Segment: Regulatory Affairs

By: Claire Wallace, Senior Writer, Informa Markets – Engineering. Published by Medical Device and Diagnostic Industry

Regulatory affairs expert Jordan Elder breaks down the critical steps medical device manufacturers must take to comply with the QMSR, explaining common misconceptions, prioritization strategies for gap assessments, and how the new risk-based framework differs from the prescriptive QSR—plus what FDA’s alignment with ISO 13485 means for global market access.

Jordan Elder has served as the Director of Regulatory Affairs at RCA (A Nelson Labs Company) for the last 15 years, providing clients with general direction, tactical objectives, and functional plans for their regulatory needs.

Elder has a comprehensive background in medical device regulations and a demonstrated history of successful product submissions, including FDA 510(k), EU Class IIa and IIb, Health Canada III, COFEPRIS Class III, and CFDA Class III submissions. His certifications include RAC (US), Six Sigma Black Belt, and Certified Lead Auditor per ISO 13485:2016.

Elder joins MD+DI Senior Writer Claire Wallace to discuss critical QMSR transition steps, gap assessments, FDA inspection changes, and global harmonization strategies.

With the QMSR effective as of February 2, 2026, what are the most critical first steps companies should take if they haven’t already begun their transition from QSR to QMSR?

Elder: It’s most important to know that this transition window has already closed. FDA published this rule in February of 2024, and they gave a two-year grace period for companies to make that transition. So going forward, there is no grace period. There is no enforcement discretion or a phased rollout. With that, they’re going to need to read the final rule first, and they’re going to have to have access to ISO 13485, and that’s the 2016 edition. The final rule gives some relevant information that a company should look at, but they’re really going to have to have that ISO standard. So you’re going to want to go to ISO.org and buy that standard.

After that, you’re going to want to conduct a formal gap analysis, and there’s a great reference. From there, you want to go ahead and update those gaps and update your documentation. That’s going to include things like updating your quality manual. You’re going to have your SOPs, templates, your forms. You’re going to want to make sure you reference ISO 13485 rather than the old QSR structure. You’re going to migrate from DMR, DHF, and DHR towards the medical device file terminology.

One big thing about this transition: they really stepped up risk management. So companies are going to want to make sure they’ve strengthened their risk management processes and make sure that you’ve trained all relevant staff. It’s great that you’ve made these changes, but if you really don’t take the time to train your staff, then you really haven’t done a whole lot other than make some changes on paper. So make sure that everybody who needs to be trained on these relevant updates has been trained.

What are the biggest misconceptions you’re seeing among medical device manufacturers about the QMSR transition?

Elder: I’ve seen a lot of companies talk about this QMSR as ISO 13485. And while that is a majority of the change, FDA still kept certain parts of the QSR. And so with that, it’s important to remember that you don’t just blindly follow 13485. You’re going to want to make sure that you follow all the relevant aspects that are still active from the original QSR. And a lot of these changes aren’t just semantic. A good example is documented traceability between design inputs, outputs, and verification. That was simply a best practice under the QSR. But with that transition under the QMSR, there’s an explicit requirement in 13485, and I believe it’s clause 7.3 for planning. So things like this—it’s not just semantic. You’re not just changing your terms; there are substantive changes within this change. Another misconception: a lot of companies that were following 13485 also typically follow ISO 14971, which is your risk management ISO standard. But FDA has explicitly stated in their preamble that 14971 is not incorporated by reference. So while companies can use this, it’s not explicitly required, and you can still maintain your risk management however you see best fit. I think the last misconception that I’ve seen is that ISO 13485 certification means compliance. And while you’re there and it gets you really close to that finish line, like I’ve said before, if you aren’t enacting some of the old QSR requirements, you aren’t there. So just because you got certified from your notified body does not mean you’re compliant with the QMSR.

How should companies prioritize their gap assessments when moving from 21 CFR 820 to the QMSR framework?

Elder: I would put these out in different tiers of priority, or critical areas. I think within your critical areas for tier one: CAPA separation. Your old QSR combined your corrective and preventive action, but 13485 requires distinct procedures for corrective action and preventive action. Most QSR-based systems combine these, so you’re going to want to take a look at separating those out. Your management review and internal audit records—these records are now fully inspectable by FDA. Previously, FDA could take a look at whether you had conducted them, but that was the extent of it. Now they’re going to be able to take a look at everything. So you’re going to want to make sure you adjust your files and adjust your practices so you’re documenting your best for FDA. Your risk management integration through the QMS—it appeared only once in the entire QSR, but over 25 times within this ISO standard, which is a big change. Like I said, FDA is really emphasizing this risk management. So you’re going to want to conduct risk-based thinking and update your processes with your supplier evaluation, your outsource processes, your process validation, and that includes things like CAPA prioritization, software validation, or even management review of your complaint records. This was a specific FDA addition that is more detailed than the old QSR, and it requires device identification, date received, UDI information, and investigation outcomes. So you’re going to want to make sure you update that as one of your top-tier critical activities. And design, labeling, and packaging controls—they’ve added requirements beyond 13485 for documented inspection of labels for accuracy. So making sure that those processes are updated.

And then you’ve got your tier two, or they’re still considered a high priority, but I wouldn’t consider them critical. So those are going to be things like your customer communication procedures, your customer feedback systems, and your QMS software validation if you have any. So making sure that you’ve got enhanced supplier quality controls and it’s risk-proportionate for your evaluation.

I would say your tier three or your medium-priority things are updating your documentation terminology. It’s not critical as long as you have the right documents, but it’s something that still needs to happen. Making sure top management accountability and alignment is documented appropriately and updated. So the smaller semantic things should be updated as the final step. Make sure you’ve got your critical things first and phase down from there.

As a Certified Lead Auditor for ISO 13485:2016, what are the key differences between pure ISO 13485 compliance and FDA’s incorporation by reference in the QMSR that manufacturers need to understand?

Elder: Section 820.35 supplements clause 7.2.5, and it provides detailed complaint record requirements including data, service record content requirements, and confidentiality marking provision for FOI purposes. They should also know that the FD&C Act—those definitions from the FDA—will always prevail over ISO definitions, followed by QMSR-specific redefined terms. Manufacturers should also realize that ISO 9000 has additional definitions that are defined and referenced from 13485. So it is not just a 13485 incorporation and adoption. You also need to take a look at ISO 9000 for some of those definitions as well. But the FD&C Act or FDA is always going to come first with those definitions. So take it as a trickle-down from there. I think that’s really important because you’re going to see a lot of manufacturers looking at ISO 13485 as the Bible, essentially, and with that they really need to remember that while it is 13485-centered, there are requirements from FDA, and those requirements are going to supersede whatever is in 13485 if they would contradict in any way.

How does the QMSR’s risk-based approach differ from the previous QSR’s prescriptive requirements, and what does this mean for day-to-day quality operations?

Elder: As we mentioned, from a risk-based standpoint, the old QSR mentioned risk once, and within ISO 13485 I think it was 25 times. So with that, there’s a lot more focus on taking a risk-based approach. From a practical standpoint, looking at things like supplier management, which transforms from treating all suppliers relatively equal to a risk-proportionate evaluation. So who are your critical suppliers, your non-critical suppliers—and this is all required under clause 7.4.1. Process validation moves from your typical IQ/OQ/PQ to validation proportionate based on risk, and that’s under 7.5.6. You’ve got your software validation, and it explicitly requires validation depth proportionate to the risk associated with the use of that software, whether it’s incorporated into the device or your QMS. And your CAPA investigations—going back to that again—they have to be proportionate to the effects of the non-conformities. A significant nonconformity needs to be treated differently than a nonconformity that really has no impact on the product quality. At the end of the day, they’re both important, but it’s going to be taken on that risk-based approach. There is no QMSR requirement that calls out conformity to ISO 14971, and it does allow flexibility for manufacturers to use their appropriately validated processes to determine their risk-based approach at the end of the day. So for your quality teams out there, you’re going to want to make sure that you have well-defined risk management and how you’re going to approach your risk-based system.

You have extensive experience with EU, Health Canada, COFEPRIS, and CFDA submissions. How does the QMSR’s harmonization with ISO 13485 simplify or complicate multi-market regulatory strategies?

Elder: It somewhat makes it a little easier. Prior to the QMSR, companies had to have parallel quality systems. So you had one for Europe if you were marketing in Europe, and then you followed the QMS for FDA, and they kind of align—and that’s the intent here, to make things harmonized. The goal was harmonization between countries. So you’ve got Canada, which has MDSAP, which is 13485-centric. You’ve got now 13485 for the EU side of things and FDA with the QMSR. So the goal is to make things easier for companies in terms of compliance to quality systems and not have one-off problems, because as a company, if you’re juggling four different parallel quality systems, it’s really easy to overlook something and end up with a critical finding. So the intent here is to harmonize globally, and I think it’ll make it a lot easier for those companies who do have international markets.

For companies pursuing global market access, what are the strategic advantages of the QMSR’s alignment with international standards, and where do regulatory gaps still exist?

Elder: If you’re already certified to ISO 13485, most companies are within visual distance of that finish line for compliance for a lot of major—we’ll say tier-one—countries. So that makes gap assessments a lot easier. With that being said, if you are compliant to the QMSR, the EU MDR does go beyond 13485 for things like clinical evidence, post-market surveillance, and transparency. So conducting that gap assessment is going to be really important for each country. Health Canada has some additional requirements. I think a really good tool, outside of using FDA’s new audit inspection readiness guide, is to take a look at the MDSAP documents that are provided on the MDSAP website and conduct a gap assessment or even an audit against your system to the MDSAP audit requirements. I think that will go a long way to getting you to where you want to be, especially for Canada, Brazil, Australia, Japan—those other countries that are part of MDSAP, which are a lot of the international market. That will bring you relatively close, if not all the way, to compliance. But making sure that you’ve filled those gaps where they need to be filled.

Looking ahead, how do you see the QMSR evolving? Are there areas where FDA might issue additional guidance or clarifications?

Elder: I think the biggest question on everybody’s mind is: what happens when 13485 is updated? In 2016, we had a major update that was very, very significant. The good news is that in 2025, ISO 13485 was confirmed as valid, and that is through 2030. So we know that at least for the next four years, there won’t be any significant or major updates to 13485. As more countries are implementing these requirements, I think we’re going to see minor, maybe small nuanced changes in 13485 if needed, but I wouldn’t expect any major revisions coming out, especially since we had such a significant revision in 2016. FDA has discussed that any future revisions to the standard will be evaluated on a case-by-case basis to determine whether they’re going to adopt that update or whether they will make their own revisions based on that. And we do see countries taking that stance across the board with other standards as well. You have British standards for Europe where they adopt most of the ISO standard for whatever the standard may be, but at the same time they’ve put their own spin on it or their own requirements included as well. So if there is a significant update and FDA feels it is not adequately addressed or disagrees, I think we’ll see guidance from FDA on how they’re going to handle that. It won’t just be a pure adoption and moving on.

Is there anything else you would like to expand on?

Elder: I think one thing is critical to note: FDA is already conducting inspections for manufacturers under the QMSR. So the old QSIT manual that companies used to use—if you’re still looking at that and referencing that or expecting FDA to audit that—that has changed. Do not throw out that manual. FDA has issued a new document on their website that is explicitly made for the QMSR. I’ve seen companies that have unfortunately recently gone into inspections under the guise of, “Hey, we’re going to use the QSIT,” and it hasn’t gone as well as they had expected. So make sure that you’re updating those documents as well and reviewing all new guidance that FDA puts out.

As regional variations can create inconsistencies for testing a device, it’s important to work with a vendor that understands and can accommodate those differences.

By Sean Fenske, Editor-in-Chief, Medical Product Outsourcing

Medical devices are developed with at least one universal primary goal—to help patients. That can involve treatment, diagnosis, prevention, or recovery. As such, it’s vital a device is determined to be safe and effective in accomplishing its task. Regardless of clinical application, the device needs to perform as intended under all potential conditions.

To ensure this, a test plan is developed that is specific and customized to each medical device. The test plan must take into consideration how and where a device will be used, how it will be transported to that location, potential compatibility issues with the surrounding environment, who will use the device, and other important factors. All of this helps steer the test plan design.

Given the varying requirements for medical device testing around the world, representatives from Nelson Labs and Regulatory Compliance Associates (RCA) responded to a number of questions on the topic. In the following Q&A, Audrey Turley, RM (NRCM), CBA (ASQ), Biosafety Segment Leader, and Thor Rollins, RM (NRCM), VP, Global Market Segment Leader—Medical from Nelson Labs, joined Jordan Elder, RAC, Director of Regulatory Affairs at RCA, to provide the following comprehensive overview.

Sean Fenske: When it comes to medical device development, what is a test plan? What does it entail?

Audrey Turley: Test plans are developed for multiple scientific areas regarding medical devices. Test plans specifically for biocompatibility, or biological safety, should be compliant with the most current revision of ISO 10993-1. These test plans are commonly referred to as a biological evaluation plan, or BEP. Additional consideration for the market of submission should also be included, as each regulatory agency can have further requirements for specific medical devices.

Jordan Elder: Just to expand on what Audrey said, a test plan is commonly referred to as a verification and validation plan. It is a core document that defines how manufacturers will demonstrate their device is safe and effective and meets applicable regulatory and design requirements. It acts as a bridge between the design inputs and the design outputs. The test plan is intended to identify all verification and validation activities required to support regulatory submissions. The test plan maps the design requirements, performance specifications, and applicable standards to each specific test method, acceptance criteria, sample size, and rationale. The test plan also defines the samples and justifies that they are production equivalent. The test plan ensures that no critical requirements are overlooked during testing.

A typical testing plan should include (or consider including) functional and performance testing, biocompatibility evaluations, sterilization validation (if applicable), packaging and shelf-life testing, electromagnetic compatibility (EMC) and electrical safety testing, usability/human factors testing, environmental and transport stability testing, and software verification and validation (if applicable). This test plan is a part of the design control framework within the QMS and typically feeds into the risk management process (ISO 14971). The plan must be reviewed and approved, and it should be traceable back to the design and development plan.
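The mapping Elder describes here, from each design requirement to a test method, acceptance criteria, sample size and rationale, is what lets a reviewer confirm that no requirement is left unverified; it is also the documented input/output/verification traceability he flags in the first interview as an explicit requirement rather than a best practice. The Python below is an added illustration of that check, not code from the interviewees, RCA, Nelson Labs or MD+DI. The requirement IDs, test IDs and plan entries are constructed for the example, and the draft plan deliberately contains three defects so the check has something to find.

```python
"""Traceability check for a design verification and validation test plan.

Added example, not code from the interview or the companies named in it.
Requirement IDs, test IDs and plan entries are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class TestEntry:
    test_id: str
    method: str                # test method or consensus standard applied
    requirements: list         # design input IDs this test verifies
    acceptance_criteria: str   # pass/fail criterion for the test
    sample_size: int           # planned number of production-equivalent units
    rationale: str             # why this method and sample size are adequate


def check_traceability(design_inputs, plan):
    """Return the traceability gaps a reviewer would flag before approving the plan.

    design_inputs: mapping of design input ID -> requirement text
    plan:          list of TestEntry
    """
    input_ids = set(design_inputs)
    covered = set()
    unknown_refs = []   # (test_id, requirement) where the requirement is not a design input
    incomplete = []     # tests missing acceptance criteria, sample size or rationale

    for entry in plan:
        covered.update(entry.requirements)
        for req in entry.requirements:
            if req not in input_ids:
                unknown_refs.append((entry.test_id, req))
        if (not entry.acceptance_criteria.strip()
                or entry.sample_size <= 0
                or not entry.rationale.strip()):
            incomplete.append(entry.test_id)

    unverified = sorted(input_ids - covered)
    return {
        "unverified_inputs": unverified,
        "unknown_requirement_refs": unknown_refs,
        "incomplete_tests": incomplete,
        "approvable": not (unverified or unknown_refs or incomplete),
    }


# Constructed design inputs for a hypothetical skin-contact electrical device
DESIGN_INPUTS = {
    "DI-001": "Connector pull force at least 20 N",
    "DI-002": "Cytotoxicity acceptable per ISO 10993-5",
    "DI-003": "No sensitization per ISO 10993-10",
    "DI-004": "Sterile barrier intact after simulated transport",
    "DI-005": "Electrical safety per IEC 60601-1",
}

# Constructed draft plan with three deliberate defects
DRAFT_PLAN = [
    TestEntry("TP-01", "Tensile pull test", ["DI-001"],
              "No unit fails below 20 N", 30, "zero-failure test at the risk file's C/R target"),
    TestEntry("TP-02", "ISO 10993-5 cytotoxicity", ["DI-002"],
              "Reactivity grade 2 or lower", 3, "replicates per standard"),
    TestEntry("TP-03", "ISO 10993-10 sensitization", ["DI-003"],
              "No sensitization response", 3, ""),                   # rationale missing
    TestEntry("TP-04", "Simulated transport then seal strength", ["DI-004", "DI-009"],
              "All seals intact", 10, "worst-case shipping configuration"),  # DI-009 does not exist
    # no test references DI-005
]

# The same plan with the three defects corrected
CORRECTED_PLAN = [
    DRAFT_PLAN[0],
    DRAFT_PLAN[1],
    TestEntry("TP-03", "ISO 10993-10 sensitization", ["DI-003"],
              "No sensitization response", 3, "replicates per standard"),
    TestEntry("TP-04", "Simulated transport then seal strength", ["DI-004"],
              "All seals intact", 10, "worst-case shipping configuration"),
    TestEntry("TP-05", "IEC 60601-1 electrical safety", ["DI-005"],
              "All applicable clauses pass", 1, "type test on a representative unit"),
]


if __name__ == "__main__":
    for label, plan in (("draft", DRAFT_PLAN), ("corrected", CORRECTED_PLAN)):
        print(label, check_traceability(DESIGN_INPUTS, plan))
```

Run against the draft, the check reports DI-005 as unverified, TP-04 as referencing a requirement that does not exist, and TP-03 as incomplete; only the corrected plan comes back approvable. The same structure scales to a real plan by loading the requirement and test tables from the design history file instead of the constructed dictionaries.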

Thor Rollins: As Jordan mentioned, the test plan is the strategic roadmap for generating the evidence needed to demonstrate a medical device is safe, effective, and fit for its intended use. It is more than a list of required tests. A good test plan links the device design, materials, manufacturing process, clinical application, and regulatory pathway to the specific data needed to support development and market access.

In practice, a test plan typically outlines what needs to be evaluated, why it needs to be evaluated, what standards or regulatory expectations apply, when the work should be performed, and how the results will be used. Depending on the device, this can include biocompatibility, sterilization validation, packaging validation, shelf life, chemical characterization, microbiology, functional performance, and other product-specific evaluations. The best test plans are risk-based, intentional, and built early enough to prevent costly surprises later in development.

Fenske: What defines what must be in the test plan? What effect does the type of device or clinical application have on the test plan?

Turley: ISO 10993-1 outlines a risk management process to follow when writing a BEP. An initial part of a BEP is a full description of the device and how it is used. Pictures are extremely helpful in this section of the document to bring all readers to the same understanding, regardless of expertise with the specific device. For many regions, it is typical for medical devices to be classified based on their risk to the patient. However, from a biocompatibility perspective, devices are not classified but rather assessed for risk based on the type and duration of contact, as every device has the potential to introduce risk to a patient.

Elder: In addition, the contents of a test plan are determined by the regulatory evidence required to demonstrate a device is safe and effective for its intended use. Typically, the design and development plan will dictate what must be in the test plan. The test plan should include how the risks associated with testing will be used to determine a statistically significant sample size, a justification for the samples to be used for testing, any additional requirements for external testing facilities, and the requirements for test method validation. The test plan should outline the workflow process in instances where samples are used for multiple tests and include a justification for the applicability of the devices used in these tests. The test plan should cover the entire process by which the device demonstrates verification evidence for all design input requirements.

Design inputs act as the foundation for all testing and verification activities. The design inputs are supplemented by applicable consensus standards, such as ISO 10993 for biocompatibility or IEC 60601-1 for electrical safety. Region-specific guidance documents provide further input requirements where applicable. The manufacturer’s risk management process also defines the scope of the testing plan by ensuring each risk control identified during the hazard assessment is mitigated and supported by objective evidence.

The type and intended use of the device will significantly impact the testing plan’s scope and complexity. For example, a low-risk, skin-contact device and a long-term, blood-contacting implantable device require very different testing strategies. Using these two examples, the biocompatibility requirements could range from basic cytotoxicity and sensitization studies to a testing strategy that includes chronic systemic toxicity, hemocompatibility, and implantation evaluations. The biocompatibility testing will ultimately depend on the nature and duration of the device’s intended body contact. Furthermore, software-driven devices require a full verification and validation testing lifecycle. Ultimately, the device classification, device contact characteristics, the intended patient population, and overall complexity of the device will all act together as primary drivers determining how extensive and rigorous the testing plan must be.

Rollins: So, in summary, what must be included in a test plan is driven by the totality of the device: its intended use, duration and nature of body contact, materials of construction, route of exposure, method of manufacture, sterilization modality, packaging system, and clinical context. Regulatory requirements and applicable consensus standards also play a major role, but they should be applied through the lens of device-specific risk.

The type of device and its clinical application can dramatically change the testing strategy. As Jordan’s examples demonstrated, a short-term externally communicating device will not require the same evidence package as a long-term implant, and a device used in a neurologic or cardiovascular application may warrant a different level of scrutiny than a simple skin-contacting product. Combination products, reprocessed devices, and devices with novel materials or manufacturing methods can add even more complexity. In other words, the test plan should never be “one size fits all.” It should reflect the actual biological, chemical, physical, and clinical risks of the device in question.

Fenske: If the device is going to be used in multiple regions around the world, how does that impact the test plan? Can a single test cover multiple requirements, or does each region have a slightly different aspect that requires additional testing?

Turley: The ISO 10993 standards are international, where each country translates and adopts its own version. It is often the case that countries adopt the ISO version without edits. However, each regulatory body has its own interpretation of the standard itself, meaning even when the words are translated, the standard is carried out or understood differently. For the U.S., the FDA publishes acceptance or rejection of standards on their consensus standards database. This helps companies understand where the FDA has different expectations for the standards.

Elder: Also, when a device is planned to be used in multiple regions, it is important to ensure manufacturers have a comprehensive regulatory strategy to identify requirements and prevent duplicative testing across regions. It is critical manufacturers map all applicable standards and regional regulatory requirements to build a master test plan that can capture everything in a single pass.

It is important to note harmonized testing standards are not always identical to the parent testing standard. For example, the FDA may have specific recognized standard editions or national deviations for EMC testing. At the same time, the EU MDR demands more rigorous clinical evidence and chemical characterization than most other markets. China’s NMPA typically requires a recognized in-country testing facility regardless of how good your data is.

Bench testing requirements often overlap significantly between regions; however, clinical evidence requirements, documentation, packaging, and labeling expectations can vary in ways that require additional consideration. Manufacturers should design their testing approach from a worst-case testing standpoint to help encompass multiple regional regulatory requirements. The manufacturers that navigate this most efficiently are the ones that treat multi-region strategies as a design input rather than a retrofitting exercise after the data has already been collected.

Rollins: To reiterate, global commercialization should influence the test plan from the beginning. In many cases, a well-designed study can support multiple markets, especially when internationally recognized standards are used, and the rationale is clearly documented. That is one of the major benefits of building a globally informed testing strategy early: it can reduce redundancy and improve efficiency.

That said, regional expectations are not always identical. While there is significant harmonization in many technical areas, regulators and notified bodies can still differ in how they interpret standards, the depth of justification they expect, or the type of supporting data they want to see. Sometimes the testing itself can be leveraged globally, but the documentation, risk rationale, or framing of the conclusions may need to be tailored for a specific region. Manufacturers should not assume that passing a test automatically means universal acceptance. The real goal is to generate data in a way that is technically sound and broadly usable.

Fenske: If a device is only being launched in one region, does it make sense to do additional testing for potential future commercial launches in other regions? Or does that become cost-prohibitive?

Turley: Manufacturers may decide to perform the testing required for all regions of submission at once or stagger the testing to push the costs down the road. It is important to have a strategy of submission to know all that will be required; however, the decision remains with the business side of the manufacturer.

Elder: Exactly. The answer will truly depend on the manufacturer’s commercial strategy and plans for the device in question. In most cases, companies that choose to incorporate the additional testing requirements upfront find that the testing is significantly more cost-effective than conducting a second study with the new requirements added to meet additional regulatory requirements. The cost of adding a few extra testing endpoints is typically small when bundled with an existing testing plan. When companies choose to test specific endpoints after testing is completed, it can cost significantly more, as the testing may require a complete retest to add the additional endpoints.

However, manufacturers should be cautious not to fall into the mindset of trying to satisfy every conceivable regulatory requirement across the global markets. Manufacturers should assess the cost-to-benefit for adding testing endpoints, as additional endpoints will increase costs and, likely, the overall test duration. I recommend manufacturers select critical markets where they may want to market their device in the future and test those requirements, rather than trying to test everything.

Rollins: As my colleagues have stated, in some cases, it makes sense to build a slightly broader evidence package up front if there is a realistic expectation of near-term expansion into other markets. Doing so can save time, conserve samples, and avoid repeating studies or explaining why earlier work was not designed with future requirements in mind.

However, there is a balance. Over-testing too early can consume budget and extend timelines without creating immediate value. The smartest approach is usually not to test everything possible, but to design the initial strategy so future expansion remains feasible. That means understanding where the likely global gaps are, preserving flexibility in study design, and avoiding narrow decisions that could limit future market access. It is less about doing every possible test today and more about ensuring today’s plan does not create tomorrow’s problem.

Fenske: When seeking a testing partner for a device that will launch in multiple regions, what should a device manufacturer seek in that partner? What criteria are important?

Elder: When considering a testing partner, manufacturers should look to companies that can offer multiple areas of testing, so they do not have to work with multiple organizations for each type of test or region.

Turley: Specifically, when designing a BEP, awareness of the differences for each region is critical; therefore, a partner with global experience is highly beneficial. Additionally, a partner that will fully support the data through the regulatory body is important for good technical conversations.

Rollins: In addition, manufacturers should look for a partner that offers more than test execution. For a global device program, the ideal testing partner understands the science, the regulatory landscape, and how the full evidence package fits together. They should be able to help the manufacturer build a testing strategy, not just quote individual studies.

Key criteria include technical depth, experience with the relevant device type, familiarity with global expectations, quality systems, regulatory credibility, and the ability to provide integrated support across disciplines. Responsiveness and transparency also matter greatly. If a partner is only answering the question asked, rather than helping the manufacturer see around corners, that is usually a missed opportunity.

Another important consideration is whether the testing partner can think holistically. Many delays and unnecessary costs come from disconnected testing decisions made in silos. A strong partner can help connect biological risk, chemistry, microbiology, sterilization, packaging, and product lifecycle considerations into a coherent plan that better supports regulatory success.

Fenske: What aspects or expectations with regard to device testing do you find to be overlooked, not considered, or misunderstood? Can you explain what should be kept in mind for these aspects of device testing?

Elder: One of the most overlooked aspects of design verification testing is the determination of the appropriate sample size for the specific device. The determination is based on the risk as well as the confidence and reliability intervals necessary for the specified risk under evaluation. The determination criteria should be outlined in the plan and based on the manufacturer’s 14971 risk management file. Another test manufacturers often overlook is transport and environmental testing. Manufacturers typically focus on a device’s performance and safety testing but fail to fully consider requirements from a transport and environmental perspective. Environmental factors such as humidity, vibration, drops, and altitude changes during transport can significantly impact a device’s integrity, ultimately impacting its safety and effectiveness. Manufacturers should fully evaluate these factors before the final stages of testing.


Additionally, shelf-life and aging studies tend to be overlooked as last-minute considerations, both because of the time required and because of what needs to be evaluated. Manufacturers must consider all aspects of shelf-life and aging, including packaging integrity, material degradation, battery performance, and adhesive stability (where applicable). Furthermore, manufacturers must conduct confirmatory functional testing of the device to ensure critical parameters are still met after completing certain tests, such as shelf-life and transport stability. Manufacturers should ensure functional testing is conducted at multiple points during the validation process to confirm the device meets its required performance specifications, regardless of environmental factors. Manufacturers with software should plan appropriately and incorporate cybersecurity into their design as early as possible. Many manufacturers fail to account for this requirement or wait too long, resulting in a much more difficult integration into the overall design, ultimately costing time and money to redesign the software architecture.


Usability and human factors testing are other areas that are often misunderstood. Many organizations, unfortunately, treat this testing requirement as a late-stage checkbox rather than a consideration to be included as part of the formative design. Manufacturers that fail to consider usability and human factors in the initial stages of development may find their summative study identifies fundamental use errors that could have been mitigated much earlier. These failures can lead to costly redesigns or risk-based justifications that reviewers may not find acceptable, ultimately delaying market clearance/approval of the device.


Rollins: To emphasize a common misunderstanding Jordan mentioned: the idea that device testing is simply a checklist exercise. In reality, a good testing strategy is fundamentally about risk management and scientific justification. Standards are critical, but they are not meant to replace thoughtful evaluation of the device itself.


Another frequently overlooked point is timing. Too often, manufacturers wait until late in development to think seriously about their test strategy, at which point design choices, material selections, manufacturing methods, or packaging decisions are already locked in. That can make the testing more expensive, more difficult to interpret, or misaligned with the final product.


I also see manufacturers underestimate the importance of chemistry, materials understanding, and manufacturing change control. A device is not just its intended design; it is the total product as manufactured. Small changes in suppliers, processing aids, residuals, packaging, sterilization, or shelf-life assumptions can meaningfully affect what data are needed.


Finally, many teams underestimate the value of a strong written rationale. Testing alone does not tell the whole story. Regulators want to see how the manufacturer thought through the risks, why specific testing was selected, and how the results support safety for the intended clinical use. The narrative around the data matters.


Fenske: Do you have any additional comments you’d like to share based on any of the topics we discussed or something you’d like to tell medical device manufacturers?

Rollins: My biggest advice to medical device manufacturers is to think about testing as a strategic enabler, not just a regulatory obligation. When approached correctly, a strong test plan helps de-risk development, improve decision-making, and accelerate market access. When approached too narrowly or too late, it often becomes a source of delay, rework, and unnecessary cost.


I would also encourage manufacturers to engage their internal experts and external partners early. The most efficient programs are usually the ones where the team takes time up front to understand the device, identify the real risks, and build a plan that is scientifically grounded and globally informed.


Ultimately, the goal is not to run the most tests. The goal is to generate the right evidence at the right time and in the right way to support patient safety and product success.


Susan Schniepp, Regulatory Compliance Associates Inc., explains how AI and digital twins speed up pharma batch release and detect data integrity issues with human oversight in this publication from PharmTech.


Data Integrity



In part 2 of a 2-part interview, Susan Schniepp, Regulatory Compliance Associates Inc., discusses the evolving relationship between AI and human oversight. She highlights how emerging technologies, such as digital twins, are transforming traditional manufacturing and validation processes, as a part of PDA Week 2026.


Schniepp explains that AI can significantly streamline operations by acting as a highly efficient data aggregator. Rather than requiring a person to manually hunt through disparate files, the technology centralizes information to provide a comprehensive overview of a batch. She observes, “it’s compiling all of this information coming at it like one big centralized brain and then saying, ‘All of these things related, and there were no deviations.’” This centralized brain allows for the creation of a batch dossier that summarizes parameters and deviations, greatly speeding up the timeline for product release.


The technology also serves as a proactive tool for quality assurance. By analyzing vast amounts of data, AI can pinpoint specific areas where errors are likely to occur. Schniepp notes, “As you put AI in, it’s gonna identify places where there is potential for data integrity.” Once these hotspots are identified, humans can take action to shore up the system and prevent actual violations from happening.


Schniepp advocates for a human-in-the-loop model. While machines are capable of learning faster and absorbing more data than humans, she emphasizes that the human professional must remain the final decision-maker. The human’s role is to absorb the data provided by the digital twin and AI to make the final call on whether a batch is safe for release, ensuring accountability in a complex and high-stakes industry.

The FDA is transitioning the National Drug Code to a standardized 12‑digit format, with the final rule taking effect on March 7, 2033. While the timeline may seem distant, this change will impact far more than labeling alone.


In this short video, RCA explains what is changing, why the FDA is expanding the NDC format, and what drug manufacturers should start preparing for now. We cover how the new 6‑4‑2 structure affects labeling, quality systems, internal databases, and product documentation, as well as the uncertainty around leading zero placement and FDA‑driven updates to drug listings.


You will also learn how the updated rule creates an opportunity to streamline packaging through the use of a single 2D data matrix barcode that can meet both NDC and Drug Supply Chain Security Act requirements.


Early planning is key. Companies that begin assessing impact and aligning internal systems now will be better positioned to reduce risk, avoid rework, and maintain compliance as the transition approaches.


If you have questions about how the 12‑digit NDC update affects your organization, RCA is here to help.

Why Cybersecurity Has Become a Regulatory Priority


As combination products increasingly rely on software, connectivity, and digital interfaces, cybersecurity has moved from a secondary concern to a core regulatory expectation. What was once viewed as an IT or infrastructure issue is now clearly framed by regulators as a patient safety risk.


Vulnerabilities that go unaddressed during development can expose patient data, disrupt device performance, or create pathways into broader healthcare networks. FDA scrutiny has followed this reality—with expectations now focused on how cybersecurity risks are identified and controlled across the entire product lifecycle.


When Software Expands the Regulatory Scope

Once software plays a role in device operation, data handling, or clinical functionality, it introduces a new regulatory dimension. IEC 62304 establishes expectations for managing medical device software throughout its lifecycle, and FDA increasingly looks for evidence that these principles are embedded into development practices.


This includes clearly defining software architecture, understanding how different components interact, and documenting how risks are assessed and mitigated. Software complexity, especially when multiple operating systems, programming languages, or third-party components are involved, increases the likelihood that vulnerabilities exist. Regulators expect sponsors to demonstrate awareness of that complexity and control over its impact.


Secure by Design Starts at the Requirements Level

One of the most common contributors to cybersecurity weaknesses is poor design planning. When security requirements are vague, incomplete, or added late in development, vulnerabilities are often baked into the product.


FDA expectations increasingly reflect a “secure by design” mindset. The strongest cybersecurity controls are those that eliminate or reduce vulnerabilities through planned architecture and clear requirements. Protective mechanisms that detect and respond to threats are the next layer of defense.


Effective cybersecurity requires giving security considerations a formal seat at the design table, supported by subject matter expertise and documented decision-making. Otherwise, designers run the risk of relying primarily on labeling, instructions, or user warnings for security—which are considered the weakest mechanisms available.


Software Changes Are Lifecycle Events, Not IT Tasks

As vulnerabilities evolve, software must be maintained through updates and patches. These activities are not routine maintenance tasks. Each change has the potential to affect safety, performance, and compliance.


FDA expects organizations to assess software changes through a quality and risk lens, not an IT convenience lens. Updates tied to cybersecurity posture or device behavior typically require formal change control, risk evaluation, and verification. Organizations that lack clear criteria for distinguishing between design-controlled changes and minor maintenance should expect to struggle when questioned during inspections.


Cybersecurity Documentation FDA Now Expects

Cybersecurity reviews increasingly include specific deliverables that demonstrate transparency and control. One example is the Software Bill of Materials, which identifies third-party software components and dependencies. This allows regulators to assess supply chain risk and vulnerability exposure.
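As an added illustration of how an SBOM supports the two checks named above (is every third-party component traceable, and does any listed version match a known advisory), here is a small review script. It is example code written for this page, not RCA's or FDA's; the CycloneDX-style SBOM, the component names and versions, and the advisory identifiers are all constructed placeholders.

```python
import json

# Constructed, minimal CycloneDX-style SBOM for a hypothetical device's
# software stack. Component names, versions and suppliers are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "tls-lib", "version": "2.4.1",
     "supplier": {"name": "Example Vendor A"}},
    {"type": "library", "name": "json-parser", "version": "1.0.9"},
    {"type": "operating-system", "name": "rtos-kernel", "version": "7.2.0",
     "supplier": {"name": "Example Vendor B"}}
  ]
}
"""

# Constructed advisory list keyed by (component, affected version). The IDs are
# placeholders; a real program would pull these from a vulnerability database.
KNOWN_VULNERABLE = {
    ("tls-lib", "2.4.1"): "EXAMPLE-ADVISORY-0001",
    ("json-parser", "1.0.8"): "EXAMPLE-ADVISORY-0002",
}

# Fields a reviewer needs to trace a component to its source and check it.
REQUIRED_FIELDS = ("name", "version", "supplier")


def review_sbom(sbom_text, advisories=KNOWN_VULNERABLE):
    """Return (completeness_gaps, exposed_components) for one SBOM document.

    completeness_gaps: [(component name, [missing field, ...]), ...]
    exposed_components: [(name, version, advisory id), ...] for exact
    name/version matches against the advisory list.
    """
    sbom = json.loads(sbom_text)
    gaps, exposed = [], []
    for comp in sbom.get("components", []):
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            gaps.append((comp.get("name", "<unnamed>"), missing))
        key = (comp.get("name"), comp.get("version"))
        if key in advisories:
            exposed.append((key[0], key[1], advisories[key]))
    return gaps, exposed


if __name__ == "__main__":
    for name, missing in review_sbom(SBOM_JSON)[0]:
        print(f"incomplete entry: {name} is missing {', '.join(missing)}")
    for name, version, adv in review_sbom(SBOM_JSON)[1]:
        print(f"exposure: {name} {version} matches {adv}")
```

The match is on exact version strings only; a production check would also need to handle version ranges and components that an advisory names differently from the SBOM.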


Threat modeling documentation is also becoming more common, showing how potential attack scenarios were identified and addressed. Additional artifacts may include secure development lifecycle procedures, vulnerability management processes, and post-market monitoring strategies that demonstrate ongoing accountability rather than one-time compliance.


Integrating Cybersecurity Into a Streamlined QMS

For combination products, cybersecurity controls can be integrated into an existing pharmaceutical quality system through the streamlined approach allowed under 21 CFR Part 4. This avoids duplicative systems while ensuring software and cybersecurity risks are appropriately governed.


Successful integration depends on alignment between software development, Design Controls, risk management, and quality oversight. When cybersecurity is embedded into the QMS and the D&D file for the device rather than bolted on after the fact, inspection readiness improves significantly.


How RCA Supports Software and Cybersecurity Readiness

Regulatory Compliance Associates® (RCA) helps life sciences organizations build inspection-ready software and cybersecurity frameworks tailored to combination products.


From TIR57 and ISO 14971 compliance and cybersecurity documentation to inspection preparation and training, RCA partners with teams to navigate this complex and rapidly evolving regulatory landscape with confidence.


Ready to streamline your QMS for combination product success?
Contact RCA today to schedule a consultation and take the first step toward regulatory readiness and market leadership.