Combination products face dual FDA oversight from CDER, CDRH, and CBER — and the QMSR update effective February 2026 changed the compliance equation. Here is what quality leaders need to know about building a QMS that satisfies both sets of requirements without redundancy.

QMS Requirements for Combination Products: Navigating FDA 21 CFR Part 3 and Dual Oversight

TLDR

• FDA defines combination products under 21 CFR Part 3 as single-entity or co-packaged products combining a drug, device, and/or biologic. The Primary Mode of Action (PMOA) determines which FDA Center leads regulatory oversight.
• 21 CFR Part 4 establishes the cGMP compliance framework for combination products, allowing a streamlined approach: manufacturers satisfy one full set of requirements (drug or device) plus an abbreviated subset of the other.
• The QMSR (Quality Management System Regulation, effective February 2, 2026) introduced significant changes for combination products, including new explicit requirements for risk management documentation and complaint handling within the abbreviated device pathway.
• The QMSR eliminated the "audit shield" — FDA inspectors can now review management review records, internal audit reports, and supplier audit records that were previously protected from disclosure.
• Building a QMS flexible enough to satisfy both drug cGMP and device quality system requirements is the central operational challenge for combination product manufacturers in 2026.

What Is a Combination Product Under FDA Regulations?

The FDA defines a combination product under 21 CFR Part 3 as a product that combines a drug, device, and/or biological product into a single regulated entity. The most common types are drug-device combinations (e.g., prefilled syringes, auto-injectors, drug-eluting stents, metered-dose inhalers), biologic-device combinations (e.g., cell therapy delivery systems), and drug-biologic combinations.

Per 21 CFR 3.2(e), combination products fall into two structural categories. The first is the single-entity combination product, where the components are physically, chemically, or otherwise combined into one product. The second is the co-packaged combination product, where two or more separate products are packaged together as a single unit, such as a kit containing both a drug and its delivery device.

The FDA's Office of Combination Products (OCP), established under the Medical Device User Fee and Modernization Act of 2002, sits within the Office of the Commissioner and coordinates regulatory jurisdiction across the three product centers: CDER, CDRH, and CBER.

The PMOA Question: Which Center Leads?

The Primary Mode of Action (PMOA) is the single most consequential determination in combination product regulation. It defines which FDA Center holds primary regulatory responsibility, which in turn determines the applicable approval pathway and quality system framework.

Under 21 CFR Part 3, the FDA uses PMOA to assign jurisdiction. The principles are:

• If the drug constituent primarily drives the product's therapeutic effect, CDER leads. The product typically follows a New Drug Application (NDA) or Abbreviated New Drug Application pathway.
• If the device constituent primarily drives therapeutic action, CDRH leads. The product follows a 510(k), PMA, or De Novo pathway.
• If the biologic constituent is primary, CBER leads. The product follows a Biologics License Application pathway.

PMOA determination is not always straightforward. The FDA acknowledges in its guidance that some combination products cannot be clearly assigned because no single mode of action predominates. In these cases, the agency evaluates the product under a combination of factors and may assign jurisdiction based on which Center has the most regulatory experience with similar products.

If a manufacturer disagrees with the agency's jurisdiction determination, or is uncertain before submission, the OCP accepts formal Requests for Designation (RFD) under 21 CFR Part 3. For early-stage products where the PMOA is not yet established, the OCP also accepts Pre-Requests for Designation (Pre-RFD), the guidance for which was revised and finalized in November 2025.

How 21 CFR Part 4 Structures the cGMP Compliance Framework

Once jurisdiction is established, 21 CFR Part 4 governs how the manufacturer satisfies the cGMP requirements for both constituent parts. The regulation creates what FDA calls a "streamlined approach" to avoid requiring manufacturers to fully comply with both drug cGMP and device quality system regulations simultaneously.

Under this streamlined framework, manufacturers of single-entity and co-packaged combination products may choose one of two compliance pathways:

The first pathway applies when the lead regulation is drug cGMP (21 CFR Parts 210/211). The manufacturer satisfies all applicable drug cGMP requirements and then applies an abbreviated subset of device quality system requirements covering elements that drug cGMP does not already address.

The second pathway applies when the lead regulation is the device QMSR (21 CFR Part 820 / ISO 13485). The manufacturer satisfies all applicable QMSR requirements and then applies a corresponding abbreviated subset of drug cGMP requirements.

