    Episode 16 · June 17, 2025 · 38m listen · 3,820 words · ~19 min read

    From Concept to Compliance: A Guide to Med Device Approval | Ep. 24 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 16 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Episode summary

    In this episode of The Med Device Cyber Podcast, host Trevor Slattery is joined by Mark Swanson and Steve Gompertz, partners at QRX Partners, a consulting firm specializing in quality and regulatory affairs for the medical device industry. The conversation centers on the critical importance of navigating the complex regulatory landscape, particularly for small and early-stage MedTech companies. Swanson and Gompertz, who have extensive experience from large corporations like Medtronic, established QRX Partners to serve this often-underserved market. They argue that many startups, typically founded by brilliant engineers or doctors with a great product idea, have little to no understanding of the regulatory pathway, leading to significant and often fatal missteps. Their firm aims to provide this crucial guidance from the outset, helping companies with everything from initial device classification and defining the intended use, to building a robust Quality Management System (QMS) and planning for funding rounds. The guests emphasize that seeking expert regulatory help early is a form of preventative action, which is always far less expensive than the corrective actions required after a failed submission or a negative FDA finding. They share an anecdote about an investor whose portfolio has a 93% failure rate, a statistic they attribute largely to companies running out of money due to underestimating the time and cost of the regulatory process. A core part of their work is formalizing what's in the founders' heads into a concrete regulatory strategy. This begins with the most fundamental step: accurately classifying the device. They illustrate the complexity of this task with an example: a simple search for "balloon" in the FDA database yields over 30 different product codes, each with a different classification and regulatory pathway. Without expert navigation, a company can easily choose the wrong path, leading to wasted time and resources. 
The discussion also delves into the nuances of current hot topics like AI, machine learning, and cybersecurity. Swanson and Gompertz clarify that while AI is often used as a marketing buzzword, the underlying technology isn't new. The key regulatory distinction is whether the AI or machine learning is a tool used during development or if the device itself is designed to learn and adapt *after* it's on the market—the latter of which invites intense scrutiny from regulators. They also address a common misconception regarding the FDA's definition of a "cyber device," explaining that it applies to any device with software, not just those with network connectivity. Ultimately, they stress that whether dealing with established regulations or emerging technologies, the principle remains the same: understand the requirements, document everything within a compliant QMS, and don't be afraid to ask for help before you've gone too far down the wrong path.

    Key takeaways from this episode

    • Early-stage medical device companies often underestimate the time and money required for regulatory approval, a primary reason for the high failure rate in the industry.
    • Engaging with quality and regulatory (Q&R) experts early in the development process is a critical preventative action that is far less expensive than correcting major issues downstream.
    • The first step for any MedTech startup should be to formally define the device's 'Intended Use' and correctly determine its regulatory classification, as this dictates the entire pathway to market.
    • Startups should avoid being 'hobbyists' in the regulatory space; the landscape is too complex and the cost of mistakes is too high.
    • FDA 'guidance' documents, while technically not law, should be treated as requirements, as they reflect the agency's current expectations for submissions.
    • The definition of a 'cyber device' is broad. A product is typically considered a cyber device if it contains software OR has connectivity, not necessarily both.
    • While AI and machine learning are popular marketing terms, devices that are designed to learn and change after market release face significant regulatory hurdles and require a carefully managed development process.
    • Building a compliant Quality Management System (QMS) before or during product design, rather than after, is essential for a smoother and more successful regulatory approval journey.

    Full episode transcript

    Host: Hello and welcome back to the Med Device Cyber podcast. Today we're going to be talking about some of the key regulations that are applicable to medical device cyber security, some conversation about quality systems and making sure that you have a secure quality system, something that is well designed, so that you're compliant through any regulatory approval processes that you need.

    Host: And we're joined here today by Mark Swanson and Steve Gompertz from QRX Partners. How are you guys doing today?

    Guest: We're good.

    Guest: Doing well.

    Host: Awesome. You guys are up in Denver, right? With some little bit of rain, little bit of fog.

    Steve: Yeah, we're at the ASQ WQCQI conference.

    Mark: The ASQ World Conference on Quality and Improvement. So that's where we're at.

    Host: Very nice. Yeah, we uh we haven't been to that one. I know we went to RAPS in Long Beach last year. That was a pretty good event, but yeah, typically we're at the uh like LSI, Device Talks, events like that.

    Host: But we just got off of a stunt. I think we were at three conventions at once, and so everyone was flying all over the place and nobody was really nobody was really sure where anyone was, but I think we're all grounded now.

    Steve: I'm in my fourth in four weeks, so. Oh wow, it's good that I even can figure out what city I'm in.

    Host: I know. Yeah, sometimes I wake up and I'm just like, where am I? I'm in a hotel somewhere. That's as far as I know.

    Steve: Yeah, I I I so I do I I'm talking at all these conferences and it's just funny. People come up and go, oh, I just saw your talk and I have to go, which one?

    Mark: That was that was my March too. I was at uh a couple different ISO meetings. Uh with TC 210 in Japan and then uh over to um Paris for um TC 176 on 9001. So.

    Host: Very nice. Well, I'd love to hear a little bit about what you guys do at QRX Partners and then some background on yourselves as well.

    Steve: Sure. Um, so QRX uh, it focuses, obviously the letters would imply, on quality and regulatory. Uh, although it typically goes in the other order, we work on regulatory first and then figure out the quality uh constraints or requirements according to the regulatory plan.

    Steve: Um, we've been in business for five years based in the Twin Cities in Minnesota, uh but we have a a global presence. Our primary focus is on smaller companies, particularly early stage. Um, we find that those uh companies are often uh underserved in getting the guidance they need to, you know, it's usually a couple of really smart engineers or doctors and they have a great idea for a new device and they have zero understanding of the regulatory pathway ahead of them.

    Steve: They they're in this mode, they know they need money, but they don't even know how much they ask for and how it's going to be staggered. And that's where we help them figure out, look, we understand, you know, sometimes in their exuberance, they're like, yeah, we got like two credit cards between us, we're going to max them out and, you know, what, six months and we'll be on the market, right?

    Steve: And then we come in and say, no, you're really looking at you're going to need like $3, $4 million and this is going to take you two to three years, but we'll help you understand that pathway, where the pauses might be, when you'll have to go out and get more funding, uh and then how do we find you the best pathway uh through the regulatory bodies and then then get them set up with the quality management system.

    Mark: Because Steve and I have both been at the large companies and so we understand all of these different pieces and bringing that knowledge to the the smaller companies. I mean, there's nothing worse than, you know, because it takes longer time, you run out of money and you can't bring your product to market.

    Mark: And so we want to avoid that for those for those small companies, help them get there quickly, um with using our expertise.

    Host: A really interesting uh statistic that I heard, and this was just from one investor, but we were talking with him about his portfolio. He's focused on MedTech startups and mostly mostly in that early stage, seed round Series A. And he was saying that 93% of his portfolio fails.

    Steve: Not surprised by that, yeah.

    Host: I know, and it seems crazy to think of, but I guess that 7% is successful enough to offset those 93%.