In this episode of The Med Device Cyber Podcast, host Trevor Slattery is joined by Mark Swanson and Steve Gompertz, partners at QRX Partners, a consulting firm specializing in quality and regulatory affairs for the medical device industry. The conversation centers on the critical importance of navigating the complex regulatory landscape, particularly for small and early-stage MedTech companies. Swanson and Gompertz, who have extensive experience from large corporations like Medtronic, established QRX Partners to serve this often-underserved market. They argue that many startups, typically founded by brilliant engineers or doctors with a great product idea, have little to no understanding of the regulatory pathway, leading to significant and often fatal missteps. Their firm aims to provide this crucial guidance from the outset, helping companies with everything from initial device classification and defining the intended use, to building a robust Quality Management System (QMS) and planning for funding rounds.
The guests emphasize that seeking expert regulatory help early is a form of preventative action, which is always far less expensive than the corrective actions required after a failed submission or a negative FDA finding. They share an anecdote about an investor whose portfolio has a 93% failure rate, a statistic they attribute largely to companies running out of money due to underestimating the time and cost of the regulatory process. A core part of their work is formalizing what's in the founders' heads into a concrete regulatory strategy. This begins with the most fundamental step: accurately classifying the device. They illustrate the complexity of this task with an example: a simple search for "balloon" in the FDA database yields over 30 different product codes, each with a different classification and regulatory pathway. Without expert navigation, a company can easily choose the wrong path, leading to wasted time and resources.
The discussion also delves into the nuances of current hot topics like AI, machine learning, and cybersecurity. Swanson and Gompertz clarify that while AI is often used as a marketing buzzword, the underlying technology isn't new. The key regulatory distinction is whether the AI or machine learning is a tool used during development or if the device itself is designed to learn and adapt *after* it's on the market—the latter of which invites intense scrutiny from regulators. They also address a common misconception regarding the FDA's definition of a "cyber device," explaining that it applies to any device with software, not just those with network connectivity. Ultimately, they stress that whether dealing with established regulations or emerging technologies, the principle remains the same: understand the requirements, document everything within a compliant QMS, and don't be afraid to ask for help before you've gone too far down the wrong path.
Key Takeaways
1. Early-stage medical device companies often underestimate the time and money required for regulatory approval, a primary reason for the high failure rate in the industry.
2. Engaging with quality and regulatory (Q&R) experts early in the development process is a critical preventative action that is far less expensive than correcting major issues downstream.
3. The first step for any MedTech startup should be to formally define the device's 'Intended Use' and correctly determine its regulatory classification, as this dictates the entire pathway to market.
4. Startups should avoid being 'hobbyists' in the regulatory space; the landscape is too complex and the cost of mistakes is too high.
5. FDA 'guidance' documents, while technically not law, should be treated as requirements, as they reflect the agency's current expectations for submissions.
6. The definition of a 'cyber device' is broad. A product is typically considered a cyber device if it contains software OR has connectivity, not necessarily both.
7. While AI and machine learning are popular marketing terms, devices that are designed to learn and change after market release face significant regulatory hurdles and require a carefully managed development process.
8. Building a compliant Quality Management System (QMS) before or during product design, rather than after, is essential for a smoother and more successful regulatory approval journey.
Host: Hello and welcome back to the Med Device Cyber podcast. Today we're going to be talking about some of the key regulations that are applicable to medical device cyber security, some conversation about quality systems and making sure that you have a secure quality system, something that is well designed, so that you're compliant through any regulatory approval processes that you need.
Host: And we're joined here today by Mark Swanson and Steve Gompertz from QRX Partners. How are you guys doing today?
Guest: We're good.
Guest: Doing well.
Host: Awesome. You guys are up in Denver, right? With some little bit of rain, little bit of fog.
Steve: Yeah, we're at the ASQ WCQI conference.
Mark: The ASQ World Conference on Quality and Improvement. So that's where we're at.
Host: Very nice. Yeah, we uh we haven't been to that one. I know we went to RAPS in Long Beach last year. That was a pretty good event, but yeah, typically we're at the uh like LSI, Device Talks, events like that.
Host: But we just got off of a stint. I think we were at three conventions at once, and so everyone was flying all over the place and nobody was really sure where anyone was, but I think we're all grounded now.
Steve: I'm in my fourth in four weeks, so. Oh wow, it's good that I even can figure out what city I'm in.
Host: I know. Yeah, sometimes I wake up and I'm just like, where am I? I'm in a hotel somewhere. That's as far as I know.
Steve: Yeah, so I'm talking at all these conferences and it's just funny. People come up and go, oh, I just saw your talk and I have to go, which one?
Mark: That was that was my March too. I was at uh a couple different ISO meetings. Uh with TC 210 in Japan and then uh over to um Paris for um TC 176 on 9001. So.
