    Episode 065 · April 2, 2026 · 35m listen

    Start QMS Early to Avoid Reverse Documentation with Dr. Basant Bajpai | Ep. 64

    Dr. Basant Bajpai
    CEO
    Compliance MedQar

    Episode Summary

    In this episode of The Med Device Cyber Podcast, host Trevor Slattery with guest Dr. Basant Bajpai, CEO of Compliance MedQar, delve into the crucial role of early Quality Management System (QMS) implementation for medical device manufacturers. Dr. Bajpai emphasizes that early adoption of a simple, traceable QMS from the concept and R&D stages is vital to avoid costly “reverse documentation” and ensure regulatory compliance. The discussion highlights the common mistake of companies opting for overly complex QMS tools when a simpler, automated system is more effective for building a strong foundation and enabling scalability. The conversation then shifts to the innovative integration of AI into QMS, explaining how AI can enhance efficiency by drafting documentation, flagging non-compliance with standards like 21 CFR Part 820, EU MDR, and MDSAP, and identifying gaps in clinical evidence. However, both speakers stress the critical importance of a "human in the loop" to validate AI-generated content, especially for traceability and evidence of compliance, addressing concerns about AI hallucinating critical documentation like penetration test reports. The episode also touches on the growing trend of regulatory bodies, particularly in the EU, adopting AI for submission reviews to improve efficiency, while noting the FDA

    Key Takeaways

    • 01. Start QMS implementation as early as possible, ideally during the concept or R&D stage, to establish a strong, traceable foundation and avoid costly reverse documentation later.
    • 02. Opt for simple, automated QMS tools that fit your regulatory journey and ensure traceability, rather than complex or "fancy" systems that may be difficult to implement with limited resources.
    • 03. Utilize AI as a tool to enhance QMS efficiency by drafting documentation, checking compliance against regulations like 21 CFR Part 820 and EU MDR, and flagging gaps, but always maintain a 'human in the loop' for validation and accountability.
    • 04. Recognize that traceability and evidence of compliance must remain a manual, human-controlled process to prevent AI from fabricating critical artifacts like penetration test reports.
    • 05. Prioritize cybersecurity early in the product development lifecycle, as it is a critical component of quality and regulatory compliance, and late integration can lead to significant delays and costs.
    • 06. Understand that regulatory bodies are increasingly adopting AI for reviewing submissions, signaling a future where both medical device manufacturers and regulators leverage AI, necessitating a clear understanding of its appropriate and responsible use.

    Frequently Asked Questions

    Quick answers drawn from this episode.

    • The discussion highlights the common mistake of companies opting for overly complex QMS tools when a simpler, automated system is more effective for building a strong foundation and enabling scalability. It's most useful for medical device manufacturers, cybersecurity engineers, regulatory affairs professionals, and MedTech founders...


    The biggest mistake medtech companies make today when implementing their QMS tool is looking for a product that is perceived as heavy or fancy. What they truly need is a simple, traceable tool that fits their regulatory journey. The challenge often arises during audits when they fail due to an inability to prove traceability. I always recommend starting as early as possible. You do not need fancy systems; what you need is a simple, automated system that suffices your needs and helps build your foundation. Once the foundation is built, it is easy to scale.

    We always recommend not using AI until you have fully established and implemented your QMS.

    We do not want AI to take ownership of this process. We want to use it as a tool to assist and guide us. I think as long as we are doing that, it is an incredibly effective and incredibly powerful tool.

    Welcome back to The Med Device Cyber Podcast. I am your host, Trevor Slattery. Unfortunately, our other co-host, Christian Espinosa, is not able to make it today. He is currently flying back from Seoul after a whole gambit of travel delays. We are joined today by a very special guest, Dr. Basant, who is coming in from Dubai with Compliance MedQar. I would love to hear a little bit about yourself, some of your background, and what you are working on over there.

    Hi, Trevor, thank you for having me. My name is Dr. Basant, I am the CEO at Compliance MedQar. We are located in Dubai. I have a background in medical devices and a PhD in neuromonitoring and neuroscience. We are a regulatory consulting company, and we also have an automated quality management system. Within the med industry, we believe that QMS is not just software, but a business system for survival. In the current trend of medtech services, or within ISO 13485, the tool required for a quality management system is not just a tool. It requires maintaining traceability, documentation, and compliance, which is becoming more and more challenging for medical device companies. The biggest mistake medtech companies make today when implementing their QMS tool is looking for a product that is fancy or heavy, when what they need is a simple, traceable tool that fits their regulatory journey. This is the challenge.

    Normally, when we communicate with multiple medtech founders or CEOs at an early stage, they always ask when they should implement a quality management system. That is one of the challenges many founders come across at an early stage. What we always advise them is that you need to start as early as possible, meaning when they are at the concept stage or their R&D stage, they have to start there. Regardless, if they do not start, the design control already starts. So they have to document that and do it in a controlled, version-controlled, as well as traceable manner. That is something challenging, especially among startups and early-stage companies.

    Many companies, for example, opt for a system, or some even use a shared drive or Google Drive when implementing their quality management system. But the challenge hits when they go for the audit and fail because they cannot prove that what they have done is traceable, that there is a sufficient audit trail, that the documentation is done correctly, that different processes have been implemented and are traceable and documented according to different regulatory requirements. Some companies are still able to make it by using Excel sheets and manual documentation by hiring multiple people. However, that hits them hard when they scale, because when they have multiple products, multiple processes, records, and work instructions, it becomes challenging. So I always recommend starting as early as possible. You do not need fancy systems. What you need is a simple, automated system which can suffice your needs, which can help you build your foundation, and once you build the foundation, it is easy to scale. So from day one, if you are a startup, if you are looking for a complex quality management system, you might not have the resources to implement it, and you might not be able to accommodate all the processes and black-box processes that are already designed by these QMS providers.

