The U.S. Food and Drug Administration (FDA) inspected Novo Nordisk Inc. (NNI) between January 13 and February 7, 2025, under the Agency’s Bioresearch Monitoring Program, to assess compliance with postmarketing adverse drug experience (PADE) requirements. The inspection focused on whether the company’s systems for receiving, evaluating, investigating, and reporting adverse drug experiences (ADEs) were accurate, timely, and compliant with section 505(k) of the FD&C Act and 21 CFR 314.80.
FDA concluded that Novo Nordisk failed to develop and maintain procedures that ensured serious and unexpected ADEs were reported to FDA within the required 15-calendar-day timeframe and that such cases were promptly investigated. The Warning Letter describes a broader operating-model failure: valid cases were rejected or invalidated based on flawed procedural logic, vendor-executed intake was not adequately controlled, medical review timelines were not enforced, and corrective actions were closed without demonstrating that compliance had actually been restored.
The products discussed during the inspection included application-holder responsibilities for products containing semaglutide, liraglutide, nedosiran sodium, and estradiol, but FDA also made clear that its concerns may extend beyond the sampled products to the firm’s wider portfolio.
Key Non-Conformances Identified
FDA cited two central PADE violations. Both point to the same underlying problem: the company’s pharmacovigilance system did not reliably convert incoming safety information into timely, compliant regulatory action.
Non-Conformance 1: Failure to Develop Written Procedures for Surveillance, Receipt, Evaluation, and Reporting of ADEs
Regulatory Citation: 21 CFR 314.80(b)
FDA found that Novo Nordisk’s written procedures did not ensure that the company, or contractors acting on its behalf, complied with U.S. requirements for the surveillance, receipt, evaluation, and reporting of ADEs. This was not a narrow documentation issue. FDA linked the procedural weaknesses directly to missed 15-day Alert reports, invalid case handling, delayed case progression, and ineffective CAPA implementation.
1) Causality was incorrectly used to reject reportable cases
Novo Nordisk’s procedure Q014048, “Handling of Adverse Events and Other Safety Information”, allowed cases to be rejected or cancelled when the reporter believed the event was unrelated to the product. That approach is incompatible with FDA’s definition of an adverse drug experience, which covers any adverse event associated with the use of a drug in humans, whether or not considered drug-related.
This distinction is critical. For U.S. expedited reporting purposes, the question is not whether the reporter believes causality is excluded. The question is whether the case meets the threshold for a serious and unexpected ADE that must be submitted within 15 calendar days.
FDA cited an example involving Argus Case #1331385, in which a consumer reportedly became disabled after a stroke while receiving liraglutide. Because the consumer stated that the stroke was not related to the product, the case was rejected. FDA considered that handling unacceptable.
The company had already recognized this issue internally. In Deviation DV0166369, opened in April 2024, Novo Nordisk identified that serious and unexpected ADEs had not been submitted because cases were being cancelled or rejected as “incidental” or “incidental and unrelated.” The root cause assessment reportedly acknowledged that the procedural approach may have aligned with certain foreign regulatory expectations, but not with U.S. requirements.
FDA’s concern was not only that the procedure was flawed, but that the remediation of the deviation was also weak. Although the deviation was closed in December 2024, the current version of the procedure still retained problematic language tied to relatedness and causality. In addition, the firm closed the deviation without confirming that all reportable cases had actually been submitted to FDA. As a result, FDA could not verify that the retrospective correction had been completed.
2) Valid cases were invalidated because patient identifiers were not captured correctly
FDA also found that Novo Nordisk and its call-center contractors incorrectly invalidated cases due to an alleged lack of patient identifiers, even though valid identifiers were present in the source documents.
This issue directly affected expedited reporting. Cases that should have qualified as valid Individual Case Safety Reports (ICSRs) were screened out before submission, and some were only reported after they were discussed during the inspection.
FDA cited Argus Case #1342548, involving a report of death in a male patient receiving semaglutide. The case had been invalidated because the patient identifier was not captured, yet FDA identified the patient identifier in the source material during the inspection. Because of that invalidation error, the case was not reported within the required 15-day timeframe.
This problem had also been identified previously. Novo Nordisk had observed issues with one contractor, opened Deviation DV0155511, changed vendors, and implemented training-related CAPAs. However, the same defect persisted even after the contractor transition. FDA therefore concluded that changing vendors and updating training resources did not resolve the underlying control weakness.
The Agency’s position is clear: application holders remain responsible for PADE compliance even when case intake or processing is delegated to third parties. Vendor turnover does not close a compliance gap unless the sponsor can show that oversight, training, source-data verification, and quality controls actually prevent recurrence.
