    Episode 7 · September 2, 2025 · 36m listen · 5,448 words · ~27 min read

    Balancing Innovation and Regulation in MedTech Development with Karandeep Singh Badwal | Ep. 35 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 7 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

In this episode of The Med Device Cyber Podcast, hosts Christian Espinosa and Trevor Slattery are joined by Karandeep Anand, a UK-based quality and regulatory consultant and founder of QRA Medical. The discussion centers on the complex landscape of regulatory affairs and quality management systems (QMS) for medical devices, with a particular focus on the unique challenges presented by Software as a Medical Device (SaMD) and artificial intelligence (AI). Karandeep shares his background, which began in pharmaceutical science before pivoting to the medical device industry. Over the last several years, his work has concentrated on the burgeoning field of software, AI, and machine learning, where he observes a significant disconnect between rapid innovation and the rigorous demands of regulatory compliance. He also hosts the MedTech Podcast, aiming to demystify these often-confusing topics for a wider audience.

The core of the conversation revolves around the common pitfalls that MedTech startups and innovators encounter. Karandeep draws a helpful analogy, describing regulatory affairs as the "offense" (getting the product to market) and quality management as the "defense" (ensuring the product and processes are safe and effective through proactive, preventative measures). He argues that quality is not just a department but a fundamental company culture. A major issue he frequently encounters is companies developing their software products well into advanced versions before considering a QMS or proper design controls. This creates a massive, often insurmountable, challenge of retrospectively building a design history file and validating the product's development, a process that should have been integrated from the very beginning. Similarly, cybersecurity is often treated as an afterthought, with companies conducting penetration tests on early versions that become irrelevant as the software rapidly evolves, leaving the final product with unassessed vulnerabilities.

Karandeep and the hosts also explore the broader reasons for the high failure rate among MedTech startups. Beyond technical hurdles, many ventures fail due to a lack of early planning around market fit, reimbursement strategies, and the specific regulatory pathways for their target markets. A crucial piece of advice is for companies to shift their mindset: they are not software companies that happen to make a medical device, but medical device companies that use software. This perspective change prioritizes the highly regulated nature of the industry from day one. He stresses that integrating regulatory, quality, and cybersecurity frameworks at the project's inception is far more cost-effective and efficient than trying to patch them in later. The conversation underscores that while standards like IEC 62304 provide a baseline, the dynamic nature of AI and software demands a more continuous and integrated approach to ensure patient safety and successful market entry.

    Key takeaways from this episode

    • Quality management should be viewed as a proactive, preventative "defense" and a company-wide culture, while regulatory affairs is the "offense" focused on achieving market approval.
    • A major pitfall for software medical device companies is neglecting to implement a Quality Management System (QMS) and proper design controls from the start, making regulatory compliance difficult and costly to achieve retrospectively.
    • Many innovators treat their product as a software product first and a medical device second. To succeed, this mindset must be flipped to prioritize the rigorous requirements of a regulated medical device from its inception.
    • Cybersecurity is often an afterthought in SaMD development. Companies must integrate continuous security testing, such as penetration testing, throughout the agile development lifecycle, not just on early versions.
    • The validity and quality of data used to train AI and machine learning models are critical for regulatory submission but are often an area where companies lack sufficient documentation and validation.
    • Successful MedTech startups do extensive early-stage research not just on technology, but also on their target markets, reimbursement pathways, and specific regulatory hurdles like FDA or EU MDR requirements.
    • The agile, fast-moving development process common in the tech world often clashes with the structured, documentation-heavy design control process required for medical devices.
    • Building quality and regulatory frameworks into the product lifecycle from day one is significantly cheaper and more effective than trying to apply them after the product is already developed.

    Full episode transcript

Page 1 of 7 · Paragraphs 1 - 16
Host: Hi, welcome back to the Med Device Cyber podcast. Today we have a guest, uh, Karandeep. We're going to be talking about regulatory affairs, quality management systems, and some of the differences that have come out recently, uh, across the global regulatory affairs, um, perspective.

Host: Uh, Karandeep comes to us from the UK. I'm your co-host, Christian Espinosa, and I've got the co-host here today, Trevor Slattery. I think one of the podcasts we did before, I wasn't here, Trevor handled it by himself, but he did a good job.

Host: So, how's it going, Karandeep, today? I think you're coming from the UK today, right?

Guest: That's correct. Thank you for having me on.

Host: Awesome. You want to give a little bit of uh background of what you do and what your organization does? I know you're also a podcast host. Maybe a little bit about uh, you know, your podcast and how many years you've been working on that, and just a little background on you.

Guest: Sure. So I'm Karandeep and I'm founder of QRA Medical, a quality and regulatory consultancy working within the medical devices space. Um, in terms of my background, I actually still come from a pharmaceutical background, which was what my education was based in. So I did a bachelor's in pharmaceutical science and a master's in pharmaceutical quality by design. But it just so happened that when I left university, the first job that I had was actually working within medical devices, and I just kind of kept it going from there.

Guest: I started working in traditional devices with things like pacemakers, defibrillators at St. Jude Medical, which eventually became Abbott. And over the past sort of four to five years, I've been doing a lot more in the software, AI, and machine learning space where, that's where it seems that the medical device industry is moving forward as well, you know, not just in other industries as well.

Guest: Also outside of that, as you mentioned, Christian, I am host of The MedTech Podcast, which I started back in 2021, in which I interview different MedTech leaders, founders, CEOs, experts, etc. in the field and give them a platform to share their story.

Guest: I'm also a content creator on LinkedIn as well, for anybody who does follow me on LinkedIn. A lot of people find quality and regulatory often very confusing, and there's a lot of guidance out there, you know; if you were to go out and read the regulations, you'd probably walk out more confused than when you started. So my point of the content that I make is just trying to make things a little bit easier to understand, effectively.

Host: Awesome. Well, I find quality, quality and regulatory a little bit confusing as well. We had someone on the podcast before that described regulatory as offense and quality as defense. Would you agree with that statement?

Guest: Yeah, there is some element of truth with that, because with quality it's often about taking a proactive approach, you know. For example, the biggest tool that we use often in quality is often the CAPA, corrective action preventive action. A lot of companies out there take a corrective action: they wait for something to go wrong and then they try to fix it.

Guest: But what quality often uh tries to encourage is taking a preventive approach. You know, look for something that may potentially go wrong and put something in place to make sure that thing doesn't go wrong in the future. So yeah, I would somewhat agree with that.

Guest: Whereas regulatory, that's more about, you know, getting that market approval, getting the product out there and fulfilling that. Whereas quality, your focus is on the company as a whole. And quality really is not a department, it's more of a culture.

Host: What, um, I know you mentioned you're doing a lot of work with AI and software as a medical device, which we see as well, the industry shifting that way. What are some of the biggest uh challenges you've noticed uh working with your clients from a consulting perspective when they have software and some sort of AI model?

Guest: The issue that I've often found with companies, so let's for example, I bring them on as a client and they're on version 15. And when I try to go back in time and say, okay, what did version one look like? There were never any proper design controls in place. So realistically, they don't really know the changes that got them from V1 to V15.

Guest: Or in some cases there were, but not at the high level of it, you know, but how did that affect the code? Can it give false positives? Can it give false negatives? Uh what are the risks that come with it? So often just trying to do things like that retrospectively can be difficult.