Warning Letters by Year (All FDA Centers)
Excluding tobacco. 2025 saw the highest non-tobacco volume in the dataset, driven by unapproved drug enforcement
Letters by Issuing Office
CDRH is the 5th most active center, but its pace is accelerating
Top Subject Categories by Year (Excluding Tobacco)
Unapproved Drug letters surged to 158 in 2025. QSR/device letters hit 30, a 5.0x increase from 2021. COVID letters fully sunset.
Device-Related Letters by Category & Year
QSR device letters surged from 6 (2021) to 30 (2025), a 5.0x increase. COVID-related device letters have fully sunset since 2023.
QSR / Device Subject Breakdown
75% of QSR device letters cite “Devices/Adulterated” as the sole subject classification under 21 CFR 820
Quarterly Trends: Key Enforcement Categories
Quarterly view shows enforcement spikes and seasonal patterns across the most-cited categories
QMSR is live. The citation language has already changed.
Between February 4 and March 13, 2026, FDA completed 93 medical device inspections under the new QMSR framework (CP 7382.850), resulting in 132 Form 483 observations across 52 establishments. 89.4% of observations now cite ISO 13485:2016 clauses directly, not legacy 21 CFR 820 sections. The transition to ISO-based citation language is functionally complete.
QMSR Remediation Mandate
Two post-QMSR CDRH warning letters (IsoTis OrthoBiologics, Feb 24; Longhorn Vaccines, Feb 26) contain standardized language requiring QMSR-compliant remediation for pre-QMSR inspection findings: any corrective actions must now be pursuant to QMSR requirements effective February 2, 2026, even when the underlying inspection occurred under the old QSR. Manufacturers with open 483 observations or warning letters must remediate to ISO 13485 standards, not legacy 820.
Clinical Trial Enforcement
Clinical Investigator, IDE, BIMO, and IRB warning letter trends
Notable Warning Letters & Findings
Recent enforcement actions with findings relevant to medical device software, data integrity, design controls, and clinical trial oversight
Longhorn Vaccines and Diagnostics LLC
Diagnostic Device Manufacturing (CMS# 721702)
Supplier Controls (820.50(a)(1))Failure to establish and maintain requirements for purchased/received product. Supplier qualification and purchasing controls inadequate.
Complaint Records (820.198)Complaint handling procedures inadequate. Records did not meet documentation requirements.
QMSR Remediation MandateInspected October 2025 under old QSR, but letter directs: "any corrective actions you propose or implement must be pursuant to the QMSR requirements in effect as of February 2, 2026."
Key takeaway: This is one of the first two warning letters to contain the QMSR remediation mandate. Even though the inspection was conducted under the old QSR, the firm must now remediate to QMSR/ISO 13485 standards. Any manufacturer with open 483 observations from pre-QMSR inspections faces the same requirement.
IsoTis OrthoBiologics, Inc.
Orthobiologic Medical Devices (CMS# 723370)
CAPA (820.100(a))Corrective and preventive action procedures inadequate. Failure to address identified quality system deficiencies.
Design ControlsDesign controls and supplier qualification cited as deficient areas during the October 2025 inspection.
QMSR Remediation MandateSame standardized template language as the Longhorn letter, requiring QMSR-compliant corrective actions despite pre-QMSR inspection timing.
Key takeaway: Paired with the Longhorn letter, this confirms a standardized FDA template for QMSR transitional language. Risk management file deficiencies referenced in this letter signal that FDA investigators were already focusing on risk management documentation in late 2025 inspections.
Beta Bionics, Inc.
iLet Bionic Pancreas System (Automated Insulin Delivery / SaMD)
CAPA (820.100(a))56 hypoglycemia complaints closed without corrective action despite user-related risk analysis classifying severity as potentially fatal. Trending methodology diluted complaint rates using inflated opportunity counts. CAPA verification tested employees instead of actual device users.
Risk Analysis (820.30(g))Post-market complaints for hardware failures, involuntary meal announcements, and 529 cartridge leaks not incorporated into system risk analysis. Vulnerable population hazard identified but no risk controls documented.
Complaint Handling (820.198)31 cartridge leak complaints closed without investigation despite hyperglycemic outcomes. DKA event (blood glucose 476 mg/dL) closed without escalation to complaint or MDR evaluation.
MDR / Part 806Failed to report serious injuries within 30 days. Software update for delayed glucose readings and cybersecurity vulnerability fix both deployed without submitting required correction/removal reports to FDA.
Key takeaway: This is the most comprehensive SaMD enforcement action in recent history. Autonomous insulin dosing algorithms demand post-market surveillance that feeds directly into risk management. CAPA verification must test the actual user population, not internal staff. When software updates are deployed to address safety risks, correction/removal reporting under Part 806 is required regardless of how the manufacturer categorizes the change.
Dexcom, Inc.
G6 & G7 Continuous Glucose Monitors (Software-Driven SaMD)
Design Change ControlSignificant component change made without adequate validation. Internal studies showed worse performance, yet commercial manufacturing proceeded.
Design Input (820.30(c))Design inputs did not define all requirements from special controls. Missing manufacturing controls and acceptance criteria.
CAPA (820.100(a))CAPA investigation limited in scope despite evidence that all lots may have been affected.
Risk AnalysisSingle global probability code used for multiple hazardous situations rather than independent evaluation.
Key takeaway: Design change and validation failures are a risk for any software-driven medical device. Software updates or configuration changes require the same rigor in design change documentation. Limited CAPA scope when systemic issues exist is a recurring FDA target.
Abbott Diabetes Care, Inc.
FreeStyle Libre 3 Continuous Glucose Monitor
Design Transfer (820.30(h))Device design was not correctly translated into production specifications for third-party manufacturer.
