Medical Device GMP: Manufacturing Requirements, FDA Inspections, and Compliance Guide
The complete guide to Good Manufacturing Practice for medical devices — 21 CFR 820, QMSR transition, process validation, FDA inspections, Form 483 observations, and practical compliance strategies.
What Is GMP for Medical Devices?
Good Manufacturing Practice (GMP) is the set of regulatory requirements that govern how medical devices are designed, manufactured, packaged, labeled, stored, installed, and serviced. The purpose is straightforward: ensure that devices consistently meet their specifications and are safe for their intended use.
In the pharmaceutical world, GMP has existed since the 1960s. Medical devices followed a different trajectory. The FDA's authority over device manufacturing was established by the Medical Device Amendments of 1976, and the first device-specific GMP regulation appeared in 1978. That regulation evolved into the Quality System Regulation (QSR) in 1996, codified at 21 CFR Part 820 — and as of February 2, 2026, the QSR has been replaced by the Quality Management System Regulation (QMSR).
The term cGMP — current Good Manufacturing Practice — is critical. The "c" means the FDA expects manufacturers to use up-to-date methods, technologies, and systems. What was acceptable in 2010 may not be acceptable today. The regulation is deliberately flexible in many areas precisely so the FDA can hold manufacturers to the current state of the art.
Key distinction: GMP for medical devices is fundamentally different from pharmaceutical GMP. Drug GMP (21 CFR Parts 210/211) focuses on batch consistency, formula control, and laboratory testing. Device GMP focuses on design controls, process validation, and traceability — reflecting the fact that devices are engineered products, not chemical formulations.
Legal and Regulatory Framework
Understanding GMP requires knowing where the requirements come from. The legal basis differs by market, but the frameworks are converging.
United States — 21 CFR Part 820 (QMSR)
The Federal Food, Drug, and Cosmetic Act (FD&C Act), Section 520(f), gives the FDA authority to establish GMP requirements for medical devices. These requirements are codified in 21 CFR Part 820.
As of February 2, 2026, the FDA's Quality Management System Regulation (QMSR) replaced the legacy Quality System Regulation (QSR). The QMSR incorporates ISO 13485:2016 by reference, meaning the international quality management standard now forms the baseline for US device GMP requirements. FDA-specific additions — including complaint file requirements (21 CFR 820.198), corrections and removals, and MDR reporting integration — sit on top of ISO 13485.
European Union — EU MDR and ISO 13485
The EU Medical Device Regulation (EU 2017/745) does not use the term "GMP" in the same way the FDA does. Instead, the EU MDR requires manufacturers to establish, document, implement, and maintain a quality management system — and ISO 13485:2016 is the recognized ("harmonized") standard for meeting this requirement.
EU MDR Annex IX (Quality Management System and Assessment of Technical Documentation) defines the conformity assessment route for Class IIa, IIb, and III devices that involves a full QMS audit by a Notified Body. The Notified Body assesses whether the manufacturer's QMS meets the requirements of the regulation, with ISO 13485 serving as the benchmark.
ISO 13485:2016
ISO 13485:2016 is the international standard for medical device quality management systems. With the QMSR now in force, ISO 13485 is effectively the global baseline for device GMP:
- US: Incorporated by reference into 21 CFR Part 820
- EU: Harmonized standard under EU MDR/IVDR
- Canada: Required under CMDCAS and MDSAP
- Japan: MHLW Ministerial Ordinance No. 169 aligns with ISO 13485:2016
- Brazil: ANVISA RDC 665/2022 aligns with ISO 13485
- Australia: Required by the TGA
Other Key Standards
| Standard | Scope |
|---|---|
| ISO 14971 | Risk management — required by ISO 13485 and referenced throughout GMP |
| ISO 14644 | Cleanroom classification and environmental monitoring |
| ISO 11135 | Ethylene oxide sterilization validation |
| ISO 11137 | Radiation sterilization validation |
| ISO 17665 | Steam sterilization validation |
| IEC 62304 | Software lifecycle processes |
| ISO 11607 | Sterile barrier system packaging validation |
| IEC 60601 | Electrical safety for medical electrical equipment |
| ISO 10993 | Biological evaluation of medical devices |
The Five Pillars of GMP (The 5 P's)
A useful framework for understanding GMP requirements is the "5 P's" — five foundational elements that every compliant manufacturing operation must address:
People — Personnel must be qualified, trained, and competent. GMP compliance begins with hiring the right people, training them on their responsibilities, and verifying their competency through documented assessments. Every person performing work that affects product quality must understand the regulatory requirements, the procedures they follow, and the patient safety implications of their work.
Products — Every device must meet defined, approved specifications. This includes raw materials, components, in-process intermediates, and finished devices. Product requirements are documented in the Device Master Record and verified through acceptance activities, testing, and inspection at every stage of manufacturing.
Processes — Manufacturing processes must be defined, validated, and controlled. Process validation (IQ/OQ/PQ) ensures that processes consistently produce output meeting specifications. Ongoing monitoring through statistical process control verifies that processes remain in a validated state.
Procedures — Standardized operating procedures (SOPs) and work instructions must be documented, approved, distributed, and followed. Every activity that affects product quality must be governed by a controlled procedure. Employees must be trained on procedures before performing the associated tasks.
Premises — Facilities must be designed, maintained, and cleaned to prevent contamination, mix-ups, and errors. This includes buildings, cleanrooms, equipment, utilities, and environmental controls. The physical environment must be appropriate for the devices being manufactured.
Why this framework matters: During an FDA inspection or Notified Body audit, deficiencies almost always trace back to a failure in one or more of these five areas. Using the 5 P's as a self-assessment framework helps identify gaps before auditors find them.
History of Medical Device GMP
Understanding the history of device GMP helps explain why the current regulatory framework exists and where it is heading.
| Year | Event |
|---|---|
| 1938 | Federal Food, Drug, and Cosmetic Act enacted — establishes FDA authority but does not specifically address medical devices |
| 1962 | Kefauver-Harris Amendment introduces GMP requirements for drugs (following the thalidomide crisis) |
| 1976 | Medical Device Amendments to the FD&C Act — establishes FDA authority over medical devices, including device classification, premarket review, and GMP requirements |
| 1978 | FDA publishes the first medical device GMP regulation (21 CFR Part 820) |
| 1990 | Safe Medical Devices Act (SMDA) — strengthens postmarket surveillance, adds mandatory device tracking and MDR reporting |
| 1996 | FDA revises 21 CFR Part 820, renaming it the Quality System Regulation (QSR) — incorporates design controls and aligns more closely with ISO quality system concepts |
| 1997 | FDA Modernization Act (FDAMA) — reforms device regulation, adds third-party review programs |
| 2003 | GHTF publishes Study Group 3 guidance documents aligning global QMS expectations |
| 2012 | FDA Safety and Innovation Act (FDASIA) — expands FDA enforcement authority, strengthens foreign inspection capability |
| 2016 | ISO 13485:2016 published — the current edition of the international device QMS standard |
| 2017 | EU Medical Device Regulation (2017/745) published — replaces the Medical Device Directives, introduces stricter QMS requirements |
| 2022 | FDA proposes QMSR rule to incorporate ISO 13485 by reference |
| 2024 | FDA publishes final QMSR rule (February 2, 2024) with a two-year transition period |
| 2026 | QMSR takes effect (February 2, 2026) — ISO 13485:2016 is incorporated by reference into 21 CFR Part 820 |
The QSR to QMSR Transition
The QMSR represents the most significant change to US device GMP requirements in three decades. Here is what happened and what it means.
Timeline
| Date | Event |
|---|---|
| October 2022 | FDA publishes proposed QMSR rule; public comment period begins |
| February 2, 2024 | FDA publishes final QMSR rule in the Federal Register |
| February 2, 2024 – February 1, 2026 | Two-year transition period |
| December 4, 2025 | FDA publishes technical amendments to QMSR |
| February 2, 2026 | QMSR takes effect; legacy QSR is removed from 21 CFR Part 820 |
What Changed
The core shift: instead of maintaining a standalone, FDA-specific quality system framework (the QSR), the FDA now incorporates ISO 13485:2016 by reference. This means:
One QMS for all markets — Manufacturers no longer need to maintain parallel systems for FDA and ISO 13485. A single QMS can satisfy both.
FDA-specific requirements retained — Complaint files (21 CFR 820.198), MDR reporting integration, record retention periods, UDI requirements, and corrections/removals remain as US-specific additions on top of ISO 13485.
New inspection approach — The FDA retired the Quality System Inspection Technique (QSIT) and now uses the updated Compliance Program 7382.850 for device inspections.
Terminology harmonization — FDA's "Design History File" aligns with ISO 13485's design and development file concept. Conflicting terminology between the two frameworks is resolved.
If you are already ISO 13485 certified, the transition is manageable — conduct a gap analysis against the retained FDA-specific requirements. If you are QSR-compliant but not ISO 13485 certified, you face significantly more work. See our QSR to QMSR Transition Guide for a detailed breakdown.
The Seven GMP Subsystems
The FDA has historically organized device GMP requirements into seven subsystems. These subsystems remain the conceptual framework for inspections, even under the QMSR. Understanding them is essential for building — and auditing — a compliant quality system.
1. Management Controls
Management controls establish the foundation. If management is not engaged, the quality system will fail — and the FDA knows this.
Requirements include:
- Quality policy and objectives — Documented, communicated, and reviewed (ISO 13485 Clause 5.3)
- Management representative — An individual with defined authority and responsibility for the QMS (Clause 5.5.2)
- Management review — Formal review at planned intervals, covering audit results, complaint trends, CAPA effectiveness, process performance, and regulatory changes (Clause 5.6)
- Resource management — Adequate personnel, competency, infrastructure, and work environment (Clauses 6.1–6.4)
- Quality manual — Explicitly required by ISO 13485 (Clause 4.2.2)
Common pitfall: Management reviews that are superficial check-the-box exercises. The FDA and Notified Bodies expect substantive review of data with documented decisions and action items. A management review that shows flat-lining metrics with no discussion, no decisions, and no follow-up actions is a red flag to auditors.
What management review must cover (per ISO 13485 Clause 5.6.2):
- Audit results (internal and external)
- Customer feedback and complaint data
- Process performance and product conformity
- Status of preventive and corrective actions
- Follow-up actions from previous management reviews
- Changes that could affect the QMS (regulatory changes, organizational changes)
- New or revised regulatory requirements
- Recommendations for improvement
2. Design Controls
Design controls ensure that the device you intend to make is safe and effective — before you start manufacturing it. They apply to Class II and Class III devices in the US, and to all classes under ISO 13485 (with the ability to exclude Clause 7.3 only if justified).
The design control process:
| Phase | Key Activities | Key Outputs |
|---|---|---|
| Design planning | Define phases, responsibilities, milestones, review points | Design and development plan |
| Design input | Capture user needs, regulatory requirements, risk analysis, standards | Design input requirements document |
| Design output | Translate inputs into specifications, drawings, software requirements | Device specifications, BOM, manufacturing procedures |
| Design review | Formal review at defined stages by cross-functional team | Design review minutes, action items |
| Design verification | Confirm outputs meet inputs through testing, analysis, inspection | Verification test reports |
| Design validation | Confirm the device meets user needs under actual or simulated use conditions | Validation protocols and reports |
| Design transfer | Transfer the design to production, including process validation | Manufacturing procedures, process validation protocols |
| Design changes | Document, review, verify, and validate changes before implementation | Design change orders |
FDA enforcement trend (2025–2026): Inspectors are increasingly using postmarket signals — complaint trends, MDRs, field actions — to trace deficiencies back to design inputs. If your complaints reveal a systematic performance issue, expect the investigator to pull your design history file and look for whether the failure mode was anticipated during design input, and whether verification and validation testing was adequate to detect it.
3. Production and Process Controls
Production and process controls ensure that every device manufactured matches the approved design. This subsystem covers manufacturing procedures, process validation, environmental controls, and in-process inspection and testing.
Key requirements:
- Device Master Record (DMR) — The complete set of procedures and specifications for manufacturing a device (ISO 13485 Clause 4.2.3). The DMR must include device specifications, production process specifications, quality assurance procedures and specifications, packaging and labeling specifications, and installation and servicing procedures.
- Device History Record (DHR) — The production record for each lot/batch, demonstrating the device was manufactured according to the DMR (Clause 4.2.5). Each DHR must include manufacturing dates, quantity manufactured, quantity released for distribution, acceptance records demonstrating the device meets DMR specifications, and the primary identification label.
- Process validation — Required for any process whose results cannot be fully verified by subsequent inspection and testing (Clause 7.5.6). See the detailed section below.
- Work environment controls — Cleanroom classification, temperature, humidity, and environmental monitoring as appropriate (Clause 6.4)
- Equipment maintenance and calibration — Documented maintenance schedules, calibration records traceable to national standards (Clause 7.6)
- Labeling controls — Procedures to prevent label mix-ups, including label storage, issuance, and inspection. Labeling errors are a surprisingly common source of recalls.
- In-process and final inspection — Acceptance activities at defined stages of production to verify that manufacturing specifications are met before the device progresses to the next step or is released for distribution
DMR vs. DHR — a critical distinction: The Device Master Record defines how to manufacture the device. The Device History Record proves that you manufactured it according to the DMR. During an FDA inspection, investigators will pull the DHR for specific lots and compare it against the DMR to verify compliance. Any discrepancy — a missing signature, an out-of-spec result without a documented disposition, a process parameter outside the DMR range — is a citable observation.
4. Corrective and Preventive Action (CAPA)
CAPA is consistently the most-cited subsystem in FDA Form 483 observations and warning letters. In FY2025, CAPA deficiencies appeared in over 60% of enforcement actions against device manufacturers.
The CAPA process requires:
- Identification — Sources include complaints, audit findings, process nonconformities, returned product analysis, and management review outputs
- Investigation and root cause analysis — ISO 13485 (Clause 8.5.2) explicitly requires determination of root cause. Surface-level investigations are a red flag.
- Corrective action — Action to eliminate the cause of an existing nonconformity
- Preventive action — Action to eliminate the cause of a potential nonconformity (Clause 8.5.3)
- Verification of effectiveness — Documented evidence that the action taken actually resolved the issue
- Dissemination — Relevant information about quality problems submitted for management review
Common CAPA failures:
- Root cause analysis that stops at "human error" without investigating why the error occurred (inadequate training? unclear procedure? poor design?)
- Corrective actions limited to retraining, without addressing systemic causes
- No effectiveness verification — the CAPA is "closed" without confirming the problem is actually resolved
- Failure to escalate CAPA findings that indicate a broader quality system issue
FDA expectation: A CAPA should not be closed until effectiveness has been verified over a meaningful period. A single data point immediately after implementing the corrective action is insufficient.
5. Material Controls and Purchasing
Material controls ensure that components, raw materials, and services from suppliers meet specified requirements before they are used in device manufacturing.
Requirements under ISO 13485 Clause 7.4:
- Supplier evaluation and selection — Documented criteria for evaluating suppliers based on their ability to meet quality requirements
- Supplier monitoring — Ongoing assessment through incoming inspection, audits, performance metrics, and re-evaluation at defined intervals
- Purchasing data — Purchase orders that clearly define specifications, quality requirements, and acceptance criteria
- Supplier change notification — Agreements requiring suppliers to notify the manufacturer of changes that could affect product quality
- Incoming acceptance — Verification of purchased product against specifications before use
Between 2008 and 2025, FDA issued over 3,000 citations related to purchasing controls (21 CFR 820.50). The most common finding: absence of documented supplier evaluation procedures or failure to follow them.
Practical consideration: The QMSR and ISO 13485 both require that outsourced processes affecting product quality are controlled. This includes contract sterilization, testing laboratories, contract manufacturing, and even software development. Outsourcing does not remove your responsibility.
6. Records and Document Controls
Document controls ensure that the right people have access to the right version of the right document, and that obsolete documents are removed from use. Record controls ensure that quality records are legible, identifiable, retrievable, and retained for the required period.
Key requirements:
- Document control procedures — Approval, review, revision, distribution, and obsolescence (ISO 13485 Clause 4.2.4)
- Record retention — Records must be retained for the lifetime of the device, or at minimum 2 years from the date of commercial distribution (FDA requirement)
- Device Master Record — Complete specifications, procedures, and quality assurance requirements for a finished device
- Device History Record — Production record demonstrating each device was manufactured in accordance with the DMR
- Quality System Record — Addresses, activities, and documentation covering the entire quality system
Data integrity: The FDA has increased focus on data integrity in recent years. Electronic records must comply with 21 CFR Part 11 (electronic records and signatures), and any system used to create, modify, maintain, archive, retrieve, or transmit records must be validated.
7. Facility and Equipment Controls
This subsystem covers the physical infrastructure — buildings, equipment, utilities, and environmental conditions.
Requirements include:
- Building design — Adequate space, lighting, ventilation, and workflow separation to prevent contamination and mix-ups
- Equipment qualification — Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) for manufacturing equipment
- Calibration program — Measurement equipment calibrated at defined intervals, traceable to national or international standards. Calibration records must be maintained.
- Preventive maintenance — Documented maintenance schedules and records for all equipment used in manufacturing
- Environmental monitoring — Particulate monitoring, temperature and humidity logging, microbial monitoring for cleanroom environments
Additional GMP Requirement Areas
Beyond the seven subsystems, several additional requirement areas under 21 CFR Part 820 and ISO 13485 deserve dedicated attention. These areas are frequently cited in FDA inspections and represent common compliance gaps.
Identification and Traceability
Identification and traceability requirements ensure that every device, component, and material can be tracked through every stage of manufacturing and distribution. Under ISO 13485 Clause 7.5.8 and the QMSR, manufacturers must:
- Assign unique identification to devices and components during receipt, production, distribution, and installation. This includes lot or batch numbers, serial numbers, or other control numbers that allow each unit to be traced.
- Maintain traceability records that link each finished device to its component materials, manufacturing processes, production personnel, environmental conditions, and distribution history.
- Implement Unique Device Identification (UDI) per FDA UDI requirements (21 CFR Part 830). The UDI system assigns a unique numeric or alphanumeric code to each device model (and in some cases, each individual unit) to facilitate tracking through the supply chain and postmarket surveillance.
- Enable recall capability — Traceability records must be sufficient to identify every affected device if a recall becomes necessary. The FDA expects that a manufacturer can identify all devices in a specific lot, where they were distributed, and which components and processes were used in their manufacture.
Why this matters: When a complaint or field failure occurs, the investigator will ask you to trace the device back through your records — from the customer, to the lot or serial number, to the DHR, to the component lots, to the supplier records. Gaps in this traceability chain are a citable observation and can severely hamper your ability to assess the scope of a quality issue.
Implantable device traceability: For implantable devices, the FDA requires manufacturers to adopt a method of tracking that enables the manufacturer to promptly trace each device to the initial distributor and, in some cases, to the patient. This requirement is defined in 21 CFR Part 821 (Medical Device Tracking).
Acceptance Activities
Acceptance activities are the inspection, testing, and verification steps performed at defined stages of manufacturing to confirm that products and components meet specifications before progressing to the next step or being released for distribution. Under ISO 13485 Clause 8.2.4 and 21 CFR Part 820, acceptance activities fall into three categories:
1. Receiving/Incoming Acceptance:
- Inspect or test incoming components, raw materials, and subassemblies against purchasing specifications
- Verify Certificates of Conformance (CoC) or Certificates of Analysis (CoA) from suppliers
- Use risk-based sampling plans (per ISO 2859 or equivalent) — critical components require more rigorous inspection than non-critical items
- Quarantine incoming materials until acceptance is complete; clearly identify accepted, rejected, and quarantined materials
2. In-Process Acceptance:
- Inspect and test work-in-progress at defined stages during manufacturing
- Verify that process parameters remain within validated ranges
- Document in-process acceptance results in the Device History Record
- Quarantine in-process product that does not meet acceptance criteria until disposition is completed
3. Final Acceptance (Finished Device):
- Perform final inspection and testing to verify the finished device meets all DMR specifications
- Verify that all required manufacturing steps have been completed and documented in the DHR
- Confirm that all component acceptance activities, in-process acceptance activities, and required tests have been completed with acceptable results
- Authorize release for distribution only after all acceptance criteria are met and the release is signed by authorized personnel
Common citation: "Acceptance activities have not been performed or documented as required." This observation typically arises when manufacturers skip incoming inspection steps, fail to document in-process checks, or release product before all final acceptance activities are completed.
Nonconforming Product Control
When a device, component, or material does not meet specifications, it must be controlled to prevent unintended use or distribution. ISO 13485 Clause 8.3 and 21 CFR Part 820 require documented procedures for handling nonconforming product:
1. Identification and segregation:
- Nonconforming product must be clearly identified (labels, tags, or markings) and physically segregated from conforming product
- A quarantine area or system must prevent nonconforming product from being inadvertently used or shipped
2. Investigation:
- Determine the nature and extent of the nonconformity
- Assess the potential impact on other product (same lot, adjacent lots, similar processes)
- Determine root cause when appropriate (link to CAPA if the nonconformity is recurring or systemic)
3. Disposition:
- Use as-is (accept) — Only when documented justification demonstrates the nonconformity does not affect device safety, performance, or fitness for use. Requires approval by designated personnel with defined authority. Cannot be used to circumvent specifications routinely.
- Rework — Return the product to a conforming state through documented rework procedures. Reworked product must be re-inspected and re-tested against acceptance criteria. Rework procedures must be included in or referenced by the DMR.
- Return to supplier — For incoming material nonconformities, return the material to the supplier with documented notification
- Reject/scrap — Dispose of the nonconforming product. Document the disposition and ensure scrapped product cannot re-enter the manufacturing stream.
4. Concessions and deviations:
- Any acceptance of nonconforming product must be documented with justification, risk assessment, and approval by authorized personnel
- The FDA expects that concessions are the exception, not the routine. A pattern of concessions for the same nonconformity indicates a systemic issue that should trigger CAPA.
Rework is not free of regulatory scrutiny. Every rework activity must follow an approved procedure, and the reworked product must be re-verified against all applicable acceptance criteria. The FDA has cited manufacturers for performing rework without documented procedures or for failing to re-inspect reworked product.
Labeling and Packaging Controls
Labeling errors are among the most common causes of medical device recalls. The FDA's definition of "labeling" is broad — it includes the device label, instructions for use (IFU), package inserts, and any other written, printed, or graphic material accompanying the device.
Key requirements under ISO 13485 Clause 7.5.1 and 21 CFR Part 820:
- Label design and approval — All labeling content must be reviewed and approved before use. Labeling must include all required elements per 21 CFR Part 801 (device labeling requirements) and, where applicable, EU MDR Annex I Chapter III and UDI requirements.
- Label storage and control — Labels must be stored in a manner that prevents mix-ups. Access to label storage should be controlled. Labels for different devices, sizes, configurations, or language versions must be clearly separated.
- Label issuance — Labels should be issued to production in controlled quantities. A label reconciliation process — comparing labels issued to labels used plus labels returned — can detect potential mix-ups.
- Labeling inspection — Labels must be inspected before use to verify correct content, revision level, and identity. A final inspection of the labeled device must confirm that the correct label has been applied to the correct device.
- UDI compliance — Devices marketed in the US must bear a Unique Device Identifier (UDI) on the label and device package in both human-readable and AIDC (automatic identification and data capture) formats, per 21 CFR Part 830. The UDI must be submitted to the FDA's Global Unique Device Identification Database (GUDID).
Common labeling failures that lead to recalls:
- Wrong label applied to the product (label mix-up)
- Missing or incorrect UDI
- Incorrect expiration date or lot number
- Missing required warnings or contraindications
- Instructions for use that do not match the current device design (obsolete IFU)
- Labeling not translated or translated incorrectly for the target market
Handling, Storage, Distribution, and Installation
These requirements ensure that devices are not damaged, contaminated, or degraded between manufacturing and use. ISO 13485 Clauses 7.5.9–7.5.11 and 21 CFR Part 820 require:
Handling:
- Documented procedures for handling product to prevent damage, deterioration, or contamination during manufacturing, storage, and shipping
- Appropriate containers, conveyances, and handling equipment
- ESD (electrostatic discharge) controls for electronic devices and components
Storage:
- Defined storage conditions (temperature, humidity, light exposure) appropriate to the device
- Controlled stockroom access to prevent unauthorized use or distribution
- FIFO (first in, first out) or FEFO (first expired, first out) inventory management
- Periodic assessment of stored product condition — devices should not remain in inventory indefinitely without inspection or re-evaluation
- Segregation of quarantined, rejected, and accepted product
Distribution:
- Distribution records that identify the initial consignee (first customer or distributor) for each lot or serial number
- Distribution controls that ensure product is shipped under conditions that maintain its integrity (temperature-controlled shipping for temperature-sensitive devices)
- Procedures to ensure only released product is distributed — product awaiting final acceptance, under investigation, or on quality hold must not be shipped
- Recall capability — distribution records must be sufficient to execute a recall to the user or patient level when required
Installation:
- For devices that require installation, the manufacturer must establish installation instructions and procedures
- If installation is performed by someone other than the manufacturer, installation instructions must be provided with the device
- Installation records must be maintained, documenting that the device was installed according to the manufacturer's instructions
- Installation verification or qualification may be required — particularly for large or complex devices (imaging systems, surgical robots, laboratory instruments)
Distribution record retention: The FDA requires that distribution records be maintained for the lifetime of the device or a minimum of 2 years from commercial distribution, whichever is longer. These records are critical for recall effectiveness and are routinely reviewed during FDA inspections.
Servicing
If a manufacturer specifies that a device requires servicing, or if servicing is offered as part of the device's lifecycle, ISO 13485 Clause 7.5.4 and 21 CFR Part 820 require:
- Documented servicing procedures — Instructions for maintenance, repair, calibration, and software updates
- Service records — Documentation of each service event, including the date, nature of the service, device identification, parts replaced, and the technician who performed the work
- Service report analysis — Service reports must be analyzed to detect trends that may indicate a design or manufacturing deficiency. The FDA specifically requires that service reports be evaluated using appropriate statistical methodology to identify patterns requiring corrective action.
- Complaint evaluation — Any service event that involves a device malfunction, degradation of performance, or user complaint must be evaluated under the complaint handling procedure, including MDR reportability assessment
- Service personnel qualification — Personnel performing servicing must be trained and qualified. If third-party service organizations perform service, the manufacturer must define the qualifications and training requirements.
Regulatory consideration: The distinction between "servicing" and "remanufacturing" is important. The FDA considers remanufacturing (significantly changing a device's performance, safety, or intended use, or reconditioning a used device to like-new condition) to be manufacturing — subject to full GMP requirements, establishment registration, and device listing. Third-party service organizations that perform remanufacturing are subject to FDA oversight.
Statistical Techniques
ISO 13485 Clause 8.2.6 and 21 CFR Part 820 require that manufacturers establish procedures for identifying valid statistical techniques needed for verifying the acceptability of process capability and product characteristics.
Key applications of statistical techniques in GMP:
- Sampling plans — Defining statistically valid sampling plans for incoming inspection, in-process inspection, and final inspection. Plans should be based on recognized standards such as ISO 2859 (sampling by attributes) or ISO 3951 (sampling by variables). The choice of sampling plan must be justified and documented.
- Process capability analysis — Calculating process capability indices (Cp, Cpk, Pp, Ppk) to demonstrate that manufacturing processes are capable of consistently meeting specifications. A Cpk of 1.33 or higher is a commonly accepted benchmark, though critical-to-quality characteristics may require higher capability.
- Statistical process control (SPC) — Monitoring process parameters and product characteristics over time using control charts (X-bar and R charts, p-charts, c-charts, etc.). SPC enables early detection of process drift, trends, and out-of-control conditions before they result in nonconforming product.
- Design of Experiments (DOE) — Used during process development and validation to identify critical process parameters, understand their interactions, and optimize process settings.
- Reliability analysis — Statistical methods for predicting device reliability, failure rates, and useful life. Used in design verification, design validation, and postmarket surveillance.
- Trend analysis — Statistical analysis of complaint data, CAPA data, nonconformance rates, audit findings, and process data to identify patterns and drive continuous improvement.
Common citation: "Valid statistical techniques have not been established for process capability or product characteristics." This observation typically arises when manufacturers use arbitrary sampling plans without statistical justification, or fail to apply statistical methods to process monitoring data.
Process Validation: IQ, OQ, PQ
Process validation is one of the most technically demanding GMP requirements — and one of the most frequently cited in FDA inspections. The principle is simple: if you cannot fully verify the output of a manufacturing process through subsequent inspection and testing, you must validate the process.
When Is Process Validation Required?
Any process whose results cannot be fully verified by subsequent inspection and testing must be validated. Common examples in medical device manufacturing:
- Sterilization (EO, radiation, steam) — You cannot test every device for sterility without destroying the product
- Sealing and bonding (heat sealing, ultrasonic welding, adhesive bonding)
- Injection molding — Particularly for critical dimensions or properties
- Coating and surface treatments (plasma treatment, chemical coating)
- Software-controlled processes — Any automated manufacturing step
- Cleaning processes — Particularly for devices that contact the body
The Three Phases
Process validation follows a sequential three-phase approach. Each phase must be completed — and documented — before proceeding to the next.
Installation Qualification (IQ)
IQ verifies that equipment and systems are installed correctly and in accordance with the manufacturer's specifications.
IQ activities include:
- Verification of equipment model, serial number, and configuration against purchase specifications
- Confirmation that utility connections (power, water, compressed air, gases) meet equipment requirements
- Verification that the installation environment meets specified conditions
- Documentation of software versions and firmware
- Verification of calibration status of all measurement instruments
- Review of equipment manuals, maintenance requirements, and spare parts lists
Operational Qualification (OQ)
OQ demonstrates that equipment operates as intended within its specified operating ranges.
OQ activities include:
- Testing equipment at the specified operating limits (worst-case conditions)
- Challenging alarm systems, interlocks, and safety features
- Verifying process parameters (temperature, pressure, time, speed) against specifications
- Testing automation sequences and software controls
- Documenting all test results with acceptance criteria
Critical concept — worst-case testing: OQ must demonstrate that the process produces acceptable output at the edges of the operating range, not just the center. If your sealing temperature is specified at 180°C ± 10°C, you must demonstrate acceptable seals at both 170°C and 190°C.
Performance Qualification (PQ)
PQ confirms that the validated process consistently produces output meeting predetermined specifications under actual production conditions.
PQ requirements:
- Testing under normal production conditions (not laboratory conditions)
- Using production materials, production personnel, and production equipment
- Typically requires a minimum of three consecutive successful runs (though the FDA does not mandate a specific number — statistical justification is the standard)
- Product output must meet all acceptance criteria
- Process parameters must remain within validated ranges throughout
- Statistical analysis demonstrating process capability (Cpk values)
Common mistake: Treating IQ/OQ/PQ as a one-time exercise. Process validation is not a "set it and forget it" activity. Revalidation is required when there are changes to equipment, materials, processes, or software that could affect product quality. Ongoing process monitoring (statistical process control) should verify that the process remains in a validated state.
Validation Documentation
A complete process validation package should include:
- Validation Master Plan — An overarching document listing all processes requiring validation, their current validation status, and the approach for each
- Validation Protocol — The pre-approved plan for executing IQ, OQ, and PQ, including:
  - Process description and parameters
  - Equipment identification
  - Acceptance criteria (defined before testing begins)
  - Sampling plan with statistical rationale
  - Test methods and measurement systems
  - Responsibilities and approvals
- Validation Report — The documented results of execution, including:
  - Summary of all data collected
  - Deviations from the protocol and their disposition
  - Statistical analysis (process capability indices, confidence intervals)
  - Conclusion stating whether the process is validated or requires further action
  - Approved operating ranges for routine production
Revalidation Triggers
You must revalidate when:
- Equipment is replaced, modified, or relocated
- Raw materials or components change (different supplier, different lot characteristics)
- Process parameters change (even within the validated range, if the change could affect output)
- Software or firmware is updated
- Facilities change (different cleanroom, different environment)
- Trending data shows process drift
- Complaint or nonconformance data suggests the process may no longer be in a state of control
- After extended periods of non-use (process idle for months)
Ongoing Process Monitoring
Validation does not end with PQ. ISO 13485 Clause 7.5.6 requires ongoing monitoring and control of validated processes. Best practices include:
- Statistical Process Control (SPC) — Chart critical process parameters and product characteristics over time. Use control charts to detect trends, shifts, and out-of-control conditions before they result in nonconforming product.
- Periodic product testing — Even for validated processes, periodic testing of product attributes provides confirmation that the process remains in a validated state.
- Annual product quality review — Summarize process performance data annually, including yield, nonconformance rates, complaint trends, and SPC data. Use this review to determine whether revalidation is needed.
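The capability analysis expected at PQ and the SPC monitoring described above can be run on the same subgrouped data. The following Python code is an added example, not part of the original guide: it derives X-bar/R control limits and Cp/Cpk from a constructed baseline for the 180°C ± 10°C sealing example, then flags production subgroups that leave the control limits. The function names, the readings, and the use of the R-bar/d2 sigma estimate are assumptions made for illustration.

```python
"""X-bar/R control limits and Cp/Cpk for a validated process (added example).

All readings are constructed sample data for the 180 C +/- 10 C sealing
example; they are not real process data.
"""

# Standard Shewhart chart constants by subgroup size n: (A2, D3, D4, d2)
SHEWHART = {
    2: (1.880, 0.0, 3.267, 1.128),
    3: (1.023, 0.0, 2.574, 1.693),
    4: (0.729, 0.0, 2.282, 2.059),
    5: (0.577, 0.0, 2.114, 2.326),
}

LSL, USL = 170.0, 190.0  # specification limits from the sealing example

# Constructed PQ baseline: four subgroups of five seal-temperature readings
BASELINE = [
    [180, 182, 184, 182, 182],
    [181, 183, 185, 183, 183],
    [179, 181, 183, 181, 181],
    [180, 184, 182, 182, 182],
]

# Constructed routine-production subgroups collected after validation
PRODUCTION = [
    [181, 182, 183, 182, 182],  # in control
    [184, 185, 186, 185, 185],  # mean shifted up, every reading still in spec
    [176, 182, 188, 182, 182],  # spread widened, every reading still in spec
    [182, 183, 181, 182, 182],  # in control
]


def control_limits(subgroups):
    """Derive X-bar and R chart limits from equally sized baseline subgroups."""
    sizes = {len(s) for s in subgroups}
    if len(sizes) != 1:
        raise ValueError("all subgroups must have the same size")
    n = sizes.pop()
    if n not in SHEWHART:
        raise ValueError(f"no chart constants tabulated for subgroup size {n}")
    a2, d3, d4, d2 = SHEWHART[n]
    means = [sum(s) / n for s in subgroups]
    ranges = [max(s) - min(s) for s in subgroups]
    center = sum(means) / len(means)
    rbar = sum(ranges) / len(ranges)
    return {
        "n": n,
        "center": center,
        "xbar_lcl": center - a2 * rbar,
        "xbar_ucl": center + a2 * rbar,
        "r_lcl": d3 * rbar,
        "r_ucl": d4 * rbar,
        "sigma_within": rbar / d2,  # short-term sigma estimated as R-bar / d2
    }


def capability(limits, lsl, usl):
    """Return (Cp, Cpk) using the within-subgroup sigma estimate."""
    sigma = limits["sigma_within"]
    if sigma <= 0:
        raise ValueError("zero variation in baseline; check gauge resolution")
    cp = (usl - lsl) / (6 * sigma)
    cpk = min(usl - limits["center"], limits["center"] - lsl) / (3 * sigma)
    return cp, cpk


def monitor(subgroups, limits, lsl, usl):
    """Return [(index, [reasons])] for subgroups that need investigation."""
    signals = []
    for i, s in enumerate(subgroups):
        if len(s) != limits["n"]:
            raise ValueError(f"subgroup {i} does not match baseline size")
        m, r = sum(s) / len(s), max(s) - min(s)
        reasons = []
        if any(x < lsl or x > usl for x in s):
            reasons.append("reading_out_of_spec")
        if not limits["xbar_lcl"] <= m <= limits["xbar_ucl"]:
            reasons.append("mean_outside_control_limits")
        if not limits["r_lcl"] <= r <= limits["r_ucl"]:
            reasons.append("range_outside_control_limits")
        if reasons:
            signals.append((i, reasons))
    return signals


if __name__ == "__main__":
    limits = control_limits(BASELINE)
    cp, cpk = capability(limits, LSL, USL)
    print(f"X-bar limits: {limits['xbar_lcl']:.3f} .. {limits['xbar_ucl']:.3f}")
    print(f"R upper limit: {limits['r_ucl']:.3f}")
    print(f"Cp={cp:.2f} Cpk={cpk:.2f} meets 1.33 benchmark: {cpk >= 1.33}")
    for index, reasons in monitor(PRODUCTION, limits, LSL, USL):
        print(f"subgroup {index}: {', '.join(reasons)}")
```

The second and third production subgroups are flagged even though no single reading leaves the 170°C to 190°C specification, which is the early warning that control charts provide before nonconforming product appears.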
Environmental Controls and Cleanroom Requirements
For devices manufactured under controlled environmental conditions — particularly sterile devices and implantables — environmental controls are a critical GMP requirement.
ISO 14644 Cleanroom Classification
ISO 14644-1 defines cleanroom classifications based on the maximum permitted concentration of airborne particles per cubic meter. Medical device manufacturers typically work within the following classifications:
| ISO Class | Max Particles ≥ 0.5 µm per m³ | Typical Medical Device Application |
|---|---|---|
| ISO 5 (Class 100) | 3,520 | Implantable devices, aseptic filling |
| ISO 6 (Class 1,000) | 35,200 | Sterile device assembly |
| ISO 7 (Class 10,000) | 352,000 | Sterile device packaging, cleanroom gowning |
| ISO 8 (Class 100,000) | 3,520,000 | Non-sterile device assembly, component preparation |
Environmental Monitoring Program
A compliant environmental monitoring program includes:
- Particle counting — Continuous or periodic monitoring of airborne particulates at defined locations within the cleanroom
- Microbial monitoring — Active air sampling (e.g., settle plates, volumetric air samplers) and surface monitoring (e.g., contact plates, swabs) to detect microbial contamination
- Temperature and humidity monitoring — Continuous logging with defined alert and action limits
- Differential pressure monitoring — Ensuring cleanroom pressure cascades are maintained to prevent contamination ingress
- Requalification — ISO 14644-2 recommends requalification every 6 months for ISO Class 5 and annually for ISO Classes 6–8
Cleanroom Design Considerations
Designing a GMP-compliant cleanroom involves more than achieving a particle count. Key design elements include:
- Material flow — Separation of incoming raw materials, in-process product, and finished goods to prevent cross-contamination and mix-ups
- Personnel flow — Defined gowning rooms and airlocks that prevent direct access from uncontrolled areas to controlled manufacturing zones
- HVAC system — HEPA-filtered air supply, defined air change rates per hour (typically 20–60 ACH for ISO 7, 240–600 ACH for ISO 5), and unidirectional (laminar) airflow where required
- Surface finishes — Smooth, non-porous, cleanable surfaces on walls, floors, and ceilings. Coved floor-wall junctions. No unsealed penetrations.
- Utilities — Process gases (compressed air, nitrogen) filtered to match the cleanroom classification. Purified water systems validated for the intended use.
Personnel Controls
People are the largest source of contamination in a cleanroom. GMP-compliant personnel controls include:
- Defined gowning procedures appropriate to the cleanroom classification
- Training and qualification of personnel on gowning technique — including periodic re-qualification (gowning qualification testing using contact plates)
- Health and hygiene requirements (no cosmetics, jewelry, or exposed skin in controlled areas)
- Limits on the number of personnel in the cleanroom at any given time
- Behavior protocols (no running, no leaning on surfaces, controlled movements)
- Illness reporting policies — personnel with communicable illnesses or open wounds should not enter controlled manufacturing areas
Sterilization Validation
For sterile medical devices, sterilization validation is a fundamental GMP requirement. The chosen sterilization method must be validated to demonstrate a Sterility Assurance Level (SAL) of 10⁻⁶, meaning a probability of no more than one in a million that a unit is non-sterile.
Common Sterilization Methods
| Method | Standard | Advantages | Considerations |
|---|---|---|---|
| Ethylene oxide (EO) | ISO 11135 | Compatible with most materials; penetrates complex geometries | Toxic residuals require aeration; environmental concerns; long cycle times |
| Gamma radiation | ISO 11137 | No toxic residuals; penetrates sealed packaging; fast throughput | Can degrade polymers; requires shielding infrastructure |
| E-beam radiation | ISO 11137 | Fast dose delivery; no residuals | Limited penetration depth; requires specific facility design |
| Steam (moist heat) | ISO 17665 | Well-understood; fast cycle; no toxic residuals | High temperature limits material compatibility; moisture exposure |
| Hydrogen peroxide | ISO 22441 | Low temperature; no toxic residuals | Limited penetration; newer technology; fewer validation precedents |
Sterilization Validation Elements
A complete sterilization validation includes:
- Bioburden determination — Establish the microbial load on devices before sterilization (ISO 11737-1)
- Dose setting / cycle development — Determine the minimum sterilization dose or cycle parameters required to achieve the target SAL
- IQ/OQ/PQ — Equipment and process qualification using the same framework described above
- Sterility testing — Product sterility testing per ISO 11737-2 to verify the process achieves the target SAL
- Residual testing — For EO sterilization, testing for ethylene oxide and ethylene chlorohydrin residuals per ISO 10993-7
- Packaging validation — Demonstrating that the sterile barrier system maintains sterility through the shelf life (ISO 11607)
- Routine monitoring — Ongoing biological indicator and chemical indicator testing, dose mapping (radiation), or parametric monitoring (steam, EO)
- Shelf life and stability — Stability testing to verify that the sterilized device maintains sterility through its labeled shelf life under defined storage conditions
Sterilization Method Selection
Choosing the right sterilization method is a design decision that should be made early in the product development process. Key factors include:
- Material compatibility — Some polymers degrade under gamma radiation. Some adhesives fail under EO exposure. Some materials cannot withstand steam temperatures. Conduct material compatibility studies before committing to a sterilization method.
- Device geometry — Complex devices with lumens, cavities, or multiple layers may require a sterilization method with superior penetration characteristics (EO is often preferred for complex geometries).
- Regulatory expectations — The FDA expects sterilization validation to follow recognized consensus standards. Using a non-standard sterilization method requires additional justification and more extensive validation.
- Production volume — Radiation sterilization is cost-effective at high volumes. EO sterilization is more flexible for smaller batches.
- Environmental and safety considerations — EO is a known carcinogen with increasing regulatory scrutiny on emissions. Radiation requires specialized facilities with shielding. Consider the long-term viability and regulatory trajectory of your chosen method.
Supply Chain Quality Management
Modern medical device manufacturing relies on global supply chains. Your device may contain components from dozens of suppliers across multiple countries. GMP requires you to control this supply chain as if every supplier were an extension of your own manufacturing facility.
Supplier Qualification Process
Risk-based classification — Categorize suppliers based on the criticality of the component or service they provide. A supplier of implant-grade titanium requires more rigorous controls than a supplier of office supplies.
Initial evaluation — Before approving a supplier:
- Review their quality certifications (ISO 13485, ISO 9001)
- Conduct a supplier questionnaire or quality survey
- Perform an on-site audit for critical suppliers
- Evaluate sample product against your specifications
- Review their complaint history and regulatory status
Approved Supplier List (ASL) — Maintain a documented list of approved suppliers with the scope of their approval (what they are approved to supply).
Supplier agreements — Quality agreements should define:
- Specifications and acceptance criteria
- Change notification requirements
- Right to audit
- Complaint and nonconformance handling
- Certificate of Conformance / Certificate of Analysis requirements
Ongoing monitoring — Track supplier performance through:
- Incoming inspection results (acceptance/rejection rates)
- On-time delivery metrics
- CAPA history related to supplier-sourced nonconformities
- Periodic re-evaluation (audit or performance review)
Single-Source Risk
The FDA and Notified Bodies pay attention to single-source dependencies. If a critical component is available from only one supplier, your risk management file should address this. Consider:
- Qualifying a second source
- Maintaining safety stock
- Negotiating long-term supply agreements
- Including supply chain continuity in your risk management process
Counterfeit and Substandard Materials
The risk of counterfeit or substandard components entering the medical device supply chain is real and growing. GMP compliance requires controls to mitigate this risk:
- Certificate of Conformance (CoC) / Certificate of Analysis (CoA) — Require these with every shipment from critical suppliers. Verify them against your specifications.
- Material traceability — Maintain lot/batch traceability from incoming material through finished device. If a material nonconformity is discovered, you must be able to trace every affected device.
- Incoming inspection — Risk-based sampling and testing of incoming materials. For critical components (implant-grade materials, biological materials, electronic components), incoming inspection should include identity testing, not just visual inspection.
- Authorized distributor networks — Purchase components from authorized distributors or directly from the manufacturer. Avoid gray-market sources.
FDA GMP Inspections
Understanding FDA inspection processes is essential for maintaining compliance and avoiding enforcement actions.
Types of Inspections
| Type | Trigger | Scope | Typical Duration |
|---|---|---|---|
| Preapproval (PAI) | PMA submission for Class III devices | Focused on the specific device; evaluates whether the QMS can manufacture the device as described in the application | 3–5 days |
| Surveillance (routine) | Risk-based scheduling | Comprehensive review of QMS subsystems | 3–7 days |
| For-cause | Complaints, MDRs, product failures, whistleblower reports | Targeted investigation of specific issues | Variable |
| Compliance follow-up | Prior 483 or warning letter | Verifies corrective actions have been implemented and are effective | 2–5 days |
Inspection Frequency
The FDA uses a risk-based approach to scheduling inspections:
- Class III device manufacturers — Inspected approximately every 2 years
- Class II device manufacturers — Inspected approximately every 2–4 years, with higher-risk Class II manufacturers inspected more frequently
- Class I device manufacturers — Rarely inspected unless a specific concern arises (complaint, MDR, signal detection)
- Foreign manufacturers — Inspected less frequently than domestic manufacturers due to resource constraints, but foreign inspection activity has been increasing
The Inspection Process
1. Pre-arrival: You will typically receive advance notice for a surveillance inspection (usually 5–10 business days). For-cause inspections may be unannounced.
2. Opening meeting: The investigator presents their credentials and FDA Form 482 (Notice of Inspection). They will outline the scope of the inspection and request access to your facility and records.
3. Facility tour: The investigator will walk through your manufacturing areas, observing operations, environmental controls, material flow, and personnel practices.
4. Record review: The core of the inspection. The investigator will review:
   - Complaint files and CAPA records
   - Design history files
   - Device master records and device history records
   - Nonconformance and rework records
   - Supplier qualification and incoming inspection records
   - Training records
   - Management review minutes
   - Calibration and maintenance records
   - Process validation protocols and reports
5. Personnel interviews: The investigator will speak with operators, engineers, quality staff, and management. They are assessing whether your people understand the procedures and actually follow them.
6. Daily wrap-up: Good investigators will discuss preliminary observations with your management each day. This is not guaranteed — some investigators save observations for the closeout — but most will provide informal daily feedback.
7. Closeout meeting: The investigator presents any Form 483 observations and discusses next steps. Read each observation carefully during the closeout. If you believe an observation is factually inaccurate, discuss it with the investigator at this time. You are entitled to provide clarification, and investigators can remove or modify observations if presented with evidence that changes their assessment. However, do not argue or become confrontational — document your position and address it formally in your written response.
Practical tip: Designate a small team to manage the inspection. Assign a "back room" to prepare requested documents. Never provide documents the investigator did not request. Answer questions honestly and directly — do not volunteer information, speculate, or promise to "look into" something without careful consideration of the implications.
After the QMSR: New Inspection Approach
With the QMSR effective February 2, 2026, the FDA retired the Quality System Inspection Technique (QSIT) — the inspection methodology that organized assessments around the four major subsystems (management controls, design controls, CAPA, production and process controls) with abbreviated coverage of the remaining three.
The new inspection approach under Compliance Program 7382.850 aligns with the ISO 13485 clause structure. Inspectors are now trained to assess compliance against ISO 13485 requirements plus the FDA-specific additions. This means:
- Inspection reports will reference ISO 13485 clauses rather than (or in addition to) 21 CFR 820 sections
- Inspectors will expect to see a QMS built around the ISO 13485 framework
- The "subsystem" approach is replaced by a more holistic process-based assessment
Form 483 Observations
When an FDA investigator identifies a condition that may constitute a violation of the FD&C Act or its regulations, they document it on FDA Form 483, "Inspectional Observations." A Form 483 is not a final agency determination — it is an observation that gives the manufacturer an opportunity to respond.
Most Common 483 Observations (Medical Devices)
Based on FDA inspection data from 2023–2025, the most frequently cited observations consistently fall into these categories:
| Rank | Area | Typical Finding |
|---|---|---|
| 1 | CAPA (820.100 / ISO 13485 Clause 8.5) | Failure to establish procedures for CAPA; failure to investigate the cause of nonconformities; failure to verify or validate corrective actions; failure to verify effectiveness |
| 2 | Complaint handling (820.198 / Clause 8.2.2) | Failure to review, evaluate, and investigate complaints; failure to maintain complaint files; failure to determine whether a complaint represents an event required to be reported to FDA |
| 3 | Design controls (820.30 / Clause 7.3) | Failure to establish design validation procedures; incomplete design verification; failure to establish and maintain design input requirements; design reviews not conducted at suitable stages |
| 4 | Process validation (820.75 / Clause 7.5.6) | Failure to validate processes whose results cannot be fully verified; failure to monitor and control validated processes; failure to revalidate after changes |
| 5 | Purchasing controls (820.50 / Clause 7.4) | Failure to establish procedures for evaluating suppliers; failure to establish requirements for suppliers including quality requirements |
| 6 | Production and process controls (820.70 / Clause 7.5) | Failure to develop, conduct, control, and monitor production processes; failure to establish and maintain procedures for changes to specifications, methods, or processes |
| 7 | Document controls (820.40 / Clause 4.2) | Obsolete documents in use; documents not approved before use; changes not reviewed and approved by appropriate personnel |
| 8 | Records (820.184 / Clause 4.2.5) | Device history records incomplete; records not legible or retrievable; failure to maintain records for the required retention period |
How to Respond to a Form 483
You are not legally required to respond to a Form 483, but you absolutely should. The FDA expects a written response within 15 business days. Your response should:
- Acknowledge each observation — Do not ignore any item, even if you disagree
- Describe the corrective action taken or planned — Be specific. "We will retrain personnel" is insufficient. Describe what procedural changes, system improvements, or design modifications will be implemented.
- Provide a timeline — Commit to specific dates for completing corrective actions
- Include evidence — Where possible, attach evidence of corrective actions already completed (revised procedures, training records, updated validation protocols)
- Address root cause — Demonstrate that you investigated the underlying cause, not just the symptom
Failure to respond — or providing an inadequate response — significantly increases the likelihood of a warning letter.
Warning Letters
A warning letter is a formal communication from the FDA notifying a company that it has significantly violated FDA regulations. Unlike a Form 483, a warning letter is a final, reviewed agency determination that requires a response.
FY2025 Warning Letter Statistics
In fiscal year 2025 (October 2024 – September 2025), the FDA issued 44 warning letters to medical device manufacturers. Of these, 38 (86%) cited Quality System Regulation violations — 11 more than the previous year. This represents a clear enforcement trend: the FDA is increasing pressure on manufacturers with systemic quality system deficiencies.
Consequences of a Warning Letter
- Import alerts — FDA can detain products at the border. For foreign manufacturers, this can effectively shut down US market access.
- Withholding of approvals/clearances — FDA can refuse to approve PMAs or clear 510(k)s until the warning letter issues are resolved
- Consent decrees — For persistent or serious violations, the FDA can seek a court-ordered consent decree requiring specific remediation actions under judicial oversight
- Product seizure — FDA can seek court authorization to seize adulterated or misbranded devices
- Injunction — Court orders to stop manufacturing or distribution
- Criminal prosecution — In cases involving fraud or willful violations, individuals and companies can face criminal charges
Real-World Example: Common Warning Letter Pattern
A typical medical device warning letter follows this pattern:
- FDA conducts a surveillance inspection and identifies multiple GMP deficiencies
- Form 483 is issued with observations across CAPA, complaint handling, and design controls
- Manufacturer submits a response that the FDA deems inadequate — either the corrective actions are too vague, the root cause analysis is superficial, or the timeline is unrealistic
- Warning letter is issued, citing the same observations and noting the inadequate response
- Manufacturer must respond within 15 working days with a comprehensive corrective action plan
- FDA conducts a follow-up inspection to verify corrective actions
Common Warning Letter Citation Patterns
The following patterns appear repeatedly in FDA warning letters to device manufacturers:
Pattern 1 — CAPA System Collapse: The manufacturer's CAPA system exists on paper but is non-functional. CAPAs are opened but never investigated. Root cause analysis is absent or superficial ("operator error" with no further investigation). Corrective actions consist solely of retraining. Effectiveness checks are either missing or performed immediately after the corrective action — too soon to demonstrate sustained improvement.
Pattern 2 — Complaint-to-MDR Disconnect: Complaints are received but not evaluated for MDR reportability. The manufacturer lacks a clear procedure for determining whether a complaint involves a reportable event (death, serious injury, or malfunction that could cause death or serious injury). In some cases, complaints that clearly describe serious patient injuries are closed without MDR filing.
Pattern 3 — Design Control Gaps Revealed by Field Failures: A device has multiple complaints or field failures related to the same failure mode. The investigator traces the issue back to the design history file and discovers that the failure mode was either not identified during risk analysis, not addressed in design inputs, or not tested during design verification and validation. The design control deficiency is the root cause, but the manufacturer has been treating each complaint as an isolated event rather than a systemic design issue.
Pattern 4 — Process Validation Deficiency: A manufacturing process that requires validation (sterilization, sealing, coating, software-controlled assembly) has never been validated — or was validated years ago with no revalidation after significant changes to equipment, materials, or process parameters.
The cost of a warning letter extends far beyond regulatory consequences. Warning letters are public documents, searchable on the FDA website. Customers, investors, and competitors can read them. The reputational damage — and the cost of remediation — often exceeds the cost of maintaining a compliant quality system in the first place.
GMP Requirements by Device Class
Not all devices are subject to the same GMP requirements. The level of regulatory control scales with device risk classification.
United States
| Requirement | Class I (General Controls) | Class II (Special Controls) | Class III (Premarket Approval) |
|---|---|---|---|
| Establishment registration | Yes | Yes | Yes |
| Device listing | Yes | Yes | Yes |
| GMP/QMS (21 CFR 820) | Some exempt; see below | Yes | Yes |
| Design controls | Exempt (unless not GMP-exempt) | Yes | Yes |
| Premarket submission | Most exempt from 510(k) | 510(k) or De Novo | PMA |
| MDR reporting | Yes | Yes | Yes |
| Labeling requirements | Yes | Yes | Yes |
Class I GMP Exemptions
Most Class I devices are exempt from GMP requirements under 21 CFR Part 820 — but with important exceptions:
- Devices labeled or represented as sterile — NOT exempt, full GMP applies
- Devices with measurement functions — NOT exempt
- Devices with software — NOT exempt
Even GMP-exempt Class I manufacturers must still comply with:
- Complaint files (21 CFR 820.198) — All device manufacturers must maintain complaint files regardless of GMP exemption status
- General recordkeeping (21 CFR 820.180) — Basic records requirements still apply
- MDR reporting — Mandatory for all manufacturers
- Establishment registration and device listing — Mandatory for all manufacturers
You can verify whether a specific device type is GMP-exempt by checking the FDA's Product Classification Database using the device's product code.
European Union
The EU MDR takes a different approach. All manufacturers must establish a quality management system, but the level of Notified Body involvement depends on the device class:
| Device Class | Notified Body Involvement | QMS Audit Required? |
|---|---|---|
| Class I | No Notified Body required (self-declaration) | No (manufacturer self-declares conformity) |
| Class I (sterile, measuring, reusable surgical) | Notified Body required for specific aspects | Yes, for specific functions |
| Class IIa | Notified Body required | Yes |
| Class IIb | Notified Body required | Yes |
| Class III | Notified Body required — full QMS audit and technical documentation review (Annex IX) | Yes, comprehensive |
GMP Audits: Internal and Third-Party
Audits are the mechanism for verifying that your quality system actually works as documented. There are three types that matter.
Internal Audits
ISO 13485 Clause 8.2.4 requires internal audits at planned intervals to determine whether the QMS conforms to planned arrangements, the requirements of ISO 13485, and QMS requirements established by the organization — and whether the QMS is effectively implemented and maintained.
Best practices for internal audits:
- Audit schedule — Cover all QMS processes within a defined cycle (typically annual). Higher-risk processes should be audited more frequently.
- Auditor independence — Auditors must not audit their own work. This can be challenging for small companies — consider using external auditors or cross-training staff from different departments.
- Checklist development — Build audit checklists from ISO 13485 clauses, applicable regulations, and your own procedures. Do not rely solely on generic checklists.
- Objective evidence — Record findings based on objective evidence (documents reviewed, records examined, personnel interviewed, observations made), not opinions.
- CAPA linkage — Audit findings that represent nonconformities must be entered into the CAPA system and tracked to closure.
- Trend analysis — Track audit findings over time. Recurring findings in the same area indicate a systemic issue that needs escalation.
- Management reporting — Internal audit results must be reported in management review. This is a mandatory input per ISO 13485 Clause 5.6.2.
Third-Party Audits (Certification Audits)
Third-party audits are conducted by accredited registrars (also called certification bodies or Notified Bodies, depending on the context) to assess conformity to ISO 13485 and applicable regulations.
Audit types:
| Audit Type | Timing | Duration | Scope |
|---|---|---|---|
| Stage 1 (Document review) | Before initial certification | 1–2 days | QMS documentation adequacy review; readiness assessment |
| Stage 2 (On-site audit) | After Stage 1 | 3–6 days (size-dependent) | Full QMS assessment; records, processes, facilities |
| Surveillance audits | Annually after certification | 2–4 days | Partial QMS assessment; focus areas rotate |
| Recertification audit | Every 3 years | 3–5 days | Comprehensive reassessment; covers entire QMS |
Supplier Audits
Your approved supplier list should define audit frequency based on supplier risk classification. For critical suppliers (those providing components or services that directly affect device safety or performance):
- Initial qualification audit — Before approval
- Periodic audits — Annually or per risk-based schedule
- For-cause audits — Triggered by quality events, complaints, or nonconforming material
International GMP Requirements Comparison
Medical device GMP requirements vary by market, but ISO 13485 serves as the common thread. Here is how the major markets compare:
| Aspect | US (FDA) | EU (MDR) | Japan (PMDA) | Canada (Health Canada) | Brazil (ANVISA) | Australia (TGA) |
|---|---|---|---|---|---|---|
| Primary regulation | 21 CFR 820 (QMSR) | EU MDR 2017/745 | MHLW Ordinance 169 | CMDR (SOR/98-282) | RDC 665/2022 | TG Act 1989 |
| QMS standard | ISO 13485 (incorporated by reference) | ISO 13485 (harmonized) | ISO 13485 (aligned) | ISO 13485 (required) | ISO 13485 (aligned) | ISO 13485 (required) |
| Design controls | Class II & III | All classes (with justification for exclusion) | All classes | All classes | All classes | All classes |
| GMP certification required | No (FDA inspects) | Notified Body audit for Class IIa+ | QMS conformity investigation (PMDA/RCB) | MDSAP audit | B-GMP certification (Class III/IV) | Conformity assessment |
| GMP certificate validity | N/A | 5 years (certificate) | 5 years | 3 years (MDSAP cycle) | 2 years (extendable) | 5 years |
| Inspection by regulator | Yes (FDA) | Notified Body + competent authority | PMDA or RCB | MDSAP auditing organization | ANVISA | TGA or JAS-ANZ |
Key Differences to Note
Japan — MHLW Ordinance 169 aligns with ISO 13485:2016 (revised in 2021, transition completed March 2024), but includes additional Japan-specific requirements. QMS conformity certificates are valid for 5 years. Japan also requires that the Marketing Authorization Holder (MAH) maintain its own quality management system, separate from the manufacturing site's QMS. The PMDA conducts QMS conformity investigations as part of the device approval process.
Brazil — ANVISA requires B-GMP (Brazilian Good Manufacturing Practice) certification for Class III and IV devices. RDC 665/2022 defines Brazilian QMS requirements. Class I and II devices are exempt from B-GMP certification but must still comply with QMS requirements. B-GMP certificates are valid for 2 years and can be extended to 4 years for MDSAP-certified manufacturers. ANVISA inspections can include on-site visits to foreign manufacturing facilities.
Canada — Requires ISO 13485 certification through MDSAP for device license applications. Canadian Medical Devices Regulations (CMDR) contain additional requirements including mandatory problem reporting, recall procedures, and distribution records. Canada was the first country to make MDSAP participation mandatory for device license applications.
Australia — The TGA recognizes ISO 13485 certification and accepts MDSAP audit reports. Australian-specific requirements include conformity assessment procedures under the Therapeutic Goods (Medical Devices) Regulations 2002 and mandatory adverse event reporting.
Convergence trend: The global regulatory landscape is converging toward ISO 13485 as the universal device QMS standard. The QMSR was the final major holdout — with the US now incorporating ISO 13485 by reference, manufacturers building their QMS around this standard can access virtually every major market with a single quality system, supplemented by country-specific additions.
MDSAP and GMP
The Medical Device Single Audit Program (MDSAP) allows a single audit by an MDSAP-recognized auditing organization to satisfy the regulatory requirements of five participating countries: United States, Canada, Australia, Japan, and Brazil.
How MDSAP Relates to GMP
MDSAP audits are conducted against ISO 13485:2016, plus the country-specific regulatory requirements of each participating country. A single MDSAP audit can replace:
- An FDA surveillance inspection (the FDA may still conduct for-cause inspections)
- A Health Canada audit (MDSAP is mandatory for Canadian device licenses)
- A TGA conformity assessment
- A PMDA QMS conformity investigation
- An ANVISA B-GMP inspection (for countries accepting MDSAP results)
MDSAP Benefits for GMP Compliance
- Single audit, multiple markets — Reduces audit burden and cost
- Harmonized approach — Auditing organizations use a standardized audit model across all participating countries
- Pre-QMSR advantage — Since MDSAP already audited against ISO 13485, companies with MDSAP certification were better prepared for the QMSR transition
- Predictable schedule — MDSAP follows a 3-year certification cycle with annual surveillance audits
Strategic consideration: Even if you currently only sell in the US, obtaining MDSAP certification demonstrates a mature, internationally harmonized QMS. It also positions you for faster entry into Canada, Australia, Japan, and Brazil if you decide to expand.
How GMP Relates to Other GxP Frameworks
GMP is one component of a broader family of "Good Practice" (GxP) regulatory frameworks. Understanding how these frameworks relate to each other is important for manufacturers of combination products, companies with clinical programs, and organizations navigating multiple regulatory obligations.
| Framework | Full Name | Scope | Relevance to Device Manufacturers |
|---|---|---|---|
| GMP | Good Manufacturing Practice | Manufacturing, quality systems, production controls | Core requirement for all device manufacturers |
| GLP | Good Laboratory Practice | Non-clinical laboratory studies (safety testing, biocompatibility) | Applies to non-clinical studies submitted to FDA to support device safety — biocompatibility testing per ISO 10993 performed under GLP (21 CFR Part 58) |
| GCP | Good Clinical Practice | Clinical trials and investigations | Applies to clinical investigations of devices (IDE studies). Governed by 21 CFR Parts 812 and 50 for devices, ICH E6(R2) for drugs |
| GDP | Good Distribution Practice | Storage, transport, and distribution of products | Ensures devices maintain quality during distribution. Particularly important for temperature-sensitive devices and cold-chain logistics |
| GVP | Good Pharmacovigilance Practice | Post-market safety monitoring and adverse event reporting | The device equivalent is MDR reporting (21 CFR Part 803) and postmarket surveillance. Relevant for combination products subject to both drug and device postmarket requirements |
| GAMP | Good Automated Manufacturing Practice | Computerized systems validation | GAMP 5 (ISPE) provides a risk-based framework for validating computerized systems used in GMP environments — including QMS software, manufacturing execution systems (MES), laboratory information management systems (LIMS), and ERP systems |
Combination products: If your device is a combination product (e.g., a drug-eluting stent, a pre-filled syringe, or a device with an integrated biologic), you may be subject to both device GMP (21 CFR 820) and drug/biologic GMP (21 CFR 210/211 or 21 CFR 600). The FDA assigns a primary mode of action (PMOA) that determines the lead review center, but GMP compliance obligations apply to all constituent parts.
Training and Competency Requirements
GMP compliance depends on people. ISO 13485 Clause 6.2 requires that personnel performing work affecting product quality are competent on the basis of appropriate education, training, skills, and experience.
GMP Training Program Elements
A compliant training program must include:
- Initial training — All new employees must receive GMP orientation training before performing any work that affects product quality. This includes an overview of the quality management system, relevant regulations, and company-specific procedures.
- Job-specific training — Documented training on the specific procedures, work instructions, and equipment an employee will use. Training must be documented and include an assessment of competency (not just attendance records).
- Ongoing training — Periodic refresher training, training on revised procedures, and training triggered by nonconformities or CAPA findings related to training gaps.
- GMP awareness training — Personnel at all levels should understand why GMP matters, not just what to do. Understanding the patient safety impact of their work drives better compliance than rote procedure memorization.
Competency Assessment
The FDA distinguishes between training (exposure to information) and competency (demonstrated ability to perform a task correctly). Your training program must include competency assessments:
- Written assessments — Tests or quizzes to verify understanding of procedures and requirements
- Practical demonstrations — Observed performance of manufacturing tasks, gowning procedures, or equipment operation
- On-the-job evaluation — Supervisor observation and sign-off during initial production activities
- Periodic re-assessment — Regular competency verification, particularly for critical processes
FDA observation trend: "Personnel performing work affecting product quality have not been trained as required." This observation appears consistently in Form 483s. The most common finding is not that training did not occur, but that competency was not adequately assessed or documented.
Common GMP Failures and How to Prevent Them
Based on FDA enforcement data, audit findings, and industry experience, here are the most common GMP failures — and practical strategies to prevent them.
1. CAPA System Failures
The problem: CAPAs opened but never closed. Root cause analysis that stops at "operator error." Corrective actions limited to retraining. No effectiveness verification.
Prevention:
- Implement mandatory root cause analysis tools (5 Whys, fishbone diagrams, fault tree analysis) and require investigation beyond the immediate cause
- Define criteria for when a CAPA can be closed — including a minimum effectiveness monitoring period
- Track CAPA metrics (aging, overdue, recurrence) and report them in management review
- Ensure preventive actions are truly proactive — analyze trend data, near-misses, and external data sources (recalls, MDR databases)
2. Inadequate Design Controls
The problem: Design inputs that are vague or incomplete. Design verification testing that does not cover all design inputs. Design validation performed in conditions that do not simulate actual use.
Prevention:
- Use a design input requirements traceability matrix that maps every design input to a verification method and acceptance criteria
- Include risk analysis outputs (ISO 14971) as design inputs
- Conduct design validation with actual users under simulated use conditions — not bench testing alone
- Perform design reviews with documented attendance, action items, and follow-up
3. Process Validation Gaps
The problem: Processes validated years ago with no revalidation. Validation protocols that do not define acceptance criteria. Process changes implemented without assessing the impact on validation status.
Prevention:
- Establish a process validation master plan that lists all validated processes, their validation status, and revalidation triggers
- Implement a change control system that requires assessment of validation impact for every change
- Monitor validated processes using statistical process control (SPC) — if a process drifts, investigate before it goes out of control
- Document revalidation criteria and schedules
4. Supplier Control Deficiencies
The problem: Suppliers used without qualification. No incoming inspection program. Supplier changes not communicated or assessed.
Prevention:
- Risk-classify all suppliers and define appropriate controls for each tier
- Establish quality agreements with all critical suppliers
- Implement incoming inspection sampling plans based on risk and supplier performance history
- Include supplier change notification requirements in purchase agreements and quality agreements
5. Document Control Breakdowns
The problem: Obsolete procedures still in use on the production floor. Documents changed without proper approval. Electronic systems not validated for 21 CFR Part 11 compliance.
Prevention:
- Implement an electronic document management system (eDMS) with built-in version control, approval workflows, and access controls
- Conduct periodic floor audits to verify that only current-revision documents are in use
- Validate electronic systems for Part 11 compliance before use
- Train all personnel on document control procedures — not just quality staff
6. Complaint Handling Deficiencies
The problem: Complaints not evaluated for MDR reportability. Investigation timelines not defined or not met. Complaints closed without adequate investigation.
Prevention:
- Define clear criteria for what constitutes a complaint (FDA's definition is broad — any written, electronic, or oral communication that alleges deficiencies)
- Establish mandatory MDR reportability assessment for every complaint
- Define investigation timelines and track compliance
- Link complaint trends to CAPA and design review processes
Frequently Asked Questions
What is the difference between GMP and cGMP?
Technically, there is no difference. The "c" in cGMP stands for "current," emphasizing that manufacturers must use up-to-date technologies, methods, and systems. The FDA uses "cGMP" to signal that compliance is measured against the current state of the art, not the state of the art when the regulation was written. In practice, "GMP" and "cGMP" are used interchangeably in the medical device context.
Is ISO 13485 certification the same as GMP compliance?
No. ISO 13485 certification is a voluntary, third-party assessment of your quality management system against the ISO 13485 standard. GMP compliance is a regulatory obligation. However, with the QMSR incorporating ISO 13485 by reference, ISO 13485 certification now provides strong evidence of GMP compliance for FDA purposes — though the FDA retains additional requirements beyond ISO 13485.
Do Class I devices need GMP?
Most Class I devices are exempt from GMP requirements under 21 CFR Part 820, but there are critical exceptions: devices labeled or represented as sterile, devices with measurement functions, and devices containing software are NOT exempt. Even GMP-exempt Class I manufacturers must maintain complaint files and general records.
How often does the FDA inspect medical device manufacturers?
The FDA uses a risk-based approach. Class III device manufacturers are typically inspected every 2 years. Class II manufacturers are inspected every 2–4 years, depending on risk factors. Class I manufacturers are rarely inspected unless a specific concern arises. Foreign manufacturers are inspected less frequently than domestic manufacturers, but inspection frequency is increasing.
What is a Form 483 and how should I respond?
FDA Form 483 lists inspectional observations — conditions that may violate the FD&C Act or its regulations. It is not a final determination. You should respond within 15 business days with specific corrective actions, timelines, root cause analysis, and evidence of corrections already made. Failure to respond adequately increases the likelihood of a warning letter.
Can I get GMP certification from the FDA?
No. The FDA does not issue GMP certificates. The FDA inspects and issues findings (483s, warning letters, or no-findings letters). If you need a GMP certificate for international regulatory submissions, you can obtain ISO 13485 certification from an accredited registrar, participate in MDSAP, or request an export certificate from the FDA under certain circumstances.
What is the relationship between GMP and MDSAP?
MDSAP audits evaluate your QMS against ISO 13485 plus the country-specific requirements of five participating countries (US, Canada, Australia, Japan, Brazil). A successful MDSAP audit can substitute for individual country inspections, including FDA surveillance inspections. MDSAP is one of the most efficient ways to demonstrate GMP compliance across multiple markets.
How do I prepare for a GMP inspection?
Preparation should be ongoing, not reactive. Maintain your quality system in a state of continuous compliance. Conduct regular internal audits. Keep complaint files, CAPA records, and validation documentation current. Designate an inspection team and maintain a "war room" with organizational charts, facility layouts, quality manual, SOPs, and training documentation. Review your last inspection findings and verify that all corrective actions have been completed and are effective.
What is the cost of GMP non-compliance?
The direct costs include warning letter remediation (typically $500,000 to $5 million depending on scope), consent decree compliance (often $10 million or more), product recalls, and lost revenue from withheld approvals. The indirect costs — reputational damage, lost customer confidence, increased audit scrutiny, and difficulty attracting talent — are often even higher. Companies under consent decree typically spend 2–5 years and tens of millions of dollars to return to full compliance, and the consent decree remains on public record indefinitely.
Does GMP apply to software-only medical devices (SaMD)?
Yes. Software as a Medical Device (SaMD) is subject to GMP requirements. While SaMD manufacturers do not have traditional manufacturing processes (no cleanrooms, no sterilization), they must maintain a QMS that includes design controls, document and record controls, CAPA, complaint handling, and software lifecycle management per IEC 62304. The "manufacturing" of software is the development, build, and release process — and it must be controlled under design controls and validated. See our SaMD Regulatory Guide for details.
How do I handle contract manufacturing under GMP?
Using a contract manufacturer does not relieve you of GMP obligations. As the device legal manufacturer (the entity whose name appears on the label), you are responsible for the quality of the finished device regardless of where it is manufactured. Your responsibilities include:
- Qualifying the contract manufacturer through audit and supplier evaluation
- Establishing a quality agreement that defines responsibilities, specifications, change notification requirements, and right to audit
- Maintaining the Device Master Record and ensuring the contract manufacturer follows it
- Reviewing and approving Device History Records
- Conducting incoming inspection of finished goods received from the contract manufacturer
- Monitoring the contract manufacturer's quality performance through periodic audits and performance metrics
- Including the contract manufacturing site in your CAPA and complaint handling processes
What records must I keep and for how long?
Under the QMSR and ISO 13485, records must be retained for the lifetime of the medical device, or a minimum of 2 years from the date of commercial distribution, whichever is longer. For implantable devices, this effectively means records must be retained for the expected implant life plus 2 years. Key records include the Device Master Record, Device History Records, complaint files, CAPA records, audit reports, management review minutes, training records, calibration records, supplier evaluation records, and process validation reports.
What is the difference between 21 CFR Part 820 and ISO 13485?
Before the QMSR, 21 CFR Part 820 (the QSR) was a standalone, FDA-specific regulation, while ISO 13485 was a voluntary international standard. They covered similar ground but used different terminology, had different structural organization, and contained some conflicting requirements — which forced manufacturers to maintain parallel documentation. With the QMSR effective February 2, 2026, the FDA incorporated ISO 13485:2016 by reference into 21 CFR Part 820, largely eliminating this conflict. Now, 21 CFR Part 820 is ISO 13485 plus FDA-specific additions (complaint files, MDR integration, UDI, corrections and removals). The key remaining difference is that 21 CFR Part 820 is a legally enforceable regulation (non-compliance can result in enforcement action), while ISO 13485 certification is a voluntary third-party assessment.
What is 21 CFR Part 11 and how does it relate to GMP?
21 CFR Part 11 governs electronic records and electronic signatures. If you use electronic systems to create, modify, maintain, archive, retrieve, or transmit records required by GMP regulations, those systems must comply with Part 11. Key requirements include validated systems, audit trails that capture who changed what and when, electronic signature controls (unique user IDs, passwords, authority checks), and system security to prevent unauthorized access. With the shift toward electronic QMS platforms and paperless manufacturing, Part 11 compliance is increasingly important — and increasingly scrutinized during FDA inspections.
What are the GMP requirements for IVDs (In Vitro Diagnostic devices)?
In vitro diagnostic devices are subject to the same GMP requirements as other medical devices under 21 CFR Part 820 (QMSR). In the EU, IVDs are governed by the In Vitro Diagnostic Regulation (EU 2017/746, IVDR), which requires a quality management system aligned with ISO 13485. IVD manufacturers face additional considerations including reagent stability and shelf life validation, lot-to-lot consistency testing, reference material and calibrator traceability, and performance evaluation studies. The FDA's QMSR applies equally to IVD and non-IVD devices.
Building a GMP-Compliant Quality System from Scratch
For startups and companies entering the medical device space for the first time, building a GMP-compliant quality system can seem overwhelming. Here is a practical sequence:
1. Define your scope — What devices will you manufacture? What device class? What markets will you sell into? The answers determine the specific GMP requirements that apply.
2. Obtain ISO 13485:2016 — Purchase the standard from ISO or your national standards body. This is your blueprint.
3. Develop your quality manual — Define your quality policy, QMS scope, organizational structure, process interactions, and exclusions (with justification).
4. Write your core procedures — Start with the mandatory documented procedures: document control, record control, internal audit, CAPA, control of nonconforming product, management review.
5. Establish design controls — If you are developing a device, your design control process must be in place from the beginning. Retrofitting design controls after development is complete is extremely difficult and rarely convincing to auditors.
6. Implement production procedures — Develop your DMR, manufacturing work instructions, incoming inspection procedures, in-process inspection procedures, and final release procedures.
7. Validate your processes — Identify all processes requiring validation and execute IQ/OQ/PQ before production begins.
8. Qualify your suppliers — Evaluate, approve, and document your critical suppliers before using their components.
9. Train your personnel — Document GMP training, job-specific training, and competency assessment for all personnel affecting product quality.
10. Conduct internal audits — Audit your QMS before seeking certification or FDA registration. Identify and correct deficiencies proactively.
Practical advice for startups: Do not try to build a quality system by copying another company's procedures. Your QMS must reflect your actual processes, your actual organization, and your actual products. Auditors can immediately tell when procedures are generic templates that do not match the company's operations.
Consequences of GMP Non-Compliance
The consequences of failing to comply with GMP requirements extend across regulatory, financial, operational, and reputational dimensions. Understanding the full scope of potential consequences reinforces why GMP investment is not optional.
Regulatory Consequences
- Form 483 observations — Documented inspectional findings that require a written response within 15 business days
- Warning letters — Formal agency determinations that trigger mandatory corrective action and are published on the FDA's website
- Import alerts and detention — FDA can detain imported devices at the border, effectively blocking US market access for foreign manufacturers
- Withholding of approvals — FDA can refuse to approve PMAs, clear 510(k)s, or grant De Novo classifications until GMP deficiencies are resolved
- Consent decrees — Court-ordered remediation agreements requiring specific corrective actions under judicial oversight, often with an independent quality consultant
- Product seizure — Court-authorized seizure of adulterated or misbranded devices from the manufacturer or from the market
- Injunction — Court orders prohibiting manufacturing or distribution until compliance is achieved
- Criminal prosecution — For willful violations or fraud, individuals and companies can face criminal charges, including imprisonment
Financial Impact
- Remediation costs — Warning letter remediation typically costs $500,000 to $5 million. Consent decree remediation frequently exceeds $10 million and can run to $50 million or more for large companies.
- Recall costs — Field corrections and product removals involve notification costs, replacement or repair costs, logistics, and customer management. A single major recall can cost millions.
- Lost revenue — Withheld approvals, import alerts, and manufacturing shutdowns directly impact revenue. Companies under consent decree may be unable to launch new products for years.
- Increased insurance costs — Product liability insurance premiums increase after enforcement actions, recalls, or adverse events linked to GMP failures.
- Litigation — Product liability lawsuits are more likely — and more difficult to defend — when GMP violations can be demonstrated. Plaintiff attorneys routinely cite FDA warning letters and recall notices as evidence of negligence.
Operational and Reputational Consequences
- Customer loss — Hospitals, distributors, and group purchasing organizations (GPOs) monitor FDA enforcement actions and may drop non-compliant suppliers
- Investor confidence — For publicly traded companies, FDA enforcement actions can trigger stock price declines and investor scrutiny
- Talent retention — Quality and regulatory professionals prefer to work at compliant organizations. Companies with enforcement histories may struggle to attract qualified personnel.
- Competitive disadvantage — Competitors will use your enforcement history against you in sales situations. Warning letters and consent decrees remain publicly searchable indefinitely.
Future Trends in Medical Device GMP
The GMP landscape is evolving. Manufacturers should anticipate and prepare for these emerging trends:
Advanced Manufacturing Technologies
3D printing (additive manufacturing) is increasingly used for patient-specific implants, surgical guides, and prototyping. The FDA has published guidance on technical considerations for additive manufactured devices, but GMP frameworks for 3D-printed devices are still maturing. Key challenges include process validation of additive processes, material qualification, and post-processing controls. Manufacturers using 3D printing must apply the same IQ/OQ/PQ framework to their additive manufacturing equipment and processes.
Nanotechnology and advanced materials introduce new challenges for process validation, biocompatibility testing, and environmental controls. Nanoscale manufacturing may require novel characterization methods and more sophisticated process monitoring.
Digitalization and Industry 4.0
Digital transformation of GMP is accelerating. Key developments include:
- Electronic quality management systems (eQMS) — Replacing paper-based quality systems with validated electronic systems that automate workflows for CAPA, complaints, document control, training, and change management
- Manufacturing Execution Systems (MES) — Real-time monitoring and control of manufacturing processes, with electronic batch records replacing paper DHRs
- Internet of Things (IoT) and sensor integration — Continuous monitoring of environmental conditions, equipment parameters, and process variables with automated alerting
- Artificial intelligence and machine learning — Predictive analytics for process optimization, anomaly detection, and predictive maintenance. The FDA has signaled interest in AI/ML-based manufacturing through its ongoing guidance development.
- Digital twins — Virtual replicas of manufacturing processes used for process optimization, troubleshooting, and training without impacting production
- Blockchain for supply chain traceability — Emerging use of distributed ledger technology to provide tamper-proof traceability records across global supply chains
Regulatory note on computerized systems: Any computerized system used to create, modify, maintain, or transmit GMP-required records must be validated per 21 CFR Part 11 (electronic records and electronic signatures). The EU equivalent is Annex 11 (Computerised Systems). Validation should follow a risk-based approach such as GAMP 5.
Personalized Medicine and Patient-Specific Devices
The growth of patient-specific devices (custom implants, personalized surgical guides, patient-matched prosthetics) challenges traditional GMP models that assume batch manufacturing of identical units. Manufacturers of patient-specific devices must develop GMP processes that accommodate variable geometry and specifications while maintaining consistent quality and safety. Design controls, process validation, and acceptance activities must be adapted for a manufacturing model where every unit may be different.
Regulatory Convergence
The global regulatory landscape continues to converge around ISO 13485 as the universal device QMS standard. The QMSR was a watershed moment — the last major regulatory holdout. Future developments to watch include:
- Potential revision of ISO 13485 (the current 2016 edition is due for review)
- Expansion of MDSAP to additional participating countries
- Increasing adoption of IMDRF (International Medical Device Regulators Forum) guidance documents
- Harmonization of postmarket surveillance requirements across markets
Sustainability and Environmental Considerations
Environmental sustainability is becoming a GMP consideration:
- EO sterilization scrutiny — Ethylene oxide is a known carcinogen, and regulatory pressure on EO emissions is increasing. The EPA has proposed stricter emission standards for EO sterilization facilities. Manufacturers should evaluate alternative sterilization methods and emission control technologies.
- Single-use vs. reusable devices — Growing regulatory and market pressure to reduce medical device waste. Reprocessing of single-use devices is regulated by the FDA (reprocessors must meet the same GMP requirements as original manufacturers).
- Packaging reduction — Optimizing packaging to reduce waste while maintaining sterile barrier integrity and device protection.
- Supply chain sustainability — Increasing customer and regulatory expectations for environmentally responsible supply chain practices.
Remote and Hybrid Auditing
The COVID-19 pandemic accelerated adoption of remote auditing techniques. While on-site audits remain the standard, hybrid approaches combining remote document review with focused on-site activities are becoming more accepted. MDSAP and Notified Bodies have developed frameworks for remote auditing that are likely to persist. Manufacturers should ensure their eQMS and documentation systems can support remote auditor access securely and efficiently.
Key Takeaways
GMP is not optional. Every medical device manufacturer selling in the US must comply with 21 CFR Part 820 (now the QMSR). Most international markets have equivalent requirements based on ISO 13485.
The QMSR is now in effect. As of February 2, 2026, the FDA has replaced the legacy QSR with the QMSR, incorporating ISO 13485:2016 by reference. If you have not completed your transition, you are non-compliant.
CAPA is the #1 enforcement target. CAPA deficiencies appear in the majority of Form 483 observations and warning letters. Invest in a robust CAPA system with real root cause analysis and verified effectiveness.
Process validation is not a one-time event. IQ/OQ/PQ must be maintained through revalidation when changes occur and through ongoing process monitoring.
Design controls trace from complaint to input. The FDA is increasingly tracing postmarket problems back to design inputs. Ensure your design controls are complete and your traceability matrix is airtight.
Supplier control is your responsibility. Outsourcing does not remove your GMP obligations. Control your supply chain with qualified suppliers, quality agreements, incoming inspection, and ongoing monitoring.
Inspections are risk-based. Higher-risk devices and manufacturers with compliance history issues are inspected more frequently. Maintaining a clean compliance record reduces your inspection burden.
MDSAP provides efficiency. A single MDSAP audit can satisfy GMP requirements for five countries. Even if you only sell in the US, MDSAP positions you for international expansion.
Warning letters are public and costly. The reputational and financial cost of a warning letter far exceeds the cost of maintaining a compliant quality system. Prevention is always cheaper than remediation.
GMP is a culture, not a document. The most compliant companies are those where quality is embedded in daily operations — not confined to the quality department. Management commitment, employee training, and a culture of continuous improvement are the real foundations of GMP compliance.