What Are Good Machine-Learning Practices (GMLP) & Who Must Follow Them?

TL;DR:

Good Machine-Learning Practices (GMLP) are a set of ten FDA-endorsed, IMDRF-aligned principles covering the entire AI/ML lifecycle—data management, model design, performance evaluation, monitoring, explainability, change control, risk management, and documentation.

Any SaMD or AI/ML-enabled medical device must adhere to GMLP; adjacent digital-health tools should adopt them for quality and future compliance preparedness.

What Are GMLP & Where They Come From

The FDA released its first GMLP discussion paper in January 2023, updated in October 2024, to bring structure and predictability to AI/ML-based medical devices.

GMLP draws on international standards (notably IMDRF’s AI-enabled Device Software Functions N41 guidance) and is now reflected in premarket reviews (510(k), De Novo, PMA).

At its core, GMLP is about proving your ML system is:

• Built on high-quality, traceable data.

• Designed transparently and robustly.

• Continuously monitored and updated with documented change control.

The Ten Core GMLP Principles

1. Multi-Disciplinary Expertise Is Leveraged Throughout the Total Product Life Cycle

   
   

   In-depth understanding of the model’s integration into clinical workflow, intended benefits, and associated patient risks ensures AI/ML-enabled devices are safe, effective, and address meaningful clinical needs over the device lifecycle.

   
   

2. Good Software Engineering and Security Practices Are Implemented

   
   

   Model design incorporates robust software engineering, data quality assurance, data management, cybersecurity, and methodical risk management to ensure data authenticity, integrity, and secure implementation.

   
   

3. Clinical Study Participants and Data Sets Are Representative of the Intended Patient Population

   
   

   Data collection protocols ensure that characteristics such as age, sex, race, and ethnicity of the intended population are adequately represented to manage bias and promote generalizable performance.

   
   

4. Training Data Sets Are Independent of Test Sets

   
   

   Training and test datasets are selected to be appropriately independent, considering all potential dependencies (patient, acquisition, site factors) to assure unbiased evaluation.

   
   

5. Selected Reference Datasets Are Based Upon Best Available Methods

   
   

   Reference datasets are developed using accepted best methods to ensure clinically relevant, well-characterized data, and limitations of references are understood; accepted reference datasets are used to promote robustness and generalizability.

   
   

6. Model Design Is Tailored to the Available Data and Reflects the Intended Use of the Device

   
   

   Model design suits the data and mitigates risks such as overfitting and performance degradation; clinical benefits and risks inform meaningful performance goals aligned with intended use.

   
   

7. Focus Is Placed on the Performance of the Human-AI Team

   
   

   Emphasis on how the AI system interacts with human users to ensure safe and effective clinical decision-making.

   
   

8. Testing Demonstrates Device Performance during Clinically Relevant Conditions

   
   

   Testing protocols simulate real-world clinical conditions to validate device performance and safety.

   
   

9. Users Are Provided Clear, Essential Information

   
   

   Users receive transparent, understandable information about the AI/ML device’s capabilities, limitations, and appropriate use.

   
   

10. Deployed Models Are Monitored for Performance and Re-training Risks are Managed

    
    

    Continuous monitoring of model performance in the field is conducted, with managed processes for retraining and mitigating risks from model updates.

Who Must Follow GMLP?

Primary Audience:

• Medical device manufacturers developing AI/ML-enabled medical devices (Software as a Medical Device - SaMD).

  
  

Why Follow GMLP?

• Ensure safety, effectiveness, and quality throughout the device lifecycle.

• Meet regulatory expectations (FDA, Health Canada, MHRA) during premarket (510(k), De Novo, PMA) and postmarket phases.

FAQ

Are GMLP mandatory for 510(k) submissions?

Yes. ML/AI components in SaMD require adherence to GMLP as part of the eSTAR DSF & AI/ML module.

How do GMLP align with ISO 14971?

GMLP’s risk management principle integrates directly with ISO 14971 hazard analysis and control processes.

Can wellness apps use GMLP?

While not mandatory, adopting GMLP improves quality and prepares your app for future FDA oversight if clinical claims are added.