Warning Letters by Year (All FDA Centers)
Total issuance has declined from 2021 peak, driven by COVID and tobacco reductions
Letters by Issuing Office
CDRH is the 5th most active center, but its pace is accelerating
Top Subject Categories by Year (Excluding Tobacco)
CGMP Pharma and Unapproved Drug letters dominate; device/QSR categories show steady growth while COVID letters have fully sunset
Clinical Trial Enforcement
Clinical Investigator, IDE, BIMO, and IRB warning letter trends
Notable Warning Letters & Findings
Recent enforcement actions with findings relevant to medical device software, data integrity, design controls, and clinical trial oversight
Dexcom, Inc.
G6 & G7 Continuous Glucose Monitors (Software-Driven SaMD)
Design Change ControlSignificant component change made without adequate validation. Internal studies showed worse performance, yet commercial manufacturing proceeded.
Design Input (820.30(c))Design inputs did not define all requirements from special controls. Missing manufacturing controls and acceptance criteria.
CAPA (820.100(a))CAPA investigation limited in scope despite evidence that all lots may have been affected.
Risk AnalysisSingle global probability code used for multiple hazardous situations rather than independent evaluation.
Key takeaway: Design change and validation failures are a risk for any software-driven medical device. Software updates or configuration changes require the same rigor in design change documentation. Limited CAPA scope when systemic issues exist is a recurring FDA target.
Abbott Diabetes Care, Inc.
FreeStyle Libre 3 Continuous Glucose Monitor
Design Transfer (820.30(h))Device design was not correctly translated into production specifications for third-party manufacturer.
Vendor ControlsFailed to define whether accuracy testing would be performed by Abbott or its contract manufacturers.
Production MonitoringInadequate monitoring resulted in a Class I recall (7 deaths, 860+ injuries reported).
Key takeaway: FDA holds the device manufacturer accountable for vendor quality. When platform specifications are implemented or hosted by external parties, the same design transfer rigor applies. Vendor qualification programs must clearly define testing responsibilities.
Royal Philips
CT Systems, Ultrasound, IntelliSpace Cardiovascular Software
Complaint HandlingComplaints closed as "non-complaints" without adequate investigation. A probe broke during use; conflicting information was not explored.
Design Controls (Software)New requirements for software v8 were not implemented into the product safety risk matrix across multiple facilities.
Field CorrectionsSoftware defect was fixed but the correction was never reported to FDA. Retrospective review revealed additional unreported recalls.
Key takeaway: When software gets new requirements or updates, those must flow through to the risk management file and design controls. Classifying user reports as bugs rather than complaints with regulatory implications is a risk area FDA actively targets.
Clinical Investigator (BIMO Inspection)
Biologics Clinical Trial: ALS Bone Marrow Study (CMS# 677324)
IRB ConflictIRB members who reviewed the protocol were also involved in the clinical study, raising independence and objectivity concerns under 21 CFR 56.
Clinical ConductMultiple violations in clinical trial conduct identified during BIMO inspection at the investigator site. FDA cited a long list of protocol adherence and subject protection issues.
Investigator OversightInadequate oversight of investigational product administration and subject monitoring. CBER issued the warning, reflecting heightened biologics enforcement in 2024.
Key takeaway: CBER issued 12 warning letters in the cell and tissue biologics space in 2024 alone, a dramatic increase from historical norms. IRB independence is under active scrutiny. Clinical investigators at academic medical centers are not exempt from BIMO enforcement.
Applied Therapeutics (Sponsor BIMO)
ACTION-Galactosemia Kids Trial / Govorestat NDA
Data IntegrityMislabeled product was approximately 80% lower concentration than stated. Protocol dose was reported as administered dose rather than actual dose.
Failure to DiscloseFailed to provide FDA with description or analysis of dosing errors. FDA cited significant concerns about data validity and integrity.
ConsequenceComplete Response Letter rejecting the NDA, warning letter, shareholder lawsuits, and leadership departures.
Key takeaway: Data captured in clinical systems must be attributable, contemporaneous, and transparent (ALCOA+). Discrepancies between planned and actual values must be captured accurately. This case demonstrates the cascading business consequences when data integrity fails at the sponsor level.
Cue Health, Inc.
Cue COVID-19 Test (Molecular Diagnostic / Point-of-Care)
Unauthorized ChangesImplemented changes to EUA-authorized devices without FDA authorization. Changes reduced test reliability.
Lot ReleaseFailed to maintain lot release activities to ensure product met claimed clinical and analytical performance.
Key takeaway: Modifications to validated software, assessment algorithms, or platform configurations that could affect performance require formal change control documentation. Unauthorized changes to regulated products remain a top enforcement priority.
MIT (COUHES IRB)
Institutional Review Board Operations
Consent ElementsRequired informed consent elements missing. Recurring documentation issues across multiple studies.
IRB RecordsInadequate membership records and documentation gaps undermining oversight.
Key takeaway: If MIT's IRB can receive a warning letter for documentation failures, no institution is immune. Electronic consent workflows and documentation systems must be audit-ready. The consent documentation trail is part of the BIMO inspection scope.
What this means for your compliance program
The convergence of rising QSR/QMSR enforcement, clinical investigator scrutiny, and IDE/PMA activity creates a heightened risk environment for organizations operating at the intersection of clinical trials and medical device software. The QMSR transition (effective February 2, 2026), combined with FDA's sustained BIMO activity, reinforces the need for audit trails that demonstrate full ALCOA+ compliance, design control documentation that can withstand direct FDA inspection, and change control processes that meet QSR-level scrutiny.
Priority areas to assess
Based on warning letter patterns from 2024-2026, organizations should prioritize: (1) design change control processes for software updates and configuration changes; (2) audit trail capabilities demonstrating full ALCOA+ compliance, with clear attribution of who performed each action and under what conditions; (3) vendor qualification documentation addressing the design transfer gaps FDA is increasingly citing; (4) complaint handling procedures to confirm software issues are being properly classified as complaints when warranted; and (5) CAPA investigation scope, ensuring systemic corrective actions rather than point fixes given FDA's trend toward scrutinizing limited investigation scope.
Find your gaps before the auditor does
Our Gap Assessment Toolkit covers the exact areas FDA is citing most: 21 CFR Part 11, ALCOA+ data integrity, CSV/CSA, EU GMP Annex 11, ICH E6(R3), and QMSR/ISO 13485. 535 assessable criteria across 6 frameworks, every citation verified.