Host: Very nice. Well, I'd love to hear a little bit about what you guys do at QRX partners and then some background on yourselves as well.
Steve: Sure. Um, so QRX uh, it focuses, obviously the letters would imply, on quality and regulatory. Uh, although it typically goes in the other order, we work on regulatory first and then figure out the quality uh constraints or requirements according to the regulatory plan.
Steve: Um, we've been in business for five years based in the Twin Cities in Minnesota, uh but we have a global presence. Our primary focus is on smaller companies, particularly early stage. Um, we find that those uh companies are often uh underserved in getting the guidance they need to, you know, it's usually a couple of really smart engineers or doctors and they have a great idea for a new device and they have zero understanding of the regulatory pathway ahead of them.
Steve: They're in this mode, they know they need money, but they don't even know how much they ask for and how it's going to be staggered. And that's where we help them figure out, look, we understand, you know, sometimes in their exuberance, they're like, yeah, we got like two credit cards between us, we're going to max them out and, you know, what, six months and we'll be on the market, right?
Steve: And then we come in and say, no, you're really looking at you're going to need like $3, $4 million and this is going to take you two to three years, but we'll help you understand that pathway, where the pauses might be, when you'll have to go out and get more funding, uh and then how do we find you the best pathway uh through the regulatory bodies and then then get them set up with the quality management system.
Mark: Because Steve and I have both been at the large companies and so we understand all of these different pieces and bringing that knowledge to the the smaller companies. I mean, there's nothing worse than, you know, because it takes longer time, you run out of money and you can't bring your product to market.
Mark: And so we want to avoid that for those for those small companies, help them get there quickly, um with using our expertise.
Host: A really interesting uh statistic that I heard, and this was just from one investor, but we were talking with him about his portfolio. He's focused on MedTech startups and mostly mostly in that early stage, seed round Series A. And he was saying that 93% of his portfolio fails.
Steve: Not surprised by that, yeah.
Host: I know, and it seems crazy to think of, but I guess that 7% is successful enough to offset those 93%.
Steve: Some of that is going to be it just doesn't pan out like the technologies or the benefits don't pan out, you know, relative to what's on the market today. Uh what we call the generally recognized standard uh state of the art, sorry.
Mark: Just my humble opinion, but it's those companies that can't get there fast enough, right? So they're they're working on something, but somebody else is working on it too and that other company gets more funding or whatever, you know, that type of thing happens. They don't have the right expertise, all those types of things.
Steve: Yeah, that was where I was going to go next with that same kind of thing was I think a lot of times they don't whether it's pride or they don't know how to find the resources they need to guide them and then they stumble, right?
Steve: They think you read the guidance documents, you read the instructions on the FDA website and it sounds like, oh, I understand how to make a submission and then they send a 510(k) and then they get a deficiency letter back or a non-reviewable and then they lose time, right? And they're burning money that whole time because they don't know where the landmines are and they just keep stepping on them.
Mark: You can tell Steve and I have worked together for a while and we're kind of finishing each other sentences and that kind of stuff. So, I don't know. You want to talk about your background a little bit, Steve?
Steve: Yeah, so I've been in the Medtech space primarily on devices for 34 years. Uh, that was after seven years in the uh, um, computer products industry, uh, where I did software development.
Steve: Um, uh, so I've been, yeah, Mark said, we've been in some of the larger companies, um, worked at smaller companies, the companies that are peripheral to the industry. Um, and you know, now, you know, consulting uh through uh through QRX.
Steve: Mark and I also teach at one of the local universities here in Minneapolis, St. Cloud State University, uh where they have three master's degree programs specific to Medtech, one in quality, one in regulatory and one in clinical. Um, Mark at one point was the program director for the, uh, the quality program. I helped to create that program. And I teach in four of the courses. Mark, you teach three.
Steve: Yep. So we get a chance to actually educate people to become true quality professionals or regulatory professionals rather than, as I always like to joke, don't be a hobbyist in this industry.
Host: Yeah, it's not I think that regulatory is not really an industry that you can dabble in. It's not something where you can just know a thing or two here or there. There's just too much. It's pretty full time.
Steve: And you see it all the time, right. So we post every Wednesday, we post the column on LinkedIn or a series called inadequate response, um, where and it's me looking at some of the weekly warning letters and then trying to pick out what went wrong, right to get to that point.
Steve: Um, and I often make that point is it sounds like a company that guessed at it, right? They didn't really take it seriously or didn't have the right competent personnel in place to keep them out of trouble that they just tried to figure out, oh, all right, I think we understand this, let's do it this way, and then found out that it was absolutely the wrong interpretation.
Mark: And and sometimes worse yet when they when they get it wrong, they want to argue that their way is right. You're just not going to win that argument with FDA.