3) Cases remained in medical review too long, leading to missed 15-day deadlines
Novo Nordisk’s procedure Q040018, “Handling Individual Safety Cases in the Global Safety Database”, stated that most serious adverse reactions should enter medical review by calendar day 9 and complete medical review by calendar day 10 after the awareness date. FDA found that these timelines were not being enforced in practice.
The Warning Letter states that serious and unexpected ADEs remained in medical review status beyond the period allowed by procedure, and that this delay prevented timely submission to FDA.
FDA cited Argus Case #1334278, involving a consumer report of suicidal ideation while taking semaglutide. The information was reportedly received on December 9, 2024. The case entered medical review on December 16, 2024, but was not medically reviewed until February 3, 2025, after being identified during FDA’s inspection. It was not submitted until February 5, 2025.
This finding is operationally important because it shows that a company can fail expedited reporting requirements even after the case enters the formal safety workflow. In other words, a valid case intake process is not enough if queue management, medical review capacity, escalation controls, and aging oversight are not robust enough to protect the reporting clock.
FDA’s Core Concern
FDA’s concern goes beyond several late cases. The letter shows a pharmacovigilance system in which valid safety information could be filtered out, downgraded, or delayed at multiple points:
during case intake
during validity assessment
during medical review
during vendor-executed processing
during deviation closure and CAPA follow-up
In practical terms, the system did not make compliance inevitable. Instead, it allowed too much discretion, too many procedural barriers, and too little governance over whether reportable safety information reached FDA on time.
Non-Conformance 2: Failure to Promptly Investigate ADEs Subject to 15-Day Alert Reports
Regulatory Citation: 21 CFR 314.80(c)(1)(ii)
FDA also found that Novo Nordisk failed to develop procedures that ensured all ADEs subject to 15-day Alert reporting were promptly investigated.
This finding is especially significant because it shows the Agency was not focused only on late submissions. FDA also examined whether the firm followed up appropriately to obtain additional safety information, clarify the case, and support ongoing signal evaluation.
1) The procedure imposed an unnecessary consent requirement before follow-up
Novo Nordisk’s procedure Q0360683, “Case Management Workflow at Novo Nordisk Inc. Patient Safety”, stated that follow-up was not required if consent had not been obtained from the reporter and the reporter was a non-health care professional.
FDA rejected this logic. PADE regulations do not require reporter consent as a precondition for follow-up attempts when additional information is needed for investigation of a serious and unexpected ADE.
FDA cited Argus Case #1171264, in which a non-health care professional reported the death of a patient receiving semaglutide. According to the Warning Letter, the company did not promptly investigate the case because the reporter had not provided consent, and the case was ultimately closed without being reported to FDA.
This is a highly consequential finding. It means that the company’s procedure did not merely slow follow-up; it established a rule that could prevent serious cases from being investigated at all.
2) Even when follow-up was required, it was not consistently performed
The same procedure reportedly required two follow-up attempts for serious cases involving death. FDA nevertheless identified cases where follow-up was not documented.
One example involved Argus Case #1079792, in which a physician reportedly informed a company representative that a patient taking semaglutide had become depressed and died by suicide. FDA stated that no attempt to obtain additional information from the reporter, including patient identifiers, was documented. As of the date of the Warning Letter, that case had still not been submitted to FDA.
This point is central to the Agency’s broader message. A company cannot claim that its procedures require follow-up if the operational system does not ensure that follow-up actually happens, is documented, and feeds back into timely regulatory reporting.
Why This Warning Letter Matters
This Warning Letter represents a pharmacovigilance enforcement action centered on how a marketing application holder captures and governs safety information after product approval.
That makes the implications especially important for companies with complex global PV models, outsourced intake activities, shared service functions, or multiple handoffs between vendors and internal safety teams.
FDA is making several points very clearly:
U.S. reportability rules cannot be diluted by global definitions or foreign reporting logic.
Reporter views on causality do not justify excluding a case from U.S. ADE handling.
Valid case criteria must be applied correctly and verified against source data.
Vendor delegation does not reduce sponsor accountability.
Daily workflow states, including medical review, must be actively controlled against reporting deadlines.
CAPAs are not effective simply because they were opened, documented, or administratively closed.
Root Causes Suggestions
Based on the deficiencies described, the underlying root causes appear to include the following:
1) U.S. regulatory requirements were not adequately embedded into procedure design
Key written procedures contained logic that conflicted with FDA requirements, particularly around relatedness, causality, case validity, and follow-up expectations.
2) Vendor oversight was not sufficiently mature
Contractors performed critical intake and processing steps, but the sponsor did not demonstrate that it had a reliable control model for training, source-data review, quality checks, performance monitoring, and delegated-function oversight.
