MedDeviceGuideMedDeviceGuide
Back
Post-Market SurveillanceRegulatoryEU MDR / IVDREU

Field Safety Corrective Action (FSCA): EU MDR Vigilance Reporting Guide

A complete guide to Field Safety Corrective Actions under EU MDR — when an FSCA is required, reporting timelines (2/10/15 days), how to prepare a Field Safety Notice (FSN), competent authority notification, EUDAMED integration, and how FSCA differs from FDA recalls.

Ran Chen
Ran Chen
Global MedTech Expert | 10× MedTech Global Access
2026-04-1114 min read

What Is a Field Safety Corrective Action (FSCA)?

A Field Safety Corrective Action (FSCA) is a corrective action taken by a manufacturer for technical or medical reasons to prevent or reduce the risk of a serious incident associated with a medical device that has already been made available on the market. The definition comes from EU MDR Article 2(68) and IVDR Article 2(71).

FSCAs are a core component of the EU medical device vigilance system. They sit alongside serious incident reporting as one of the two primary mechanisms through which manufacturers fulfill their post-market safety obligations under EU MDR Articles 87–91.

An FSCA is triggered when a manufacturer identifies a risk from a device already on the market that requires action beyond internal process changes. The action must be directed at devices in the field — with customers, distributors, healthcare facilities, or patients — not just devices still in the factory.

What Qualifies as an FSCA

Not every corrective action is an FSCA. Only actions taken to prevent or reduce the risk of a serious incident for devices already on the market qualify. Examples include:

  • Device recall — removal of devices from the market or return of devices to the manufacturer
  • Device modification — software update, hardware replacement, or rework of devices in the field
  • Labeling or instructions for use change — updating warnings, contraindications, or usage instructions
  • Customer notification — informing users of a newly identified risk, even if no physical action is taken on the device
  • Re-labeling — changing the labeling on devices already distributed
  • Destruction — destruction of devices in the supply chain or at customer sites

What does not qualify as an FSCA:

  • Internal process improvements that do not affect devices already on the market
  • Design changes implemented only for future production batches
  • Corrective actions that do not mitigate patient or user risk
  • Routine software updates that address non-safety-related issues

The key test is: does this action address a risk to patients or users from devices that are already distributed?

When Is an FSCA Required?

An FSCA is required when a manufacturer identifies that a device already on the market poses a risk that requires action beyond monitoring. This can arise from:

  1. Serious incident investigation — an adverse event is reported, the investigation reveals a device defect or risk, and the manufacturer determines that action is needed to prevent recurrence.

  2. Post-market surveillance data — trend analysis of complaints, non-serious incidents, or performance data reveals a pattern indicating elevated risk.

  3. Risk management review — updating the risk management file reveals that residual risk for a device in the field exceeds acceptable levels.

  4. Regulatory authority request — a competent authority (CA) or Notified Body identifies a concern and requests action.

  5. New scientific or clinical information — emerging data changes the benefit-risk assessment of a marketed device.

  6. Production nonconformity affecting distributed devices — a manufacturing deviation is discovered that affected units already shipped to customers.

Under EU MDR, the requirement to conduct and report FSCAs is mandatory. Articles 87(1)(b) and 89 require manufacturers to report FSCAs to the relevant competent authorities. Failure to report can result in enforcement action, including suspension of the CE certificate, market withdrawal orders, and administrative fines.

FSCA Reporting Timelines Under EU MDR

The EU MDR sets strict timelines for FSCA reporting, calibrated to the severity of the risk. These timelines are defined in Article 87 and clarified by MDCG 2023-3 (rev.2):

Scenario Reporting Timeline Reference
Serious public health threat Immediately, and not later than 2 calendar days after awareness Article 87(4)
Death or unanticipated serious deterioration in health Immediately after establishing or suspecting causal relationship, and not later than 10 calendar days after awareness Article 87(5)
All other serious incidents and FSCAs Not later than 15 calendar days after awareness Article 87(3)

Key points about timelines:

  • Calendar days — not business days. Weekends, public holidays, and Saturdays all count.
  • Awareness date (day = 0) is the date when the manufacturer first receives information about the incident or the need for corrective action — not when the investigation is completed.
  • Immediate means without any delay that is intentionally or negligently caused by the manufacturer.
  • Initial reports can be incomplete. To ensure timely reporting, manufacturers can submit an initial FSCA report with incomplete data and follow up with a complete report later (Article 87(6)).
  • If the manufacturer is uncertain about whether the incident is reportable, it must submit a report within the applicable timeline anyway (Article 87(7)).

Practical Implications of the Timeline Changes from MDD to MDR

Under the old Medical Device Directive (MDD), the general reporting timeline was 30 days. Under MDR, it is 15 days. This is a significant tightening that requires manufacturers to have more agile internal processes for complaint evaluation, risk assessment, and decision-making.

Additionally, the MDR introduced a specific 10-day timeline for death or unanticipated serious deterioration — a category that was not separately distinguished under the MDD.

