FDA Compliance in Software Development: Cases Where Poor Software Quality Led to Costly FDA Rejections

If you work in pharma, you know how much time and money go into drug development. The last thing you want is a painful FDA rejection, one that not only costs your company millions but also delays critical treatments for patients who need them.
Regulatory rejections can happen for many reasons, such as insufficient clinical evidence, manufacturing and quality concerns, incomplete applications or missing data, and general safety issues. However, in recent years, poor software quality has become a growing yet often overlooked factor.
By "software," we mean not just applications, but also programming environments, languages, and the tools used to process and govern clinical data. As more pharmaceutical companies explore open-source technologies like R alongside SAS for clinical trial analysis, regulatory bodies are paying closer attention to software quality and compliance.
With that in mind, GxP compliance in software development is critical to making this transition smooth and secure. In this article, we'll examine cases where software quality issues led to costly FDA rejections—so you can learn what to watch for and how to avoid similar setbacks.
Table of contents
- Are Software Quality Issues a Common Reason for FDA Rejections?
- How an FDA Rejection Can Cost Your Company Three-Quarters of Its Valuation - And How to Avoid It
- Appsilon's Role in GxP Compliance
Are Software Quality Issues a Common Reason for FDA Rejections?
There are many reasons why the FDA might reject your drug submission or request improvements during an inspection.
While issues like insufficient clinical evidence, manufacturing concerns, and missing data are often the most cited reasons, software quality plays a crucial role in ensuring compliance and data integrity.
For example, poor data processing or flawed statistical analyses can lead to insufficient clinical evidence, where trial results fail to demonstrate efficacy due to errors in data handling. Similarly, compliance issues in manufacturing and quality control may arise if software systems used for tracking and reporting do not meet regulatory expectations.
The following reasons are cited much more often than software quality:
- Insufficient clinical evidence: Lack of sufficient data demonstrating the drug’s efficacy.
- Manufacturing and quality concerns: Non-compliance with Current Good Manufacturing Practices (CGMP), which ensure consistency and safety in drug production.
- Incomplete applications or missing data: Gaps in documentation or failure to provide required study results.
- Safety concerns: Adverse effects of the drug that outweigh its potential benefits.
However, this doesn't mean that the FDA doesn't pay attention to software quality.
The FDA and other regulatory bodies closely examine the tools and methodologies used in data analysis, clinical trial reporting, and regulatory submissions. They also receive the data needed to reproduce the analyses done by the sponsor.
If your company uses programming languages like R or Python for these tasks, the FDA may evaluate whether your scripts and validation processes comply with their expectations.
How an FDA Rejection Can Cost Your Company Three-Quarters of Its Valuation - And How to Avoid It
Let’s start with a devastating FDA rejection case that broke one company overnight.
In late November 2024, Applied Therapeutics (APLT) stock plummeted after the FDA rejected its metabolic disease drug. And when we say "plummeted," we mean it - APLT lost three-quarters of its valuation almost instantly:

The stock dropped from a closing price of $10.21 on November 26 to $2.03 on November 29, representing an 80% decrease.
It is now February 2025, and judging by the chart, the company has yet to recover - partly due to avoidable deficiencies in its clinical application.
Unfortunately, this is not the only software-related FDA rejection. Here are a few more cases that highlight the importance of GSEP (Good Software Engineering Practices):
- Outlook Therapeutics collapses as FDA rejects application for eye drug
- FDA rejects Theratechnologies application, with problems 'largely' centered on manufacturing
- 2023 FDA Warning Letters and Software Validation
Types of FDA inspections
If you're part of a highly regulated industry like pharma, you're probably accustomed to FDA inspections. If not, here are a few reasons why the FDA might conduct an inspection:
- Pre-approval inspections: Conducted before approving a new drug application to verify submitted data, assess manufacturing processes, and confirm compliance.
- Routine GMP inspections: Conducted periodically based on risk factors, typically every 2 to 4 years.
- For-cause inspections: Triggered by complaints, adverse events, product recalls, or whistleblower reports.
- Follow-up inspections: Conducted after a previous inspection identified significant deficiencies.
- Bioresearch Monitoring (BIMO) inspections: Conducted to inspect clinical trials, bioequivalence studies, and laboratory practices.
- Post-market inspections: Conducted after a product is on the market to ensure ongoing quality and regulatory compliance.
- Foreign inspections: Conducted at overseas facilities that manufacture products for the U.S. market.
Examples of software-related compliance issues
Now that you know the types of inspections the FDA can conduct, let's examine real-world FDA inspection reports that highlight software-related issues. All of these reports are publicly available on the FDA website.
Common FDA concerns related to software include software bugs, missing audit trails, security flaws, lack of backup processes, and poor validation of software systems.
The report excerpts cover the following findings:
- Software bugs found, and the system for data acquisition is not properly validated.
- Lack of software security controls, no backups, and missing audit trails.
- No data validation procedures and no access controls.
- Software released without appropriate change control.
- Missing documentation and lack of access control.
- Lack of access control and data validation, no audit trails.
- Use of unvalidated software.
Taken together, these examples highlight insufficient GSEP (Good Software Engineering Practices), which likely cost the organizations significant time and money.
Appsilon's Role in GxP Compliance
At Appsilon, we help companies navigate the complexities of GxP compliance, ensuring the fast adoption of technology while meeting regulatory requirements and mitigating regulatory risks. We offer comprehensive services, from GxP compliance audits to building compliant Shiny dashboards in R and Python, running on scalable data platforms and the cloud.
We specialize in pharma and life sciences and have helped multiple Fortune 500 companies develop high-quality software.
In conclusion, GxP compliance is challenging, especially in complex industries like pharma. While our comprehensive guide on navigating GxP compliance is a great place to start, there is no one-size-fits-all solution.
If you’re confident in your understanding of quality and compliance, double-check your readiness by downloading our Definition of Done (DoD) Checklist for Pharma Teams.
If you need a reliable partner to ensure the high quality of your software and streamline the FDA and EMA submission process, reach out to Appsilon.