Vendor ControlsFailed to define whether accuracy testing would be performed by Abbott or its contract manufacturers.
Production MonitoringInadequate monitoring resulted in a Class I recall (7 deaths, 860+ injuries reported).
Key takeaway: FDA holds the device manufacturer accountable for vendor quality. When platform specifications are implemented or hosted by external parties, the same design transfer rigor applies. Vendor qualification programs must clearly define testing responsibilities.
Royal Philips (3 Facilities)
EPIQ Ultrasound, Transducers, IntelliSpace Cardiovascular Software
Vendor Controls (820.50)Outsourced complaint handling to internal team (GCHO) without supplier qualification, evaluation, or approved supplier listing. No change notification agreement in place.
Complaint Handling (820.198)54 investigations exceeded target dates (23 over 100 days late), 32 associated with MDRs. Complaints closed as "non-complaints" without adequate investigation. Software defects not escalated to defect management system.
CAPA (820.100)No CAPA opened for 9 fluid ingress complaints or 29 articulation issues (27 with MDRs). Trending not performed at transducer accessory level. CAPA effectiveness verification inadequate for software fixes.
Design Validation (820.30(g))New product requirements for ISCV v8.0 not included in safety risk management matrix. Competitor device MDR reporting a patient death was not evaluated for severity increase. Cybersecurity threat modeling incomplete.
Distribution (820.160)Refurbished transducers distributed past their 3-year verified useful life. Seven units in the field past useful life were associated with complaints.
Key takeaway: This 13-page letter spanning three global facilities is a textbook multi-site enforcement action. Internal service organizations providing quality functions must be treated as suppliers under 820.50. Software defects must flow to both complaint handling and defect management systems. When new features are added to software products, every requirement must trace to the risk management file.
Clinical Investigator (BIMO Inspection)
Biologics Clinical Trial: ALS Bone Marrow Study (CMS# 677324)
IRB ConflictIRB members who reviewed the protocol were also involved in the clinical study, raising independence and objectivity concerns under 21 CFR 56.
Clinical ConductMultiple violations in clinical trial conduct identified during BIMO inspection at the investigator site. FDA cited a long list of protocol adherence and subject protection issues.
Investigator OversightInadequate oversight of investigational product administration and subject monitoring. CBER issued the warning, reflecting heightened biologics enforcement in 2024.
Key takeaway: CBER issued 12 warning letters in the cell and tissue biologics space in 2024 alone, a dramatic increase from historical norms. IRB independence is under active scrutiny. Clinical investigators at academic medical centers are not exempt from BIMO enforcement.
Applied Therapeutics (Sponsor BIMO)
ACTION-Galactosemia Kids Trial / Govorestat NDA
Data IntegrityMislabeled product was approximately 80% lower concentration than stated. Protocol dose was reported as administered dose rather than actual dose.
Failure to DiscloseFailed to provide FDA with description or analysis of dosing errors. FDA cited significant concerns about data validity and integrity.
ConsequenceComplete Response Letter rejecting the NDA, warning letter, shareholder lawsuits, and leadership departures.
Key takeaway: Data captured in clinical systems must be attributable, contemporaneous, and transparent (ALCOA+). Discrepancies between planned and actual values must be captured accurately. This case demonstrates the cascading business consequences when data integrity fails at the sponsor level.
Cue Health, Inc.
Cue COVID-19 Test (Molecular Diagnostic / Point-of-Care)
Unauthorized ChangesImplemented changes to EUA-authorized devices without FDA authorization. Changes reduced test reliability.
Lot ReleaseFailed to maintain lot release activities to ensure product met claimed clinical and analytical performance.
Key takeaway: Modifications to validated software, assessment algorithms, or platform configurations that could affect performance require formal change control documentation. Unauthorized changes to regulated products remain a top enforcement priority.
MIT (COUHES IRB)
Institutional Review Board Operations
Consent ElementsRequired informed consent elements missing. Recurring documentation issues across multiple studies.
IRB RecordsInadequate membership records and documentation gaps undermining oversight.
Key takeaway: If MIT's IRB can receive a warning letter for documentation failures, no institution is immune. Electronic consent workflows and documentation systems must be audit-ready. The consent documentation trail is part of the BIMO inspection scope.
What this means for your compliance program
The convergence of rising QSR/QMSR enforcement, clinical investigator scrutiny, and IDE/PMA activity creates a heightened risk environment for organizations operating at the intersection of clinical trials and medical device software. The QMSR transition (effective February 2, 2026), combined with FDA's sustained BIMO activity, reinforces the need for audit trails that demonstrate full ALCOA+ compliance, design control documentation that can withstand direct FDA inspection, and change control processes that meet QSR-level scrutiny.
Priority areas to assess
Based on warning letter patterns from 2024-2026, organizations should prioritize: (1) design change control processes for software updates and configuration changes; (2) audit trail capabilities demonstrating full ALCOA+ compliance, with clear attribution of who performed each action and under what conditions; (3) vendor qualification documentation addressing the design transfer gaps FDA is increasingly citing; (4) complaint handling procedures to confirm software issues are being properly classified as complaints when warranted; and (5) CAPA investigation scope, ensuring systemic corrective actions rather than point fixes given FDA's trend toward scrutinizing limited investigation scope.
Find your gaps before the auditor does
Our Gap Assessment Toolkit covers the exact areas FDA is citing most: 21 CFR Part 11, ALCOA+ data integrity, CSV/CSA, EU GMP Annex 11, ICH E6(R3), and QMSR/ISO 13485. 535 assessable criteria across 6 frameworks, every citation verified.