Per 21 CFR 4.4(b)(1), manufacturers of drug-device combination products regulated by CDER following the drug-led path must comply with drug cGMP in full and the following abbreviated QMSR areas:

• General requirements and management responsibility (ISO 13485 Clauses 4.1, 5, and 6.1; 21 CFR 820.10)
• Design and development (ISO 13485 Clause 7.3 and subclauses, including risk management in product realization)
• Purchasing (ISO 13485 Clause 7.4)
• Analysis of data, improvement, and complaint handling (ISO 13485 Clauses 8.2.2, 8.4, and 8.5; 21 CFR 820.35(a))
• Installation activities (ISO 13485 Clause 7.5.3)
• Servicing activities (ISO 13485 Clause 7.5.4; 21 CFR 820.35(b))

The streamlined approach does not eliminate complexity — it reorganizes it. Each element of the abbreviated subset carries the same compliance weight as the corresponding full requirement, and FDA inspectors evaluate them with equal rigor.

What the QMSR Changed for Combination Products in 2026

The QMSR, which became effective on February 2, 2026, significantly reshaped how combination product manufacturers must approach quality system compliance. Although the QMSR Final Rule states it does not "impact the cGMP requirements for combination products" directly, the changes to the device quality system framework cascade into combination product compliance in three important areas.

Risk Management Documentation Is Now Explicitly Required

The new abbreviated QMSR requirements now explicitly include risk management. As a result, combination product manufacturers must document how risk management is applied throughout all applicable processes within the quality system. This includes hazard identification, risk estimation, risk evaluation, risk control, and postmarket risk monitoring — consistent with ISO 14971 principles.

Previously, risk management documentation was implied within design controls. The QMSR makes it an explicit, standalone requirement. Every CAPA decision, every complaint investigation, and every design control record must demonstrate traceable risk-based decision-making. A determination that a quality action is adequate must be supported with documented data and analysis — not a summary or a checkbox.

Complaint Handling Is Now an Explicit Abbreviated Requirement

The QMSR update formally integrates complaint handling as a defined area within the abbreviated quality system requirements for combination products. FDA's emphasis on postmarket vigilance means that combination product manufacturers must maintain complaint systems that are responsive to device-related issues while also meeting drug adverse event reporting obligations under separate frameworks.

A best practice emerging from the QMSR guidance is to conduct complaint investigations proportionate to the risk and complexity of the complaint, assess how the root cause affects the combination product as a whole (including both the drug and device constituent parts), and document risk-based preventive measures against recurrence.

The Audit Shield Is Gone

The QMSR rescinded 21 CFR 820.180(c), which had previously exempted from FDA inspection certain records and reports related to management reviews, internal quality audits, and supplier audits. Under the old QSR, these records were protected from disclosure during device inspections.

Under the QMSR, FDA investigators may now review management review records, internal audit findings, and supplier audit reports. This elimination of the longstanding "audit shield" directly affects combination product manufacturers whose device constituent parts are subject to QMSR requirements.

The practical implication: every management review, every internal audit, and every supplier qualification record must now be written with the expectation that an FDA investigator may read it. Management reviews must include trend analysis, resource allocation, and documented decisions — not just meeting minutes. Internal audit findings must reflect genuine corrective actions with clear evidence of closure.

The FDA also issued an updated compliance program manual, CP 7382.850, effective February 2, 2026, which replaces the longstanding Quality System Inspection Technique (QSIT) with an ISO 13485-aligned inspection framework. This is now the operative playbook for all device and combination product inspections.

The Dual Reporting Problem: MDRs and Drug Adverse Events

One of the most operationally complex aspects of combination product compliance is postmarket safety reporting. Combination products may trigger reporting obligations under two separate frameworks simultaneously:

Drug-led combination products regulated by CDER must report adverse events under the drug adverse event reporting regulations (21 CFR 314.81 for NDAs, 21 CFR 600.80 for biological products). The same product may also trigger Medical Device Reports (MDRs) under 21 CFR Part 803 if the device constituent part malfunctions and that malfunction contributed to or could contribute to a serious injury or death.

FDA's July 2019 guidance on Postmarketing Safety Reporting for Combination Products addresses how manufacturers must evaluate adverse events against both frameworks. The OCP issued a compliance policy in April 2019 clarifying when each reporting obligation applies and how manufacturers should handle events that are ambiguous as to whether the drug or device drove the outcome.

Quality teams building postmarket surveillance programs for combination products must ensure that their complaint handling and adverse event investigation processes evaluate each event against both reporting triggers, with documented rationale for each determination.