Host: Yeah. Yeah, the FDA uh quite literally wrote the book on what you're supposed to do and what you're not supposed to do and so.
Steve: Yeah, you're not going to win too many of those debates with the inspector.
Host: Oh, no, no. Yeah, I've seen that situation come up a fair amount when we're handling deficiency response. There'll be a design flaw or some, you know, issue with the risk assessment and the client comes to us and they say hey, we think we're right and this is, you know, this is how we want to explain to the FDA that we're right. I always say, look, you can think you're right, I can even think you're right. The FDA is the one who is right. And so that's what you have to do.
Steve: One of my favorite warning letters that I I analyzed for the for the column was one where the company their response to the 483 findings was to come back and tell FDA, no, you're wrong, we're not a medical device. So none of this applies to us. And FDA had clearly said, you meet all the criteria and they were going to argue the interpretation of the act as to whether or not they qualified as a med device. It was like, you're not going to win this.
Host: One thing that I see pretty often, not necessarily on, you know, is it a medical device or not, but an argument on is our product a cyber device? And we see a lot of um, problems with that, namely mainly just because of how the FDA defines a cyber device on their website. It's a whole bunch of ands.
Host: They say, you know, you have to be a software-enabled device and have wireless connectivity and run all these different criteria when in effect they should be "or". And that is the way that the FDA treats it. So they say, do you have software or are you connected to other products or do you have an operating system? Um, usually as soon as you have software you fall into that bucket, but a lot of companies have tried to make the argument that we're not a cyber device because we don't meet the published definition even though the unpublished definition is what should be adhered to.
Mark: And I can tell you, you know, I had a submission that I just did and the only, we gave them pictures of course as part of the submission and there's a, you know, a screen, right? An LCD screen. Um, and all it is is a PID temperature controller. And they're like, you have software. Wait a minute, it's not really software, but they're like, nope, and so I had to fill out all the stuff for cyber and that kind of stuff just because there is firmware inside of those enabled, you know, uh pieces. So.
Host: Even if the software is inaccessible, which is something that I feel like really trips up a lot of manufacturers. That software can be completely boxed in. You have like, you know, no connections, no wireless, no nothing. All it's doing is showing a result on a screen with some little, you know, microcontroller just running a single function and you still need to do all of your software documentation, all of your cyber security documentation, you still need to do cyber security testing on it.
Steve: And the trick is now more and more devices have some sort of software built in them that traditionally didn't, right? Knee implants, used to be really straightforward. It's all mechanical, right? Not anymore. Now there are sensors. Sensors imply firmware. It has to talk to something. It has to process that information. Congratulations, you're a cyber device.
Mark: Yeah, and of course, I mean the hospitals are asking for a lot of that stuff too because they want the data to get transferred from whatever device into their hospital, you know, information system. And so they're looking for that interconnectivity, right? And those types of things. So, I mean it's natural for us um and that kind of stuff. So, anyway, um if you don't mind, I'll just go back into a little bit of my background.
Mark: Um, I spent uh a little more than a decade, about 12 years at uh mother Medtronic, um in the cardiovascular uh division working on heart valves and blood pumps and oxygenators, all those kinds of things. Um, when I was there, I got a lot of experience with some combination products. So Medtronic gave me a good, a good wide base for my uh my experience.
Mark: Um and then about 13 years ago, I went out on my own. Um and then came back together, like Steve said, five years ago into QRX. Um, the two of us coming together and uh and been doing so I've been doing the kind of regulatory quality consulting. You know, my idea when I when I started my own company was to to make sure that we were taking care of the small companies.
Mark: And so, you know, Steve with a with a common vision, um that we come together and uh make sure that the small companies get the expertise that they need.
Host: So if any small manufacturers are listening and they need to know what are those key areas that they need to cross because obviously there are, you know, hundreds of different boxes to tick to try to make sure that you have all your regulations in place. You're compliant with everything you need to be compliant with, you have a good quality system. What is the starting point? It can seem really intimidating and daunting, so I want to hear your opinions on where do you go from?
Steve: Yeah, it's the classification process, right? Which consists of going through FDA's database of product codes, which is huge and and can be very confusing. Um I was just uh talking the other day, uh in a webinar um or with the client, sorry. And if you type in the word balloon, right, looking for a balloon catheter, you get 34 hits of possible product codes. And some of them are class three, some are class two. I think there was even one that was a class one.
Steve: That's the challenge now: which is mine, right? Which one of those do I fall under? And so you have to understand how to read because some of them are coming out of the neurological uh side of FDA, some are coming out of the cardiac piece, right? You got to look at all the details and then you got to go see, well, who else is using that code and does their device look like mine, right?
