GMP for Medical Devices & Combination Products — Step-by-Step, Inspection-Ready Guide
Drug–device combination products sit at the intersection of pharma cGMP and device QMS. In the US, 21 CFR Part 4 defines how manufacturers must apply both drug cGMP (21 CFR 210/211) and device QMS requirements (historically Part 820, now aligned to the FDA Quality Management System Regulation—QMSR—based on ISO 13485) using a streamlined approach. In the EU/UK, the device side aligns to MDR 2017/745 (and UKCA), while the medicinal component remains under GMP/EudraLex. This pillar gives you a hands-on operating model that unifies these regimes into a single, auditable way of working.
- Decide the pathway: Determine Primary Mode of Action (PMOA) and assign the lead regulatory framework.
- Map obligations: Apply Part 4’s streamlined mapping between drug cGMP and device QMSR/ISO 13485 clauses.
- Prove control: Design controls, risk management (ISO 14971), usability (IEC 62366), software (IEC 62304), sterilization validation, packaging (ISO 11607), and complaint/vigilance.
1) Product Classification & Pathway (PMOA → Lead Framework)
Step-by-step.
- Describe the constituent parts: drug/biologic component(s), device component(s), accessories, software, packaging.
- Determine PMOA: Is the primary therapeutic effect achieved by the drug/biologic or by
- Acceptance: Documented PMOA rationale, pathway chart, and a matrix showing which clauses of QMSR/ISO 13485 and 210/211 apply and how they are met.
- Evidence: Classification memo; Part 4 clause-by-clause mapping; EU MDR conformity plan; responsibility matrix for drug QA vs device QA.
2) The Regulatory Map You Must Implement
| Topic | US (Lead) | US (Part 4 Streamlined) | EU/UK | Core Standards/Guides |
|---|---|---|---|---|
| Quality System | Drug: 210/211 or Device: QMSR | Opposite set (streamlined) | MDR QMS (Annex IX/XI); UKCA | ISO 13485 (QMS) |
| Design Controls | Device-led: mandatory | Drug-led combos: apply where design affects drug safety/quality | MDR Annex I (GSPR), Annex II (tech doc) | ISO 13485 §7.3; IEC 62366 (usability) |
| Risk Management | Required via design/production | Streamlined where device risks affect drug/biologic | MDR Annex I (risk), PMS/PMCF | ISO 14971 (risk) |
| Software | Device software lifecycle | Streamlined (if software influences drug safety/label claims) | State-of-the-art software evidence | IEC 62304 (software); IEC 82304-1 (health software) |
| Sterilization/Asepsis | Drug asepsis + device SAL evidence | Streamlined to cover interface | MDR Annex I; ISO route acceptable | ISO 11135 (EtO), 11137 (radiation), 17665 (moist heat) |
| Packaging & CCI | Drug CCI + device package validation | Streamlined where package impacts drug quality | Packaging performance & stability | ISO 11607 (packaging), USP/Ph. Eur. CCI |
| UDI/Traceability | UDI rules | As applicable to device constituent | EUDAMED/UDI; UK UDI | GS1/UDI guidance |
| Complaints/Vigilance | Drug complaints/FAERS; device MDR | Bi-directional signal sharing | Vigilance, FSCA/FSN | Internal SOPs; PMS/PMCF plans |
3) Design Controls (DHF) with Drug–Device Interfaces
What to implement. Build a Design History File (DHF) that traces user needs → design inputs → outputs → verification → validation → design transfer. For drug-led combinations, implement design controls at least for elements that affect drug safety/effectiveness (e.g., container closure, delivery accuracy, human factors, software that drives dose).
- Inputs: dose delivery accuracy, viscosity/temperature ranges, container-device fit, biocompatibility, cleaning/sterility strategy, usability risks, labeling constraints.
- Outputs: drawings/specs, materials, alarms, IFU, UDI, acceptance criteria.
- Verification & validation: bench tests vs inputs, human factors validation (realistic use scenarios), transport/aging, dose accuracy across ranges.
- Transfer: map DHF outputs to DMR (Device Master Record) and integrate with pharma MBR/EBR for combination lines.
4) Risk Management (ISO 14971) as the Operating Backbone
Maintain a living Risk Management File (RMF) that spans design, manufacturing, post-market, and change control. Tie hazards to controls and to measurable acceptance criteria. Read device risks across to drug quality and vice versa.