    As a company, as a solution provider, we provide a customized, AI-integrated tool designed based on where medtech companies are in their journey. For example, in their compliance journey, whether they are going for FDA, EU MDR, or looking to initially implement a QMS to get QMS certification, it is the same hand-in-hand as with cybersecurity. There are challenges. If you look at cybersecurity, if there is no sufficient audit trail and then the test and penetration test, if you fail to document that you have done sufficient cybersecurity testing, whether you go to any regulatory authority, you will be challenged. I always recommend starting early, whether it is your regulatory journey, and if you are software as a medical device, look for a capable cybersecurity expert who can ensure that what you are doing is correct. Also, look for a simple platform that can suffice the need to simply structure your QMS, ensure your traceability, and have your audit ready when you go for your first audit. Keep things simple. That is my mantra for medtech founders or early-stage companies, as well as companies willing to scale from a startup.

    I think that is a great mantra to have. Even when you said it is so important to start early, it really resonated with me. I thought, wow, this seems like a very parallel problem to cybersecurity. It is something where the downstream effects can be so severe if you are mismanaging your quality system or if you are mismanaging your cybersecurity. Obviously, cyber seems to be a subset of quality. I did once hear that cybersecurity is evidence of quality within your code, within your software. So I do think there is always an intrinsic tie-in between the two. I know you have been talking a little bit about an automated QMS. For a bit of background, what does that mean? How are you integrating AI into your quality system solution, and what are some of the real benefits you see there as opposed to a more manual SharePoint and Excel file approach?

    I am glad you asked. What we do differently today from conventional QMS or manual QMS, or some say paper-based quality management systems, is that we use AI to enable or help the regulatory or quality team be more efficient. How we do it is we have a simple, trained algorithm that drafts documentation, whether it is different processes, work instructions, or different requirements. It checks and keeps you in check with various requirements, whether it is 21 CFR, EU MDR requirements, regulations, as well as different other regulatory requirements, including MDSAP. What we do is train our algorithms to keep the regulatory and compliance team in check. If something is non-compliant, it flags it. At the same time, it drafts the documentation based on your needs, based on the data you have already provided. If you have not provided the data in the system, it can still suggest some documentation specific to your need. If you provide some information about what class, what product class you have, what type of process you are looking for, it can draft it. Then, a human in the loop, meaning your quality or regulatory expert, can cross-examine whether to accept, reject, or update. We also ensure that the algorithm is sufficiently trained on the clinical evidence needed by EU MDR or FDA requirements so it can flag where you have gaps. So regulatory experts can fill the gaps. We are not replacing individuals or experts, but giving them a tool to be more efficient.

    I was wondering while you were talking about it: where is this human-in-the-loop intervention? I think that is something that is definitely a risk of AI, especially in such a tightly regulated space, such as the chance that an AI can run away and start presenting information that is not accurate, or start presenting information that will be hard to trace back, or trying to essentially fabricate this full process. I always think of the example if you go to ChatGPT and you tell it to do my taxes, make sure I get a $100,000 refund, it is going to jump through whatever fake rabbit holes it can invent to get you that refund. Is it going to be legal? Probably not, but it is going to try. And so I think that is a really important thing to think about: where is that interaction? And it sounds like you have a pretty good system. So the quality system and the AI within it are drafting the documentation, but you still do have a Q professional who is able to go in and make sure that everything looks good there. One thing I would be curious to hear about is if this is a situation that comes up when you are building out some of this content with AI-generated information. We always think that the output is only going to be as good as the input. So what do you typically see as some of the constraints if you are not giving it enough context to build this out? Is it going to try to just go across generally, or is it going to try to drill in for a bit more detail within the device specifically?

    So the option we have today is that we have trained algorithms, and we also allow them to invent for you. So you have to choose an opt-in, and it comes with a warning. If you choose that it can invent and draft, then the user, for example, your compliance team, needs to look at it and validate the information. Because, yes, it will be inventive, but then accepting them in your records or in your processes is completely up to the quality manager or the compliance person they have in the company. What it will not do is if you stick to the conventional trained algorithm, which is trained on your internal data. What we always recommend is not to use AI until you fully establish and implement your QMS. What does this mean? By implementing your QMS, it means having your records and data that you already have, the basics. It has a checklist that says you have to have the product information, basic information. So it already has what it needs to provide you with more accurate information. We have made the validation based on how much minimum data or information it needs to give you close to accurate output or close to accurate information. So we have already set the bars very high, and we have trained the algorithm.

    On that basis, what we do is provide two options. Sometimes the user might feel overwhelmed that there is very limited information, then they can jump to another option that we have in our AI that can support to invent a bit and take the information or look up the information based on the LLM that we use. But absolutely there, the compliance individual needs to take responsibility, and we have proper training to train the organization, and we communicate that transparently to the user and the compliance team on how they should take this in terms of content. So we have the control there. I have been speaking to multiple regulatory authorities, for example, here in G.C. HEALTH authorities, and they were really surprised because the use of AI is a bit more flexible in terms of how health authorities look at it in the UAE. So I was talking with the regulators, and they were like, "Wow, that
