Segment: Quality Assurance

Why Cybersecurity Has Become a Regulatory Priority

As combination products increasingly rely on software, connectivity, and digital interfaces, cybersecurity has moved from a secondary concern to a core regulatory expectation. What was once viewed as an IT or infrastructure issue is now clearly framed by regulators as a patient safety risk.

Vulnerabilities that go unaddressed during development can expose patient data, disrupt device performance, or create pathways into broader healthcare networks. FDA scrutiny has followed this reality—with expectations now focused on how cybersecurity risks are identified and controlled across the entire product lifecycle.

When Software Expands the Regulatory Scope

Once software plays a role in device operation, data handling, or clinical functionality, it introduces a new regulatory dimension. IEC 62304 establishes expectations for managing medical device software throughout its lifecycle, and FDA increasingly looks for evidence that these principles are embedded into development practices.

This includes clearly defining software architecture, understanding how different components interact, and documenting how risks are assessed and mitigated. Software complexity, especially when multiple operating systems, programming languages, or third-party components are involved, increases the likelihood that vulnerabilities exist. Regulators expect sponsors to demonstrate awareness of that complexity and control over its impact.

Secure by Design Starts at the Requirements Level

One of the most common contributors to cybersecurity weaknesses is poor design planning. When security requirements are vague, incomplete, or added late in development, vulnerabilities are often baked into the product.

FDA expectations increasingly reflect a “secure by design” mindset. The strongest cybersecurity controls are those that eliminate or reduce vulnerabilities through planned architecture and clear requirements. Protective mechanisms that detect and respond to threats are the next layer of defense.

Effective cybersecurity requires giving security considerations a formal seat at the design table, supported by subject matter expertise and documented decision-making. Otherwise, designers run the risk of relying primarily on labeling, instructions, or user warnings for security—which are considered the weakest mechanisms available.

Software Changes Are Lifecycle Events, Not IT Tasks

As vulnerabilities evolve, software must be maintained through updates and patches. These activities are not routine maintenance tasks. Each change has the potential to affect safety, performance, and compliance.

FDA expects organizations to assess software changes through a quality and risk lens, not an IT convenience lens. Updates tied to cybersecurity posture or device behavior typically require formal change control, risk evaluation, and verification. Organizations that lack clear criteria for distinguishing between design-controlled changes and minor maintenance should expect to struggle when questioned during inspections.

Cybersecurity Documentation FDA Now Expects

Cybersecurity reviews increasingly include specific deliverables that demonstrate transparency and control. One example is the Software Bill of Materials, which identifies third-party software components and dependencies. This allows regulators to assess supply chain risk and vulnerability exposure.

Threat modeling documentation is also becoming more common, showing how potential attack scenarios were identified and addressed. Additional artifacts may include secure development lifecycle procedures, vulnerability management processes, and post-market monitoring strategies that demonstrate ongoing accountability rather than one-time compliance.
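To illustrate the supply-chain use an SBOM enables and the vulnerability-management process the previous two paragraphs describe, here is an added Python example; it is not code from RCA or from the page, and it is not tied to any real product. It parses a minimal CycloneDX-style JSON SBOM, cross-references each component against an advisory feed, and reports which components are exposed and whether a fixed release exists. The SBOM contents, component names and advisory identifiers are constructed placeholders (no real CVEs), and versions are assumed to be plain dotted integers.

```python
"""Cross-reference a CycloneDX-style SBOM against a vulnerability feed.

Added example, not RCA's or the page's code. Assumptions: the SBOM is a
CycloneDX 1.x JSON document with name/version per component, versions are
plain dotted integers, and the advisory feed is a constructed list whose
identifiers are placeholders (not real CVEs).
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed SBOM for an invented device firmware; every name is a placeholder.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-device-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "example-tls", "version": "1.4.2",
     "purl": "pkg:generic/example-tls@1.4.2"},
    {"type": "library", "name": "example-json", "version": "2.0.1",
     "purl": "pkg:generic/example-json@2.0.1"},
    {"type": "operating-system", "name": "example-rtos", "version": "5.1.0",
     "purl": "pkg:generic/example-rtos@5.1.0"}
  ]
}
"""

# Constructed advisory feed with placeholder IDs. A component is affected when
# affected_from <= version < fixed_in; fixed_in of None means no fix exists yet.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "example-tls",
     "affected_from": "1.0.0", "fixed_in": "1.4.3", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-002", "component": "example-json",
     "affected_from": "2.1.0", "fixed_in": "2.1.4", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-003", "component": "example-rtos",
     "affected_from": "5.0.0", "fixed_in": None, "severity": "critical"},
]


@dataclass(frozen=True)
class Exposure:
    component: str
    version: str
    advisory_id: str
    severity: str
    fixed_in: Optional[str]  # None: no fixed release, needs a compensating control


def parse_version(version: str) -> tuple:
    """Assumption: plain dotted-integer versions such as '1.4.2'."""
    return tuple(int(part) for part in version.split("."))


def parse_sbom(text: str) -> list:
    """Return the component list, rejecting documents that are not CycloneDX
    or whose components lack the name/version needed for matching."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = doc.get("components", [])
    for comp in components:
        if "name" not in comp or "version" not in comp:
            raise ValueError(f"component missing name/version: {comp}")
    return components


def is_affected(version: str, advisory: dict) -> bool:
    """Half-open range check: affected_from <= version < fixed_in."""
    v = parse_version(version)
    if v < parse_version(advisory["affected_from"]):
        return False
    if advisory["fixed_in"] is None:
        return True
    return v < parse_version(advisory["fixed_in"])


def find_exposures(components: list, advisories: list) -> list:
    """Match every SBOM component against every advisory for the same name."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["component"], []).append(adv)
    exposures = []
    for comp in components:
        for adv in by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv):
                exposures.append(Exposure(comp["name"], comp["version"],
                                          adv["id"], adv["severity"], adv["fixed_in"]))
    return exposures


def severity_counts(exposures: list) -> dict:
    """Summary suitable for a vulnerability-management or post-market report."""
    counts = {}
    for exp in exposures:
        counts[exp.severity] = counts.get(exp.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_exposures(parse_sbom(SBOM_JSON), ADVISORIES)
    for exp in found:
        action = f"upgrade to {exp.fixed_in}" if exp.fixed_in else "no fix available; compensating control required"
        print(f"{exp.severity:<8} {exp.component}@{exp.version}  {exp.advisory_id}  {action}")
    print("summary:", severity_counts(found))
```

Run against a release's SBOM whenever the advisory feed updates; an exposure with no fixed release is exactly the case that needs a documented risk evaluation and, if a patch follows, formal change control rather than an ad hoc update. The range check is half-open so that the fixed release itself is never reported as affected.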

Integrating Cybersecurity Into a Streamlined QMS

For combination products, cybersecurity controls can be integrated into an existing pharmaceutical quality system through the streamlined approach allowed under 21 CFR Part 4. This avoids duplicative systems while ensuring software and cybersecurity risks are appropriately governed.

Successful integration depends on alignment between software development, Design Controls, risk management, and quality oversight. When cybersecurity is embedded into the QMS and the D&D file for the device rather than bolted on after the fact, inspection readiness improves significantly.

How RCA Supports Software and Cybersecurity Readiness

Regulatory Compliance Associates® (RCA) helps life sciences organizations build inspection-ready software and cybersecurity frameworks tailored to combination products.

From TIR57 and ISO 14971 compliance and cybersecurity documentation to inspection preparation and training, RCA partners with teams to navigate this complex and rapidly evolving regulatory landscape with confidence.

Ready to streamline your QMS for combination product success?
Contact RCA today to schedule a consultation and take the first step toward regulatory readiness and market leadership.

Why Design Controls Are the Biggest Leap for Drug Teams

For pharmaceutical and biologic organizations entering the combination product space, few regulatory requirements cause as much friction as design controls under FDA QMSR. Unlike traditional pharmaceutical Quality Risk Management (QRM), design controls require a structured and documented history of how the device portion of a product was conceived, designed, verified, validated, and transferred into production.

For many drug teams, this represents a fundamental shift from the line of thinking they are accustomed to. Quality is no longer focused solely on batch release, clinical outcomes, or GMP compliance. Instead, regulators expect a living design narrative that demonstrates intentional engineering decisions and risk-based controls throughout the product lifecycle.

Why Pharmaceutical Risk Management Is Not Device Risk Management

Pharmaceutical QRM, often aligned with ICH Q9, is typically focused on patient safety, process variability, and manufacturing controls. Device risk management, however, is governed by ISO 14971 and embedded directly into design controls.

The key distinction is timing and intent.

Pharma risk management often evaluates risk after formulation and process decisions are made. Device risk management is proactive and iterative, requiring teams to identify hazards, estimate and evaluate risks, implement controls, and reassess residual risk throughout design and development.

For combination products, the FDA expects risk management to be tightly linked to design inputs, outputs, verification, and validation. A standalone risk assessment or FMEA is not sufficient if it is not clearly integrated into the design history.

The Circular Nature of Design Inputs and Outputs

One of the most misunderstood aspects of design controls is that design is not linear. Design inputs inform outputs, but outputs frequently expose gaps, ambiguities, or risks that require refinement of inputs. This circular relationship is not a weakness. It is an expected and documented part of compliant device development.

Design inputs define what the device must do, including performance requirements, safety considerations, usability needs, and regulatory constraints. Design outputs translate those requirements into drawings, specifications, software code, and manufacturing instructions.

FDA investigators routinely look for evidence that inputs and outputs were revisited as new information emerged. Static inputs that never evolve raise red flags during inspection.

Why Clinical Trials Do Not Equal Design Validation

A common misconception among drug-focused organizations is that clinical trials satisfy device design validation requirements. While clinical data may support aspects of performance or safety, FDA does not consider clinical trials alone to be sufficient design validation for the device component.

Design validation under QMSR and ISO 13485 requires documented evidence that the device meets user needs and intended uses under actual or simulated use conditions. This includes usability testing, human factors engineering, and validation of device performance independent of clinical efficacy endpoints.

In short, proving the therapy works does not automatically prove the device was designed correctly.

Design Transfer Is Where Many Programs Fail

Design transfer is often treated as an administrative milestone. In reality, it is a critical control point where FDA scrutiny increases significantly.

Design transfer ensures that the device design is correctly translated into production specifications and manufacturing processes. Regulators expect clear evidence that manufacturing can consistently produce devices that meet approved design requirements.

Weak design transfer frequently results in downstream CAPAs, nonconformances, and delayed approvals. Strong design transfer, on the other hand, creates alignment between R&D, quality, and manufacturing and significantly reduces lifecycle risk.

Building Design Controls Without Rebuilding Your QMS

For combination products, design controls do not require a full medical device QMS. Under the streamlined approach, organizations can integrate design control elements into an existing pharmaceutical system while maintaining compliance with 21 CFR Part 4.

The key is intentional integration, not duplication. Design controls must be documented, traceable, and inspection-ready, but they can coexist with pharmaceutical processes when structured correctly.

How RCA Helps Drug Teams Navigate Design Controls

Design controls are challenging because they force organizations to think differently about development. Regulatory Compliance Associates® (RCA) helps pharmaceutical and biologic companies implement right-sized design control frameworks that meet FDA expectations without unnecessary complexity.

Ready to streamline your QMS for combination product success?

Contact RCA today to schedule a consultation and take the first step toward regulatory readiness and market leadership.

In this episode of the Ask the Expert video series hosted by Pharmaceutical Technology®, Susan J. Schniepp, Nelson Labs, and Siegfried Schmitt, Parexel, discuss the benefits of orphan drug development and how a mid-sized company can work with regulators through the pathway to approval.

In this episode of the Ask the Expert video series, Susan J. Schniepp, Distinguished Fellow, Regulatory Compliance Associates, a Nelson Labs Company, and Siegfried Schmitt, Vice President, Parexel, answer the question:

“We are a medium-sized company and are looking to develop a new drug and are thinking of applying for orphan drug status. Do you have any suggestions for working with regulators?”

For medium-sized pharmaceutical companies considering developing a drug for orphan drug designation, the transition from traditional development to rare disease therapy requires a shift in regulatory, clinical, and operational planning. An orphan drug is defined by the size of the population it treats; in the United States, this generally refers to conditions affecting 200,000 or fewer people [1], while the European Union uses a threshold of approximately five in 10,000 [2].

What are the regulatory and financial incentives?

According to Schniepp and Schmitt, the orphan drug designation route offers government-backed incentives designed to offset the limited blockbuster potential of these products. These include financial support such as government funding, grants, and tax credits. In the US, fees under the Prescription Drug User Fee Act may be waived for orphan drug developers. Regulators also offer more support for applications and faster approval timelines.

What challenges does the Orphan Drug pathway bring?

Orphan drugs must meet the same rigorous quality and compliance standards as traditional drug approvals, Schmitt and Schniepp emphasize. An accelerated approval process often means manufacturers must be more agile to apply high-level quality systems within a shorter timeframe.

Orphan drugs may also introduce specific manufacturing complexities. Producing smaller batches for clinical trials or commercial use is often more difficult than large-scale production.

Smaller companies without internal facilities may need to utilize contract development and manufacturing organizations (CDMOs). However, CDMOs may find it harder to integrate low-volume runs into their schedules compared to large-scale, large-tank production.

Because the patient population is small and globally dispersed, distributing small batches of product to far-reaching locations may also be a logistical hurdle.

Patient enrollment for rare-disease treatment development may be difficult, especially if multiple companies are competing for the same eligible participants. Medium-sized firms lacking regulatory experience should seek external expertise, according to Schmitt, and work in close collaboration with regulatory authorities. While these therapies may be commercial risks, they may lead to the discovery of broader indications for other diseases, Schniepp suggests, making them even more worthwhile to pursue.

References

  1. FDA. Office of Orphan Products Development. FDA.gov. Oct. 1, 2024. https://www.fda.gov/about-fda/office-chief-medical-officer/office-orphan-products-development (accessed Feb. 17, 2026).
  2. EMA. Orphan Designation: Overview. Ema.europa.eu. https://www.ema.europa.eu/en/human-regulatory-overview/orphan-designation-overview (accessed Feb. 17, 2026).

Background

A pharmaceutical manufacturer faced a significant capacity shortfall for a high-value drug product, with demand forecasts projecting accelerated growth. The expansion carried a high-risk profile due to complex interdependencies across construction, utilities, automation, commissioning and qualification (CQV), quality approvals, and regulatory submissions.

Compounding the challenge was an aggressive 24-month delivery timeline, alongside global supply chain volatility impacting critical equipment such as lyophilizers and isolators. Any delay across these integrated workstreams could jeopardize commercial supply continuity and regulatory readiness.

To mitigate risk and ensure timely delivery, the organization engaged Regulatory Compliance Associates® (RCA).

RCA Approach

RCA appointed a dedicated Program Manager (PM) to lead the initiative and assume ownership of the Integrated Master Plan (IMP) and Integrated Master Schedule (IMS). The PM coordinated all functional areas to ensure alignment across the project lifecycle, including:

  • Construction and facility build-out
  • Commissioning & Qualification (CQV)
  • Quality and QA oversight
  • Regulatory strategy and submission readiness
  • Compliance activities (CSV/GxP)
  • Environmental Health & Safety (EHS)
  • Operations readiness

A phase-gated governance model was established to control risk, enforce accountability, and align technical milestones with regulatory deliverables. RCA integrated CQV activities directly with validation planning and regulatory timelines to prevent downstream delays.

Inspection readiness was embedded early in the project, with proactive quality oversight and compliance alignment to ensure a seamless transition from build completion to regulatory approval.

Results

  • The facility was delivered, commissioned, and validated in Month 23, ahead of the 24-month target.
  • All critical utilities passed qualification on the first attempt.
  • The FDA inspection resulted in zero Form 483 observations.
  • The facility was cleared for commercial manufacturing within eight weeks of inspection.

Through disciplined program management, integrated governance, and proactive regulatory alignment, RCA helped the client successfully expand capacity while minimizing operational and compliance risk.

The FDA’s Quality Management System Regulation (QMSR) replaces the legacy QSR and formally incorporates ISO 13485:2016 (and ISO 9000:2015 Clause 3 for terminology) by reference. The final rule was issued on February 2, 2024, with an effective date of February 2, 2026, and it arrives with a new, lifecycle‑focused inspection model that retires QSIT.

Why did FDA replace QSR with QMSR?

For nearly three decades, manufacturers managed a U.S. QSR that diverged from global practice, creating duplicate compliance burdens. QMSR harmonizes with ISO 13485, modernizes expectations, and preserves specific U.S. obligations where needed, improving clarity while reducing redundancy for firms marketing in multiple jurisdictions.

The headline changes you’ll notice

ISO 13485 becomes the backbone of U.S. device CGMPs

QMSR restructures Part 820 to function as an overlay on ISO 13485:2016 (and ISO 9000:2015 for definitions), while retaining targeted FDA additions to avoid conflicts with U.S. requirements (e.g., records and labeling/packaging clarifications).

New inspection model; QSIT is retired

On the effective date, FDA begins inspections under Compliance Program 7382.850 and discontinues QSIT. Expect risk‑based planning, integration of post-market and lifecycle data, and inspectors following issues across processes rather than auditing subsystems in isolation.

Analyses show FDA will organize inspections around six QMS Areas and cover four “Other Applicable FDA Requirements” (MDR, Corrections/Removals, Tracking, UDI), often starting with your risk management file as the roadmap.

Terminology alignment: DHF/DMR/DHR → ISO terms

QMSR sunsets QSR‑only terms in favor of ISO vocabulary:

  • Design History File (DHF) → Design & Development File (DDF)
  • Device Master Record (DMR) → Medical Device File (MDF)
  • Design History Record (DHR) → Manufacturing Records/Records

FDA notes the content obligations remain under ISO clauses (especially 4.2 and 7.x) and retaining the old terms would be redundant and confusing.

Practical tip: You don’t have to rename every document; just ensure your files demonstrably meet ISO 13485 content and traceability, and keep a clear mapping for inspection.

Internal audits & management reviews are now fair game

Under QMSR and its new compliance program, industry observers and FDA‑facing legal analysts note that internal audits, supplier audits, and management review records are no longer categorically exempt. Treat them as inspection‑ready evidence.

MDSAP updates and new home

The MDSAP Audit Approach has been updated to Version 10 and is now hosted on MDSAP.Global, managed by Australia’s TGA. This matters for firms relying on MDSAP for global oversight alignment.

What doesn’t change—and where FDA adds clarity

QMSR supplements rather than displaces certain U.S. obligations. You should continue to reference UDI (21 CFR Part 830) and Medical Device Tracking (21 CFR Part 821) where ISO 13485’s text isn’t sufficiently specific for U.S. needs. FDA’s Part 820 overlay also emphasizes records and labeling/packaging controls to ensure U.S. expectations remain explicit.

Design controls under QMSR: clarifying Class I and risk

Class I exemptions: If your device was previously exempt from design controls, that status remains; QMSR doesn’t retroactively impose design controls on exempt devices. (Narrow exceptions for specific Class I products continue as before.)

Risk integration: Inspectors now begin with your risk management documentation and trace how risks drive design decisions, supplier oversight, production controls, and post-market actions, reflecting the ISO 13485/ISO 14971 emphasis and the new compliance program’s lifecycle scope.

Inspections under CP 7382.850: what FDA evaluates now

FDA will test whether your QMS works as an integrated, risk‑driven whole:

  • Risk‑based sampling guided by your risk files; investigators follow issues across functions.
  • Lifecycle data integration (complaints, MDRs, recalls, servicing, supplier issues) feeding back into design/manufacturing changes.
  • Six QMS Areas + four OAFRs (MDR, Corrections/Removals, Tracking, UDI) form the backbone of inspection scope.

Do I have to buy ISO 13485 now?

Because QMSR incorporates ISO 13485 by reference, firms need to control the standard as an external document inside their QMS, typically requiring purchase and version control (per ISO 13485 clause 4.2.4 on external documents).

If you’re already ISO 13485‑certified: the lift is manageable

Most of the effort is validating coverage of the Part 820 overlay and tightening traceability to U.S. obligations (MDR, UDI, tracking, labeling controls). Expect incremental updates for servicing/installation records and labeling release/reconciliation to match FDA clarity.

FAQs

Q: Does QMSR change Class I design control exemptions?
A: No. Devices previously exempt remain exempt (with the same narrow exceptions).

Q: Does ISO 13485 certification replace FDA inspections?
A: No. FDA still inspects under QMSR and CP 7382.850; certification helps, but it’s not a substitute.

Q: Do we have to rename DHF/DMR/DHR?
A: Not necessarily. Ensure your content satisfies ISO 13485, maintain a clear mapping, and be consistent in training and retrieval.

How Regulatory Compliance Associates Can Support Your QMSR Transition

The shift from QSR to QMSR is more than a terminology update; it’s a transformation in how quality systems are evaluated. With ISO 13485 as the legal backbone of Part 820 and a risk‑based, lifecycle inspection model replacing QSIT, the standard is clear: demonstrate real‑world system effectiveness.

Why partner with RCA now?

  • QMSR Gap Assessment & Implementation Support—map current QSR systems to ISO 13485 + FDA overlay (records, labeling/packaging).
  • SOP & Document Modernization—align MDF/D&D files and manufacturing records with inspection‑ready ISO/FDA expectations.
  • Risk Management Integration—embed ISO 14971 across design, suppliers, production, and post-market—the first stop for investigators.
  • Mock FDA Inspections (CP 7382.850)—train on the new lifecycle framework (risk‑based sampling; six QMS Areas + OAFRs).
  • MDSAP Alignment—update readiness to MDSAP Audit Approach v10 (MDSAP.Global).

Ready to strengthen your quality system and prepare for QMSR?

Contact Regulatory Compliance Associates today to schedule a QMSR readiness review or request a customized support plan. Your next inspection will test how your system performs, not just what’s on paper.