Recent FDA Warning Letters Highlight Gaps in Supplier Quality

FDA has been drawing a sharp line over the past year when it comes to supplier quality.

From supplier qualification issues to ongoing monitoring failures, the problems that keep showing up in FDA warning letters provide important signals about the agency’s thinking and where enforcement is heading.

The big takeaways: life sciences manufacturers are held responsible for supplier failures, and avoiding those scenarios requires a supplier quality program backed by data and evidence at every step.

With that in mind, let’s look at some of the common gaps highlighted in recent warning letters and how manufacturers can prevent similar failures.

Free white paper: Learn how to make GMP audits smoother in our free white paper: GMP Audits: Moving from an Adversarial to a Cooperative Process

Supplier-provided documentation isn’t sufficient evidence of conformance

More than half of the CGMP warning letters FDA issued to pharma manufacturers in 2025 cited 21 CFR 211.84(d)(1), which covers component identity testing. One common issue in these letters, which appears numerous times, is relying on a supplier’s certificate of analysis (COA) without independently verifying the results.

While companies may use COAs in lieu of some in-house testing, FDA requires that companies perform at least one identity test on each incoming lot and validate supplier analyses at appropriate intervals.

One contract manufacturer accepted supplier COAs for ethanol, glycerin, and chloroxylenol without independent verification. Another OTC liquid drug manufacturer was cited for using glycerin and sorbitol that had not been identity-tested prior to use. This includes testing for diethylene glycol and ethylene glycol (DEG/EG) contamination, a well-documented adulteration risk linked to fatal pediatric poisoning events worldwide.

At least eight additional pharmaceutical warning letters since 2025 cite manufacturers for the same COA-reliance pattern. So, what does the FDA expect to see here instead?

• A tiered, risk-based testing approach that separates high-risk components (e.g., glycerin, propylene glycol, ethanol, sorbitol, and other identity-substitution targets) from low-risk components.
• Documented supplier reliability cycles showing what evidence the firm has, when it was generated, and when it expires.
• At least one identity test on every incoming lot for high-risk components, regardless of supplier history.

Medical device manufacturers face a parallel requirement under FDA’s new Quality Management System Regulation (QMSR), which took effect February 2, 2026. QMSR incorporates ISO 13485 by reference, and requirements under the former 820.50, which required documented verification that purchased product conforms to specified requirements, now live in Clause 7.4 (Purchasing).

Clause 7.4 specifically requires verification proportionate to product risk and supplier evaluation tied to actual performance. That means supplier-provided documentation alone isn’t sufficient evidence of conformance.

FDA treats CMOs as extensions of the manufacturer

At least three pharmaceutical warning letters since 2025 contain almost the same sentence: “FDA regards contractors as extensions of the manufacturer.” This means that FDA will hold manufacturers responsible when a contract manufacturing organization (CMO) fails, regardless of any quality agreement they may have in place with a CMO.

One letter to a pharmaceutical sponsor highlights exactly how the agency views these types of failures. The company in question had been using a CMO to produce sterile ophthalmic drug products, without adequate supplier qualification processes to ensure the products were CGMP-compliant.

In fact, the sponsor had identified CGMP deficiencies at the CMO as early as 2020 and qualified the CMO anyway. The company also requalified the CMO in 2023 without evaluating whether subsequent CAPAs had actually fixed the problems. FDA wrote: “Comparing a COA from a CMO to pre-approved specifications does not overcome your responsibility to evaluate, qualify, audit, and monitor your contract manufacturers.”

Medical device manufacturers are subject to similar expectations under QMSR in clause 4.1.5 of ISO 13485. Those requirements also hold manufacturers responsible for any outsourced process that impacts product conformity, requiring controls proportionate to risk as well as written (and enforced) quality agreements.

The implication for both pharma and medical device is the same. If you outsource a critical activity, three things have to be live in your system:

• Documented evaluation and qualification of the contractor against the work they’re performing for you.
• Active monitoring of performance data, audit findings, and CAPA linkage
• Change control with contractual notification requirements and a documented process for evaluating supplier-initiated changes before they affect product.
• Quality agreement provisions that are actually enforced, with documented evidence the contractor is meeting them and a process for when they don’t.

Supplier qualification needs to be more than a paper exercise

Some recent warning letters describe supplier qualification programs that look procedurally complete on inspection but lack underlying evaluation.