The FSCA Process: Step by Step

Step 1: Detection and Assessment

The trigger for an FSCA begins with detecting a potential safety issue. This can come from:

  • A serious incident report from a customer, distributor, or healthcare professional
  • Complaint trend analysis indicating a pattern
  • Post-market surveillance data analysis
  • Internal quality or manufacturing investigation
  • Information from a third country where the device is also marketed

Upon detection, assess whether the issue requires an FSCA:

  • Is the device already on the market?
  • Is there a risk of a serious incident?
  • Is action needed to prevent or reduce that risk?
  • Does the action need to be taken on devices in the field?

If the answer to all four questions is yes, an FSCA is needed.

Step 2: Determine Reporting Timeline

Based on the severity of the risk, determine which reporting timeline applies:

  • Serious public health threat: 2 days
  • Death or unanticipated serious deterioration: 10 days
  • All other cases: 15 days

When in doubt, err on the side of the shorter timeline. Reporting a potential FSCA early and following up with more information is always better than missing a deadline.

Step 3: Notify Competent Authorities

The FSCA must be reported to:

  1. The competent authority(ies) in the Member State(s) where the devices have been made available and where the FSCA will be carried out
  2. The competent authority in the Member State where the manufacturer or its Authorized Representative is established — even if the FSCA will not be carried out in that Member State

Reports are submitted using the FSCA Report Form provided by the European Commission. The form must include:

  • Manufacturer and device identification
  • Description of the FSCA and the reason for it
  • Affected devices (model, lot, serial numbers, UDI)
  • Description of the risk
  • Actions taken or to be taken
  • Timeline for completion
  • Draft Field Safety Notice (FSN)

Under Article 92 and Regulation 2025/1021, FSCA reports must also be submitted to the EUDAMED electronic system, which is progressively becoming the central reporting platform for vigilance across the EU.

Step 4: Prepare the Field Safety Notice (FSN)

The FSN is the communication that goes to affected customers, users, and distributors. It is not a regulatory form — it is a practical communication tool that explains what the issue is, what the customer needs to do, and what the manufacturer is doing about it.

An FSN must include:

  • Clear identification of the affected device(s) — product name, model, catalog number, lot/serial number, UDI
  • Description of the issue — what the risk is and how it was identified
  • Impact on patients and users — what could happen if the issue is not addressed
  • Actions required by the customer — stop using the device, return it, apply a software update, monitor patients, etc.
  • Actions taken by the manufacturer — recall, replacement, software patch, labeling update, etc.
  • Contact information — how to reach the manufacturer for questions, device returns, or reports of adverse events
  • Acknowledgment of receipt — a mechanism for the customer to confirm they received and understood the FSN

The FSN must be provided to affected customers without undue delay after the competent authority has been notified. It is standard practice to allow a minimum of 48 hours for the CA to review and comment on the FSN before distributing it — unless the nature of the risk dictates a shorter timescale (e.g., a life-threatening issue requiring immediate action). This review period is recommended in established EU vigilance guidance and is expected by most national competent authorities.

The FSN must be translated into the official language(s) of each Member State where the device is distributed. Under MDR Article 89(8), the FSN must be edited in an official Union language or languages determined by the Member State in which the FSCA is taken. This means a single FSCA affecting 10 EU countries may require the FSN in 8–10 different languages. Plan for translation timelines and qualified medical translation resources in advance — they are a common source of delay in FSCA execution.

Step 5: Implement the Corrective Action

Execute the planned action across all affected markets:

  • For recalls: coordinate device return, replacement, or destruction
  • For software updates: develop, validate, and deploy the update
  • For labeling changes: prepare updated labeling and distribute it to all affected customers
  • For customer notifications: ensure the FSN reaches all affected customers

Track implementation progress: how many devices are affected, how many have been returned/repaired/notified, and what the completion rate is.

Step 6: Follow-Up Reporting

After the initial FSCA report, submit follow-up reports as new information becomes available:

  • Final investigation results
  • Updated risk assessment
  • Scope changes (more devices affected than initially estimated)
  • Completion status of the corrective action
  • Any additional incidents related to the same issue

When the FSCA is fully completed, submit a final follow-up report to all relevant competent authorities confirming that all actions have been completed.

Step 7: Update Risk Management and PMS Documentation

The FSCA process does not end with the regulatory report. Update:

  • Risk management file — add the new failure mode, update severity and occurrence ratings, document the risk control (the FSCA itself)
  • Post-market surveillance plan — if the issue was detected through PMS, evaluate whether the PMS plan needs updating to detect similar issues sooner
  • Periodic Safety Update Report (PSUR) — include the FSCA in the next PSUR for the device
  • Clinical evaluation — if the FSCA affects the benefit-risk assessment, update the clinical evaluation report
  • CAPA — ensure the root cause is addressed through CAPA to prevent recurrence

Who Must Report FSCAs

Manufacturers

Manufacturers have the primary obligation to report FSCAs to competent authorities and to communicate with affected customers. If the manufacturer is located outside the EU, this obligation is fulfilled through its EU Authorized Representative (EC REP).