3) Workflow governance was weak
Cases could remain in medical review too long without escalation, suggesting inadequate aging controls, queue ownership, or deadline-based management.
4) CAPA effectiveness was not demonstrated
Deviations were opened and closed, but FDA did not see evidence that the procedural fixes had actually removed the compliance risk or prevented recurrence.
5) Root-cause investigations were too narrow
FDA repeatedly criticized the company for failing to provide sufficient detail on why the issues occurred, how broad the impact was, and how future compliance would be ensured across the full product portfolio.
CAPA Plan Expectations and Regulatory Recommendations
Based on the findings in the Warning Letter, an adequate remediation program would need to go beyond revising SOP language. FDA is clearly expecting system-level correction with demonstrable control.
Non-Conformance 1: Failure to Develop Adequate Written Procedures for ADE Reporting
Root Causes
Written procedures inconsistent with U.S. PADE definitions and reporting thresholds
Improper use of relatedness and causality as case-screening criteria
Weak source-data verification for validity assessment
Inadequate oversight of vendor-performed case intake and processing
Failure to verify CAPA completion before deviation closure
Expected Corrective and Preventive Actions (CAPA)
Revise all applicable local and global procedures to align with U.S. reporting requirements
Remove causality-based exclusion logic from case intake and evaluation procedures
Revalidate the definition and handling of valid ICSRs, including patient identifier capture rules
Perform a documented retrospective review of rejected, cancelled, invalidated, or delayed cases
Submit any missed 15-day Alert reports and document case reconciliation
Establish formal source-data verification and quality-check requirements for internal teams and vendors
Strengthen deviation closure criteria so CAPAs cannot be closed before implementation and effectiveness are verified
Non-Conformance 2: Failure to Promptly Investigate 15-Day Alert Cases
Regulatory Citation: 21 CFR 314.80(c)(1)(ii)
Root Causes
Procedural barriers to follow-up, including unnecessary consent requirements
Insufficient controls over vendor follow-up activities
Lack of documented escalation when critical case information is missing
Weak monitoring of serious cases requiring prompt investigation
Limited assurance that follow-up requirements were consistently performed and documented
Expected Corrective and Preventive Actions (CAPA)
Remove consent as a predicate requirement for follow-up attempts
Revise SDEAs, work instructions, and vendor guidance to reflect FDA expectations
Define minimum follow-up requirements by case seriousness and scenario
Establish documented controls for timing, number of attempts, and escalation of follow-up
Conduct retrospective review of serious cases to verify whether follow-up was timely and adequate
Implement quality oversight mechanisms for vendors performing intake or follow-up on behalf of the application holder
Practical Remediation Horizon
FDA did not lay out a formal phased timeline in the Warning Letter, but the remediation logic points to a sequence that would typically need to include the following:
Immediate Actions (0–3 Months)
Stop using procedures that conflict with FDA PADE requirements
Reconcile and submit all potentially missed 15-day Alert reports
Implement interim review controls for case validity, patient identifier capture, and medical-review aging
Begin independent assessment of pharmacovigilance procedures, vendor interfaces, and deviation/CAPA systems
Short-Term Actions (3–6 Months)
Finalize revised SOPs, work instructions, training materials, and SDEAs
Complete retrospective reviews of affected cases and pharmacovigilance-related deviations
Implement formal daily aging review and escalation controls across workflow states
Define vendor quality oversight activities, including audits, KPIs, training checks, and source-data verification
Long-Term Actions (6–12 Months)
Demonstrate CAPA effectiveness through measurable compliance outcomes
Establish governance forums for recurring review of ADE timeliness, validity errors, follow-up quality, and vendor performance
Complete portfolio-wide impact assessment and close any residual systemic gaps
Strengthen management review so serious pharmacovigilance deviations are escalated and challenged before they recur
Conclusion
This Warning Letter is fundamentally about pharmacovigilance system design.
FDA did not describe isolated administrative misses. It described a safety-reporting model in which valid cases could be rejected based on the wrong regulatory logic, invalidated despite available source information, delayed in medical review beyond internal deadlines, or left without appropriate follow-up because the procedure itself created unnecessary barriers.
The Agency’s message is direct: for an application holder, compliance with 21 CFR 314.80 is not satisfied by having procedures on paper, vendors under contract, or retrospective corrections after inspection. The system must reliably ensure that safety information is captured, investigated, escalated, and reported within the timelines required by law.
For companies operating outsourced or hybrid pharmacovigilance models, this Warning Letter is a strong reminder that sponsor accountability does not weaken when work is delegated. If the procedures are misaligned, the oversight is soft, and the CAPAs are closed before effectiveness is proven, the same reporting failures will continue to recur—only now with FDA questioning the integrity of the entire safety surveillance framework.