- Typical hazards: dose inaccuracy, needle stick, breakage/leakage, contamination, software malfunction, user misuse/misdose.
- Controls: mechanical tolerances, sensor checks, lockouts, IFU clarity, alarms, software mitigations, container integrity tests, sterilization assurance.
- Acceptance: risk reduced to acceptable with residual risk-benefit justification; verification evidence linked to each control.
5) Usability Engineering (IEC 62366-1) & Labeling/IFU
Human factors are critical to prevent use errors that lead to under/over-dose or contamination.
- Activities: user research, task analysis, formative studies, summative validation with representative users in realistic environments.
- Outputs: critical tasks list, IFU design, warnings/contraindications, training requirements, packaging cues, device affordances.
- Evidence: usability test reports, residual risk rationale, IFU readability and comprehension assessments.
6) Software (IEC 62304/82304-1) & Cybersecurity
If the device includes embedded firmware, mobile apps, or cloud components that influence safety/performance or labeling claims, implement software lifecycle controls.
- Classification & planning: safety class, architecture, SOUP/OTS evaluation, unit/integration/system testing, hazard mitigations.
- Cybersecurity: threat modeling, secure development practices, update mechanisms, vulnerability management, logging & auditability.
- Evidence: requirements traceability matrix (RTM), test reports, risk controls verification, release notes, SBOM, patch policy.
7) Sterilization & Aseptic Strategy (ISO 11135/11137/17665)
For sterile combinations (e.g., prefilled syringes with safety devices, on-body injectors), integrate drug aseptic controls with device SAL validation.
- Validation: load development, BI placements, overkill/bioburden-based methods, parametric release where justified.
- Compatibility: EtO/radiation/moist heat compatibility with drug product, elastomers/plastics, and labeling inks.
- Acceptance: SAL target achieved; no unacceptable changes to drug CQAs; environmental and residuals (e.g., EtO/ECH) within limits.
8) Packaging Validation & Container Closure Integrity (ISO 11607 + Pharma CCI)
Combination packs must protect both the device and the medicinal product through shelf life and distribution.
- ISO 11607: package design qualification (DQ), installation/operation/performance qualification (IQ/OQ/PQ) of sealers, transit/aging validation, sterile barrier integrity tests.
- Pharma CCI: deterministic methods (e.g., helium leak, HVLD) or validated probabilistic approaches; tie to product microbial ingress risk.
- Evidence: packaging validation reports, CCI data, shipping qualification, aging results supporting label claims.
9) Manufacturing Controls: DMR ↔ MBR/EBR, Line Clearance & Reconciliation
Align device DMR (specs, drawings, BOM, software, labeling) with pharma MBR/EBR (weigh/dispense, IPC, yields, reconciliation). Where a single line handles both parts, use hybrid line clearance (device & drug checks) and ensure serialization/UDI data integrity end-to-end.
- Acceptance: zero label mix-ups; reconciliation within tolerance; traceability from drug lot ↔ device lot/UDI.
- Evidence: LC checklists, issuance/return logs, vision/scanner challenges, interface test records, EBR audit trails.
10) Post-Market: Complaints, Vigilance & Field Actions
Combination products need bi-directional signal flow between drug safety (e.g., pharmacovigilance) and device vigilance (e.g., MDR/FSCA) systems.
- Complaints intake: dose errors, device failures, breakage/leaks, needle safety, software/app failures, adverse events.
- Trend & triage: severity × frequency × detectability; define triggers for reportability, field safety notices, or recalls.
- Effectiveness checks: confirm that corrective actions (design change, IFU update, training) have reduced recurrence.
11) Change Control & CAPA Across Boundaries
Use a single board to control changes that can impact either constituent (design, materials, software, sterilization, packaging, labeling, process). Require bridging justifications and, when needed, comparability for the drug part and verification/validation for the device part.
- Acceptance: risk-ranked changes with impact assessments; testing/verification planned; regulatory strategy defined; training and document updates complete before release.
- Evidence: change files, validation/verification results, updated DHF/DMR/MBR, training records, regulator/Notified Body correspondence when applicable.
