Imagine a government inspector walking through your front door without a single minute of warning, demanding to see every scrap of paper your team has written for the last three years. For many pharmaceutical and medical device companies, this isn't a nightmare; it's just another Tuesday. The stakes are incredibly high; if you can't prove your manufacturing quality through documented evidence, the FDA doesn't care how good your product actually is. They view a lack of records as a lack of quality, period.
The Quick Facts on FDA Record Access
- General Authority: The FDA uses Section 704(a)(1) of the FD&C Act to inspect facilities and review CGMP records.
- The "Safe Space": Internal quality assurance audits are generally protected from review to encourage honest self-correction.
- Hard Deadlines: Companies have exactly 15 business days to respond to Form 483 observations.
- Retention: Drug records must be kept for 1 year past the expiration date; medical device records for the device lifespan plus 2 years.
Who Gets to See What? Understanding the FDA's Reach
Not all inspections are created equal. Depending on why the FDA is visiting, the amount of data they can dig into changes. Most companies experience "surveillance inspections," which make up about 75% of pharmaceutical visits. In these cases, the FDA usually follows CPG Sec. 130.300, a policy that keeps internal quality assurance audit reports private. Why? Because if the FDA punished companies for finding their own mistakes, nobody would ever run an honest internal audit.
Things change drastically during "for-cause" inspections. These happen when there's a specific problem, like a spike in product recalls or a whistleblower report. In these scenarios, the "safe space" vanishes. The FDA gains full access to everything, including those protected internal audits. If you're in a for-cause situation, transparency isn't a choice; it's a requirement for survival.
The Paper Trail: CGMP and the Documentation Trap
The backbone of every inspection is CGMP (current Good Manufacturing Practice). These aren't just suggestions; they are legal requirements. Investigators look for "contemporaneous records," meaning you wrote it down as it happened. If you fill in a logbook at the end of the week from memory, you've just committed a major violation. In 2024, about 22% of warning letters were issued specifically because of these documentation failures.
Manufacturers often struggle to distinguish between a "protected audit" and a "mandatory investigation." For example, if you run a routine check to see if your staff is following SOPs, that's likely a protected QA audit. But if a batch of medicine fails a purity test and you investigate why, that is a quality control investigation. Under 21 CFR 211.192, that investigation must be fully accessible to the FDA. Many professionals find this line blurry, leading to "over-disclosure" where companies accidentally hand over protected documents, potentially creating more regulatory headaches.
| Inspection Type | Typical Frequency | Access to Internal QA Audits | Primary Outcome |
|---|---|---|---|
| Surveillance | ~75% (Pharmaceuticals) | Generally Restricted (CPG 130.300) | Form 483 or NAI |
| For-Cause | ~18% (Pharmaceuticals) | Full Access | Warning Letters / Consent Decrees |
| Remote (RRA) | ~8% (Early 2025) | Digital/Database Access | Information Gathering (No 483) |
The Dreaded Form 483 and the 15-Day Sprint
When an inspector finds something they don't like, they issue Form FDA 483 (Notice of Inspectional Observations). This isn't a final judgment, but it's a serious warning. The clock starts immediately: you have 15 business days to provide a written response. If you miss this window or provide a weak answer, you're heading straight toward a Warning Letter.
The secret to winning this sprint is root cause analysis. Companies that use a formal methodology to explain why a mistake happened and how they'll stop it from happening again have an 89% closure rate within six months. Those who just say "we retrained the employee" often find their issues recurring, which makes the FDA even more critical during the next visit.
Foreign Facilities: The End of the "Heads-Up"
If you're manufacturing outside the U.S., the rules just got a lot tougher. For years, many foreign sites expected a courtesy call before an inspector arrived. That's ending. The FDA announced in May 2025 that it's ramping up unannounced inspections of foreign facilities, aiming to move from a 12% rate to 35% by the end of the year. This means your facility needs to be "inspection-ready" every single day of the year.
To handle this, many Fortune 500 companies are pivoting toward Remote Regulatory Assessments (RRAs). By setting up digital read-only access to their databases, these firms have cut inspection-related production downtime by a staggering 65%. It's a move toward a more fluid, digital form of transparency that avoids the chaos of a physical surprise visit.
Practical Steps for Inspection Readiness
Getting ready for an FDA visit is an expensive endeavor, averaging about $385,000 annually for many firms. But the cost of failing is much higher. To stay compliant, you need a system that separates your records clearly.
- Create a Document Partition: Clearly label your internal QA audit reports separately from your Quality Control (QC) investigations. This prevents the accidental disclosure of protected data.
- Invest in Specialized Training: A 6-9 month training window for new quality staff is standard. Certification through the Regulatory Affairs Professionals Society (RAPS) can boost your team's readiness by nearly 40%.
- Run "Mock Audits": Don't wait for the FDA. Use an external team to simulate a for-cause inspection to find the blind spots in your CGMP records.
- Digitize for RRA: If you produce for the U.S. market, implement an RRA-ready system. Providing secure, remote access to records shows a level of transparency that can build trust with investigators.
Does the FDA really ignore internal audit reports?
Generally, yes, under CPG Sec. 130.300, provided the audits are part of a formal written program. This is meant to let companies find and fix their own mistakes. However, this protection disappears during "for-cause" inspections or if the auditor suspects the reports are being used to hide systemic fraud.
What happens if I don't respond to a Form 483 in 15 days?
Missing the 15-business-day window is a major red flag. It often leads to the issuance of an FDA Warning Letter, which is a public document that can tank your stock price and alert your competitors to your quality failures. It may also lead to more frequent inspections in the future.
What is the difference between an RRA and a formal inspection?
A Remote Regulatory Assessment (RRA) is a virtual evaluation. It involves reviewing documents or accessing databases remotely. Unlike a formal physical inspection, an RRA does not result in the issuance of a Form 483, making it a lower-stress way for the FDA to gather information.
How long should I keep my manufacturing records?
For pharmaceuticals, the rule is generally 1 year after the drug's expiration date. For medical devices, you must keep quality system records for the entire lifespan of the device plus an additional 2 years. Always check 21 CFR 211.180 and 21 CFR 820.180 for the specific requirements of your product type.
Are all foreign facilities subject to unannounced inspections?
Not all, but the percentage is increasing rapidly. The FDA is targeting a 35% unannounced rate for foreign facilities by the end of 2025. This is a strategic shift to ensure that global supply chains are maintaining the same quality standards as domestic U.S. plants.