In this episode of RCA Radio, host Brandon Miller is joined by cybersecurity experts Jason Tugman of Regulatory Compliance Associates® and Mustanir Ali of BSI Group to unpack the evolving landscape of cybersecurity in medical devices. Together, they explore the latest FDA and EU guidance, the growing expectations for connected device security, and the top gaps companies face when bringing products to market. From threat modeling and SBOMs to legacy device challenges and global regulatory alignment, this episode offers practical insights for MedTech developers navigating today’s complex cybersecurity requirements. Whether you’re launching a new device or updating an existing one, this conversation is packed with actionable advice to help you stay secure and compliant.
Background
An established pharmaceutical company with a strong background in biologics and biosimilars was preparing to enter Phase 3 clinical trials with a biosimilar product. While their drug development and manufacturing teams were experienced and well-resourced, the organization had no prior experience with medical devices.
With the introduction of FDA’s combination product regulations and 21 CFR Part 4, the company realized they needed to house their drug product in a drug delivery system—triggering a set of new design and regulatory requirements. Despite their mature quality system aligned to 21 CFR Parts 210/211, they lacked the internal expertise and infrastructure to integrate device development, design controls, and risk management into their QMS.
RCA Approach
Regulatory Compliance Associates® (RCA) was brought in to establish a compliant and sustainable combination product development framework. The engagement began with a comprehensive gap assessment to evaluate the client’s current quality system against the regulatory requirements in 21 CFR Part 820 and Part 4.
While foundational systems like CAPA were already robust, gaps were identified in design controls, risk management, and supplier controls. RCA worked closely with the client to integrate these new requirements into the organization’s operations.
Key activities included:
- Developing and revising SOPs:
  - Multiple SOPs were created covering design controls, risk management, and management responsibilities.
  - Existing SOPs (such as Purchasing Controls) were updated to reflect device-specific needs.
- Training cross-functional teams:
  - RCA conducted training sessions for QA, regulatory affairs, manufacturing operations, and marketing on combination product regulations and new procedures.
- Establishing design documentation:
  - Created complete design history files (DHFs) using new SOPs.
  - Developed design and development plans, design input requirements, and detailed design specifications for all components, packaging, and labeling.
  - Facilitated risk assessments through cross-functional collaboration.
- Technical and manufacturing support:
  - Integrated device tests into ongoing stability studies.
  - Worked with external vendors on component specifications.
  - Helped develop and qualify an in-house final assembly process and supported manufacturing process qualifications for new equipment.
  - Conducted and documented a design transfer to manufacturing.
- Verification & validation (V&V):
  - Executed comprehensive testing, including:
    - Container Closure Integrity
    - Delivered Volume
    - Break Loose and Glide Force
    - Human Factors (Formative and Summative) per IEC 62366
- Regulatory support:
  - Assisted in authoring the Device Section of the BLA, ensuring alignment with FDA expectations.
Result
Thanks to RCA’s support, the company was able to initiate its Phase 3 clinical trials on schedule, with a fully compliant combination product.
Over the next two years, the organization successfully launched three commercial combination products—two prefilled syringes and one vial kit—all of which passed FDA audits. The quality system enhancements and DHFs stood up to regulatory scrutiny, and the trained internal teams were able to carry the work forward independently.
RCA also temporarily stood up a Device Development Department, mentoring internal staff and ensuring a seamless handoff post-acquisition. The company has since maintained compliance and continues to expand its biosimilar product portfolio with confidence.
Why Design Controls Matter for Combination Products
Design controls represent one of the most significant regulatory challenges for companies entering the combination product market, especially those with a pharmaceutical or biologics background.
Key Regulatory Frameworks Involved
Pharma companies are well-versed in process validation under GMPs (21 CFR Part 210/211). However, combination products that include a device component require adherence to device regulations under 21 CFR Part 820, which mandates design controls.
What’s Required Under Design Controls?
