FDA Medical Device Reporting (MDR): Complete Guide to Adverse Event Reporting Under 21 CFR Part 803
Comprehensive guide to FDA Medical Device Reporting (MDR) — who must report, what events are reportable, 30-day and 5-day timelines, eMDR electronic submission, complaint handling integration, MAUDE database, and enforcement risks.
What Is Medical Device Reporting (MDR)?
Medical Device Reporting (MDR) is the FDA's mandatory adverse event reporting system for medical devices. It is codified in 21 CFR Part 803 and authorized by Section 519 of the Federal Food, Drug, and Cosmetic Act (FD&C Act) (21 U.S.C. 360i). The regulation requires manufacturers, importers, and device user facilities to report device-related deaths, serious injuries, and certain malfunctions to the FDA within defined timelines.
The purpose is unambiguous: to create a nationwide early-warning system that detects device-related safety problems before they cause widespread harm. Every MDR report feeds into the FDA's Manufacturer and User Facility Device Experience (MAUDE) database, which the agency uses to identify safety signals, issue Medical Device Safety Communications, mandate post-market studies under Section 522, support recall decisions, and inform the broader regulatory community about emerging device risks.
The MDR regulation is not new. It was first established in 1984 and significantly revised in 1995 and again in 2014. The current framework, as amended, reflects decades of enforcement experience and is one of the most frequently cited regulations in FDA warning letters to medical device companies. Compliance is not optional and the consequences of non-compliance are severe: warning letters, consent decrees, import detentions, product seizures, and criminal prosecution in extreme cases.
Critical point: The FDA will not consider any submitted MDR report compliant unless you evaluate the underlying event in accordance with quality management system requirements. Since February 2, 2026, this means compliance with the new Quality Management System Regulation (QMSR) under 21 CFR Part 820, which incorporates ISO 13485:2016 by reference. MDR does not exist in isolation — it is embedded in your quality system.
Who Must Report
The MDR regulation establishes three categories of mandatory reporters and one category of voluntary reporters. Understanding who falls into each category — and what each category must report — is the starting point for any compliant MDR system.
Manufacturers
Manufacturers bear the broadest reporting obligations under 21 CFR Part 803. A "manufacturer" includes any person who initiates specifications for a device, or who manufactures, prepares, propagates, compounds, assembles, or processes a device. This definition captures:
- Domestic manufacturers — companies with a physical manufacturing facility in the United States
- Foreign manufacturers — companies manufacturing outside the US whose devices are imported into US commerce
- Initial distributors (also called "US Agents") of foreign manufacturers — the US-based entity that first receives a foreign-made device in US commerce is legally considered the manufacturer for MDR purposes
- Specification developers — companies that develop device specifications and have another entity manufacture the device
- Repackers and relabelers — entities that repackage or relabel a finished device
- Manufacturers of accessories — if the accessory is classified as a device, the accessory manufacturer has independent MDR obligations
Manufacturers must report deaths, serious injuries, and reportable malfunctions to the FDA. They must also submit supplemental or follow-up reports when they obtain new information about a previously reported event.
Importers
Under 21 CFR 803.3, an "importer" is defined as the initial distributor of a foreign manufacturer's device — the person who first receives a device in the United States that was manufactured overseas. This is not the same as a general distributor or retailer. Importers must:
- Report deaths and serious injuries to both the FDA and the device manufacturer within 30 calendar days of becoming aware
- Report malfunctions to the manufacturer only (not to the FDA)
- Maintain MDR event files and records as required by 21 CFR 803.18
If the importer is also the US Agent for the foreign manufacturer, it is treated as the manufacturer for MDR purposes and must comply with the broader manufacturer obligations.
Device User Facilities
A "device user facility" is a hospital, ambulatory surgical facility, nursing home, diagnostic center, outpatient treatment facility, or outpatient rehabilitation facility. These facilities must:
- Report deaths to both the FDA and the manufacturer within 10 working days of becoming aware of the event
- Report serious injuries to the manufacturer within 10 working days (or to the FDA if the manufacturer is unknown)
- Submit annual reports to the FDA by January 1 of each year, summarizing all reports filed in the previous year
- User facilities are not required to report malfunctions, though they may do so voluntarily
Important gap: Physicians in private practice, dentist offices, and other non-institutional clinical settings are not "device user facilities" under the regulation. They have no mandatory MDR reporting obligation. This is a well-known blind spot in the US adverse event reporting system.
Voluntary Reporting (MedWatch)
Healthcare professionals, patients, caregivers, and consumers can submit voluntary adverse event reports through the FDA's MedWatch program using Form FDA 3500 (as distinct from Form 3500A used for mandatory reporting). These voluntary reports also appear in the MAUDE database and are an important source of post-market safety intelligence. While voluntary reports carry no legal obligation, they are valued by the FDA and can trigger agency investigations, safety communications, and regulatory action.
| Reporter Type | Deaths | Serious Injuries | Malfunctions | Reports To | Timeline |
|---|---|---|---|---|---|
| Manufacturers | Yes | Yes | Yes | FDA | 30 days (5 days for urgent) |
| Importers | Yes | Yes | No (to manufacturer only) | FDA + manufacturer | 30 days |
| Device User Facilities | Yes | Yes | No | Death: FDA + manufacturer; SI: manufacturer | 10 working days |
| Voluntary (MedWatch) | Yes | Yes | Yes | FDA | No deadline |
What Events Are Reportable
Deaths
A death is reportable when the device may have caused or contributed to the death of a patient. The standard is low: you do not need to prove causation. If there is any reasonable possibility that the device was a factor — even among multiple contributing factors — the death must be reported. A patient who dies during or shortly after a device-related procedure, or whose death is associated with a device malfunction, triggers the reporting obligation.
Serious Injuries
A "serious injury" is defined in 21 CFR 803.3 as an injury or illness that:
- Is life-threatening — meaning there is reasonable probability that the injury or illness places the patient in danger of death at the time of the event
- Results in permanent impairment of a body function or permanent damage to a body structure — the key word is "permanent." Temporary effects, even if severe, may not meet this threshold
- Necessitates medical or surgical intervention to prevent permanent impairment — this is the broadest and most frequently debated prong. It includes events requiring emergency surgery, hospitalization, drug therapy, or other medical treatment to prevent lasting damage
The third prong deserves special attention. The FDA's guidance makes clear that interventions such as wound debridement, surgical removal of a fragmented device, administration of anticoagulants to prevent thrombosis caused by a device, or emergency resuscitation all meet the threshold. Even if the intervention is successful and the patient recovers fully, the event is reportable.
Malfunctions
Malfunction reporting to the FDA applies only to manufacturers. A malfunction is reportable when the device fails to meet its performance specifications or behaves in an unintended manner, and the malfunction would be likely to cause or contribute to a death or serious injury if it were to recur. This is a forward-looking, risk-based assessment. The malfunction does not need to have caused actual harm in the current incident — the question is whether recurrence could cause harm.
This requires a judgment call, and the FDA expects that judgment to be documented. Factors to consider include:
- The probability of recurrence (higher probability = more likely reportable)
- The severity of potential consequences if recurrence occurs in the worst-case clinical scenario
- Whether the malfunction affects a life-sustaining or life-supporting device
- Whether the device is intended for single use or repeated use
- Whether user intervention could mitigate the consequences of the malfunction
Examples of reportable malfunctions include: battery depletion in an implantable defibrillator, software algorithm errors that produce incorrect dosing calculations, mechanical failures in surgical instruments that could cause tissue damage, and sterilization failures that could lead to patient infection.
Non-Reportable Events and Exemptions
Not every complaint or adverse event is reportable. Events that generally do not require MDR reporting include:
- User errors without device involvement — if the clinician made a mistake and the device was functioning correctly, it is not reportable. However, if the user error was induced or exacerbated by device design, labeling, or human factors deficiencies, the event becomes reportable
- Previously reported events — if the same event involving the same patient and same device has already been reported, a duplicate report is not required (but supplemental information must be reported)
- Events not caused or contributed to by the device — if the adverse outcome was clearly unrelated to the device (e.g., a patient dies of an unrelated disease progression while wearing a passive orthopedic brace)
- Investigational devices under an IDE — adverse events for investigational devices are reported under 21 CFR Part 812, not Part 803
- Therapeutic devices where the adverse outcome is an expected side effect — if the event is a known, labeled side effect and the device performed as intended, it may not be reportable. However, the severity and frequency must be consistent with the labeling
The FDA provides specific exemptions, variances, and alternative reporting mechanisms under 21 CFR 803.19. Manufacturers should consult the FDA guidance document "Medical Device Reporting for Manufacturers" when evaluating borderline cases.
Reporting Timelines
Timing is one of the most critical aspects of MDR compliance. The clock starts when you "become aware" of information that reasonably suggests a reportable event has occurred. "Awareness" is not limited to formal complaint intake — it includes any employee of the company receiving information from any source (sales representatives, field service engineers, customer service, social media, litigation, regulatory correspondence).
30 Calendar Days (Standard)
Within 30 calendar days of becoming aware of a reportable event, manufacturers and importers must submit a complete MDR report to the FDA. This includes deaths, serious injuries, and reportable malfunctions. The 30-day clock is calendar days, not business days — weekends and holidays count.
If the investigation is not complete within 30 days, the manufacturer must still submit the initial report with the information available and follow up with a supplemental report when additional information becomes available. The FDA does not grant extensions to the 30-day deadline.
5 Working Days (Expedited)
Under 21 CFR 803.53, manufacturers must submit a 5-day report no later than 5 working days after becoming aware that:
- An MDR reportable event necessitates remedial action to prevent an unreasonable risk of substantial harm to the public health, or
- The FDA has made a written request for the submission of a 5-day report
The first condition is triggered when the manufacturer initiates a recall, field correction, or other remedial action because the event represents a broad public health risk. The second condition gives the FDA direct authority to accelerate reporting on a case-by-case basis.
Note that the 5-day timeline uses working days, not calendar days. This is a significant difference from the 30-day standard.
Baseline Reports (21 CFR 803.55)
When a manufacturer submits its first MDR report for a device, it must also submit a baseline report on Form FDA 3417. This provides the FDA with device identification information, including the product code, model number, catalog number, and marketing history. Baseline reports must be updated when there are changes to the device identification information.
Supplemental and Follow-Up Reports
Manufacturers must submit supplemental reports within 30 calendar days of obtaining new information that was not included in the initial report. This includes investigation findings, root cause analysis, corrective actions, and any additional patient outcome information. The supplemental report references the original report number and includes all new data.
| Report Type | Timeline | Who Files | Trigger |
|---|---|---|---|
| 30-day (standard) | 30 calendar days | Manufacturers, importers | Death, serious injury, reportable malfunction |
| 5-day (expedited) | 5 working days | Manufacturers | Remedial action needed or FDA written request |
| User facility death/SI | 10 working days | Device user facilities | Death or serious injury |
| Supplemental | 30 calendar days | Manufacturers | New information on previously reported event |
| Baseline (3417) | With first MDR for device | Manufacturers | First MDR for a device or updated device info |
| Annual summary | By January 1 annually | Device user facilities | Summary of all reports in prior year |
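The deadline rules in the table above, worked through as an added example (not code from the FDA or from this guide). It assumes a working day is Monday to Friday excluding a caller-supplied holiday set, and that the day of awareness is day 0; the event records, IDs, and source names are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# (count, unit) per report type, taken from the timeline table above.
RULES = {
    "30-day": (30, "calendar"),
    "5-day": (5, "working"),
    "user-facility": (10, "working"),
    "supplemental": (30, "calendar"),
}


@dataclass
class Event:
    event_id: str
    report_type: str
    # source -> date someone at the company first received the information
    contacts: dict


def awareness_date(event):
    """Clock starts at the earliest contact from any source, not at complaint logging."""
    return min(event.contacts.values())


def is_working_day(d, holidays):
    # Assumption: working day = Monday-Friday that is not in the caller's holiday set.
    return d.weekday() < 5 and d not in holidays


def due_date(report_type, aware, holidays=frozenset()):
    count, unit = RULES[report_type]
    if unit == "calendar":
        # Weekends and holidays count, and the deadline is not rolled forward.
        return aware + timedelta(days=count)
    d = aware  # assumption: the awareness day itself is day 0
    while count:
        d += timedelta(days=1)
        if is_working_day(d, holidays):
            count -= 1
    return d


def status(event, today, holidays=frozenset()):
    """Return (due date, calendar days remaining); negative days mean overdue."""
    due = due_date(event.report_type, awareness_date(event), holidays)
    return due, (due - today).days


# Constructed sample data, not real events.
HOLIDAYS = frozenset({date(2025, 7, 4)})
EVENTS = [
    Event("EV-001", "5-day",
          {"field_service": date(2025, 7, 1), "complaint_logged": date(2025, 7, 3)}),
    Event("EV-002", "30-day",
          {"sales_rep": date(2025, 7, 1), "complaint_logged": date(2025, 7, 3)}),
]

if __name__ == "__main__":
    today = date(2025, 7, 10)
    for ev in EVENTS:
        due, left = status(ev, today, HOLIDAYS)
        print(ev.event_id, ev.report_type, "aware", awareness_date(ev),
              "due", due, "days left", left)
```

In the sample, counting from the complaint-logged date instead of the first contact would move each deadline two days later than the rule allows.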
Electronic MDR (eMDR) Submission
Since August 14, 2015, manufacturers and importers have been required to submit MDR reports electronically through the FDA's eMDR system. Paper submissions from these entities are no longer accepted (with limited exceptions for temporary technical failures). Device user facilities are not currently required to submit electronically, though they may do so voluntarily.
FDA Electronic Submissions Gateway Next Generation (ESG NextGen)
eMDR submissions are transmitted through the FDA Electronic Submissions Gateway Next Generation (ESG NextGen), which became operational on April 14, 2025, replacing the legacy ESG system. ESG NextGen is the FDA's centralized, agency-wide platform for securely receiving and processing all electronic regulatory submissions.
There are three methods for submitting eMDR:
- AS2 (Applicability Statement 2) system-to-system connection — the preferred method for high-volume submitters. This is an automated, secure data exchange between the manufacturer's system and the FDA. It requires a digital certificate, AS2 software, and registration as a trading partner with the FDA.
- Unified Submission Portal (USP) — ESG NextGen's web-based interface that replaced the legacy WebTrader. Suitable for low-volume submitters. Users upload submission files directly through a browser-based portal.
- FDA eSubmitter software — a free, standalone desktop application that generates HL7 ICSR XML files. The output is a .zip file containing both the XML report and a PDF copy. Suitable for organizations that prefer a guided, form-based submission tool.
Technical Requirements
eMDR submissions use the HL7 ICSR (Individual Case Safety Report) XML format, which implements the International Medical Device Regulators Forum (IMDRF) adverse event coding structure. The XML file must conform to the FDA's Implementation Package, which is updated annually with:
- IMDRF code maintenance updates for adverse event codes (sections F10 and H6 of Form 3500A)
- Updated hierarchy files and code tables
- XML schema validation rules
The FDA publishes an annual enhancement cycle: announcements in June, implementation packages released in August, test deployment in September, and production deployment in March of the following year.
eMDR Registration and Setup
Setting up eMDR submission involves several steps:
- Obtain a digital certificate from an FDA-approved certificate authority
- Register for an ESG NextGen account through the Unified Submission Portal
- Complete AS2 configuration (for automated submitters) or set up USP access
- Send a guidance-compliant test submission to the pre-production environment
- Receive approval from CDRH after successful test processing
- Begin production submissions
The FDA provides three acknowledgments for each submission:
- Acknowledgment 1 (MDN) — confirms delivery and signature validation
- Acknowledgment 2 (Ack2) — confirms unpackaging and structural validation
- Acknowledgment 3 (Ack3) — confirms Center-level processing with validation results or technical rejection notification
Complaint Handling Integration
MDR compliance cannot exist independently from your complaint handling system. The FDA has stated explicitly that it will not consider a submitted MDR report compliant unless the manufacturer evaluates the underlying event in accordance with quality management system requirements. Since February 2, 2026, those requirements are defined by the QMSR (21 CFR Part 820, incorporating ISO 13485:2016).
The Complaint-to-MDR Pipeline
Every complaint must be evaluated for MDR reportability. This is not a separate process — it is an integral step in the complaint handling workflow:
- Complaint intake — document all complaints from all sources (phone, email, field reports, social media, litigation, regulatory correspondence)
- Initial triage — determine whether the complaint involves a death, serious injury, or malfunction
- Reportability assessment — apply the MDR criteria. Is the event reportable? Document the rationale regardless of the conclusion
- MDR event file creation — if reportable, create a separate MDR event file linked to the complaint file
- Investigation — investigate the event per quality system requirements
- Submission — file the MDR within the required timeline
- Follow-up — submit supplemental reports as investigation results become available
- CAPA evaluation — determine whether the event warrants corrective or preventive action
MDR Event Files vs. Complaint Files
Under 21 CFR 803.18, manufacturers may maintain MDR event files as part of their complaint files, provided they prominently identify these records as MDR reportable events. MDR event files must contain:
- Copies of all submitted MDR forms and electronic acknowledgments
- Internal investigation notes and decisions on reportability
- All related correspondence with the FDA
- Links to relevant medical, engineering, testing, and customer communication records
- Documentation explaining why any required information was not submitted or could not be obtained
- The results of the evaluation for each event
CAPA Integration
MDR data must feed into the CAPA system. Adverse event trends, recurring malfunction types, and patterns of serious injuries should trigger CAPA evaluations. The connection between MDR reporting and CAPA is a frequent focus of FDA inspections. Inspectors will trace a sample of MDR reports through the complaint file, into the investigation, and evaluate whether CAPA was appropriately considered.
Record Retention
- Device user facilities: retain MDR event files for 2 years from the date of the event
- Manufacturers and importers: retain MDR event files for 2 years from the date of the event or a period equivalent to the expected life of the device, whichever is greater. If the device is no longer distributed, the retention requirement still applies
- All reporters must permit authorized FDA employees to access, copy, and verify records at all reasonable times
MDR vs. EU Vigilance Reporting
Manufacturers selling devices in both the US and the EU must navigate two distinct adverse event reporting frameworks. While the underlying goal — protecting patient safety — is the same, the specifics differ significantly.
| Aspect | US FDA MDR (21 CFR Part 803) | EU MDR Vigilance (Article 87) |
|---|---|---|
| Legal basis | 21 CFR Part 803; Section 519 FD&C Act | EU Regulation 2017/745, Articles 87-92 |
| Reportable events | Death, serious injury, malfunction (potential-based) | Serious incidents, Field Safety Corrective Actions (FSCAs) |
| Serious public health threat | 5 working days | 2 calendar days |
| Death or serious deterioration | 30 calendar days | 10 calendar days |
| Other serious incidents | 30 calendar days | 15 calendar days |
| Malfunction reporting | Yes, if recurrence could cause harm | No direct equivalent — captured via trend reporting |
| Trend reporting | Not required | Mandatory (Article 88) — statistically significant increase in non-serious incidents |
| Submission system | ESG NextGen (eMDR) | EUDAMED (when fully functional) or National Competent Authorities |
| Report form | FDA Form 3500A / HL7 ICSR XML | Manufacturer Incident Report (MIR) per IMDRF format |
| Periodic safety reports | Not required under MDR (annual reports for PMA devices under separate regulation) | PSUR (Periodic Safety Update Report) required for Class IIa/IIb/III |
| Who must report | Manufacturers, importers, device user facilities | Manufacturers, importers, distributors (to manufacturer) |
| Scope | Events in US and abroad (if device also marketed in US) | Events in EU and events outside EU that may affect EU devices |
| Philosophy | Rapid identification of adverse event patterns; signal detection | Continuous lifecycle safety monitoring; proactive PMS integration |
Key differences:
- The EU has shorter reporting timelines for serious events (10 days vs. 30 days for deaths)
- The EU requires trend reporting — manufacturers must monitor and report statistically significant increases in the frequency or severity of non-serious incidents. The FDA has no equivalent requirement.
- The EU requires Periodic Safety Update Reports (PSURs) for most device classes, providing a holistic periodic safety assessment. The FDA relies on individual event reports and, for PMA devices, annual reports.
- The FDA's malfunction reporting is forward-looking (would recurrence cause harm?), while the EU focuses on actual serious incidents and field safety corrective actions.
- The FDA includes device user facilities as mandatory reporters; the EU MDR does not impose equivalent obligations on healthcare institutions directly.
The MAUDE Database
Every MDR report submitted to the FDA — whether mandatory or voluntary — is incorporated into the Manufacturer and User Facility Device Experience (MAUDE) database. MAUDE is publicly accessible, free, and searchable by anyone.
How Reports Become Public
After an MDR report is received and processed by the FDA's Center for Devices and Radiological Health (CDRH), it is entered into MAUDE. There is a lag — typically 30 to 90 days — between submission and public availability. Reports are de-identified to remove patient-identifying information before publication.
Searching MAUDE
MAUDE can be searched by device product code, manufacturer name, event type (death, injury, malfunction), date range, model number, catalog number, and brand name. The search interface is available at the FDA's website.
For more detailed guidance on searching and using MAUDE, including search strategies, data interpretation, and limitations, see our FDA MAUDE Database Guide.
Limitations of MAUDE Data
MAUDE is an invaluable resource, but it has well-documented limitations that anyone using the data must understand:
- Under-reporting is significant. Studies consistently estimate that only a fraction of adverse events are reported to the FDA. One oft-cited finding is that the FDA receives reports for as few as 1-5% of device-related adverse events, though this varies widely by device type and reporting entity.
- Reports are not verified. The FDA does not independently verify the accuracy or completeness of every report. The database includes a disclaimer that the existence of a report does not mean the device caused the event.
- Duplicate reports exist. The same event may generate multiple reports — from the user facility, the importer, and the manufacturer — creating the appearance of more events than actually occurred.
- Late reporting is common. Research shows that a significant percentage of MAUDE reports are filed beyond the regulatory deadline.
- Incomplete data fields. Many reports contain missing or incomplete information, particularly in the device identification, patient outcome, and event description fields.
- Voluntary reports vary in quality. MedWatch reports from consumers and healthcare professionals may contain inaccurate or subjective information.
Investigation Requirements
When a manufacturer becomes aware of a reportable event, it must conduct a timely and thorough investigation. The investigation must be documented in the MDR event file and must address:
- Device identification — the specific device involved (model, lot/serial number, UDI, software version)
- Event description — what happened, when, where, and who was involved
- Patient information — age, sex, clinical context (as available)
- Device evaluation — physical examination of the returned device, if available, including visual inspection, functional testing, and engineering analysis
- Root cause analysis — what caused or contributed to the event (device failure, user error, labeling deficiency, environmental factor, patient anatomy, etc.)
- Prior occurrence — whether similar events have been reported previously
- Corrective action assessment — whether the event warrants a recall, field correction, labeling update, design change, or other action
The investigation must be initiated promptly and must not wait for the 30-day reporting clock. If the investigation is ongoing at the time of the initial report, the manufacturer submits the initial report with available information and follows up with supplemental reports as findings emerge.
FDA expectation: The agency expects manufacturers to obtain the device involved in the event for evaluation whenever possible. Failure to request the device return or to perform an adequate evaluation of returned devices is a common inspection finding.
Written Procedures
Under 21 CFR 803.17 and 803.18, manufacturers must establish and maintain written procedures for MDR compliance. These procedures are not optional and are among the first things an FDA inspector will request during a QSIT (Quality System Inspection Technique) or MDSAP audit.
Required SOP Elements
Your MDR written procedures must address, at minimum:
- Internal reporting chains — how adverse event information flows from field personnel, customer service, sales, service engineers, and other sources to the designated MDR decision-maker
- Reportability evaluation criteria — clear definitions and decision criteria for determining whether an event is reportable, including the definitions of death, serious injury, and malfunction from 21 CFR 803.3
- Timely submission processes — procedures for ensuring that reports are submitted within the 30-day or 5-day deadlines, including escalation paths when decision-makers are unavailable
- MDR event file management — how MDR event files are created, maintained, linked to complaint files, and retained for the required period
- Supplemental reporting — procedures for identifying when new information triggers a supplemental report and for submitting it within the required timeline
- Investigation procedures — how investigations are initiated, conducted, documented, and linked to the MDR event file and CAPA system
- Annual certification — procedures for the designated individual to review and certify that the facility has or has not identified information that reasonably suggests a reportable event has occurred (21 CFR 803.33(b))
- Training — requirements for training all relevant personnel on MDR procedures, definitions, and reporting obligations
Complaint Evaluation Procedures
Because MDR reportability is determined through complaint evaluation, your complaint handling SOP must explicitly address MDR. At minimum, the procedure must include:
- A step to evaluate every complaint for MDR reportability
- Criteria for distinguishing reportable from non-reportable events
- Documentation requirements for the reportability determination (including the rationale for non-reportable decisions)
- A process for resolving disagreements about reportability
- Timely referral to the MDR submission process when an event is determined to be reportable
Enforcement
The FDA takes MDR violations seriously. MDR-related findings appear regularly in warning letters, and the consequences of non-compliance extend far beyond the warning letter itself.
Warning Letters
FDA warning letters citing MDR violations typically allege:
- Failure to submit MDR reports within required timelines
- Failure to establish and maintain adequate MDR written procedures
- MDR procedures that do not include key definitions from 21 CFR 803.3
- Failure to document the reportability determination for complaints
- Failure to submit a malfunction report when the event met the reporting threshold
- Inadequate investigation of adverse events before determining reportability
- Failure to maintain MDR event files with required documentation
In fiscal year 2024, the FDA issued 47 warning letters to medical device companies — a 96% increase from the 24 issued in 2023. MDR-related deficiencies were among the most common findings, alongside CAPA failures and design control violations. In 2025, approximately 54 warning letters were issued for medical devices, with complaint handling, MDR reporting, and correction/recall insufficiency cited in multiple letters.
Real-World Enforcement Examples
The FDA's enforcement history provides concrete illustrations of MDR violations and their consequences:
- Medtronic (2021): Warning letter cited failure to report malfunctions associated with a recall and inadequate MDR standard operating procedures that did not address reporting criteria, timely transmission, and investigation documentation.
- Smiths Medical: Warning letter cited failure of MDR procedures to address key definitions, failure to report an event where medical intervention was required to preclude permanent impairment, and failure to report malfunctions associated with a recall.
- Augustine Surgical (2024): Warning letter alleged MDR violations — including inadequate procedures and failure to submit an MDR after a healthcare provider reported a second-degree burn requiring debridement and skin graft — that were not even included in the original Form 483 inspectional observations. The FDA expanded its findings beyond what the inspector documented on-site.
Escalation Beyond Warning Letters
When a company fails to adequately respond to a warning letter, enforcement can escalate to:
- Consent decrees — court-ordered agreements requiring specific corrective actions, often with third-party oversight, at significant cost to the manufacturer
- Product seizures — FDA can seize devices that are adulterated due to MDR violations
- Injunctions — court orders prohibiting the company from distributing devices until violations are corrected
- Import detentions — devices from foreign manufacturers with MDR violations may be detained at the US border
- Criminal prosecution — in cases of intentional or flagrant violations, including false statements (18 U.S.C. 1001), the Department of Justice can pursue criminal charges
- Civil monetary penalties — fines for each violation
Important: FDA warning letters are public documents posted on the FDA website. They do not expire or get removed (except in rare cases where rescinded). A warning letter can be introduced as evidence in product liability litigation, used to demonstrate a company's knowledge of a defect, and cited by plaintiffs to support claims. The reputational and legal consequences can far exceed the direct regulatory penalties.
Common Mistakes
After reviewing FDA warning letters, enforcement actions, and industry practice, the following patterns emerge as the most frequent MDR compliance failures:
1. Late Reporting
The single most common MDR violation. Companies often fail to recognize that the reporting clock starts at the moment any employee becomes aware of information that reasonably suggests a reportable event — not when the complaint is formally logged, not when the investigation is complete, and not when senior management is briefed. Sales representatives hearing about an adverse event from a surgeon at a conference, field service engineers discovering a device malfunction during a service call, and customer service representatives taking a complaint call all trigger awareness.
2. Under-Reporting
Systematic failure to report events that meet the reporting threshold. This often stems from overly narrow interpretations of the reportability criteria. Common patterns include:
- Classifying events as "user error" without evaluating whether device design or labeling contributed
- Requiring a higher standard of proof than the regulation demands (the standard is "may have caused or contributed to," not "definitely caused")
- Failing to report malfunctions because no patient was harmed in the specific instance (ignoring the forward-looking recurrence test)
3. Inadequate Investigation
Submitting MDR reports with superficial or incomplete investigations. FDA inspectors look for evidence that the manufacturer conducted a genuine investigation — not just a cursory review. This includes failure to request and evaluate the returned device, failure to perform root cause analysis, and failure to investigate service records and complaint trends for similar events.
4. Poor Complaint-to-MDR Triage
The connection between the complaint handling system and the MDR reporting process is broken or undefined. Complaints are evaluated for MDR reportability inconsistently, by untrained personnel, or without documented rationale for non-reportable decisions. This is one of the most frequently cited findings in FDA inspections.
5. Inadequate Written Procedures
MDR procedures that exist on paper but fail to address required elements. Common gaps include: missing definitions from 21 CFR 803.3, no escalation path for reportability decisions, no process for supplemental reporting, and no link between MDR and CAPA.
6. Failure to Document Non-Reportable Decisions
The regulation requires manufacturers to document the rationale for concluding that an event is not reportable. Many companies only document the events they report, leaving a gap that inspectors interpret as failure to evaluate complaints for reportability.
Best Practices
Building an effective MDR system requires more than checking regulatory boxes. The following practices distinguish companies with robust, inspection-ready MDR processes from those scrambling during an FDA audit.
1. Centralize Adverse Event Intake
Designate a single functional group (typically within Quality Assurance or Regulatory Affairs) as the point of intake for all adverse event information, regardless of source. Sales, service, marketing, clinical specialists, and customer service should all have clear, simple mechanisms for reporting adverse event information to this central group.
2. Train Broadly and Repeatedly
MDR awareness training should extend far beyond the quality department. Anyone who might receive adverse event information from customers — sales representatives, field service engineers, clinical specialists, customer service agents, social media monitors — should receive initial and annual refresher training covering:
- What constitutes a reportable event (with real examples specific to your device types)
- When the reporting clock starts
- How to report information to the designated MDR coordinator
- That reporting to the internal group is mandatory, even if the event seems minor
3. Use a Standardized Reportability Assessment
Develop a standardized decision tree or checklist for evaluating MDR reportability. Include the regulatory definitions of death, serious injury, and malfunction, with examples specific to your device portfolio. Require documented rationale for every reportability decision — both reportable and non-reportable.
4. Implement Calendar Controls
Use your quality system software or case management tool to automatically track reporting deadlines. The moment a complaint is identified as potentially reportable, the system should generate a 30-day countdown. Configure escalation alerts at 15 days, 7 days, and 3 days before the deadline.
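A minimal sketch of the calendar control described above, added here as an illustration and not taken from any quality system product. It starts the clock at the earliest awareness by any employee rather than at the complaint log date, then derives the 30-day deadline and the 15/7/3-day escalation alerts. The class and function names, the sample dates, and the convention that the awareness date counts as day 0 are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REPORTING_WINDOW_DAYS = 30           # 30 calendar days from awareness
ESCALATION_THRESHOLDS = (15, 7, 3)   # alert when this many days remain


@dataclass(frozen=True)
class AwarenessEvent:
    """One point at which someone in the company learned of the event."""
    source: str
    seen_on: date


def awareness_date(events):
    """The clock starts at the earliest awareness by any employee."""
    if not events:
        raise ValueError("at least one awareness event is required")
    return min(e.seen_on for e in events)


def deadline(events):
    # Assumption: the awareness date is day 0 and the report is due on day 30.
    return awareness_date(events) + timedelta(days=REPORTING_WINDOW_DAYS)


def alert_dates(events):
    """Dates on which the 15-, 7- and 3-day escalation alerts fire."""
    due = deadline(events)
    return {t: due - timedelta(days=t) for t in ESCALATION_THRESHOLDS}


def escalation_level(events, today):
    """Current status of a case: ON_TRACK, ALERT_<n>D or OVERDUE."""
    remaining = (deadline(events) - today).days
    if remaining < 0:
        return "OVERDUE"
    crossed = [t for t in ESCALATION_THRESHOLDS if remaining <= t]
    return f"ALERT_{min(crossed)}D" if crossed else "ON_TRACK"


# Constructed sample case: the complaint was logged four days after a
# sales representative first heard about the event.
SAMPLE_CASE = [
    AwarenessEvent("complaint logged in QMS", date(2026, 3, 6)),
    AwarenessEvent("sales rep told by surgeon", date(2026, 3, 2)),
]

if __name__ == "__main__":
    print("due:", deadline(SAMPLE_CASE))
    for day in (date(2026, 3, 10), date(2026, 3, 26), date(2026, 4, 2)):
        print(day, escalation_level(SAMPLE_CASE, day))
```

Keying the countdown to the complaint log date instead would move the sample deadline four days later, which is the late-reporting pattern described under Common Mistakes.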
5. Audit Your Own MDR Data
Conduct periodic internal audits of your MDR process. Sample closed complaints and evaluate whether the reportability determination was appropriate. Review the timeliness of submissions. Check whether supplemental reports were filed when investigation results emerged. Track metrics and report them in management review.
6. Maintain Traceability
Every MDR report should be traceable from the original complaint through the investigation, reportability assessment, submission, supplemental reports, and CAPA evaluation. This chain of documentation is what FDA inspectors will reconstruct during an inspection.
7. Establish Quality Metrics
Track and trend the following metrics at management review:
- Number of complaints received vs. number determined reportable
- Percentage of MDR reports submitted on time
- Average time from awareness to submission
- Number of supplemental reports filed per initial report
- Number of FDA requests for additional information
- CAPA initiation rate from MDR events
Transition to QMSR and Impact on MDR
On February 2, 2026, the FDA's Quality Management System Regulation (QMSR) became effective, replacing the legacy Quality System Regulation (21 CFR Part 820) and incorporating ISO 13485:2016 by reference. This is the most significant change to US medical device quality system requirements in three decades.
What QMSR Changes for MDR
The short answer is: 21 CFR Part 803 remains in force and unchanged. The FDA has confirmed that the MDR regulation is not affected by the QMSR transition. Manufacturers must continue to meet all MDR obligations under current law.
However, the QMSR changes the quality system framework that MDR compliance plugs into:
- Complaint handling was previously governed by 21 CFR 820.198. Under QMSR, complaint handling is governed by ISO 13485:2016 clauses 8.2.1 and 8.2.2 (feedback and complaint handling), supplemented by FDA-specific provisions in the new 21 CFR 820.
- CAPA was previously governed by 21 CFR 820.100. Under QMSR, it is governed by ISO 13485:2016 clauses 8.5.2 (corrective action) and 8.5.3 (preventive action).
- Record retention and document control follow ISO 13485:2016 clause 4.2 (document requirements).
- MDR reporting itself (21 CFR Part 803) is explicitly cross-referenced in the new QMSR framework under the mapping to ISO 13485 clause 8.2.3 (reporting to regulatory authorities).
Practical Impact
For manufacturers already certified to ISO 13485:2016 and compliant with 21 CFR Part 803, the QMSR transition has minimal direct impact on MDR operations. The key actions are:
- Update your MDR procedures to reference QMSR/ISO 13485 clause mappings where applicable
- Ensure your complaint handling SOP explicitly links to MDR evaluation steps per 21 CFR Part 803
- Maintain the connection between MDR event files and the broader quality system as required by the updated 21 CFR 803.18(e), which now references "quality management system requirements described in part 820"
- Be prepared for FDA inspections conducted under the new QMSR inspection process (Compliance Program 7382.850), which replaces the legacy QSIT-based approach
Frequently Asked Questions
1. When does the MDR reporting clock start?
The clock starts when any employee of the company becomes aware of information that reasonably suggests a reportable event has occurred. This is not limited to the complaint handling department. A sales representative hearing about a patient injury from a surgeon, a service engineer observing a device malfunction, or a regulatory affairs specialist reading about a problem on social media all constitute "awareness."
2. Does the 30-day reporting deadline apply to malfunctions?
Yes. Manufacturers must report reportable malfunctions within 30 calendar days of becoming aware, the same as deaths and serious injuries. There is no separate, longer timeline for malfunctions.
3. Do we need to report events that occur outside the United States?
Yes, if the device is also marketed in the United States. The MDR regulation applies to information that comes to your attention from any source, including foreign sources, when the same device is distributed in US commerce. This is different from the EU system, which focuses on events within the EU.
4. Is a user error reportable?
Pure user errors — where the clinician made a mistake and the device was functioning correctly — are generally not reportable. However, if the user error was induced or exacerbated by device design, labeling, unclear instructions for use, or human factors deficiencies, the event becomes reportable. Document your rationale for every user-error determination.
5. What if we are not sure whether an event is reportable?
When in doubt, report. The standard is low: "may have caused or contributed to." If you cannot definitively rule out device involvement, the event should be reported. You can always file a supplemental report later if the investigation exonerates the device. The risk of under-reporting far exceeds the risk of over-reporting.
6. How do we handle duplicate reports for the same event?
You are required to submit only one initial report per event per patient. However, if you receive additional information about a previously reported event — from the user facility, the importer, or your own investigation — you must submit a supplemental report. Duplicate reporting from different entities (e.g., both the user facility and the manufacturer reporting the same death) is expected and normal.
7. Can we submit MDR reports on paper?
Generally, no. Since August 14, 2015, manufacturers and importers must submit MDR reports electronically through the FDA's eMDR system (ESG NextGen). Paper submissions are accepted only in very limited circumstances, such as temporary technical failures of the electronic system. Device user facilities may still submit paper reports.
8. What is the difference between Form 3500 and Form 3500A?
Form FDA 3500 is the MedWatch form used for voluntary reporting by healthcare professionals, patients, and consumers. Form FDA 3500A is the mandatory reporting form used by manufacturers, importers, and device user facilities. The forms collect similar information but serve different reporting populations.
9. What happens after we submit an MDR report?
The FDA processes the report through CDRH, acknowledges receipt through the ESG NextGen acknowledgment system, enters the data into the MAUDE database (with a typical lag of 30-90 days before public availability), and may contact you with a Request for Additional Information if the report is incomplete or unclear. The FDA uses the aggregate data for signal detection, safety communications, and regulatory decision-making.
10. Do we need to report events for devices under an Investigational Device Exemption (IDE)?
No. Adverse events for investigational devices under an IDE are reported under 21 CFR Part 812 (Investigational Device Exemptions), not Part 803. However, once the device receives marketing authorization and is in commercial distribution, Part 803 applies.
11. What if the patient outcome is unknown?
Report the event with the information available. Unknown patient outcome does not relieve you of the reporting obligation. If the device malfunctioned in a way that meets the reportability criteria, you must report regardless of whether you can confirm the patient's condition. You can submit a supplemental report when patient outcome information becomes available.
12. Are software-related adverse events reportable?
Yes. Software malfunctions, cybersecurity vulnerabilities, and algorithm errors that could cause or contribute to death or serious injury are reportable. The FDA has issued specific guidance on cybersecurity that intersects with MDR obligations. A software bug that causes an infusion pump to deliver an incorrect dose, even if caught before patient harm, may be reportable as a malfunction.
13. How does MDR interact with the corrections and removals regulation (21 CFR Part 806)?
They are separate but related obligations. Part 803 requires reporting of adverse events. Part 806 requires reporting when you initiate a correction or removal to reduce a health risk or remedy a violation. A single event may trigger reporting under both regulations. For example, a device-related death reported under Part 803 may also trigger a recall reported under Part 806.
14. Do foreign manufacturers need to submit MDR reports directly?
Foreign manufacturers must submit MDR reports electronically through the eMDR system, just like domestic manufacturers. The initial distributor (US Agent) also has independent reporting obligations as an importer. Both the foreign manufacturer and the initial distributor may end up reporting the same event, which is expected.
15. How should we handle social media reports of adverse events?
Information from social media that comes to your attention — whether through active monitoring or passive discovery — can trigger the MDR reporting clock. If a social media post reasonably suggests a reportable event involving your device, you must evaluate it for reportability. This is an emerging area of enforcement focus. Companies that actively monitor social media for adverse event information should have documented procedures for doing so.
16. What is the annual certification requirement?
Under 21 CFR 803.33(b), manufacturers must designate an individual responsible for reviewing and certifying annually that the facility has or has not identified information that reasonably suggests a reportable event has occurred. This certification is submitted to the FDA and is a separate obligation from individual event reporting.
17. Can the FDA require us to submit 5-day reports?
Yes. Under 21 CFR 803.53, the FDA can make a written request that you submit 5-day reports for a specific device or device type. This typically happens when the agency identifies a safety concern through MAUDE data analysis, inspection findings, or other sources. Once requested, you must comply for the duration specified in the request.
18. What is the relationship between MDR and the National Evaluation System for health Technology (NEST)?
NEST is a broader FDA initiative to leverage real-world evidence and electronic health data for device surveillance. MDR is one data source that feeds into the broader post-market surveillance ecosystem. While NEST does not impose additional reporting obligations on manufacturers, it reflects the FDA's increasing use of diverse data sources — beyond traditional MDR — for signal detection and regulatory decision-making. Manufacturers should be aware that the FDA's view of device safety is informed by more than just MAUDE data.