FDA warning letters are public documents, and the patterns inside them are consistent enough that quality teams who read them regularly spot the same failures appearing year after year. If your QMS has gaps in CAPA, data integrity, or document control, the chances are high that a company already received a warning letter for those exact gaps.
This article reviews the most frequently cited violations in recent FDA warning letters, examines specific case studies from 2024 and 2025, and explains what each finding means for your quality management system.
What is an FDA warning letter?
An FDA warning letter is an official communication from the agency notifying a company that it has observed violations of FDA regulations that are significant enough to warrant regulatory action. Warning letters follow an FDA inspection and a Form 483 that went unresolved or received a response FDA considered inadequate.
Warning letters are public. The FDA posts them on its website, including the company name, the site address, the specific CFR sections violated, and the exact language describing each failure. That transparency makes them one of the most useful compliance learning tools available to quality teams.
According to data published by Pharmaceutical Online in March 2026, FDA sent 303 drug warning letters in FY 2025, a 59% increase from the prior fiscal year. That volume matters because each one of those letters describes a real failure that FDA considered serious enough to escalate beyond a 483.
The most frequently cited violations across warning letters
1. CAPA system failures
Corrective and Preventive Action failures rank as the single most cited violation category in FDA warning letters for medical device manufacturers. According to Cloudtheapp's FDA enforcement trends analysis, FDA issued 279 CAPA observations to medical device facilities in FY 2025 alone.
The specific failure patterns in warning letters go beyond simply not having a CAPA procedure. FDA consistently cites:
- CAPA processes that document the corrective action but do not verify the root cause was actually eliminated
- Repeat CAPAs opened for the same failure type across multiple cycles, indicating the underlying cause was never resolved
- CAPA effectiveness checks that consist of closing the record after a defined time period rather than confirming the problem stopped occurring
The Dexcom warning letter issued March 4, 2025 (MARCS-CMS 700835) cited failures in the CAPA system among other quality system violations following inspections at San Diego facilities in October 2024. Dexcom manufactures continuous glucose monitoring systems, which makes this a high-consequence example of what happens when a medical device company's CAPA system cannot demonstrate effectiveness.
2. Data integrity violations
Data integrity citations appear in almost every pharmaceutical warning letter and an increasing percentage of medical device letters. The core violation involves records that do not accurately capture what actually happened during manufacturing, testing, or release.
Specific failure modes FDA cites in data integrity observations include:
- Backdating entries in batch records or laboratory logs
- Deleting and re-running laboratory tests without documenting the original result
- Using a shared login for electronic systems rather than individual user credentials
- Failing to maintain an audit trail that captures original entries, changes, and the identity of the person who made each change
The Glenmark Pharmaceuticals warning letter issued July 11, 2025 (MARCS-CMS 708270) cited repeat violations across multiple sites, which reflects a pattern FDA treats with particular severity. When the same violation appears at more than one facility within the same company, FDA reads it as a systemic quality culture problem rather than an isolated site issue.
3. Laboratory control failures
According to analysis published by Certainty Software in May 2026, identity testing failure was cited in 49 of 85 drug warning letters reviewed from 2025, making it the single most common violation in that set. Identity testing requires that every active ingredient in a drug product is verified at receipt. Companies that skip or abbreviate this step because their supplier has a long track record are not compliant.
Other frequent laboratory violations include:
- Out-of-specification (OOS) investigations that fail to complete a root cause investigation before invalidating a result
- No documented procedure for when and how to escalate an OOS result
- Laboratory instruments with expired calibrations used for release testing
- Stability testing programs that do not cover the full product shelf life
The FDA's own guidance on laboratory controls, published under 21 CFR 211.68 for drug products and 21 CFR Part 820 for devices, requires that all laboratory equipment is calibrated, that procedures are followed without exception, and that any deviation from a specification triggers a documented investigation.
4. Production and process controls
Production control violations cite manufacturers for running processes that have not been fully validated or for running validated processes outside their specified parameters without documented justification.
Common specific observations include:
- Batch records that do not match actual manufacturing steps performed
- Environmental monitoring data showing contamination trends that were never investigated
- Failure to validate cleaning procedures between product changeovers
- Process parameters set outside the validated range without change control approval
5. Document control deficiencies
Document control violations in warning letters typically describe facilities where the procedures employees follow do not match the approved versions on file, or where the document management system does not prevent access to superseded documents.
