21 CFR Part 4

This glossary term is part of the SG Systems Global regulatory & operations guide library.

Updated January 2026 • Combination product cGMP requirements, streamlined approach, constituent part controls, design + batch evidence alignment, postmarket safety reporting, inspection readiness • Primarily Combination Products (Drug/Device and Drug/Biologic/Device) with operational cross-over into Quality, Manufacturing, Engineering, and Regulatory

21 CFR Part 4 is the FDA’s rule set that tells you how to operate a compliant program for combination products—products that blend drug, device, and/or biologic elements. Part 4 exists because “drug cGMP” and “device QSR” were built in different eras with different assumptions. Combination products don’t get to pick one worldview. The rule’s job is to make sure your organization doesn’t fall through the seams.

In real operations, Part 4 isn’t about whether you’re a “drug company” or a “device company.” It’s about surviving the day you get asked: Show design controls for the device constituent part. Show batch and release evidence for the drug or biologic constituent part. Show cross-impact change assessments. Show safety reporting decisions on time. If your evidence has to be reconstructed, Part 4 exposes the gap.

Part 4 also reveals a common leadership blind spot: teams often assume combination product compliance is owned by “Regulatory.” That’s convenient—and wrong. Part 4 is an execution rule. It lives in design control, purchasing controls, process validation, batch review, complaint handling, CAPA, and records governance. If those functions can’t operate as one controlled evidence posture, you don’t have Part 4 compliance; you have parallel compliance stories.

That’s why Part 4 naturally connects to 21 CFR Part 210, 21 CFR Part 211, 21 CFR Part 820 (QSR — legacy), the Quality Management System Regulation (QMSR), and practical controls like change control, CAPA, and data integrity.

“Combination product compliance fails at the seams—so your controls must always be designed around seams, not org charts.”

1) What people mean when they cite 21 CFR Part 4

When someone says “we need to comply with Part 4,” they’re reacting to a seam risk: the product doesn’t fit neatly in one compliance system. A drug gains a delivery device, or a device gains a drug/biologic element. Either way, you must decide what your primary cGMP system is and prove the imported controls from the other side are embedded and effective.

What they are really saying is: “Our seams are dangerous.” The seams are where requirements get dropped—design controls not linked to manufacturing acceptance criteria, batch review not linked to device performance risk controls, complaint handling split between Medical Affairs and Quality, CAPA written in one language and executed in another.

Tell it like it is: Part 4 forces leadership to stop using labels as comfort blankets. You don’t get credit for calling yourself “drug-led” if you can’t show device complaint files and design governance. You don’t get credit for calling yourself “device-led” if you can’t show lab controls, batch record discipline, and release decisions that match your risk posture. Part 4 is the regulatory version of “prove it.”

2) What Part 4 is (and what it isn’t)

What it is Part 4 is a framework for meeting cGMP requirements for combination products. In practice, it lets firms use a streamlined approach: you operate under one primary cGMP system (drug or device) and incorporate specified provisions from the other so the combination product is controlled end-to-end.

What it isn’t Part 4 is not a magic merge of two cultures. If your document control, training, or investigations are weak, it simply makes the gaps easier to see. It’s also not only “manufacturing”—for many products, postmarket reporting discipline is part of the seam.

Operationally, treat Part 4 as the “seam governance” rule. It exists because combination products create seam risks: a device design change can alter drug stability; a drug process change can alter device performance; packaging and labeling decisions can create use errors that drive adverse events. Part 4 expects you to have controls that recognize those seam risks and keep evidence coherent across time.

3) Who Part 4 applies to

Part 4 applies to firms that manufacture combination products and, in practice, it reaches into the ecosystem that supports them: contract manufacturers, sterile fill/finish partners, device assemblers, packaging operations, component suppliers, and labs. Your org chart does not change what regulators expect; your responsibility is defined by what you manufacture, control, and release into commerce.

A common trap is assuming “we outsource the device part, so we don’t need device controls.” Outsourcing changes where work happens, not who is accountable. If your product includes a device constituent part, you still need controlled purchasing, incoming verification, complaint handling, CAPA linkage, and clear design + production evidence. This is why Part 4 has a strong dependency on quality agreements and supplier oversight.

4) When Part 4 “turns on”: combination product status and regulatory assignment

Part 4 “turns on” when your product is a combination product and you manufacture it for the U.S. market. The trigger is not your marketing language and it’s not a convenient internal label. It’s about the product’s regulatory identity: single-entity combination products, co-packaged products, and cross-labeled configurations can all create Part 4 exposure.