One example is a 2025 letter to an API distributor and relabeler. As part of qualifying one of its API suppliers, the distributor sent a vendor survey asking whether the supplier had ever been inspected by FDA. The supplier said yes, with a “satisfactory” outcome.

In reality, FDA had never inspected the firm, a discrepancy that showed up in a separate vendor survey but was never investigated before requalifying the supplier. The quality agreement also required ongoing stability data; FDA later confirmed the supplier had no stability chambers and no stability samples. By the time FDA arrived at the distributor, several of its API suppliers were on FDA Import Alert.

A similar pattern shows up in medical device warning letters. A 2025 letter to a U.S. distributor of capillary blood collection tubes used in pediatric lead testing cited the firm under 21 CFR 820.50 for missed supplier evaluations, not conducting required audits, and quality agreement provisions that went unenforced. Moreover, this involved a critical supplier whose manufacturing change ultimately produced false-positive lead results in pediatric blood samples.

Supplier qualification requirements go beyond material suppliers

It’s worth noting that the supplier qualification requirements also apply to contract testing laboratories, something that appears in multiple warning letters. FDA expects manufacturers to qualify and oversee contract testing laboratories with the same rigor as material suppliers.

This principle even extends down to qualifying the water used in manufacturing as a component, another routine citation in pharma letters where companies fail to treat water systems as a supplied raw material.

The big question for quality leaders here is whether your supplier qualification record can answer three things at any moment:

• Who is approved and against what scope of work?
• What evidence supports the initial approval?
• What supports continued approval (e.g., audit findings, SCAR history, performance data, change notifications, CAPA effectiveness)?

FDA is shifting enforcement to QMSR

The first major post-QMSR warning letter was issued in Q1 2026 to a manufacturer of cardiovascular procedure kits, and while it doesn’t focus on supplier quality specifically, the letter’s concluding paragraph notes, “any corrective actions you propose or implement must be pursuant to the QMSR requirements in effect as of February 2, 2026.”

Two additional 2026 CDRH warning letters contain identical QMSR transition language. For supplier quality specifically, one of the most consequential changes is that supplier audit records are now within FDA inspection scope, after being explicitly off-limits under the previous QSR.

ISO 13485:2016 Clause 7.4 requires supplier evaluation, monitoring, and re-evaluation proportionate to the risk associated with the medical device. Two things device quality leaders should expect FDA to look for going forward:

• Risk-based supplier audits, with risk criteria documented and applied consistently.
• Supplier audit records that show real evaluation of findings, root cause analysis, corrective actions, and effectiveness verification.

How does an EQMS help prevent supplier quality management failures?

From a big-picture perspective, an enterprise quality management system (EQMS) helps companies avoid supplier-related compliance failures is by connecting records that live in separate systems. With an EQMS, all supplier-related data flows into one comprehensive record, including:

• Supplier qualification files
• Audit findings
• Supplier corrective action requests (SCARs)
• Change control records
• CAPA effectiveness reviews

In terms of supplier audits, risk-based requalification replaces calendar-based auditing, surfacing suppliers that need attention before findings accumulate.

Supplier audit records capture the full chain of evaluation, root cause analysis, corrective actions, and effectiveness verification. In other words, exactly what FDA expects to see under QMSR. Teams can easily track quality agreement provisions against documented evidence, rather than just assuming the supplier is meeting them based on an existing quality agreement.

Supplier records must exist before FDA shows up

When supplier records exist as a live system, asking who is approved, why, and what supports continued approval becomes a routine part of the process.

Consider, for example, the letter to one API distributor demanding a comprehensive, detailed list of every supplier the manufacturer had evaluated in the past three years. This includes FEI numbers, current status, point of contact, date approved, and quality agreement confirmation for each.

The response window for an FDA warning letter is just 15 working days. The agency clearly expects these records to already exist on demand, not as something quality teams build in response to enforcement actions.

The supplier-quality patterns FDA has been citing since 2025 aren’t likely to slow down, and under QMSR, the agency now has more visibility into supplier programs than ever before. The work of building supplier oversight that holds up under inspection happens long before the 15-day response window starts. That’s where quality leaders should be investing now.

About the Author

Stephanie Ojeda is Vice President of Product Management for the Life Sciences industry at AssurX. Stephanie brings more than 18 years of leading quality assurance functions in a variety of industries, including pharmaceutical, biotech, medical device, food & beverage, and manufacturing.