FDA Warning Letters Jumped 50% in 2025: The Supplier Findings That Keep Showing Up
Supplier qualification never seems urgent. There's always a customer complaint to deal with, a production issue, an internal audit finding that needs closing out.
Then the FDA shows up, and suddenly it's the only thing that matters.
At the Enforcement, Litigation, and Compliance Conference in December, Jill Furman (director of CDER's Office of Compliance) called FY 2025 "a year of change."
I've spent the last few months going through recent 483s and warning letters, and the same issues keep coming up. Three things, specifically. If any of these sound familiar, you've probably got some work ahead of you.
Finding #1: Supplier "Audits" That Are Really Just Questionnaires
This is the most common one.
There was an Indian pharmaceutical manufacturer that decided actual supplier audits were too much trouble. Their approach: send out questionnaires. Some suppliers never bothered responding. One supplier admitted in writing that they weren't compliant with ICH stability testing standards, had inadequate water system qualification, and weren't doing sufficient testing.
The company qualified them anyway.
The 483 was blunt:
"The quality unit has not ensured API suppliers are appropriate for use."
"No onsite audit has been conducted for any supplier of APIs."
Three days later, they were on an Import Alert. Fourteen findings total.
The underlying problem is pretty simple: questionnaires tell you what suppliers say about themselves. They don't tell you what suppliers actually do. 21 CFR 820.50 (devices) and 21 CFR 211.84 (drugs) require documented evaluations that verify capability. A returned questionnaire with checkboxes doesn't verify much of anything.
The citations I see most often:
- No documentation that supplier evaluations happened
- Requirements that don't address validated processes
- Over-reliance on supplier self-reporting
- No risk-based criteria for how much control each supplier needs
Investigators want to see risk-based audit schedules where critical suppliers get real audits. For lower-risk suppliers, they want documented justification for reduced oversight. Not just silence in the file. If your SOP says "conduct supplier audits" but nobody's visited a supplier since 2022, that's going to come up.
Finding #2: Quality Agreements That Nobody Looks At
Quality agreements are supposed to define who's responsible when something goes wrong. The problem is that most companies treat them like a checkbox during supplier onboarding. Sign it, file it, move on. Three years later, nobody can find it, and it doesn't cover half the things that matter.
The FDA's guidance on contract manufacturing is pretty clear about what these agreements should include: materials and services, quality specifications, acceptance criteria, communication mechanisms, regulatory references. Standard stuff.
The part that trips companies up is change control and CAPA communication. The agreement doesn't say how the supplier is supposed to tell you when something changes or when they find a problem.
Here's what that looks like in practice: a company's bottle supplier flagged damage occurring during tip insertion on the filling line. The company opened an investigation internally but never involved the supplier's process engineers. Months went by. No root cause. No CAPA. The investigation sat there doing nothing.
That was Akorn. They got a warning letter in June 2019 citing their failure to conduct "a meaningful evaluation" involving the supplier.
When quality agreements don't specify escalation paths or response timeframes or requirements for actually working together on problems, investigations stall and eventually become 483 observations.
What should actually be in there:
| Clause | What It Covers |
|---|---|
| Roles & responsibilities | Who owns quality decisions, testing, release, complaints |
| Communication protocol | How deviations and CAPAs get communicated (specifics, not "as needed") |
| Audit rights | How often, what scope, what records, how you follow up on findings |
| Change control | Supplier tells you before they change materials, processes, or locations |
| CAPA collaboration | Response timeframes, data sharing, when joint investigations happen |
| Document retention | How long, and how you get access for regulatory inspections |
If your agreements don't have version control and aren't reviewed annually, they're probably out of date. Things shift over time, on both sides.
Finding #3: CAPA Programs That Don't Extend to Suppliers
Failure to document preventive action is the fourth most common cause for 483 warning letters, which tells you something about how often companies get this wrong.
Internal CAPA is hard enough. Add suppliers to the equation, and a lot of systems break down entirely.
The FDA doesn't just want you tracking your own CAPAs. When a supplier's quality problem affects your product, their corrective actions become your responsibility. Under 211.84 and 820.50, a failure at your contract manufacturer is a failure of your purchasing controls. Your 483 response needs to show you had robust oversight of supplier corrective actions. Not that you trusted them to handle it.
