Medical Device Complaint Handling: FDA, ISO 13485 & EU MDR Requirements

What Is a Medical Device Complaint?

A medical device complaint is any written, electronic, or oral communication that alleges deficiencies related to the identity, quality, durability, reliability, safety, effectiveness, or performance of a medical device that has been released for distribution. This definition draws from both FDA 21 CFR Part 820 and ISO 13485:2016 (Clause 3.4).

Not every customer call or email is a complaint. A valid complaint must relate to a distributed device and involve product-specific deficiencies. General product inquiries, requests for information, billing questions, and feedback about desired features are not complaints — though your organization needs a clear process for triaging and categorizing incoming communications so that complaints are not missed.

Complaint handling is not optional, and it is not just a customer service function. It sits at the intersection of quality management, post-market surveillance, regulatory reporting, and risk management. Every major regulatory framework requires manufacturers to establish, document, and maintain complaint handling procedures.

Why Complaint Handling Matters

Complaints are your primary signal that something has gone wrong with a device in real-world use. They are the leading indicator for:

• Adverse event reporting — a complaint may trigger mandatory Medical Device Reporting (MDR) to FDA, or serious incident reporting to EU Competent Authorities
• Field safety corrective actions — complaint trends may necessitate recalls, software patches, or labeling changes
• CAPA — recurring complaints drive corrective and preventive actions
• Risk management updates — complaint data feeds back into ISO 14971 risk files, potentially changing severity or occurrence estimates
• Clinical evaluation updates — complaint trends may affect the benefit-risk assessment in the clinical evaluation report
• Design improvements — complaint patterns reveal design weaknesses that feed into next-generation product development

Regulators take complaint handling failures seriously. FDA warning letters frequently cite inadequate complaint procedures, failure to evaluate complaints for reportability, and failure to investigate. EU Notified Bodies audit complaint handling systems as part of MDR/IVDR conformity assessments.

Regulatory Requirements: Side-by-Side Comparison

Requirement	FDA (QMSR / 21 CFR 820)	ISO 13485:2016	EU MDR
Written procedures required	Yes — §820.198 (now via ISO 13485 incorporation)	Yes — Clause 8.2.2	Yes — Articles 87–91
Complaint definition	Written, electronic, or oral communication alleging device deficiencies	Similar to FDA	Aligned with ISO 13485
Timely handling	Required — must be reviewed, evaluated, and investigated promptly	Required — documented procedures for timely complaint handling	Required — without undue delay
MDR/adverse event evaluation	Must evaluate every complaint for MDR reportability under 21 CFR Part 803	Must determine need for regulatory reporting	Must assess whether incident is a serious incident requiring reporting
Investigation required	Yes — every complaint must be investigated unless clearly non-product-related	Yes — investigation of allegations	Yes — investigations for reportable incidents
Records retention	MDR event files retained for device expected life or minimum 2 years	Per QMS record retention requirements	Per national requirements; vigilance records for 10+ years
CAPA integration	Complaint data must feed into CAPA system	Corrective actions from complaints must be addressed	PMS data (including complaints) feeds into risk management and CAPA

FDA Requirements in Detail

The FDA's Quality Management System Regulation (QMSR), effective February 2, 2026, incorporates ISO 13485:2016 by reference into 21 CFR Part 820. Under the previous Quality System Regulation (QSR), complaint handling was explicitly covered in §820.198. Under QMSR, complaint handling is governed by ISO 13485 Clause 8.2.2, supplemented by FDA-specific requirements.

Key requirements:

1. Written procedures. Manufacturers must establish and maintain documented procedures for receiving, reviewing, evaluating, investigating, and closing complaints.

2. Evaluation for reportability. Every complaint must be evaluated to determine whether it meets the criteria for reporting under 21 CFR Part 803 (Medical Device Reporting). This evaluation must be documented, even if the determination is that the complaint is not reportable.

3. Investigation. Each complaint must be investigated. The investigation must include a root cause analysis where possible and must determine whether corrective action is needed.

4. Designated complaint unit. A formally designated unit must receive, review, and evaluate complaints. This does not mean you need a standalone department, but the responsibility must be assigned to identified individuals.

5. Complaint files. Complaint files must be maintained. Where a complaint is determined to be reportable under MDR, it must be maintained in a separate portion of the complaint file or clearly identified as an MDR reportable event.

6. Integration with CAPA. Complaint data must be analyzed for trends and fed into the CAPA system when corrective or preventive action is warranted.

FDA Medical Device Reporting (21 CFR Part 803) operates in parallel with complaint handling:

Report Type	Timeline	Trigger
Death or serious injury	30 calendar days	Device may have caused or contributed to death or serious injury
Malfunction	30 calendar days	Device malfunction that would be likely to cause or contribute to death or serious injury if it were to recur
5-Day Report	5 working days	Event necessitates immediate remedial action to prevent unreasonable risk of substantial harm, or FDA requests it
Supplemental Report	30 calendar days	New or corrected information about a previously reported event

The FDA will not consider an MDR report compliant unless the underlying complaint was evaluated in accordance with quality system requirements. This means your complaint handling and MDR reporting are inextricably linked.

