| Good Manufacturing Practice (GMP) for medical devices is the set of regulatory requirements that governs how medical device manufacturers must design, produce, control, and document their manufacturing processes. In the United States, GMP for medical devices is codified in 21 CFR Part 820 — now called the Quality Management System Regulation (QMSR) — which became effective February 2, 2026, incorporating ISO 13485:2016 by reference. |
GMP compliance is not optional for manufacturers who want to sell medical devices in regulated markets. It is a legal prerequisite — and the FDA actively inspects manufacturing sites to verify compliance. [3]
This guide explains what GMP requires in practice, covers the February 2026 QMSR update that significantly changed US compliance obligations, and outlines the consequences of non-compliance for manufacturers operating in regulated markets.
What Is GMP for Medical Devices?
Good Manufacturing Practice (GMP) is a system of binding requirements designed to ensure that medical devices are consistently manufactured to the quality standards required for safe, effective use. It addresses every aspect of production that could affect device quality — from how facilities are designed to how staff are trained, how processes are validated, and how problems are investigated and corrected.
GMP is not a single document:
- In the United States, the governing regulation is 21 CFR Part 820 (QMSR, effective 2026).
- In the European Union, GMP requirements for medical devices are embedded in the EU Medical Device Regulation (EU MDR 2017/745) and supported by ISO 13485:2016.
- Canada, Japan, and Australia all use ISO 13485:2016 as the core basis for their medical device quality requirements.
Following GMP creates a documented, auditable manufacturing system. Every production batch can be traced. Every deviation is investigated. Every change is controlled. This traceability is what allows the FDA to determine the scope of a recall, identify the root cause of a field failure, and hold manufacturers accountable for corrective action.
cGMP vs GMP — What ‘Current’ Means
The FDA uses the term ‘current Good Manufacturing Practice’ (cGMP) to emphasise that GMP is not static. What constitutes acceptable practice evolves as technology, materials, and risk understanding advance. Manufacturers are expected to keep their quality systems aligned with the current state of regulatory expectation — not just the written requirements of the most recent regulation they read.
In practice, this means regulatory agencies issue guidance documents, inspection observation trends, and warning letters that signal what ‘current’ means in their enforcement environment. Following the letter of the regulation while ignoring FDA guidance on its interpretation is a compliance risk.
The 2026 QMSR Update: Why It Matters
On February 2, 2026, the FDA’s Quality Management System Regulation (QMSR) came into effect, replacing the Quality System Regulation (QSR) that had governed US medical device GMP since 1996. This is the most significant regulatory change to US medical device manufacturing requirements in 30 years. [1]
The core change: instead of maintaining its own separately-written quality system requirements, the FDA now incorporates ISO 13485:2016 — the international medical device QMS standard — directly into 21 CFR Part 820 by reference.
Why the FDA Made This Change
Before the QMSR, manufacturers selling devices in both the US and the EU faced two separate quality system frameworks — the FDA’s QSR and ISO 13485. Despite covering similar ground, they used different terminology, different documentation structures, and different audit processes. Dual compliance required significant additional administrative effort.
The QMSR harmonises US requirements with those of Canada, the EU, Japan, and Australia — all of which already use ISO 13485 as their GMP foundation. This alignment also supports the Medical Device Single Audit Program (MDSAP), which allows a single audit to satisfy regulatory requirements in multiple jurisdictions simultaneously. [2]
Key Elements of GMP in Medical Device Manufacturing
GMP compliance is not a single checkpoint — it is an integrated system where each element supports the others. The table below maps the 11 core GMP elements to their governing standards and what they require in practice.
