A recent guest column published in BioProcess Online analyzed 85 FDA warning letters issued to drug product manufacturers in 2025, offering one of the clearest, data-driven snapshots we’ve seen of where GMP systems are still breaking down.

The findings are unsurprising, as the same areas tend to be recurring problems, but they are clarifying. And when paired with what our auditors are seeing firsthand inside facilities, they paint a very actionable picture for RA/QA leaders heading into 2026.

We recently reported on the 50% jump in CDER warning letters in fiscal year 2025. As a companion to that piece, we’ve broken down what we feel are the most important takeaways from the analysis and translated them into practical, operational guidance for quality teams responsible for preventing the next warning letter, not responding to one.

Talk to us if you need auditing, mock inspection, or remediation support heading into the new year.

1. The data confirms what the FDA has been signaling for years: these are systemic failures

The BioProcess Online analysis (covering warning letters posted between January 1 and December 9, 2025) shows that the FDA is still citing the same core GMP failures repeatedly across regions and company types. The most frequently cited sections of 21 CFR Part 211 include:

• 211.84(d)(1) and (d)(2) – Identity testing and conformity testing of components

• 211.22(a) and (d) – Quality unit authority, responsibility, and adherence to written procedures

• 211.100(a) – Written procedures and lifecycle process validation

• 211.165(a) – Inadequate laboratory testing prior to release

• 211.192 – Inadequate production record review and investigations

Maybe most notably, 211.84(d)(1) (identity testing of components) was cited in 49 of the 85 warning letters, making it the single most common violation reported.

In our drug audit and mock inspection work over the past 12 months, these findings almost always trace back to the same root issue: incoming material controls are treated as a procurement or QC activity, not as a core GMP system owned and enforced by Quality.

We’ve routinely seen:

• Supplier qualification files that technically exist but have not been risk-ranked, re-evaluated, or updated as materials, suppliers, or manufacturing strategies change.

• Identity testing programs that rely on supplier COAs by default, without documented scientific justification or ongoing verification.

• Change control systems that technically require QA involvement, but where supplier, test method, or specification changes are operationally implemented before QA review.

FDA investigators are testing whether firms can demonstrate end-to-end control of incoming materials:

Supplier qualification → identity testing → change control → ongoing oversight.

If those elements are disconnected or inconsistently applied, FDA treats the failure as systemic, not procedural.

If your supplier qualification and incoming testing program has not been globally audited, material by material, within the last 12–18 months, you should assume exposure, particularly if you rely on overseas suppliers, legacy material specifications, or reduced testing models justified primarily by historical performance.

2. Data integrity remains uneven, and the FDA is responding accordingly

The analysis found that 15% of all warning letters cited data integrity (DI) issues, but the distribution was highly uneven:

• India: DI cited in ~60% of warning letters

• China: ~21%

• U.S.: ~10%

This disparity suggests more than isolated procedural gaps. It points to differences in data governance maturity and quality culture across regions. Across all regions (including the U.S.), the FDA’s expectations around data integrity have been a huge focal point for inspections. Investigators are increasingly testing whether firms can demonstrate control over:

• Audit trails that are routinely reviewed—not just enabled.

• ALCOA+ principles applied consistently across systems.

• Meaningful second-person review, not checkbox approvals.

• Escalation and investigation when data anomalies appear.

If your data integrity program lives primarily in SOPs or training decks, you are already behind. FDA is looking for evidence of lived control, especially in QC labs and batch record review.

3. The FDA’s near-universal recommendation for GMP consultants is a signal, not a suggestion

One of the most striking findings in the analysis is that the FDA recommended the use of a GMP consultant in 87% of the warning letters reviewed. This reflects the FDA’s assessment that many firms lack the internal capability to identify, scope, and remediate systemic GMP failures without external expertise. We wrote about this extensively over on our blog a few years ago.

In our remediation work, we consistently see companies underestimate what FDA expects post-warning letter. Firms often attempt to:

• Address observations individually rather than systemically.

• Update SOPs without redesigning workflows or controls.

• Rely on retraining while leaving authority, resourcing, and accountability gaps untouched.

The FDA, however, is looking for structural correction, not cosmetic fixes. Investigators expect to see evidence that systems have been redesigned to prevent recurrence, not simply re-documented. If your CAPAs repeatedly focus on missed reviews, documentation errors, or retraining without addressing system design, the FDA will escalate. At that point, remediation is no longer optional or internally controlled, and the scope of required corrective action expands significantly.

4. Quality unit authority is still breaking down in practice

Sections 211.22(a) and (d), which define the authority, responsibility, and procedural discipline of the quality unit, were cited 54 times across the dataset.

Despite decades of regulatory emphasis, the FDA (and our auditors and mock inspectors) continue to find that quality units:

• Do not have real authority to stop production or delay release.

• Are overruled by operations or commercial pressure, formally or informally.

• Approve records without sufficient time or resources to perform meaningful review.

• Follow procedures inconsistently due to workload, timelines, or competing priorities.

In many organizations, we see a quality unit is structurally set up to fail. Common red flags include:

• QA reporting lines are buried under operations.

• No formal mechanism to escalate unresolved discrepancies.

• Batch review workloads that make meaningful review impossible.

The FDA is not asking whether QA exists. They are asking whether QA can exercise authority in real time. If your org chart, resourcing model, or release timelines prevent that, expect findings. If QA cannot credibly delay release, extend investigations, or reject product without resistance or workaround, FDA will conclude that 211.22 is not being met, regardless of how well-written the SOPs are.

If you haven’t already, be sure to watch our recent conversation with Coruna Medical’s Vice President of Quality, Jeff Hines, who shares his 4-room inspection model and how to lead through remediation with composure, clarity, and structure:

What RA/QA teams should do with this data

Taken together, the BioProcess Online analysis and our field experience point to a clear conclusion: 2025 warning letters reflect repeatable, preventable failures.

Teams should prioritize:

• A global audit of supplier qualification and incoming material controls. Start by mapping every material that enters the facility (APIs, excipients, components, primary packaging, and critical consumables) back to an approved supplier, a defined risk category, and a current qualification status. This includes confirming that supplier risk assessments are documented, science-based, and periodically re-evaluated, not static artifacts created years ago. From there, verify that identity testing is actually being performed as required, and that any reliance on supplier COAs is scientifically justified, documented, and supported by ongoing verification testing. The FDA is repeatedly citing firms where identity testing is skipped, reduced without justification, or inconsistently applied across materials. Finally here, review how your supplier changes are handled in practice. This means confirming that changes in suppliers, manufacturing sites, test methods, or specifications trigger formal change control, requalification, and risk assessment, rather than informal workarounds. If supplier qualification lives primarily in procurement systems rather than the QMS, the FDA will find it.

• A practical data integrity assessment focused on how data is actually generated, reviewed, and escalated.