cGMPCurrent Good Manufacturing Practice

cGMP stands for Current Good Manufacturing Practice. The FDA uses the term as a regulatory umbrella across every industry it inspects: human drugs, biologics, medical devices, dietary supplements, conventional food, infant formula, animal drugs, and combination products. Each industry has its own cGMP regulation — 21 CFR 211 for finished drugs, 21 CFR 820 for devices, 21 CFR 111 for supplements, 21 CFR 117 for food preventive controls — but the underlying expectation is the same: a manufacturer must consistently produce a product that has the identity, strength, quality and purity it claims.

The word that carries the weight is "current." cGMP is not a frozen rulebook. It is the contemporary expectation of how a competent manufacturer behaves, refined continuously by guidance documents, Warning Letters, 483 trends, consent decrees, and inspector training. A practice acceptable in 2005 — paper batch records reconciled by hand, an audit trail printed only on request, a CSV package no one has touched since installation — can fail a 2026 inspection on data-integrity grounds without a single regulation having changed.

The same site can operate under multiple cGMP frameworks simultaneously — a contract manufacturer making a finished drug, an API, and a Class II device on the same campus must satisfy all three regulations, with the inspection scope determined by which product the inspector showed up to see.

Whatever the product, every cGMP framework asks for the same operational spine. The wording differs; the structure does not.

• Defined responsibilities — named quality unit (211.22), management with executive responsibility (820.20), QP (EU GMP).
• Controlled facilities — fit-for-purpose buildings, environmental controls, pest control, lighting, water systems.
• Qualified equipment — IQ / OQ / PQ before use, preventive maintenance, calibration to traceable standards.
• Verified components — supplier qualification, incoming testing or supplier audit, identity verification, COA review.
• Written procedures — SOPs under document control, training records, change control, periodic review.
• Executed records — batch production records, equipment logs, training records, complaint files, capable of full reconstruction.
• Validated test methods — analytical method validation (ICH Q2), cleaning validation, process validation (FDA Stage 1-3).
• Investigation discipline — OOS / OOT investigations, deviation handling, CAPA loop with effectiveness verification.
• Complaint and adverse event handling — written complaint file (211.198), MedWatch / MDR reporting where required.
• Periodic review — annual product review (211.180(e)), management review (820.20(c) / ISO 13485 §5.6), product quality review (EU GMP Chapter 1).

Five expectations have hardened to the point where they are now baseline cGMP, even though they do not appear verbatim in the underlying regulations.

1. ALCOA+ data integrity

FDA's 2018 final guidance, MHRA's 2018 guidance, PIC/S PI 041, and EU GMP Annex 11 converge on the same expectation: every regulated record — paper or electronic — must be Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available. Audit trails that can be disabled, original values that can be overwritten, e-signatures with no "meaning of the signature," shared logins, and uncontrolled spreadsheets are all top-cited Warning Letter findings.

2. Computer Software Assurance (CSA) over heavy CSV

FDA's September 2022 draft CSA guidance signals a shift from document-heavy Computer System Validation to risk-based assurance — high-risk functions get rigorous scripted testing, low-risk functions get lighter or exploratory assurance. EU GMP Annex 11 §1 has supported risk-based validation since 2015. The expectation is real CSV that focuses on patient risk, not 1,500-page binders that paper over default-vendor configurations.

3. Contamination control strategy (CCS)

EU GMP Annex 1 (revised 2022, fully effective August 2023) requires a formal Contamination Control Strategy — not just clean-room qualification documents, but a holistic, risk-based plan tying facility design, gowning, environmental monitoring, sterilisation, personnel behaviour, and product flow into a single defendable narrative. FDA inspectors increasingly expect equivalent thinking even where the literal CCS requirement does not apply.

4. Supply chain integrity

DSCSA (Drug Supply Chain Security Act) in the US and the Falsified Medicines Directive (FMD) in the EU have shifted the expectation from "we qualify our suppliers" to "we can prove unit-level provenance through every node in the supply chain." The cGMP edge of this work is supplier qualification, change notification, and component traceability — all of which are now first-tier inspection topics.