The connection between document control failures and other quality problems is direct. If operators are working from outdated SOPs, their actions cannot be compliant regardless of how well-intentioned they are.
Three patterns that explain why the same violations repeat
Pattern 1: CAPAs that document activity instead of eliminating causes
The most common CAPA failure is not the absence of a CAPA system. It is a CAPA system that closes records based on the completion of action items rather than verification that the failure stopped. A company can complete every task in a CAPA and still reopen the same problem six months later if the root cause was misidentified.
FDA investigators look specifically at whether effectiveness checks are conducted, when they are conducted relative to the corrective action, and what objective evidence confirms the problem no longer occurs.
Pattern 2: Electronic systems without controls
Companies that transition from paper records to electronic systems often replicate the paper-based process in digital form without implementing the access controls, audit trails, and validation that electronic systems require under 21 CFR Part 11.
An electronic batch record that can be edited without creating a permanent audit trail entry is not more compliant than the paper record it replaced. It is less compliant, because the audit trail requirement is now explicit and the failure to meet it is documentable.
Pattern 3: Quality systems that do not escalate to management
FDA warning letters frequently cite situations where quality data showing a trend was available in the QMS but was never escalated to site management or addressed through the management review process. The data was collected. The CAPA was opened. The trend continued. No one with authority to allocate resources to fix the underlying problem was ever made aware of it.
This is why FDA places significant weight on the management review process. It is the mechanism by which quality data converts into resource decisions.
What these citations mean for your QMS
Each repeat citation category points to a specific capability gap that quality teams can address before an inspection.
For CAPA: Build effectiveness verification into every CAPA record before it can be closed. Define what evidence constitutes proof that the root cause is gone. Set a verification date tied to when enough time has passed to observe whether the failure recurred.
For data integrity: Audit your electronic systems for shared logins, disabled audit trails, and the ability to delete or overwrite records without a traceable entry. Any system where that is possible represents a 21 CFR Part 11 violation waiting to be cited.
For laboratory controls: Confirm that your OOS procedure requires a full root cause investigation before any test result can be invalidated. Check that all instruments in your release testing workflow have current calibration certificates and that expired instruments are physically removed from service.
For process controls: Validate every process parameter that affects product quality. If a process is running outside its validated range, treat that as a deviation requiring documentation and investigation, not a routine adjustment.
For document control: Implement a system that makes it impossible for employees to access superseded document versions. This is not a procedural requirement alone; it requires a technical control.
How a modern QMS addresses warning letter risk areas
Warning letters describe failures that are almost always traceable to the same root cause: the quality system cannot generate real-time visibility into whether its own processes are working.
A CAPA that closes without an effectiveness check is not a process failure. It is a system failure. The QMS did not require effectiveness verification before allowing the record to close.
Cloudtheapp's QMS platform includes 60+ configurable applications built specifically for regulated environments, including dedicated modules for CAPA management, deviation tracking, document control, laboratory management, and audit management. Each application is pre-configured to meet FDA QMSR, ISO 13485, and ISO 9001 requirements, and every record maintains a full audit trail by default.
For companies preparing for an FDA inspection or addressing observations from a prior inspection cycle, Cloudtheapp's CAPA module enforces an effectiveness verification step before any corrective action record can be closed, directly addressing the most frequently cited warning letter failure pattern.
Learn more about how Cloudtheapp approaches FDA inspection readiness and responding to FDA 483 observations.
Schedule a demo to see how the platform handles CAPA, document control, and data integrity in a pre-validated environment: https://www.cloudtheapp.com/demo/
Key takeaways
FDA warning letters from 2024 and 2025 show four dominant violation categories: CAPA failures, data integrity problems, laboratory control gaps, and inadequate process validation. These are not new categories. They appear in warning letters year after year because the underlying causes are not resolved at the system level.
Quality teams that read recent warning letters as case studies can identify whether their own QMS has the same structural gaps. The specific failures FDA describes in each letter are specific enough to check against your own procedures, records, and system configurations.
The companies that receive warning letters are not always the companies with the worst quality cultures. They are often companies with quality systems that cannot enforce their own requirements.






