Author: Brandon Miller

Why Cybersecurity Has Become a Regulatory Priority

As combination products increasingly rely on software, connectivity, and digital interfaces, cybersecurity has moved from a secondary concern to a core regulatory expectation. What was once viewed as an IT or infrastructure issue is now clearly framed by regulators as a patient safety risk.

Vulnerabilities that go unaddressed during development can expose patient data, disrupt device performance, or create pathways into broader healthcare networks. FDA scrutiny has followed this reality: expectations now focus on how cybersecurity risks are identified and controlled across the entire product lifecycle.

 

When Software Expands the Regulatory Scope

Once software plays a role in device operation, data handling, or clinical functionality, it introduces a new regulatory dimension. IEC 62304 establishes expectations for managing medical device software throughout its lifecycle, and FDA increasingly looks for evidence that these principles are embedded into development practices.

This includes clearly defining software architecture, understanding how different components interact, and documenting how risks are assessed and mitigated. Software complexity, especially when multiple operating systems, programming languages, or third-party components are involved, increases the likelihood that vulnerabilities exist. Regulators expect sponsors to demonstrate awareness of that complexity and control over its impact.

 

Secure by Design Starts at the Requirements Level

One of the most common contributors to cybersecurity weaknesses is poor design planning. When security requirements are vague, incomplete, or added late in development, vulnerabilities are often baked into the product.

FDA expectations increasingly reflect a “secure by design” mindset. The strongest cybersecurity controls are those that eliminate or reduce vulnerabilities through planned architecture and clear requirements. Protective mechanisms that detect and respond to threats are the next layer of defense.

Effective cybersecurity requires giving security considerations a formal seat at the design table, supported by subject matter expertise and documented decision-making. Otherwise, designers run the risk of relying primarily on labeling, instructions, or user warnings for security, which are considered the weakest mechanisms available.

 

Software Changes Are Lifecycle Events, Not IT Tasks

As vulnerabilities evolve, software must be maintained through updates and patches. These activities are not routine maintenance tasks. Each change has the potential to affect safety, performance, and compliance.

FDA expects organizations to assess software changes through a quality and risk lens, not an IT convenience lens. Updates tied to cybersecurity posture or device behavior typically require formal change control, risk evaluation, and verification. Organizations that lack clear criteria for distinguishing between design-controlled changes and minor maintenance should expect to struggle when questioned during inspections.

 

Cybersecurity Documentation FDA Now Expects

Cybersecurity reviews increasingly include specific deliverables that demonstrate transparency and control. One example is the Software Bill of Materials, which identifies third-party software components and dependencies. This allows regulators to assess supply chain risk and vulnerability exposure.

Threat modeling documentation is also becoming more common, showing how potential attack scenarios were identified and addressed. Additional artifacts may include secure development lifecycle procedures, vulnerability management processes, and post-market monitoring strategies that demonstrate ongoing accountability rather than one-time compliance.

 

Integrating Cybersecurity Into a Streamlined QMS

For combination products, cybersecurity controls can be integrated into an existing pharmaceutical quality system through the streamlined approach allowed under 21 CFR Part 4. This avoids duplicative systems while ensuring software and cybersecurity risks are appropriately governed.

Successful integration depends on alignment between software development, Design Controls, risk management, and quality oversight. When cybersecurity is embedded into the QMS and the D&D file for the device rather than bolted on after the fact, inspection readiness improves significantly.

 

How RCA Supports Software and Cybersecurity Readiness

Regulatory Compliance Associates® (RCA) helps life sciences organizations build inspection-ready software and cybersecurity frameworks tailored to combination products.

From TIR57 and ISO 14971 compliance and cybersecurity documentation to inspection preparation and training, RCA partners with teams to navigate this complex and rapidly evolving regulatory landscape with confidence.

Ready to streamline your QMS for combination product success?
Contact RCA today to schedule a consultation and take the first step toward regulatory readiness and market leadership.

Why Design Controls Are the Biggest Leap for Drug Teams

For pharmaceutical and biologic organizations entering the combination product space, few regulatory requirements cause as much friction as design controls under FDA QMSR. Unlike traditional pharmaceutical Quality Risk Management (QRM), design controls require a structured and documented history of how the device portion of a product was conceived, designed, verified, validated, and transferred into production.

For many drug teams, this represents a fundamental shift from the line of thinking they are accustomed to. Quality is no longer focused solely on batch release, clinical outcomes, or GMP compliance. Instead, regulators expect a living design narrative that demonstrates intentional engineering decisions and risk-based controls throughout the product lifecycle.

 

Why Pharmaceutical Risk Management Is Not Device Risk Management

Pharmaceutical QRM, often aligned with ICH Q9, is typically focused on patient safety, process variability, and manufacturing controls. Device risk management, however, is governed by ISO 14971 and embedded directly into design controls.

The key distinction is timing and intent.

Pharma risk management often evaluates risk after formulation and process decisions are made. Device risk management is proactive and iterative, requiring teams to identify hazards, estimate and evaluate risks, implement controls, and reassess residual risk throughout design and development.

For combination products, the FDA expects risk management to be tightly linked to design inputs, outputs, verification, and validation. A standalone risk assessment or FMEA is not sufficient if it is not clearly integrated into the design history.

 

The Circular Nature of Design Inputs and Outputs

One of the most misunderstood aspects of design controls is that design is not linear. Design inputs inform outputs, but outputs frequently expose gaps, ambiguities, or risks that require refinement of inputs. This circular relationship is not a weakness. It is an expected and documented part of compliant device development.

Design inputs define what the device must do, including performance requirements, safety considerations, usability needs, and regulatory constraints. Design outputs translate those requirements into drawings, specifications, software code, and manufacturing instructions.

FDA investigators routinely look for evidence that inputs and outputs were revisited as new information emerged. Static inputs that never evolve raise red flags during inspection.

 

Why Clinical Trials Do Not Equal Design Validation

A common misconception among drug-focused organizations is that clinical trials satisfy device design validation requirements. While clinical data may support aspects of performance or safety, FDA does not consider clinical trials alone to be sufficient design validation for the device component.

Design validation under QMSR and ISO 13485 requires documented evidence that the device meets user needs and intended uses under actual or simulated use conditions. This includes usability testing, human factors engineering, and validation of device performance independent of clinical efficacy endpoints.

In short, proving the therapy works does not automatically prove the device was designed correctly.

 

Design Transfer Is Where Many Programs Fail

Design transfer is often treated as an administrative milestone. In reality, it is a critical control point where FDA scrutiny increases significantly.

Design transfer ensures that the device design is correctly translated into production specifications and manufacturing processes. Regulators expect clear evidence that manufacturing can consistently produce devices that meet approved design requirements.

Weak design transfer frequently results in downstream CAPAs, nonconformances, and delayed approvals. Strong design transfer, on the other hand, creates alignment between R&D, quality, and manufacturing and significantly reduces lifecycle risk.

 

Building Design Controls Without Rebuilding Your QMS

For combination products, design controls do not require a full medical device QMS. Under the streamlined approach, organizations can integrate design control elements into an existing pharmaceutical system while maintaining compliance with 21 CFR Part 4.

The key is intentional integration, not duplication. Design controls must be documented, traceable, and inspection-ready, but they can coexist with pharmaceutical processes when structured correctly.

 

How RCA Helps Drug Teams Navigate Design Controls

Design controls are challenging because they force organizations to think differently about development. Regulatory Compliance Associates® (RCA) helps pharmaceutical and biologic companies implement right-sized design control frameworks that meet FDA expectations without unnecessary complexity.

The FDA’s Quality Management System Regulation (QMSR) replaces the legacy QSR and formally incorporates ISO 13485:2016 (and ISO 9000:2015 Clause 3 for terminology) by reference. The final rule was issued on February 2, 2024, with an effective date of February 2, 2026, and it arrives with a new, lifecycle-focused inspection model that retires QSIT.

Why did FDA replace QSR with QMSR?

For nearly three decades, manufacturers managed a U.S. QSR that diverged from global practice, creating duplicate compliance burdens. QMSR harmonizes with ISO 13485, modernizes expectations, and preserves specific U.S. obligations where needed, improving clarity while reducing redundancy for firms marketing in multiple jurisdictions.

 

The headline changes you’ll notice

ISO 13485 becomes the backbone of U.S. device CGMPs

QMSR restructures Part 820 to function as an overlay on ISO 13485:2016 (and ISO 9000:2015 for definitions), while retaining targeted FDA additions to avoid conflicts with U.S. requirements (e.g., records and labeling/packaging clarifications).

 

New inspection model; QSIT is retired

On the effective date, FDA begins inspections under Compliance Program 7382.850 and discontinues QSIT. Expect risk-based planning, integration of post-market and lifecycle data, and inspectors following issues across processes rather than auditing subsystems in isolation.

Analyses show FDA will organize inspections around six QMS Areas and cover four “Other Applicable FDA Requirements” (MDR, Corrections/Removals, Tracking, UDI), often starting with your risk management file as the roadmap.

 

Terminology alignment: DHF/DMR/DHR → ISO terms

QMSR sunsets QSR-only terms in favor of ISO vocabulary:

  • Design History File (DHF) → Design & Development File (DDF)
  • Device Master Record (DMR) → Medical Device File (MDF)
  • Device History Record (DHR) → Manufacturing Records/Records

FDA notes the content obligations remain under ISO clauses (especially 4.2 and 7.x), and retaining the old terms would be redundant and confusing.

Practical tip: You don’t have to rename every document; just ensure your files demonstrably meet ISO 13485 content and traceability, and keep a clear mapping for inspection.

Internal audits & management reviews are now fair game

Under QMSR and its new compliance program, industry observers and FDA-facing legal analysts note that internal audits, supplier audits, and management review records are no longer categorically exempt. Treat them as inspection-ready evidence.

MDSAP updates and new home

The MDSAP Audit Approach has been updated to Version 10 and is now hosted on MDSAP.Global, managed by Australia’s TGA. This matters for firms relying on MDSAP for global oversight alignment.

What doesn’t change—and where FDA adds clarity

QMSR supplements rather than displaces certain U.S. obligations. You should continue to reference UDI (21 CFR Part 830) and Medical Device Tracking (21 CFR Part 821) where ISO 13485’s text isn’t sufficiently specific for U.S. needs. FDA’s Part 820 overlay also emphasizes records and labeling/packaging controls to ensure U.S. expectations remain explicit.

Design controls under QMSR: clarifying Class I and risk

Class I exemptions: If your device was previously exempt from design controls, that status remains; QMSR doesn’t retroactively impose design controls on exempt devices. (Narrow exceptions for specific Class I products continue as before.)

Risk integration: Inspectors now begin with your risk management documentation and trace how risks drive design decisions, supplier oversight, production controls, and post-market actions, reflecting the ISO 13485/ISO 14971 emphasis and the new compliance program’s lifecycle scope.

Inspections under CP 7382.850: what FDA evaluates now

FDA will test whether your QMS works as an integrated, risk‑driven whole:

  • Risk‑based sampling guided by your risk files; investigators follow issues across functions.
  • Lifecycle data integration (complaints, MDRs, recalls, servicing, supplier issues) feeding back into design/manufacturing changes.
  • Six QMS Areas + four OAFRs (MDR, Corrections/Removals, Tracking, UDI) form the backbone of inspection scope.

Do I have to buy ISO 13485 now?

Because QMSR incorporates ISO 13485 by reference, firms need to control the standard as an external document inside their QMS, typically requiring purchase and version control (per ISO 13485 clause 4.2.4 on external documents).

If you’re already ISO 13485-certified: the lift is manageable

Most of the effort is validating coverage of the Part 820 overlay and tightening traceability to U.S. obligations (MDR, UDI, tracking, labeling controls). Expect incremental updates for servicing/installation records and labeling release/reconciliation to match FDA clarity.

FAQs

Q: Does QMSR change Class I design control exemptions?
A: No. Devices previously exempt remain exempt (with the same narrow exceptions).

Q: Does ISO 13485 certification replace FDA inspections?
A: No. FDA still inspects under QMSR and CP 7382.850; certification helps, but it’s not a substitute.

Q: Do we have to rename DHF/DMR/DHR?
A: Not necessarily. Ensure your content satisfies ISO 13485, maintain a clear mapping, and be consistent in training and retrieval.

How Regulatory Compliance Associates Can Support Your QMSR Transition

The shift from QSR to QMSR is more than a terminology update; it’s a transformation in how quality systems are evaluated. With ISO 13485 as the legal backbone of Part 820 and a risk-based, lifecycle inspection model replacing QSIT, the standard is clear: demonstrate real-world system effectiveness.

Why partner with RCA now?

  • QMSR Gap Assessment & Implementation Support—map current QSR systems to ISO 13485 + FDA overlay (records, labeling/packaging).
  • SOP & Document Modernization—align MDF/D&D files and manufacturing records with inspection‑ready ISO/FDA expectations.
  • Risk Management Integration—embed ISO 14971 across design, suppliers, production, and post-market—the first stop for investigators.
  • Mock FDA Inspections (CP 7382.850)—train on the new lifecycle framework (risk‑based sampling; six QMS Areas + OAFRs).
  • MDSAP Alignment—update readiness to MDSAP Audit Approach v10 (MDSAP.Global).

Ready to strengthen your quality system and prepare for QMSR?

Contact Regulatory Compliance Associates today to schedule a QMSR readiness review or request a customized support plan. Your next inspection will test how your system performs, not just what’s on paper.

Understanding and Applying the Streamlined QMS Framework

In today’s rapidly evolving life sciences landscape, pharmaceutical and biologic companies are increasingly venturing into the world of combination products. These innovative therapies, which integrate drugs or biologics with medical devices, offer enhanced patient convenience, improved therapeutic outcomes, and a competitive edge in the marketplace. However, entering this space requires a strategic expansion of your existing Quality Management System (QMS) to meet regulatory expectations. That’s where the streamlined approach comes in.

Why a Streamlined QMS Approach Matters

The FDA’s implementation of 21 CFR Part 4 and the harmonization with ISO 13485 have paved the way for a simplified yet robust method for integrating device regulations into an existing pharmaceutical QMS. Known as the “streamlined approach,” this method allows companies to incorporate only six key elements from the medical device QMS framework, rather than overhauling their entire system. This is a significant advantage for organizations looking to enter the combination product market without disrupting their current operations.

The Six Core Elements of FDA’s Streamlined Approach

  1. Management Responsibility: Establishing executive oversight and accountability for the expanded QMS.
  2. Design Controls: Implementing structured documentation and testing protocols for the device component.
  3. Purchasing Controls: Ensuring supplier qualification and ongoing performance monitoring.
  4. Corrective and Preventive Actions (CAPA): Addressing systemic issues through root cause analysis and effectiveness checks.
  5. Installation and Servicing: Defining procedures for proper setup and maintenance of device components.
  6. Recordkeeping and Documentation: Maintaining comprehensive records that demonstrate compliance.

For more details, refer to the FDA’s CGMP Companion Guidance for Combination Products.

Key Benefits for Pharmaceutical and Biologic Companies

  • Efficiency: Focused integration minimizes disruption and accelerates time-to-market.
  • Compliance Confidence: Aligns with FDA and international standards, reducing regulatory risk.
  • Scalability: Easily adaptable to different product types and organizational sizes.
  • Cost-Effectiveness: Avoids the need for a full QMS rebuild, saving time and resources.

Preparing for FDA’s 2026 QMSR Transition

With the FDA’s Quality Management System Regulation (QMSR) set to take effect on February 2, 2026, aligning your QMS with ISO 13485 is no longer optional; it’s essential. The streamlined approach offers a clear, actionable path to compliance that supports innovation and growth in the combination product space.

Partner with RCA for End-to-End Compliance Support

Navigating the complexities of combination product compliance doesn’t have to be overwhelming. Regulatory Compliance Associates® (RCA) brings decades of experience and a team of over 500 global experts to help you expand your QMS with confidence. Whether you need SOP development, training, or full-scale implementation support, RCA is your trusted partner in regulatory, quality, and compliance excellence.

As connected medical devices become more prevalent, cybersecurity regulations are evolving rapidly across global markets. Manufacturers must now navigate complex requirements from both the United States Food and Drug Administration (FDA) and the European Union (EU) to ensure compliance and protect patient safety. Fortunately, recent updates show promising signs of alignment between these regulatory bodies, making it easier for companies to adopt unified cybersecurity strategies.

Understanding the Regulatory Landscape

The FDA has introduced new cybersecurity requirements under Section 524B of the Omnibus Law, mandating Software Bill of Materials (SBOMs), coordinated vulnerability disclosure, and secure product development practices. Meanwhile, the EU is updating its Medical Device Regulation (MDR) and introducing the Cyber Resilience Act, which, although not directly applicable to medical devices, sets the tone for broader cybersecurity expectations.

Key Areas of Alignment

Both the FDA and EU regulators emphasize the importance of early threat modeling, SBOM transparency, and postmarket vulnerability management. They also encourage manufacturers to adopt global cybersecurity standards such as ISO/IEC 27001 and IEC 62443 to ensure consistent security practices across markets.

Benefits of Regulatory Harmonization

As the FDA and EU move toward harmonized cybersecurity expectations, manufacturers can benefit from streamlined product development, reduced compliance costs, and faster market access. Unified standards also help improve device security and patient trust across international markets.

How to Stay Ahead of Regulatory Changes

To stay ahead, manufacturers should monitor regulatory updates, engage in early cybersecurity planning, and collaborate with experts who understand both FDA and EU requirements. Proactive planning and secure design practices are essential for meeting current and future cybersecurity expectations.

Partner with Regulatory Compliance Associates®

Navigating the evolving cybersecurity landscape requires deep regulatory expertise and strategic planning. Regulatory Compliance Associates® (RCA) specializes in helping medical device companies align with global cybersecurity regulations, from SBOM development and threat modeling to FDA submissions and EU MDR compliance.

Contact RCA today to schedule a consultation and ensure your connected medical device is secure, compliant, and ready for global market access.

In today’s connected healthcare landscape, cybersecurity is not just a technical requirement; it’s a strategic investment. For medical device manufacturers, early planning can significantly reduce cybersecurity costs while improving compliance, product safety, and time to market. In this blog, we explore how proactive cybersecurity planning can help companies avoid costly mistakes and meet evolving regulatory expectations in both the U.S. and EU.

1. Start Cybersecurity at the Concept Phase

Waiting until the end of development to address cybersecurity can lead to expensive redesigns and regulatory delays. By integrating cybersecurity from the concept phase, manufacturers can identify risks early and design secure systems from the ground up.

2. Build Threat Modeling into Your Design Process

Threat modeling helps identify potential vulnerabilities before they become embedded in the product. This proactive approach reduces the need for costly post-development fixes and supports FDA and EU compliance.

3. Develop a Comprehensive SBOM Early

A complete Software Bill of Materials (SBOM) is now a regulatory requirement. Creating it early ensures transparency, streamlines vulnerability management, and avoids last-minute compliance issues.
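The two SBOM passages on this page (the deliverable described under "Cybersecurity Documentation FDA Now Expects" and the "Develop a Comprehensive SBOM Early" step above) say what an SBOM is for but not what a reviewer actually does with one. The following is an added example, not RCA's code and not from any project the page describes: it loads a minimal CycloneDX-style SBOM, cross-references each component against an advisory feed, and separates components that are exposed from components whose version is missing and therefore cannot be assessed. Everything in it is constructed for illustration: the component names, versions, advisory ids and affected ranges are placeholders, not real products or real CVEs.

```python
"""Added example: what an SBOM enables during vulnerability management.

Given a machine-readable component inventory, a reviewer or the manufacturer's
own vulnerability-management process can match each third-party component
against published advisories and report what is exposed. The SBOM and the
advisory feed below are constructed for this example; the component names,
versions and advisory ids are placeholders, not real software or real CVEs.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5-style document (JSON). Only the fields this
# example reads are present; a real SBOM carries many more.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-pump-firmware", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "example-tls-lib", "version": "2.16.3",
     "purl": "pkg:generic/example-tls-lib@2.16.3"},
    {"type": "library", "name": "example-rtos-kernel", "version": "10.4.3",
     "purl": "pkg:generic/example-rtos-kernel@10.4.3"},
    {"type": "library", "name": "example-tcpip-stack", "version": "2.1.2",
     "purl": "pkg:generic/example-tcpip-stack@2.1.2"},
    {"type": "library", "name": "example-json-parser",
     "purl": "pkg:generic/example-json-parser"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    """One constructed advisory: which component, which versions, how severe."""
    advisory_id: str      # placeholder id, not a real CVE
    component: str
    affected_below: str   # versions strictly below this are affected
    severity: str


# Constructed advisory feed. Ids and version ranges are illustrative only.
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "example-tls-lib", "2.16.5", "high"),
    Advisory("ADV-EXAMPLE-0002", "example-tcpip-stack", "2.1.0", "medium"),
    Advisory("ADV-EXAMPLE-0003", "example-json-parser", "1.7.16", "high"),
]


def parse_version(text):
    """Turn '2.16.3' into (2, 16, 3) so ranges compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def load_components(sbom_json):
    """Return (name, version-or-None) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    return [(c["name"], c.get("version")) for c in doc.get("components", [])]


def assess_exposure(sbom_json, advisories):
    """Cross-reference SBOM components against an advisory feed.

    Returns a dict with two lists:
      exposed -- (component, version, advisory_id, severity) for each match
      unknown -- components shipped without a version, which cannot be
                 assessed at all; that is an SBOM completeness gap a
                 reviewer would raise before looking at anything else
    """
    exposed, unknown = [], []
    for name, version in load_components(sbom_json):
        if version is None:
            unknown.append(name)
            continue
        for adv in advisories:
            if adv.component.lower() != name.lower():
                continue
            if parse_version(version) < parse_version(adv.affected_below):
                exposed.append((name, version, adv.advisory_id, adv.severity))
    return {"exposed": exposed, "unknown": unknown}


if __name__ == "__main__":
    report = assess_exposure(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for name, version, adv_id, severity in report["exposed"]:
        print(f"EXPOSED  {name} {version}: {adv_id} ({severity})")
    for name in report["unknown"]:
        print(f"UNKNOWN  {name}: no version recorded, cannot assess exposure")
```

On the constructed input the TLS library is reported as exposed (its version is below the advisory's fixed version), the TCP/IP stack is not (it already carries a fixed version), and the JSON parser lands in the "unknown" list because the SBOM entry has no version at all. That last case is the point of the "transparency" the page refers to: an SBOM entry without a version is not wrong so much as unusable, and a vulnerability-management process should treat it as a finding in its own right rather than silently skipping it.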

 

4. Align with Global Cybersecurity Standards

Following international standards like ISO/IEC 81001-5-1 and FDA premarket guidance from the start helps reduce rework and ensures smoother regulatory submissions across markets.

5. Collaborate with Cybersecurity Experts

Partnering with experienced cybersecurity consultants can help identify risks, implement best practices, and avoid costly missteps. Expert guidance ensures your team stays ahead of evolving regulations and industry expectations.

Partner with Regulatory Compliance Associates®

Early cybersecurity planning is not just cost-effective; it’s essential for regulatory success and patient safety. By embedding cybersecurity into every stage of product development, medical device manufacturers can reduce costs, accelerate time to market, and build more secure, compliant products.

Regulatory Compliance Associates® (RCA) helps medical device companies reduce cybersecurity costs through early planning, threat modeling, SBOM development, and global regulatory strategy. Contact RCA today to learn how our experts can support your secure product development journey.