
Non-conformance vs Non-compliance


What is the difference between a non-conformance and a non-compliance?

A non-compliance is the failure to adhere to an Act or its Regulations.


A non-conformance is the failure to comply with a requirement, standard, or procedure.

A Non Conformance Report (NCR) is issued in a Quality Management System audit when the auditee fails to meet a requirement in the QMS.

From: Quality Handbook - Six Sigma

DIFFERENCE BETWEEN CONFORMANCE AND COMPLIANCE

Conformance and compliance are words that are often used interchangeably, but should they be? Here are a few lines to explain the difference between them and why they tend to be confused.

Conformance
Choosing to do something in a recognised way (following standards such as ISO 9001 or
recognised methods such as agreed test methods for ring tests under ISO 17025).

Compliance
Doing what you are told (i.e. abiding by the law, meeting legislative requirements).

Justification for the confusion

If someone mandates that you meet the requirements of a standard or test method, then conformance becomes compliance (i.e. your conformity is required in order for you to comply).
The Technical Committee of ISO 9001 used the root word "comply". The Technical Committee of ISO 14001 used the root word "conform". "Conform" was used to differentiate meeting the requirements of the system standard from "complying" with regulatory requirements.

"Conform" to ISO 14001 and "comply" with the law.

"Compliance" has a harsher tone than "conformance".


So, you have a certificate hanging on your wall showing that you have passed an audit and conform to the requirements of ISO 13485. Congratulations! That must mean you are ready for an FDA inspection, right?

Not necessarily.

This is an important topic because many companies have assumed that holding an ISO certificate means they should have no problems being compliant with 21 CFR Part 820. Unfortunately, many find that this is not true. When they are left sorting out Form 483 observations, and possibly even warning letters, as a result of an FDA inspection, they genuinely feel that they have done nothing to warrant the fuss: if the ISO registrar approves, why doesn't the FDA?

Medical device companies need a fundamental understanding of this: what is the difference between conformity to a standard and compliance with a regulation?

ISO 13485 VS. 21 CFR PART 820

First of all, it helps to understand one of the first key differences between ISO and FDA: ISO audits for conformity to a standard, whereas FDA inspects for compliance with regulations.

The methodology of the ISO auditor is different from that of the FDA inspector and, of course, while you voluntarily pay for ISO certification, FDA compliance is an expectation.

While an ISO auditor might find that you conform to a standard, that does not automatically mean you will be compliant with FDA regulations.
VOLUNTARY STANDARD VS. THE LAW

For US-based medical device manufacturers, ISO 13485 is entirely voluntary, although it is generally accepted as a de facto requirement if you want your device to go into markets such as the EU, Canada, and some other parts of the world. In the US, 21 CFR Part 820 is the law (CFR = Code of Federal Regulations). When an FDA inspector enters your premises, they carry a badge and have law enforcement authority, while an ISO auditor does not.

A new version of ISO 13485 was published in 2016 and, in many respects, parts of it were brought closer to FDA regulation. For example, the ISO standard takes a risk-based approach toward quality management systems, which is consistent with the interpretation and application of FDA expectations. (Note: FDA does not explicitly define risk-based requirements for the QMS.) The FDA QSIT (Quality System Inspection Technique) looks at four major subsystems: management controls, design controls, CAPA, and production and process controls.

Under the 2016 update, many ISO 13485 clauses were brought into closer alignment with the regulations under these subsystems (for example, by adding a specific clause on complaint handling); however, there are still differences in interpretation between the two.

Conformity is not the same as compliance.


CONSEQUENCES FOR NONCOMPLIANCE VS. NONCONFORMANCE

This is where device manufacturers can really start to see a difference. Let's say you have an ISO audit and the auditor finds an issue; the usual procedure is to issue you a finding on your audit report. If you get a Category 1 (Major) finding, your registrar will require you to submit a corrective action plan within 30 calendar days. You will need to provide evidence that the issue has been effectively closed within 90 calendar days.

Most registrars will then return after those 90 days to verify the corrective action with a follow-up audit. The focus of that audit is solely on the issue that was raised. However, if you get back to the registrar beyond the 90 days they require, there is a good chance they will want to conduct a more thorough repeat audit and scrutinize your full QMS for any other systemic issues. Your ISO certification may be at risk.

Bottom line consequences through ISO: You lose your ISO certification and are unable to participate in global markets that require it.

Let's flip to the same scenario under an FDA inspection.

You undergo a comprehensive inspection following QSIT guidelines, during which the inspector documents a Form 483 observation. On receiving it, you have 15 business days to respond in writing, explaining your corrective actions and providing evidence that they are an appropriate response.

Once FDA has received your Form 483 response, it makes a recommendation as to any follow-up enforcement. Typically, this may include a follow-up inspection, a warning letter, or some other type of enforcement. Expect to see the FDA back within 6 months, or sooner for very serious issues.

If you have received a warning letter, you need to comprehend the seriousness of it. A
warning letter indicates that the FDA has determined you are in violation of the law and
may consider further enforcement actions, including seizure, injunction, prosecution or
civil penalties.

Bottom line consequences through the FDA: Your operation gets shut down, and you face civil penalties or prosecution, including the possibility of prison time.

Conformance is voluntary adherence to a standard, rule, specification, requirement, design, process or practice.

Compliance is forced adherence to a law, regulation, rule, process or practice.

The Difference

Conformance applies to strategies and plans that you adopt to be more productive or to improve quality.

Compliance applies to laws and regulations that you have no option but to follow or face penalties. Such regulations may potentially be productive for society but don't necessarily contribute to an organization's goals.