Operationally, the critical moment is when leadership commits to a regulatory strategy (often expressed as “drug-led” or “device-led”) and then treats that choice like it settled everything. It doesn’t. You still have to bring in the missing controls from the “other side,” and you have to prove those controls are real—not bolted-on checklists.

If you want a durable posture, treat regulatory assignment like a design constraint. It shapes how you structure your quality management system, what evidence an investigator will sample, how you structure suppliers and CMOs, and how safety events are routed and reported. Build the system around those constraints early—because retrofitting is expensive and visible.

5) The Part 4 control object: the compliance matrix + quality plan

If you only remember one operational idea from Part 4, make it this: the compliance posture must be explicit. Strong organizations don’t “assume” the streamlined approach works; they document and govern a Part 4 compliance matrix that states which cGMP system is primary, which additional provisions are applied, where evidence lives, and who owns each seam.

Weak organizations treat this as a one-time gap assessment. Strong organizations treat it as a controlled artifact that evolves with product changes, new sites, new automation, and supplier changes—meaning it sits under change control and is referenced by procedures, training, and internal audits. In other words, it is a system contract, not a slide deck.

In practice, the matrix must answer one brutal question: If an investigator picks a lot and a complaint, can we show end-to-end evidence without reinventing the story? If the answer is “it depends who’s in the room,” the matrix is not operational.

6) The evidence model: linking design, batch, and device history records

Part 4 is ultimately an evidence problem. Drug cGMP thinks in lots, batches, lab results, and release decisions (see BMR and EBR). Device QSR thinks in design history, risk management, and device record structures (see DHF, DMR, and DHR). Part 4 expects those worlds to connect for the product you actually sell.

Think of the evidence model as an identity chain: design intent → risk controls → manufacturing specs → execution evidence → release evidence → postmarket signals. If any link is missing, your response becomes broad, expensive, and slow—because you can’t narrow what’s impacted with confidence.

A very common failure is letting “drug records” live in one universe and “device records” live in another. Part 4 doesn’t care what software you use. It cares whether you can prove that the design intent, risk controls, manufacturing execution, and release criteria stayed aligned through time—and that deviations, complaints, and CAPAs link back to the right identities.

This is why data integrity is non-negotiable. If you can’t show who changed what, when, and why—across batch records, design documents, and complaint files—your “integrated” system becomes a liability during enforcement.

7) Execution reality: where Part 4 programs break

Part 4 failures are predictable, and they usually show up the same way: the organization believes it is compliant, but the evidence chain has gaps. The most common operational breakpoints are:

• Dual QMS drift: drug teams run Part 211 systems; device teams run Part 820 systems; nobody owns the seams.
• “Streamlined” as a myth: the matrix exists, but imported controls (design controls, complaint files, CAPA discipline, or lab governance) are weak or performative.
• Labeling and use risk blind spots: the product is safe in the lab, but the real-world use scenario drives errors that are not captured as design inputs or risk controls.
• Automation gaps: manufacturing systems are validated in pieces, but the end-to-end process is not governed (see CSV and VMP).
• OOS/OOT without consequence: results are handled “locally” without consistent investigation depth (see OOS and OOT).
• Supplier seams: a CMO or component supplier holds key records, but you can’t retrieve them fast, or you can’t prove oversight was effective.

The practical takeaway: Part 4 compliance must be forced by workflow, not requested by policy. If people can close a batch record, release a lot, approve a design change, or close a complaint without producing the required cross-constituent evidence, your system will quietly rot until inspection pressure reveals it.

If you want implementation patterns for building a robust evidence posture, the most relevant playbooks are: Audit Readiness (keeping the evidence stable), Complaint Management Software (how signals become action), and Recall Readiness Software (how to execute quickly without overreach).

8) How Part 4 interfaces with 210/211, 820/QMSR, and Part 11

Part 4 rarely lives alone. In a real inspection or incident, it collides with other rules and standards. If you don’t design the interfaces, they will collide during stress.

Parts 210/211 (drug cGMP): This is where batch records, lab controls, stability, release decisions, and distribution controls live. For combination products, the question is not “do we have batch records?” The question is whether the batch evidence reflects device-related design and risk controls—and whether deviations and investigations capture both drug and device impacts. See Part 210 and Part 211.

Part 820 / QMSR trajectory: This is where design controls, purchasing controls, complaint files, servicing, CAPA, and device record structures live. Combination product teams often underestimate how quickly design control gaps become safety reporting problems. See Part 820 and the modernization context in QMSR.