Design controls involve structured development planning and documentation, including:
- Design and development planning
- User needs and design inputs
- Design outputs and verification
- Design validation (often including human factors/usability testing)
- Design transfer
- Design history files (DHF)
The Importance of Human Factors and Validation Testing
These are not just technicalities—they’re critical quality elements the FDA uses to determine whether a product will perform as intended when used by real patients. One of the most commonly misunderstood areas is design validation, which often requires human factors testing to confirm that the user can safely and effectively operate the device component.
How to Integrate Design Controls into a Pharma QMS
For many drug companies, integrating these design requirements means:
- Creating new SOPs for design and development
- Training teams on device regulations
- Hiring or consulting with medical device experts
Get Help From Combination Product Experts
RCA offers deep expertise in integrating design controls into pharmaceutical systems. Whether you need support with SOP development, training, or validation planning, RCA is here to help. Contact us today to learn more.
Many companies don’t realize they have a combination product until it’s too late. With increased regulatory scrutiny from the FDA, properly identifying your product type is not just important—it’s essential for compliance, market access, and patient safety.
A combination product, as defined by the FDA, is a therapeutic and diagnostic product that combines drugs, devices, and/or biological products. These products can take multiple forms, including:
- Prefilled syringes (drug + delivery device)
- Drug-eluting stents (device coated with a drug)
- Convenience kits (e.g., vials packaged with filters and needles)
- Cross-labeled products (e.g., drug and device sold separately but intended for combined use)
Some of these combinations are obvious, but many are not. A product that seems like simple packaging may actually trigger combination product regulations under FDA’s 21 CFR Part 4, effective since 2013. The FDA began strict enforcement in 2014, prompting many companies to reevaluate their portfolios.
One of the biggest risks is operating under outdated assumptions. If your company has historically marketed a device or drug in conjunction with another regulated product, you may already be in combination product territory without knowing it.
If there’s uncertainty, the FDA allows companies to submit a Request for Designation (RFD). This formal process helps determine which regulatory center (CDER, CBER, or CDRH) will have primary jurisdiction over your product based on its primary mode of action (PMOA).
Identifying whether your product qualifies as a combination product is a foundational step. Doing so early allows for proper planning of your development pathway, avoids regulatory surprises, and helps build a robust compliance strategy.
Partner with Regulatory Experts
Regulatory Compliance Associates (RCA) has extensive experience helping companies identify and navigate combination product requirements. Contact RCA today to ensure you’re on the right path from the start.
Background
A pharmaceutical company preparing for product commercialization faced significant challenges in meeting FDA expectations. The organization lacked standard operating procedures (SOPs), had minimal supplier qualification controls, and was not adequately prepared for a Good Manufacturing Practice (GMP) inspection. A comprehensive evaluation of the company’s operational and quality infrastructure was necessary to ensure readiness for a successful FDA review and market entry.
RCA Approach
Regulatory Compliance Associates® Inc. (RCA) conducted a full Commercial Readiness Gap Assessment tailored to the FDA’s pre-approval inspection (PAI) framework. Key focus areas included:
- Evaluation of organizational structure and quality systems
- PAI readiness across six critical GMP subsystems
- Data integrity and Good Documentation Practices (GDP)
- Consumer complaint handling processes
- Oversight and qualification of third-party partners (CDMOs, laboratories, logistics providers)
- Quality agreements and end-to-end supply chain traceability
- Internal QMS documentation gaps and procedures to support batch release
- Inspection preparedness through mock audits, training, and strategic planning
Result
Within just four weeks, RCA delivered a written, risk-based remediation roadmap that enabled the client to address high-priority compliance issues. The team identified and resolved critical GMP and supply chain gaps that could have resulted in regulatory findings during an inspection. RCA also supported the development of an interim Quality Unit (QU) and an inspection response team, ensuring organizational preparedness. As a result of this comprehensive engagement, the client was positioned to successfully pass their FDA pre-approval inspection without any major observations. RCA’s involvement continued post-launch, supporting the full build-out of a compliant, scalable Quality Management System (QMS).

















