The FY 2025 FDA Inspection Observation data provide more than a statistical snapshot of frequently cited deficiencies. They offer a structured view into how regulators assess the operational maturity, governance discipline, and lifecycle control of quality systems across pharmaceutical and medical device manufacturing.
Although the regulatory frameworks differ: 21 CFR Part 211 for drugs and 21 CFR 820/803/801/830 for devices, the underlying trends point toward common systemic vulnerabilities: insufficient governance by the Quality authority, procedural frameworks that do not translate into reliable practice, underdeveloped investigation capability, weak lifecycle evidence, and incomplete integration between quality feedback loops and executive oversight.
While these datasets reflect system-generated FDA Form 483 observations (and therefore do not represent every inspection), the frequency and consistency in the cited provisions offer a strong indicator of enforcement focus and industry performance.
The Quantitative Profile: Where the FDA Is Writing Observations
A review of the FDA’s FY 2025 dataset shows clear concentration points, indicating not only where firms continue to fall short but also where the FDA repeatedly expects stronger system controls and documented assurance.
Pharmaceutical Manufacturing
FDA recorded:
- 2,837 drug-related citations
- 316 unique regulatory provisions
The most frequently cited remain well-known pillars of GMP weakness:
- 21 CFR 211.22(d): Quality Unit responsibilities and procedures not adequately established or not followed
- 21 CFR 211.192: Failure to thoroughly investigate unexplained discrepancies and failures
- 21 CFR 211.100(a): Absence or inadequacy of written and approved procedures for production and process control
- 21 CFR 211.160(b): Laboratory controls not based on scientifically sound principles
- 21 CFR 211.67: Deficiencies in cleaning, maintenance, and procedural clarity for equipment
- 21 CFR 211.68: Weak governance of automated and electronic systems
Collectively, these observations map to a theme: insufficient control over the lifecycle of manufacturing and laboratory operations, and a Quality Unit that is not consistently functioning as the governing authority mandated by Part 211.
| Rank | CFR Reference | Short Description | Observations | % of Total |
|---|---|---|---|---|
| 1 | 21 CFR 211.22(d) | Procedures not in writing / not followed (Quality Unit) | 243 | 8.6% |
| 2 | 21 CFR 211.192 | Inadequate investigation of discrepancies / failures | 164 | 5.8% |
| 3 | 21 CFR 211.100(a) | Absence of adequate written procedures | 162 | 5.7% |
| 4 | 21 CFR 211.160(b) | Laboratory controls not scientifically sound | 121 | 4.3% |
| 5 | 21 CFR 211.67(a) | Cleaning, sanitizing, and maintenance deficiencies | 95 | 3.3% |
| 6 | 21 CFR 211.68(b) | Computerized system / master record controls | 87 | 3.1% |
| 7 | 21 CFR 211.63 | Equipment design, size, or location deficiencies | 81 | 2.9% |
| 8 | 21 CFR 211.67(b) | Cleaning procedures not established or not followed | 70 | 2.5% |
| 9 | 21 CFR 211.113(b) | Sterile product contamination control procedures | 68 | 2.4% |
| 10 | 21 CFR 211.165(a) | Testing and release for distribution | 44 | 1.6% |
Medical Devices
FDA documented:
- 2,660 device-related citations
- 185 unique provisions
The dominant citations fall within the central nervous system of the Quality System Regulation (QSR):
- 21 CFR 820.100(a/b): Inadequate CAPA procedures and documentation
- 21 CFR 820.198(a): Insufficient complaint handling and escalation
- 21 CFR 820.50: Purchasing controls and supplier qualification weaknesses
- 21 CFR 820.90(a): Failures in handling nonconforming product
- 21 CFR 820.75: Gaps in process validation
- 21 CFR 803.17: Deficient Medical Device Reporting procedures
- Continued citations under management responsibility, internal audits, training, and UDI/GUDID compliance
Here, the recurring narrative is straightforward: the QMS is often functionally reactive rather than proactively supervisory, with feedback loops (complaints → CAPA → risk management → management review) not consistently operating as an integrated control mechanism.
| Rank | CFR Reference | Short Description | Observations | % of Total |
|---|---|---|---|---|
| 1 | 21 CFR 820.100(a) | CAPA procedures inadequate or not established | 279 | 10.5% |
| 2 | 21 CFR 820.198(a) | Complaint handling deficiencies | 211 | 7.9% |
| 3 | 21 CFR 820.50 | Purchasing and supplier controls deficient | 115 | 4.3% |
| 4 | 21 CFR 820.90(a) | Nonconforming product control failures | 95 | 3.6% |
| 5 | 21 CFR 820.75(a) | Process validation inadequate | 93 | 3.5% |
| 6 | 21 CFR 803.17 | Medical Device Reporting (MDR) procedures inadequate | 63 | 2.4% |
| 7 | 21 CFR 820.100(b) | CAPA documentation weaknesses | 63 | 2.4% |
| 8 | 21 CFR 820.22 | Internal quality audits deficient | 57 | 2.1% |
| 9 | 21 CFR 801.20(a) | Device lacks required Unique Device Identification (UDI) | 54 | 2.0% |
| 10 | 21 CFR 820.25(b) | Training procedures inadequate | 50 | 1.9% |
Regulatory Interpretation: What These Citations Really Mean in Practice
This data does not simply say “procedures are missing” or “investigations are weak.” It highlights that regulators increasingly expect systems that are structurally capable of maintaining control under variability, responding predictably to disturbances, and demonstrating capability through documented evidence.