12) Risk-to-Criteria Cheat Sheet (Quick Design Aid)
| Risk | Control | Acceptance Criteria | Evidence |
|---|---|---|---|
| Dose inaccuracy (under/over) | Design tolerance, sensor checks, SW limits, IFU clarity | Accuracy within spec across ranges | Bench tests, HF validation, RTM, V&V reports |
| Label/UDI mix-up | Hybrid line clearance, issuance/recon, vision/scan | 0 mix-ups; reconciliation within tolerance | LC logs, rejects, deviation/CAPA |
| Container leakage/CCI failure | Package design/CCI strategy, aging/transit validation | CCI pass; no ingress beyond limits | ISO 11607 validation, CCI data, ship tests |
| Sterility not assured | ISO 11135/11137/17665 validation; bioburden control | SAL achieved; drug CQAs unaffected | Cycle dev, BI mapping, residuals, comparability |
| Use error | IEC 62366 usability; IFU design; training | Critical tasks success ≥ predefined target | Formative/summative HF reports |
| Software malfunction | IEC 62304 lifecycle; cybersecurity program | All safety requirements verified; vuln mgmt in place | RTM, test reports, SBOM, patch records |
13) Methods, Tools & Templates (Ready to Use)
- Part 4 Mapping Matrix: rows = processes (design, purchasing, manufacturing, labeling, complaints); cols = 210/211 vs QMSR/ISO 13485; fill “who/what record” and acceptance criteria.
- DHF Core Index: user needs; inputs; risk file links; outputs; V&V plans/results; HF studies; SW lifecycle; transfer records; design reviews and decisions.
- Hybrid Line Clearance Checklist: prior component purge; UDI scanning challenge; drug label/leaflet version check; serialization interface test; dual sign-off.
- Complaint/Vigilance Workflow: intake → triage → risk score → reportability (drug/device routes) → investigation → CAPA → effectiveness check → PMS trend.
- Change Impact Form: affected CQAs/CQPs; DHF/DMR/MBR links; risk re-assessment; verification/validation plan; regulatory filing/NB notice; training & doc updates.
14) Case Studies & Pitfalls
Case 1 — Dose accuracy drift at low temperatures. On-body injector under-delivers in cold environments. Fix: updated motor control + temp compensation + IFU storage guidance. EC: environmental V&V passes across full range; complaints trend to baseline.
Case 2 — Label/UDI mismatch in rework. Device relabeled post-rework without hybrid line clearance. Fix: hybrid LC and DMR↔MBR linkage; scanner challenges added. EC: 0 mix-ups in 3 months; reconciliation variances within limits.
Case 3 — EtO residuals exceeding limits. Accelerated aeration missed for thick polymer sets. Fix: cycle redesign + aeration verification + routine residuals testing. EC: three consecutive lots within residual limits.
Case 4 — App version causes UI confusion. Update changed button order; increase in use errors. Fix: HF re-validation; in-app tutorial; release management with rollback. EC: critical task success ≥ target; complaint rate reduced.
15) FAQs
- Do drug-led combinations always need full design controls? Apply design controls where design decisions impact drug quality/safety or labeling claims; justify the scope in your Part 4 mapping.
- Can we run separate pharma and device QMS? Possible, but risky. A unified QMS with clear ownership and integrated records is more defensible and efficient.
- How do we link DMR to MBR/EBR? Use common identifiers (part numbers, UDI DI, version) and controlled cross-references so a batch record points to the right device specs, software version, and labeling set.
- When is usability validation mandatory? When user interaction can affect safety/effectiveness or label claims; for drug delivery systems, this is typically required.
- What triggers a field action? Risk assessment of complaint trends or single severe events indicating potential harm; follow device vigilance plus drug recall requirements as applicable.
References & Further Reading
- 21 CFR Part 4 (US) — cGMP Requirements for Combination Products
- 21 CFR Parts 210/211 (US) — Finished Pharmaceuticals cGMP
- FDA Quality Management System Regulation (QMSR) — alignment with ISO 13485
- EU MDR 2017/745 (and UKCA guidance) — Device conformity, GSPR, technical documentation
- ISO 13485 — Medical Devices Quality Management Systems
- ISO 14971 — Application of Risk Management to Medical Devices
- IEC 62366-1 — Usability Engineering for Medical Devices
- IEC 62304 / IEC 82304-1 — Medical Device Software and Health Software
- ISO 11135 / 11137 / 17665 — Sterilization Validation (EtO, Radiation, Moist Heat)
- ISO 11607 — Packaging for Terminally Sterilized Medical Devices
- ISO 10993 Series — Biological Evaluation of Medical Devices (Biocompatibility)
Publisher: PharmaGMP.com. Last modified: 2025-11-14.