Steve: And then at some point if you exhaust all that and go nothing here matches, then you go, uh oh, I might be class three, right? Because there's no predicate for it. But that's the challenge is just figuring out, right, question one is always am I a medical device? That again, the definition is broad. So it's almost always going to be a yes. Uh, but there's some nuances in there. And then it's okay, what medical device am I and what pathway am I going to have to follow?
Mark: And then followed right behind that is, is there anybody else out there doing a similar thing that I can use as a predicate, right? Because that's going to be the most common pathway to market is going to be um do what we call me too, right? You have a product on the market, I can have my product on the market that does the same thing. Um so you're looking for other devices that are uh in a similar space.
Steve: Yeah. And then there's kind of gray areas, right? It's not always just clear class one versus two versus three. I was working with a client and we found two possible product codes to use and a lot of devices like theirs were using and the owner was like, well, no problem because they're both class one. I said, no, not really.
Steve: One of them was what's called class one reserved, which means even though it's class one, you still have to do a 510(k). And I said unfortunately that's the one that matches your device better. So you're on the 510(k) pathway. Um and then you get into things like, all right, there are no predicates, right? Which by default means you're now going to be class 3 PMA pathway. But if you're not high risk, then you can make the case for, wait, we want to go to what's called the De Novo pathway, which is somewhere between a two and a three.
Steve: Um and this is, you know, again, right, why it's not for the hobbyists.
Mark: Right. Well it's because FDA, like I said, FDA has engaged these experts to come in and help them understand what they need to know. And so they're putting the latest and greatest into some of the FDA templates and all that kind of stuff. And the standards take a while to catch up. Right. So don't necessarily just rely on the standards, you need to figure out what's really going on and asking these questions. It's one of the reasons that especially with software, we will always do a pre-submission. We will always go to the FDA before we're doing our final submission and ask these questions. You know, do we or is what we're doing sufficient to meet your requirements? Because they'll come back and say, oh no, we've updated that. Here's some additional information.
Host: I think that's a, it's a little bit of a double-edged sword that eSTAR doesn't need that review process. They don't need to publish a draft eSTAR. Um because we're on version five now, right? But it changes really fast, which is good because it's actually 5.3 or something like that. So.
Steve: Well, it's actually 5.3 or something. I was gonna say you gotta remember to not just like download it and keep using that old version, you always have to go get the newest one, right?
Host: It changes fast, which, you know, it's good if something in the industry is changing, regulations are slow to adapt like you said. And so eSTAR can be faster to adapt. But, you know,
Mark: Actually what I said is standards are slow. If you want to talk about how regulations take, you know, keep keep in mind that the QST reg is 1998 that we're just now updating in 2026. Yeah. Uh that's that's how fast regulation can often work.
Host: So now we're redefining slow even, it's real slow.
Steve: There was some controversy last year 'cause FDA had floated the idea that they might just start publishing final drafts of guidance without, you know, public comment. And I suspect it's, you know, it sounded like they're just trying to take over, you know, be a power trip. But I suspect it was more like, because we need to get the information out really fast, right?
Steve: Because the standards are going to take a while, the regs are going to take even longer and I think they were looking for how can we get you our thinking faster? Right? Um, so, you know, obviously they had to take a step back from that because there was a lot of push back from industry. Wait, no, no, no, you can't just throw a guidance at us without a chance for us to look at it. But, you know, things like updates to eSTAR and updates to guidance that's already final.
Steve: I get it where they may want to just put it out there and not go, we're doing an update to this guidance document that we put out three years ago. We don't want to wait six nine months to get feedback because industry needs this information today.
Host: Well, we're coming up on time here. This has obviously been fantastic conversation on all the crazy stuff going on in the regulatory world. Um at the end of our episodes, we always just like to kind of cap it off. If you could just give a word of advice to manufacturers, to someone who's starting up their company, someone trying to navigate all these regulations, how would you sum up just a quick little summary of what they need to know.
Steve: For me it's always get expert help. I know it sounds like it's expensive. It will be far less expensive than the errors you're going to make downstream.
Host: Expert help like QRX.
Mark: Yeah, well and 'cause one of the things we say, there's one thing that we know, preventive action is always less expensive than corrective action. So, getting around the problem, not hitting the wall is always better than, you know, having the crash.
Mark: And, um, and I'll finish that up with, you need to engage somebody early. Um, we often engage with, um, you know, potential clients and they never become our client, but we give them some information about the pathway that they need to follow. Um, you know, things that they need to find out, um, things that they need to put in their pitch deck, these types of things because we know that they need that information to get along because we don't like the 7% success rate. We'd like it to be much higher. And our clients are much better than that. So.
Host: Definitely. Well, it's been fantastic to have you both on the Med Device Cyber podcast. And uh, yeah, thanks for jumping in.