EU Authorized Representatives

The Authorized Representative must:

  • Cooperate with competent authorities on vigilance matters
  • Forward incident information to the manufacturer without delay
  • Retain vigilance reports for at least 10 years (15 years for implantable devices)
  • Be available as a contact point for competent authorities

Importers and Distributors

Importers and distributors must:

  • Immediately inform the manufacturer of any known or suspected incidents
  • Retain records of complaints and incidents
  • Cooperate with manufacturers and competent authorities during investigations

Competent Authority Roles

The competent authority in the Member State where the incident occurred receives the report, reviews the FSCA and FSN, may request changes to the FSN, and coordinates with other Member State CAs through the vigilance network.

EUDAMED and the Future of FSCA Reporting

EUDAMED is the EU's electronic system for medical device regulation. Under Regulation 2025/1021, EUDAMED is progressively becoming the central platform for vigilance reporting, including FSCAs.

Key developments:

  • FSCA and serious incident reports must be submitted through EUDAMED under Article 92
  • Reports will be published in a standardized format — while clinical data will be anonymized, details like manufacturer name, device type, corrective actions, and dates will be publicly accessible
  • The new MIR form (version 7.3.1, updated March 2026, mandatory from May 2026) is aligned with EUDAMED data structures

This increased transparency means FSCAs will have greater visibility to regulators, healthcare professionals, and the public. Manufacturers should ensure that their FSNs and FSCA reports are clear, accurate, and professionally prepared.

FSCA vs. FDA Recall: Key Differences

For manufacturers operating in both the US and EU, understanding the differences between FSCA and FDA recall mechanisms is critical.

Dimension EU MDR FSCA FDA Recall (21 CFR Part 7)
Legal basis EU MDR Articles 87–91 21 CFR Parts 7, 806
Trigger Any action to reduce risk of serious incident for devices on the market Correction or removal of a device that violates FDA law or presents a health risk
Classification Based on incident severity (public health threat, death, other) Class I (reasonable probability of serious adverse health consequences or death), Class II (may cause temporary or medically reversible health consequences), Class III (not likely to cause adverse health consequences)
Reporting timeline 2/10/15 calendar days depending on severity 10 working days for corrections and removals under 21 CFR 806
Customer notification Field Safety Notice (FSN) — specific format, must be reviewed by CA Customer notification letter — content specified by FDA but format is more flexible
Competent authority role CA reviews FSN before distribution; can request changes FDA classifies the recall, monitors effectiveness, and may issue public notifications
Public database EUDAMED (progressively) FDA Enforcement Reports, Medical Device Recalls database
Root cause Risk-based — can be triggered by any device risk to patient/user Violation-based — must involve a violation of the FD&C Act or a health hazard

A single issue may trigger both an FSCA in the EU and a recall in the US. Manufacturers should have procedures that evaluate reportability under both frameworks simultaneously, rather than treating them as separate processes.

Practical Checklist for FSCA Management

Before an FSCA Occurs

  • Establish written FSCA procedures as part of your vigilance system
  • Identify contact points at competent authorities in all markets where your devices are distributed
  • Prepare FSN templates in advance (in English and relevant EU languages)
  • Train staff on FSCA triggers, timelines, and reporting requirements
  • Establish a cross-functional FSCA team (regulatory, quality, engineering, clinical, customer service)
  • Ensure your EU Authorized Representative has a clear FSCA communication procedure

During an FSCA

  • Document the awareness date precisely — the clock starts ticking
  • Assess the severity and determine the reporting timeline
  • Notify the relevant competent authorities within the applicable timeline
  • Prepare the FSN and submit it for CA review (allow minimum 48 hours)
  • Track all affected devices and customers
  • Submit follow-up reports as new information becomes available
  • Keep management informed throughout the process

After an FSCA

  • Submit the final follow-up report confirming completion
  • Update the risk management file
  • Include the FSCA in the next PSUR
  • Conduct a lessons-learned review
  • Evaluate whether the PMS plan or complaint handling procedures need updating
  • Verify CAPA effectiveness

Summary

Field Safety Corrective Actions are a mandatory component of EU MDR vigilance that require manufacturers to take and report actions to reduce risks from devices already on the market. The process involves competent authority notification, Field Safety Notice preparation and distribution, implementation of the corrective action, and follow-up reporting — all within strict timelines.

Key takeaways:

  • An FSCA is required whenever a manufacturer takes action to reduce the risk of a serious incident from a device already on the market
  • Reporting timelines are 2, 10, or 15 calendar days depending on severity — these are significantly tighter than under the old MDD
  • The FSN must be reviewed by the competent authority before distribution (minimum 48 hours)
  • FSCAs in the EU and recalls in the US follow different frameworks and timelines — global manufacturers need dual procedures
  • EUDAMED is progressively becoming the central platform for FSCA reporting, with reports becoming publicly accessible
  • Every FSCA must feed back into risk management, PMS, and clinical evaluation