The FDA are paying attention - Exer Labs Warning Letter

Avoid the compliance pitfalls that led to the Exer Labs FDA warning letter. Discover how a GxP-AI Management System (AMS) integrates AI governance into your QMS for total lifecycle oversight.

By Ben O'Brien

The February 10, 2025 warning letter issued by the FDA to Exer Labs, Inc. offers a cautionary example of how marketing claims for AI-based medical devices can exceed the bounds of a 510(k) exemption. It also illustrates that core quality system requirements apply regardless of whether that device is exempt from premarket notification.

The Risk of "Regulatory Scope Creep"

The Warning Letter Findings: Exer Labs was marketing the Exer Scan under a 510(k) exemption applicable to exercise equipment, but simultaneously marketing it as an AI-based algorithm to "screen, diagnose, and treat musculoskeletal and neurological disorders," going well beyond the bounds of the exemption.

The Importance: Intended use is a pivot point for those operating in GxP environments. As outlined in GAMP 5 (2nd Edition), the level of control and documentation must be proportional to the system's risk. When an organization moves the use case from what is essentially an exercise device that counts "reps" to a clinical use case such as diagnosing a disease, the risk has clearly shifted from "low" to a much higher risk class. This requires a total upgrade in validation rigor, with effort commensurate with the risk.

Operating beyond your existing intended use likely makes a device "misbranded." In fact, Exer Labs' device was found to be both misbranded and adulterated. The moment Exer's claims moved outside the exemption, they likely needed at minimum a full 510(k) clearance, and possibly a full Pre-Market Approval (PMA), depending on the final risk classification.

The Prevention: To avoid this, organizations should implement a claim-mapping process where every marketing claim and clinical feature is tied back to a specific, validated intended use. Quality teams must act as a "check and balance," ensuring promotional content remains within the technical boundaries of the regulatory filing.

Design Controls: Beyond the "Technical Pilot"

The Warning Letter Findings: The FDA noted a total failure to establish design controls (21 CFR 820.30). The firm distributed an AI-driven device without a formal system to govern its development, verification, or validation.

The Importance: Design controls are not optional for software that impacts patient health. Because AI is probabilistic (it makes a "best guess") rather than deterministic (it follows a fixed path), standard software testing is insufficient. Technical accuracy metrics (like F1 scores) are not the same as clinical safety. Without design controls, there is no evidence that the model has been benchmarked against "ground truth" or that its inherent limitations have been mapped. This absence of transparency creates opaque, essentially "black box" systems where performance and failure modes remain unknown to both developer and regulator, and use-case assurance cannot be provided.

The Prevention: Best-in-class organizations adopt a repeatable validation framework that moves beyond technical metrics. For high-stakes AI, this should include a "Human-in-the-loop" evaluation. By comparing the performance of a Human + AI team against a human-only baseline, you can provide additional assurance that the AI actually enhances safety and effectiveness within a real-world use of the model.

Algorithmic Integrity and the Robust Quality Process Gap

The Warning Letter Findings: Exer Labs did not follow a CAPA procedure or similar quality-event process after an automatic software update failed and design changes were made in response to the issue. There was no process to determine whether a CAPA actually needed to be opened for such an issue.

They also lacked purchasing controls for their suppliers (including those associated with the device) and had never conducted a quality audit or management review since beginning operations.

The Importance: In an AI-model lifecycle, the often static state of traditional software has been replaced by dynamic models dependent on continuous data inputs. As emphasized in GAMP 5 2nd Ed and EMA’s AI Reflection Paper, the risk profile of an AI system is inextricably linked to the quality of the suppliers and vendors associated with it. The failure to effectively qualify suppliers and vendors (either through a robust qualification process, or through a vendor audit) means Exer cannot verify that purchased components or services meet specified requirements. This gap may be particularly significant for AI-based devices where the integrity of training data and model inputs may depend on third-party sources.

Similarly, failing to follow established processes for managing AI-model-related deviations (or drift) leaves room for non-compliance. All stakeholders must clearly understand what steps to take in cases of non-conformance: both the type of investigation required and where the information about the model (e.g. its intended use, baseline metrics, integrated systems, etc.) is stored, so that an effective investigation can be performed.

The Prevention: To mitigate these risks, organizations should consider continuous quality oversight. This begins with a centralized AI Governance Framework that is integrated within the QMS. This would ensure that GxP-impacting models are subject to the same design controls, change management, supplier qualification, and CAPA processes as any other regulated process, providing a single source of truth for model status, validation history, and ongoing oversight.

  • Vendor Competency: Implement qualification protocols that include the assessment of AI-specific factors like bias mitigation and data security.
  • Performance Thresholds: Define and monitor specific technical thresholds. When a model encounters an error or its performance dips, it should automatically trigger a Quality investigation.
  • Model Inventory: Maintain a live inventory that maps every model to its intended use, its training data source, and its validation boundaries.
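As an added illustration of the three controls above (not code from the article or from Phanero), the following Python sketch combines a minimal model-inventory record with a performance monitor. The monitor evaluates a sliding window of recent predictions against the threshold fixed at validation and opens a quality event when performance dips below it, and it also flags any request to use the model outside its registered intended use (the "scope creep" discussed earlier). The record schema, model name, thresholds and the outcome sequence are all constructed for this example.

```python
"""Added example: model inventory record + threshold monitor that opens a
quality event on performance drift or on use outside the validated intended
use. All names, thresholds and sample data are constructed, not from any
real product or the warning letter."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ModelRecord:
    """One entry in the model inventory (hypothetical schema)."""
    model_id: str
    intended_use: str            # the validated intended use, as filed
    training_data_source: str    # provenance of the training data
    baseline_accuracy: float     # accuracy measured at initial validation
    min_accuracy: float          # validated lower bound; below this -> quality event
    window: int = 20             # number of recent predictions evaluated


@dataclass
class QualityEvent:
    """Record handed to the QMS so a CAPA decision can be made."""
    model_id: str
    reason: str
    observed: Optional[float] = None


class PerformanceMonitor:
    def __init__(self, record: ModelRecord):
        self.record = record
        self.outcomes: List[bool] = []      # True = prediction matched ground truth
        self.events: List[QualityEvent] = []
        self.drift_event_open = False       # avoid re-raising the same drift every call

    def record_prediction(self, correct: bool) -> Optional[QualityEvent]:
        """Log one scored prediction; open a quality event if the windowed
        accuracy falls below the validated threshold."""
        self.outcomes.append(correct)
        recent = self.outcomes[-self.record.window:]
        if len(recent) < self.record.window:
            return None                     # not enough data to judge yet
        acc = sum(recent) / len(recent)
        if acc < self.record.min_accuracy:
            if self.drift_event_open:
                return None                 # already under investigation
            self.drift_event_open = True
            ev = QualityEvent(self.record.model_id,
                              "performance below validated threshold", acc)
            self.events.append(ev)
            return ev
        self.drift_event_open = False       # performance recovered
        return None

    def check_use_case(self, requested_use: str) -> Optional[QualityEvent]:
        """Flag any invocation whose use case is not the validated one."""
        if requested_use != self.record.intended_use:
            ev = QualityEvent(self.record.model_id,
                              f"use outside validated intended use: {requested_use}")
            self.events.append(ev)
            return ev
        return None


def demo() -> List[QualityEvent]:
    """Run the monitor over a constructed scenario and return opened events."""
    rec = ModelRecord(
        model_id="rep-counter-v2",                       # constructed name
        intended_use="count exercise repetitions",
        training_data_source="in-house video set (constructed)",
        baseline_accuracy=0.95,
        min_accuracy=0.90,
        window=20,
    )
    mon = PerformanceMonitor(rec)
    # Constructed outcomes: 19 correct, 1 wrong (accuracy 0.95 at validation),
    # then a run of failures representing drift after an update.
    outcomes = [True] * 19 + [False] + [False] * 3
    for ok in outcomes:
        mon.record_prediction(ok)
    # Constructed scope-creep attempt: model asked to do something it was
    # never validated for.
    mon.check_use_case("diagnose musculoskeletal disorder")
    return mon.events


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

Two design points worth noting: the drift check is silent until a full window of scored predictions exists, so a freshly deployed model is not flagged on its first few outputs, and the threshold comes from the inventory record rather than being hard-coded, so the monitor and the validated state stay in one place. Ground-truth labelling for the window is assumed to happen elsewhere (e.g. a periodic review), which is the same dependency the article's "Initial Validation" step has.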

How Phanero Addresses These Lifecycle Failures

The failures at Exer Labs (ranging from unvalidated diagnostic claims to the absence of appropriate mechanisms for vendor oversight) demonstrate the danger of a "fragmented" AI strategy that doesn't integrate with the QMS. Phanero was built to close these gaps by providing a dedicated GxP-AI Management System (AMS) that brings order to the entire AI ecosystem.

1. Establishing Ecosystem Oversight

Phanero acts as a centralized "System of Record," providing a single dashboard to register and track every AI asset (whether it is developed internally, supplied by a third party, or embedded in existing SaaS tools). By maintaining an inventory that maps every model to its specific, validated intended use, Phanero prevents the "regulatory scope creep" that led in part to the Exer Labs warning letter.

2. A Repeatable Framework for Design Controls

To satisfy 21 CFR 820.30, organizations must move beyond technical metrics like F1 scores and prove a model is safe for its specific purpose. Phanero facilitates this through a standardized, 3-step validation framework:

  • Initial Validation: Benchmarking predictions against ground truth and mapping model limitations.
  • Real-World Evaluation: Validating intended use by comparing "Human + AI" team performance against a manual baseline.
  • Operational Integration: Deploying with end-to-end workflow monitoring.

3. Strengthening Purchasing Controls and Vendor Vetting

As seen in the Exer Labs case, failing to audit suppliers is a major compliance "red flag". Phanero addresses this by standardizing the way vendor-supplied models are registered and monitored. This ensures that even "Black Box" models are governed under the same rigorous quality standards as internal systems, providing the audit-ready evidence required for regulatory inspections.

4. Maintaining the Validated State via Continuous Oversight for AI Models

Phanero provides a repeatable framework for the periodic re-evaluation of models to observe and track performance over time. By linking these validation deliverables directly to your existing QMS, Phanero ensures that your AI assets remain in a state of controlled compliance throughout their entire lifecycle.