Common QMS Compliance Failures in Combination Products

Based on patterns from FDA inspection data and OCP guidance, the most recurring compliance failures in combination product quality systems fall into five categories:

PMOA documentation gaps: Companies assume their product's jurisdiction is clear, but fail to document the rationale for their PMOA determination. When FDA asks for the basis of the classification, the response is incomplete or not grounded in the regulatory framework in 21 CFR Part 3.

Incomplete design control records: The abbreviated QMSR requires design and development documentation under ISO 13485 Clause 7.3. Many combination product manufacturers working from a drug cGMP primary system underestimate the depth required: design history files, design verification and validation records, risk management documentation, and records of risk management activities throughout product realization must all be present.

Risk management documentation that exists on paper but is not operationalized: Under the new QMSR, risk management must be traceable through every applicable quality system process. A standalone ISO 14971 study that is not connected to the complaint system, the CAPA system, or the design change process does not meet this standard.

Audit records written for internal eyes only: Now that the audit shield is gone, internal audit reports, management reviews, and supplier audit records are subject to FDA inspection. Records written with vague language, missing trend data, or superficial corrective action descriptions are enforcement exposure.

Dual reporting gaps: Companies fail to evaluate whether a safety event triggers MDR obligations under the device framework in addition to any drug adverse event report obligations, or vice versa. The absence of a documented evaluation is itself a compliance gap.

Building a QMS That Satisfies Both Frameworks

The practical challenge for combination product manufacturers is building a quality system that is coherent — not two parallel systems bolted together. The streamlined approach in 21 CFR Part 4 provides the structure, but implementation requires a quality platform flexible enough to accommodate both drug cGMP and ISO 13485-aligned QMSR requirements in an integrated way.

Cloudtheapp was designed to support exactly this kind of multi-framework quality system. The platform is validated against 21 CFR Part 820 (QMSR), 21 CFR Part 11, ISO 13485, ISO 9001, and ISO 22001, and its no-code configuration tools allow quality teams to build custom process structures that reflect their specific combination product compliance architecture.

For combination product manufacturers, the platform's key capabilities map directly to the compliance requirements:

Design and development module: Cloudtheapp supports design history file management, design verification and validation records, and risk management documentation in product realization — the core of the ISO 13485 Clause 7.3 requirements in the abbreviated QMSR framework.

Risk management integration: Risk management is embedded across CAPA, complaint handling, and change management processes, with documented risk-based rationale at each decision point. This is the traceable risk management posture that the QMSR now requires.

Complaint and adverse event investigation management: The platform's complaint module supports dual-framework investigation workflows, allowing quality teams to evaluate each event against both drug adverse event and MDR reporting triggers, with documented rationale captured in the system of record.

Internal audit management: With the audit shield eliminated, Cloudtheapp's audit module produces structured, substantive audit records with trend data, CAPA linkages, and management review integration — records built to withstand FDA scrutiny.

Supplier quality management: The platform's supplier qualification and management capabilities support the documentation of supplier oversight required under ISO 13485 Clause 7.4 — another area now open to FDA inspection under the QMSR.

The Request for Designation Process: Using OCP Strategically

Many combination product manufacturers wait until they have a fully developed product before engaging the OCP on jurisdiction. A smarter approach is using the Pre-RFD process early — the guidance for which was revised in November 2025 — to obtain informal FDA feedback on PMOA and likely jurisdiction before committing to a development pathway.

A jurisdiction determination that arrives late in development can require redesigning quality system processes, renegotiating supplier agreements, and restructuring regulatory submissions. Getting OCP clarity early is far less expensive.

The OCP also coordinates cross-center consultations for products where jurisdiction is genuinely ambiguous, and these consultations can provide informal guidance on which quality system elements the agency will evaluate most closely.

Conclusion

Combination products sit at the intersection of two major quality system frameworks, each with its own language, emphasis, and inspection approach. The QMSR transition effective February 2, 2026 changed the compliance equation significantly — expanding risk management requirements, formalizing complaint handling obligations, and eliminating the audit shield that once protected internal quality records from FDA inspection.

For quality teams managing combination product programs, the path forward requires a QMS that is genuinely integrated, not a dual system running in parallel. Risk management must be traceable through every applicable process. Complaint and safety reporting must evaluate each event against both regulatory frameworks. And internal audit and management review records must be written with the knowledge that FDA can now read them.

The combination product landscape in 2026 demands quality systems that are built for dual oversight from the ground up.

Schedule a demo of Cloudtheapp at https://www.cloudtheapp.com/demo/ to explore how the platform supports combination product quality systems across 21 CFR Part 4, the QMSR, and ISO 13485.

This post created by and appeared first on Cloudtheapp