Part 11 (electronic records and signatures): When your evidence lives in systems—MES, LIMS, QMS, ERP, PLM—Part 11 (and data integrity expectations) becomes the glue that makes records defensible. If audit trails are weak or e-signature controls are inconsistent, Part 4 integration becomes “trust us.” Regulators don’t. See Part 11 and Data Integrity.

Biologics overlays: If your combination product includes a biologic constituent part, expect additional requirements and record expectations that must be incorporated into your evidence model. See 21 CFR Parts 600–680.

9) Records, retention, and data integrity across constituent parts

Combination product programs quietly fail on record lifecycle management. Teams capture pieces of evidence, but they don’t retain them long enough, they can’t retrieve them quickly, or the “source of truth” moves when systems change. Retention is not a storage problem—it’s a governance problem.

Operationally, treat retention as a product lifecycle commitment: design records (DHF), device build records (DHR), and drug batch records (BMR/EBR) must remain linked and retrievable for as long as the product’s risk and regulatory obligations require. If your records are scattered across vendor portals, email attachments, and departmental drives, you will not be able to prove control under pressure.

In a mature organization, the record chain is treated like regulated evidence: versioned, protected, attributable, and auditable. That requires stable identifiers, controlled corrections, and disciplined document control. It also requires practical testing: can you retrieve a complete evidence set for a specific lot, device build, and complaint—without assembling a war room?

10) Inspection & incident response: proving your Part 4 system works

Inspectors don’t validate Part 4 by reading your matrix. They validate it by sampling reality. In practice, Part 4 readiness looks like a cross-constituent retrieval drill:

If this drill turns into a week-long hunt across departments, the gap is not “training.” It’s architecture. You don’t fix Part 4 readiness by telling people to collaborate; you fix it by designing systems where the evidence chain is produced as work is done.

11) Copy/paste readiness scorecard (self-assessment)

Use this as a practical self-assessment. If you can’t answer these cleanly, your Part 4 posture is fragile.

The goal is not to “pass a quiz.” The goal is to replace seam assumptions with seam evidence.

12) How this maps to V5 by SG Systems Global

V5 supports Part 4 outcomes by turning “integration” into an evidence chain rather than a committee decision. Part 4 is fundamentally about: controlled design/quality governance, controlled execution, and fast retrieval under inspection or incident pressure.

In practice, you need quality governance and regulated execution to behave like one evidence chain. That’s why Part 4 alignment fits naturally with the V5 platform:

Use the V5 Quality Management System (QMS) to govern procedures, changes, training, deviations, and CAPA evidence; use the
V5 Manufacturing Execution System (MES) to enforce controlled execution and generate compliant batch/build records; and connect enterprise data cleanly using
V5 Connect (API) so the Part 4 evidence chain doesn’t fracture across ERP/PLM/LIMS ecosystems.
If you want the platform overview in one place, anchor on V5 Solution Overview.

If you’re operating in regulated manufacturing and want an industry-aligned view of how execution + compliance patterns come together, start with GxP foundations and then map your program requirements into a single controlled evidence posture.

13) Extended FAQ

Q1. Is Part 4 just “device rules plus drug rules”?
Not exactly. It’s a framework that allows a streamlined way to comply by using one primary cGMP system while incorporating specified provisions from the other. The catch is that you still have to prove those imported controls are effective.

Q2. What’s the most common Part 4 failure mode?
Seam gaps. The company can show drug batch evidence and device design evidence, but it cannot show that the two remained aligned through changes, investigations, complaints, and release decisions for specific lots and events.

Q3. Does outsourcing the device or the drug part reduce our Part 4 obligations?
No. Outsourcing changes where work occurs, not who is accountable. If a partner holds critical records, you still must be able to retrieve them and prove oversight through quality agreements and audits.

Q4. Does Part 4 include postmarket safety reporting?
For many combination products, yes—Part 4 contains requirements that address how postmarket safety events are reported and aligned across constituent part reporting expectations. Operationally, this means you need one intake, one decision logic, and one controlled record chain for safety reporting decisions.

Q5. How do we know whether our Part 4 integration is real?
Run integrated retrieval drills. Pick a released lot and a complaint and prove you can show design linkage, batch/build evidence, controlled changes, investigations, CAPA, and the safety reporting pathway—using system records rather than manual reconstruction.

Related Reading
• Regulatory Sources: 21 CFR Part 4 (CFR text via Cornell) | Streamlined approach (21 CFR 4.4)
• Core CFR Cross-Links: 21 CFR Part 210 | 21 CFR Part 211 | 21 CFR Part 820 | 21 CFR Part 11 | 21 CFR Parts 600–680 | QMSR
• Supporting Glossary Terms: Change Control | Data Integrity | CAPA | OOS | Document Control System