Let us break this into domains.
Quality Governance and Organizational Authority
For pharmaceuticals, repeated citation to 211.22(d) reinforces that the FDA is not satisfied when the Quality Unit exists only on an organizational chart. The regulation requires:
- Clear definition of responsibilities
- Written, approved procedures governing decision-making
- Demonstrable adherence to those procedures
FDA expectations are anchored in the concept that the Quality Unit exercises independent and effective oversight. When it does not, regulatory confidence erodes immediately.
For devices, the parallel weaknesses emerge in:
- 820.100: Deficient CAPA management structures
- 820.20: Insufficient management responsibility
- 820.22: Internal audit systems that fail to detect performance degradation
In both environments, FDA is effectively asking:
“Does your Quality function merely approve documents, or does it govern the system in a measurable, defendable, and accountable way?”
Investigations: From Documentation to Rooted Understanding
In the pharmaceutical industry, 211.192 remains one of the most potent indicators of inspectional vulnerability. The regulation requires thorough investigations, including:
- Identification of causes
- Evaluation of the impact on the distributed product
- Documentation of conclusions and follow-up
When firms default to:
- Unjustified repeat testing
- Narrative-based closure without evidence
- Failure to trend and contextualize deviations
- Absence of scientific rationale
The FDA does not categorize these as clerical oversights but as failures in the integrity of the decision-making process.
In devices, the equivalent breakdown appears through:
- complaint handling deficiencies
- nonconforming product mismanagement
- failure to link field signals to CAPA
Regulatory thinking is aligned across both sectors: Investigations are not administrative outcomes; they are risk control instruments. When they fail, the entire assurance chain loses credibility.
Procedures vs. Practice: The “Living System” Expectation
Across FY 2025, a recurring theme emerges: companies often have procedures, but those procedures either do not reflect reality or are not robust enough to withstand operational variability.
For drugs:
- 211.100(a) reveals production control instructions that lack operational precision
- 211.160(b) demonstrates laboratory systems lacking scientifically defensible frameworks
- 211.67 exposes cleaning systems that cannot be justified or repeated with confidence
For devices:
- CAPA procedures exist, but lack triggers, thresholds, or structured evaluation criteria
- Complaint procedures exist, but fail to define decision logic
- MDR procedures exist, but do not guarantee timely reporting
- UDI systems exist, but do not function as reliable traceability infrastructures
The regulatory expectation is not “write a procedure.” It is to establish a durable, reproducible, risk-aware operating architecture.
Lifecycle Control and Evidence
Both sectors reveal insufficient maturity in lifecycle thinking, a theme strongly aligned with modern regulatory philosophy (ICH Q10, Q12, ISO 13485 principles, Annex 15, and the future U.S. QMSR alignment for devices).
For pharmaceuticals:
- Laboratory controls are not treated as lifecycle entities
- Cleaning validation lacks continued verification models
- Computerized systems do not always demonstrate validated, controlled, and access-secured states
SEE ALSO: Computer System Validation (CSV) in the Pharmaceutical Industry
For medical devices:
- Process validation is too often “event-based” rather than lifecycle-based
- Risk management files are not consistently linked to CAPA or complaint trends
- UDI is approached as a compliance requirement instead of an operational traceability backbone
The regulator’s message is clear: Compliance is not static. It must live, evolve, and remain demonstrable.
Why These Trends Matter Beyond the Inspection Room
These FY 2025 observations align closely with the reasons FDA escalates cases to Warning Letters and consent decrees. Patterns indicate that when companies fail, they rarely fail at isolated execution; they fail in system architecture, leadership accountability, and disciplined governance.
The trajectory of global regulation reinforces this shift:
- Stronger integration of risk management and decision justification
- Increasing digital reliance requires structured control of computerized systems
- Transition of device regulation toward QMSR alignment with ISO 13485
- Continued international convergence around lifecycle proof and data-driven oversight
Organizations that treat Quality as documentation management will increasingly find themselves vulnerable.
Key Strategic Questions Every Manufacturer Should Be Asking
Both pharmaceutical and device manufacturers should be evaluating themselves against the questions the FDA implicitly asks through these observations:
- Is the Quality Unit / Quality Management truly empowered, documented, and demonstrably accountable?
- Do investigation systems produce learning, or do they simply produce closure?
- Do procedures describe reality or wishful process design?
- Is lifecycle evidence available, defendable, and actively reviewed?
- Are CAPA systems functioning as drivers of continuous improvement or as repositories of administrative activity?
- Are computerized systems, data integrity controls, and traceability infrastructure governed with the same rigor as physical processes?
- Can management prove, not simply claim, oversight and control?
If any of these answers produce hesitation, FY 2025 data suggests the FDA will eventually expose the weakness.
Final Reflection
FY 2025 does not reveal surprising new risks. It exposes unresolved structural weaknesses that continue to challenge manufacturing organizations across both sectors.
Drugs and devices operate under different legal frameworks. But the FDA is clearly assessing them under a shared expectation of maturity, robustness, scientific justification, and management accountability.
Those who evolve beyond compliance performance toward true quality system maturity, lifecycle control, and evidence-driven governance will not only withstand inspection pressure; they will strengthen their operational credibility, regulatory relationships, and ultimately, patient safety assurance.