The gaps I keep seeing:
- No trending to catch recurring supplier issues (Intas Pharmaceuticals got cited for failing to "evaluate and identify recurring issues that should be targeted for laboratory improvements")
- Root cause investigations that don't include supplier input, even when the problem started at their facility
- CAPAs that get "closed" without verifying they worked
- No trail showing how issues were communicated, what data the supplier provided, how you validated their fix
What this should look like: when a supplier-related deviation happens, you notify them within 24-48 hours. Get their investigation timeline and interim containment. When they send their root cause analysis, actually read it. Does the logic make sense? Is there data supporting it? Push back on weak corrective actions. Schedule effectiveness checks 30-90 days out. Document all of it.
One pattern I see over and over: supplier sends a one-page CAPA closure report that says "Retrained operator." Retraining by itself rarely fixes anything. If that's the answer to every problem, nothing is getting fixed. Effective corrective actions address systemic issues.
A 90-Day Plan (More or Less)
Supplier problems don't get fixed quickly. But if you've got an audit coming or you're tired of hoping nobody looks too closely at this stuff, here's roughly how to prioritize.
First week or so: Make a list of every active supplier. Components, raw materials, CMOs, testing labs. Group them by risk. Flag anyone who hasn't been audited in three years.
Second week: Pull your quality agreements. Check whether they cover CAPA communication, change control, audit rights. Mark the ones that need work.
Third week: Look at open CAPAs. How many supplier-related ones are overdue? Have you verified effectiveness on any of them in the last year?
Fourth week: Write up what you found. Suppliers without audits, outdated agreements, stalled CAPAs. Present to leadership with a realistic resource request.
Supplier audits: Start with high-risk suppliers. APIs, sterile components, anything implantable. If on-site isn't feasible, do remote audits with thorough document review. For suppliers you're not auditing, document your justification.
Agreement updates: Revise to include CAPA collaboration, change control, escalation paths. Get signatures. This takes longer than you'd expect because suppliers are slow to respond.
Overdue CAPAs: Contact every supplier with an open CAPA and set actual deadlines. For CAPAs closed without effectiveness verification, schedule follow-up.
Performance monitoring: Define metrics. On-time delivery, defect rate, deviation frequency, CAPA response time. Quarterly scorecards. Tie re-qualification to performance thresholds.
Procedure updates: Purchasing Controls SOP should cover when audits are required and how to categorize suppliers by risk. (Align these with the QMSR requirements taking effect February 2, 2026.) Quality Agreement SOP should standardize templates and review cycles. Supplier CAPA SOP should specify communication timelines and verification requirements.
Training: Quality team on evaluating supplier audit reports. Purchasing on why price isn't the only consideration.
What This Actually Means
The 50% increase in warning letters isn't random. It's a shift in what FDA prioritizes.
They're done with suppliers managed through spreadsheets and hoping for the best. They want documented systems, risk-based decisions, verifiable controls. If you can't show audit records, current agreements, and evidence of CAPA collaboration when someone asks, you're going to have problems.
Most companies getting warning letters aren't doing anything egregiously wrong. They're doing the minimum, and that doesn't cut it anymore.
The Fix
- Audit your critical suppliers
- Update your quality agreements
- Close your overdue CAPAs
- Write things down
References
- RAPS: FDA official: CDER warning letters up 50% in FY 2025
- FDA Group Insider: CDER Warning Letters Jump 50% in FY 2025
- Pharmaceutical Online: Trends In FDA FY 2024 Inspection-Based Warning Letters
- ECA Academy: Supplier Questionnaires and their Way into a FDA 483
- FDA: 21 CFR 820.50 - Purchasing Controls
- FDA: 21 CFR 211.84 - Testing and Approval or Rejection
- FDA: Contract Manufacturing Arrangements for Drugs: Quality Agreements (Guidance)
- FDA: Akorn Inc. Warning Letter (June 2019)
- European Pharmaceutical Review: FDA warning letters highlight CAPA concerns
- AssurX: Weak CAPA Programs Hit Globally by FDA Warnings
Find Your Supplier Gaps Before Auditors Do
We analyze quality system documentation against FDA requirements and show you what's missing, what's outdated, and what's going to be a problem during inspection.
Get a Gap Assessment