| GMP Element | Governing Standard / Regulation | What It Requires in Practice |
| Quality Management System (QMS) | ISO 13485:2016 / QMSR §820.10 | Documented framework of procedures, processes, and responsibilities. Covers the full product lifecycle from design input through post-market surveillance. Required for all Class II and III device manufacturers. |
| Design Controls | ISO 13485 Clause 7.3 / QMSR | Procedures to ensure device design meets user needs and intended use. Covers design inputs, outputs, verification, validation, reviews, and transfer. Design History File (DHF) documents all design control activities. |
| Process Validation | ISO 13485 Clause 7.5.6 / QMSR | Documented evidence that manufacturing processes consistently produce products meeting specifications. Required as a ‘special process’ where output cannot be fully verified by end-of-line inspection. Covers IQ/OQ/PQ protocols. |
| Risk Management | ISO 14971:2019 | Systematic identification, estimation, evaluation, and control of device risks. Risk management file must be maintained throughout the device lifecycle. Linked to design controls, post-market surveillance, and CAPA. |
| Document and Record Control | ISO 13485 Clause 4.2 / QMSR | All GMP activities must be documented and records retained. Controlled documents include SOPs, work instructions, forms, and specifications. Records demonstrate compliance during FDA inspections and audits. |
| Supplier and Purchasing Controls | ISO 13485 Clause 7.4 / QMSR | Evaluation, selection, and monitoring of suppliers and subcontractors. Supplier qualification records and audits now subject to FDA inspection under QMSR. Purchasing specifications must ensure material quality. |
| Corrective and Preventive Action (CAPA) | ISO 13485 Clause 8.5.2/8.5.3 | Systematic investigation of quality problems and implementation of corrective actions to prevent recurrence. CAPA records are a primary focus of FDA inspections — inadequate CAPA is among the most common Form 483 observations. |
| Complaint Handling and MDR | ISO 13485 Clause 8.2.2 / 21 CFR Part 803 | Process for receiving, reviewing, and evaluating complaints. Adverse events, malfunction reports, and serious injuries must be reported to FDA via MDR (Medical Device Report). QMSR explicitly links complaint handling to MDR obligations. |
| Facility, Equipment, and Calibration | ISO 13485 Clauses 6.3, 7.5.1, 7.6 | Facilities must be designed to prevent contamination and support controlled workflow. All measurement and monitoring equipment must be calibrated to traceable standards. Calibration records must be maintained. |
| Personnel Qualifications and Training | ISO 13485 Clause 6.2 | Staff must be qualified, trained, and their training documented. Training must address procedures relevant to their roles, awareness of GMP principles, and any role-specific regulatory requirements. |
| Sterilisation Controls | ISO 11135, ISO 11137, ISO 17665 | For sterile devices, sterilisation processes must be validated, monitored, and controlled. Sterility Assurance Level (SAL) of 10⁻⁶ must be demonstrated. Parametric release requires validated process control records. |
Of the 11 elements above, CAPA (Corrective and Preventive Action) draws the most attention during FDA inspections. An inadequate CAPA system — one that closes actions without demonstrated root cause elimination — is consistently among the top five Form 483 observations issued at medical device manufacturing sites.
How GMP Operates in Practice: The Manufacturing Floor Perspective
Understanding GMP requirements at the regulatory level is necessary but not sufficient. The test of GMP compliance is whether the documented requirements actually drive behaviour on the manufacturing floor — consistently, across shifts, equipment types, and product families.
Design Controls: Where Quality Begins
Design controls govern how a device goes from concept to manufacturable product. The Design History File (DHF) documents every design decision, design review, verification test, and validation activity. If an FDA inspector asks why a device performs the way it does, the DHF is the document that provides the evidence-based answer.
Design controls apply to all Class II and III medical devices, and to any Class I device with measurement functions or that is intended to be sterilised. They require that device design meets user needs — not just engineering targets — and that changes to design are controlled through a documented change process.
Process Validation: Why ‘Inspecting Quality In’ Is Not Enough
For manufacturing processes where the output cannot be fully verified by end-of-line inspection — injection moulding of microfluidic features, hermetic sealing of active implant housings, sterilisation validation — process validation is mandatory under ISO 13485 Clause 7.5.6.
Process validation demonstrates, through Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ), that a process consistently produces conforming product when operated within its validated parameter range. Validated processes operate predictably; unvalidated processes rely on inspection to catch failures that could have been prevented.
Supplier Controls: The Extended Manufacturing Footprint
A medical device manufacturer is responsible for the quality of every component and service that goes into their device — including those sourced from suppliers. GMP requires that suppliers be evaluated, selected based on quality criteria, and monitored throughout the supply relationship.