5. Quality culture and management responsibility

FDA's 2021 Quality Metrics initiative and the long-running ICH Q10 framework both place explicit weight on management's role in driving the pharmaceutical quality system. Inspectors increasingly ask to see management review minutes, quality KPI trends, and evidence that quality concerns reach senior leadership without filtering. A programme that delivers paper compliance but cannot show its leadership reviews complaint trends or CAPA effectiveness is now flagged under "culture" findings.

21 CFR Part 211 is the most-cited cGMP rule in the world. Subparts B through K cover personnel, facilities, equipment, components, production and process controls, packaging and labelling, holding and distribution, lab controls, records and reports, and returned products. Section 211.180(e) requires an annual product review of every drug product. Sections 211.186 (MMR) and 211.188 (BMR) define the master and batch record requirements that drive most plant IT.

Above Part 211 sits Part 210 — the framework definitions and general provisions. Below 211 sits ICH Q7 for APIs, ICH Q9 for quality risk management, and ICH Q10 for the pharmaceutical quality system. FDA expects manufacturers to interpret 211 through the lens of Q7/Q9/Q10, even though the ICH guidances are not regulations in their own right.

21 CFR Part 820 (the Quality System Regulation, QSR) has governed device manufacturing since 1996. From 2 February 2026 it is replaced by the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference plus a small set of US-specific additions (UDI, MDR / MedWatch reporting, complaint handling specifics, 503B compounding). The transition does not relax cGMP — it harmonises US expectation with the global device standard.

Operationally, manufacturers already certified to ISO 13485 will find QMSR familiar. Manufacturers operating only to 820 must read the QMSR Final Rule for the additions ISO 13485 does not cover — notably the 21 CFR 820.35 record-keeping requirements that survive the harmonisation.

21 CFR 111 establishes cGMP for dietary supplements. It is structurally similar to 21 CFR 211 but with distinctive features: master manufacturing record (MMR) under 111.205 and batch production record under 111.255, mandatory identity testing of each incoming dietary ingredient (111.75), the Quality Control Unit (111.105) as the explicit decision-maker for release, holding and distribution records (111.453), and returned product handling (111.503). FDA inspections of supplement facilities cite component identity testing and the MMR/BPR gap more than any other categories.

21 CFR 117 implements the FSMA Preventive Controls for Human Food rule (2015). Subpart B carries forward the legacy food cGMP from old 21 CFR 110; Subpart C layers on the hazard-analysis and risk-based preventive controls (HARPC) framework — written hazard analysis, preventive controls for identified hazards, monitoring, corrective actions, verification, and a Food Safety Plan signed by a qualified preventive controls qualified individual (PCQI). Food facilities frequently confuse Subpart B compliance (cGMP) with Subpart C compliance (HARPC) — both are required.

The single best predictor of how a manufacturer will fare in inspection is the quality of its investigations — out-of-specification (OOS) investigations under FDA's 2006 guidance, out-of-trend (OOT) handling, deviation investigations, complaint investigations, and the CAPA loop that ties the four together. Inspectors sample investigations because they are the visible evidence of a working quality culture: thin investigations with no root-cause discipline, repeat findings, or CAPAs that close without effectiveness verification are the leading source of cGMP findings across every product type.

A modern cGMP programme treats every signal — OOS, OOT, complaint, deviation, supplier complaint, return — as a candidate input to a single CAPA system, with structured root-cause analysis, risk-based prioritisation, and an effectiveness check before close-out. Anything less is paper compliance.

• Audit trail review absent or perfunctory — 211.68(b) and Annex 11 §9 both require periodic audit-trail review; inspectors sample for it.
• Out-of-spec investigations short-cut to "laboratory error" without supporting evidence (FDA OOS guidance §IV.C).
• Annual product review (211.180(e)) reduced to a checkbox without trend analysis or follow-up.
• CAPA effectiveness check absent — corrective action closed before evidence shows the failure mode has been eliminated.
• Supplier qualification on file but no on-site audit, no change notification, and no requalification cadence.
• Computer systems with shared logins, disabled audit trails, or original-value overwriting capability.
• Cleaning validation based on visual inspection alone, with no swab/rinse data or worst-case rationale.
• Process validation Stage 3 (continued process verification, FDA 2011 guidance) absent — Stage 1/2 documented at launch and never revisited.
• Training records that show completion of an SOP read-and-sign with no demonstrated competency assessment.