person Responsible for Regulatory Compliance, which may not be at the level of a Qualified Person, but I think in the European Union the intent is to have individual(s) monitoring compliance for the company.

    Richard Vincins ASQ-CQA, MTOPRA, RAC
    Vice President Global Regulatory Affairs

  • 3.  RE: Vigilance cases

    Posted 20-Mar-2023 09:26

    Hi Noopur.

    Richard has provided some valuable insight which I completely agree with.  I will just add a little context from my own personal experience: any non-conformance should be reviewed holistically to ensure that the actual situation is completely understood before determining what the risk is.  This should really be a coordinated effort between multiple groups (Quality, Regulatory, Operations, Legal, etc.) to ensure that the most reasonable and defensible decision is made.  

    As for who is responsible, I am not sure I am entirely understanding your question here.  If you mean who is responsible for making the final decision - then that is often company dependent based on how reporting is coordinated and who has what exact responsibility within the organization.  If the question is more about who should report the issue, then I think it depends on whether or not it is an "internal" non-compliance or if it is "external".  To me, whoever recognizes the non-compliance is responsible for initiating the internal review of the issue for risk determination and any possible or necessary actions on the part of the company.  Then, once the company performs their analysis it is up to the decision of the company how to manage the next steps and with whom to contact/interact depending on the severity of the risk, the requirements of the analysis (what happened where and caused by whom) and then obviously what the regulations require.

    Victor Mencarelli MS
    Global Director Regulatory Affairs
    New York, NY
    United States