Documentation: If It Wasn’t Written Down, It Didn’t Happen
Documentation is the mechanism through which GMP activities are verified. The FDA cannot inspect every production run, calibration event, or training session — so GMP compliance is demonstrated through records. Every critical activity must be documented at the time it occurs, by the person who performed it, using controlled document formats.
Document control requirements cover the entire document lifecycle: creation, review, approval, distribution, and revision. Obsolete versions must be removed from use. Records must be retained for specified periods — typically at least the lifetime of the device plus two years, or as specified in the relevant regulation.
Consequences of GMP Non-Compliance
Non-compliance with GMP is an enforcement matter, not merely a quality management issue.
FDA Enforcement Actions — Form 483 to Consent Decree
FDA inspections typically conclude with a Form 483 — a list of inspectional observations where the inspector believes violations of the law may exist. Form 483 observations do not constitute a final determination of violation, but they require a written response within 15 business days demonstrating corrective action.
If Form 483 observations are not adequately addressed, the FDA may issue a Warning Letter — a public document that names the manufacturer, describes the violations, and demands correction within a specified timeframe. Warning Letters are published on the FDA website and are searchable by any potential customer, partner, or investor. [3]
More severe enforcement actions include:
- Consent decrees: Court-ordered agreements requiring manufacturers to correct specific violations before resuming production. Can include third-party certification of corrective actions.
- Product seizures: FDA can seize non-compliant product from the market, often triggering significant financial losses and customer disruption.
- Import alerts: Foreign manufacturers can be placed on an Import Alert, preventing their products from entering the US market until violations are resolved.
- Criminal prosecution: In cases of knowing, wilful, or fraudulent GMP violations, the FDA can refer cases to the Department of Justice for criminal prosecution of individuals, not just organisations.
Patient Safety and Liability Consequences
Manufacturing failures in medical devices ultimately reach patients. Contaminated products, devices with uncontrolled dimensional variation, or sterility failures can cause infections, device malfunction, or death. These events trigger adverse event reporting obligations, potential class action litigation, and reputational damage that typically outlasts any regulatory penalty.
The financial exposure from a product recall involving a GMP failure extends far beyond the direct cost of retrieving product. It includes investigation costs, remediation investment, notification expenses, potential field service, and compensation claims. For Class III devices in particular, a recall associated with a manufacturing quality failure can cost tens to hundreds of millions of dollars.
GMP Compliance at Fecision
Fecision’s manufacturing operations are certified to ISO 13485:2016 — the international medical device QMS standard that forms the legal basis of the FDA’s QMSR. This certification means our quality management system, documentation practices, and manufacturing processes are independently audited and verified against the same standard that US, EU, Canadian, Japanese, and Australian regulators use.
- Quality Management System: ISO 13485:2016 certified. Full documentation chain from design input through production, inspection, and post-market support.
- Process validation: IQ/OQ/PQ documentation for special processes (injection moulding, insert moulding, cleanroom assembly). Cpk ≥ 1.67 on critical-to-quality dimensions.
- Cleanroom production: ISO 7 (Class 1,000) cleanroom for medical-grade components requiring contamination-controlled environments.
- Supplier controls: Approved supplier list, incoming material inspection protocols, and supplier audit programme maintained to QMSR requirements.
- Traceability: Full lot traceability from raw material Certificate of Analysis through finished part batch release — formatted to support 510(k), PMA, and CE Technical File submissions.
- Additional certifications: ISO 9001:2015, AS9100 Rev D (aerospace), ISO 14001:2015 (environmental), ISO 45001:2018 (occupational health and safety).
Contact Fecision to discuss quality documentation requirements for your medical device program.
References & Authoritative Sources
Accessed April 2026.
[1] U.S. Food and Drug Administration. ‘Quality Management System Regulation (QMSR).’ https://www.fda.gov/medical-devices/postmarket-requirements-devices/quality-management-system-regulation-qmsr
[2] U.S. Food and Drug Administration. ‘Medical Devices; Quality System Regulation Amendments — Final Rule.’ https://www.federalregister.gov/documents/2024/02/02/2024-01938/medical-devices-quality-system-regulation-amendments
[3] U.S. Food and Drug Administration. ‘Warning Letters — Medical Devices.’ https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/compliance-actions-and-activities/warning-letters