ISO 13485 Requirements in Detail

ISO 13485:2016 Clause 8.2.2 (Complaint handling and adverse event reporting) requires organizations to:

1. Document procedures for complaint handling that include the timing and steps for receiving, logging, evaluating, investigating, and closing complaints.
2. Evaluate all complaints to determine if they need to be reported to regulatory authorities.
3. Determine the need for investigation — if the complaint involves a potential product quality issue, safety concern, or regulatory reporting obligation, an investigation must be conducted.
4. Maintain records of all complaints and their disposition.
5. Feed results into CAPA when the analysis of complaints indicates that corrective or preventive action is warranted.
6. Report to regulatory authorities as required by applicable regulations (this ties into jurisdiction-specific reporting requirements — FDA MDR, EU MDR vigilance, etc.).

EU MDR Requirements in Detail

Under the EU MDR, complaint handling is embedded within the broader post-market surveillance and vigilance system:

• Article 10 (Manufacturer obligations): Manufacturers must immediately report serious incidents and FSCAs to competent authorities.
• Articles 87–91 (Vigilance): Define when and how to report serious incidents, including timelines (2 days for public health threats, 10 days for death or unanticipated serious deterioration, 15 days for other serious incidents).
• Article 84 (PMS plan): The PMS plan must include methods for investigating complaints and communicating with competent authorities.
• Annex III (PMS documentation): Complaint data is a mandatory input into PMS analysis and periodic safety update reports (PSURs).

EU MDR introduces a broader concept of reportable events compared to the old Medical Device Directive. A "serious incident" under MDR Article 2(65) includes any event that has led, could have led, or may lead to death, serious deterioration of health, or a serious public health threat.

The Complaint Handling Process: Step by Step

Step 1: Intake and Logging

Every communication that potentially alleges a device deficiency must be logged. This includes phone calls, emails, letters, social media mentions, field service reports, distributor notifications, and any other channel through which information about device performance reaches the manufacturer.

At intake, capture:

• Date received
• Source (customer, distributor, healthcare professional, patient)
• Device identification (product name, model, catalog number, lot/serial number, UDI)
• Description of the alleged deficiency
• Patient outcome information (if available)
• Reporter contact information

Do not filter at intake. The triage step comes later. The intake step captures everything; the triage step determines whether it is a complaint and whether it is reportable.

Step 2: Triage and Categorization

Evaluate each incoming communication to determine:

1. Is this a complaint? Does it allege a deficiency related to a distributed device? If it is a product inquiry, training request, or billing issue, document the disposition and route it appropriately, but do not process it as a complaint.

2. Is it MDR-reportable? Does the complaint involve a death, serious injury, or a malfunction that could cause or contribute to death or serious injury if it were to recur? If yes, it must be reported under 21 CFR Part 803 (US) or as a serious incident under EU MDR Article 87 (EU).

3. What is the risk level? Based on the potential severity and the nature of the alleged deficiency, assign a risk level that will determine the urgency and depth of the investigation.

4. Has this been seen before? Check complaint history for similar issues. A new complaint may be part of a trend that changes its priority.

Document the triage decision and its rationale, even if the conclusion is "not a complaint" or "not reportable."

Step 3: Investigation

Every complaint must be investigated. The depth of investigation should be proportionate to the risk, but some level of investigation is always required.

An investigation may include:

• Reviewing the device history record (DHR) or Medical Device File (MDF) for the specific lot/serial number
• Requesting the device back for analysis (device evaluation)
• Reviewing manufacturing records for deviations or nonconformances
• Analyzing the failed component or assembly
• Reviewing risk management files to determine if the failure mode was previously identified
• Interviewing the reporter for additional information
• Reviewing trend data for similar complaints
• Conducting root cause analysis

The investigation must be documented. If information is missing and cannot be obtained, the complaint file must include an explanation of what efforts were made to obtain it and why they were unsuccessful.

Step 4: Reportability Determination

After the investigation, confirm or update the initial reportability assessment:

FDA MDR (21 CFR Part 803):

• Did the device cause or contribute to a death? Report within 30 days.
• Did the device cause or contribute to a serious injury? Report within 30 days.
• Did the device malfunction in a way that could cause or contribute to death or serious injury if it were to recur? Report within 30 days.
• Is immediate remedial action needed to prevent unreasonable risk? Report within 5 working days.

EU MDR Vigilance (Articles 87–91):

• Is the incident a serious incident (death, serious deterioration of health, or could have led to these)?
• Is there a serious public health threat? Report within 2 calendar days.
• Did the incident involve death or unanticipated serious deterioration? Report within 10 calendar days.
• All other serious incidents? Report within 15 calendar days.

Step 5: Corrective and Preventive Action

If the investigation identifies a quality or safety issue that requires action:

• Initiate a CAPA if the issue is recurring, affects patient safety, or indicates a systemic problem
• Update risk management files if the complaint reveals a failure mode or severity that was not previously captured
• Consider the need for a field safety corrective action (recall, software update, labeling change)
• Update design or process FMEA if the failure mode was not previously identified

Step 6: Trend Analysis

Individual complaints tell you about specific events. Trend analysis tells you about patterns. Your complaint handling system must include periodic analysis of complaint data to identify:

• Increasing complaint rates for specific failure modes
• Clusters of complaints from specific regions, facilities, or user groups
• New failure modes not previously identified in risk analysis
• Complaints indicating that risk controls are not performing as expected

Trend analysis is explicitly required by ISO 13485 (Clause 8.2.3 — reporting to regulatory authorities can be based on statistically significant increases in complaint frequency) and by EU MDR Article 88 (trend reporting).

Step 7: Close-Out and Record Keeping

Close each complaint when the investigation is complete and any required actions have been taken. Maintain the complaint file with:

• The original complaint communication
• Triage and categorization documentation
• Investigation records
• Reportability determination and rationale
• Any MDR or vigilance reports submitted
• CAPA references
• Device evaluation results
• Trend analysis references
• Close-out summary

Retain complaint files for the required retention period. Under FDA, MDR event files must be retained for the expected life of the device or a minimum of 2 years, whichever is longer. Under EU MDR, vigilance records must generally be retained for at least 10 years (15 years for implantable devices).

Common Mistakes in Complaint Handling

1. Not Logging All Potential Complaints

If a customer calls to say the device "didn't work right" and the call center agent doesn't log it as a potential complaint, you have a compliance gap and a blind spot in your post-market data. Train all customer-facing personnel to recognize and route potential complaints.

2. Inadequate Reportability Evaluation

Every complaint must be evaluated for MDR reportability — not just the ones that seem serious. The evaluation must be documented. Writing "not reportable" without documenting the rationale is a common audit finding.

3. Investigation Without Root Cause Analysis

Closing complaints with a description of the failure but without a root cause analysis is insufficient. Even if the investigation concludes that the device performed as intended, that conclusion must be supported by evidence.

4. Disconnected CAPA and Risk Management

Complaints that reveal new failure modes or higher-than-expected occurrence rates must feed back into the risk management file. Complaints that indicate systemic problems must trigger CAPA. Keeping these systems in silos is a regulatory risk and a missed opportunity for improvement.

5. Treating Complaint Handling as a Back-Office Function

Complaint data is one of the most valuable sources of post-market intelligence. It should be reviewed by management, discussed in design reviews, and used to inform product development decisions.

Complaint Handling Under QMSR (2026 Transition)

With the FDA's Quality Management System Regulation (QMSR) now in effect as of February 2, 2026, the transition from the old Quality System Regulation (QSR) changes how complaint handling is referenced but not the fundamental requirements:

• ISO 13485 Clause 8.2.2 is now the basis for FDA complaint handling expectations
• FDA-specific requirements are preserved in the supplemental provisions of QMSR, including complaint documentation and MDR integration
• Terminology changes include "Medical Device File" replacing "Device Master Record" and "Design and Development Files" replacing "Design History File"
• Record access changes — QMSR removes the previous exception that allowed companies to withhold management review and internal audit records from FDA inspectors, which affects how complaint trend data is documented and accessible

Manufacturers with existing ISO 13485 certification should be largely compliant with QMSR complaint handling requirements but should verify that FDA-specific additions (MDR integration, complaint file identification) are addressed.

Documentation Checklist

Your complaint handling system documentation should include:

• Procedure for receiving, evaluating, investigating, and closing complaints
• Complaint intake form or electronic system for logging complaints
• Triage criteria for determining reportability
• Investigation templates with fields for root cause analysis
• MDR/vigilance reporting forms (FDA Form 3500A for US; MIR form for EU)
• Complaint trend analysis reports (periodic, typically monthly or quarterly)
• Management review inputs — complaint data summarized for review
• Training records for complaint handling personnel
• CAPA references linking complaints to corrective and preventive actions

Summary

Complaint handling is a core quality system process that connects post-market surveillance, regulatory reporting, risk management, and continuous improvement. Every major regulatory framework — FDA QMSR, ISO 13485, EU MDR — requires documented complaint handling procedures with evaluation for reportability, investigation, CAPA integration, and trend analysis.

Key takeaways:

• Every complaint must be logged, evaluated, investigated, and documented — no exceptions
• Reportability evaluation is mandatory for every complaint and must be documented with rationale
• Complaint data must feed into CAPA, risk management, and clinical evaluation
• Trend analysis transforms individual complaints into actionable intelligence
• Under QMSR (effective February 2, 2026), complaint handling aligns with ISO 13485 Clause 8.2.2 plus FDA-specific supplements
• Complaint handling is not a back-office compliance function — it is a strategic source of post-market intelligence