MDR reportability evaluation and 21 CFR Part 803 obligations remain fully in force — complaint-to-MDR linkage from 820.198 continues.
Regulatory reporting becomes a standalone QMS process with its own documented procedure; multi-jurisdiction reporting (EU vigilance, MDSAP) must be addressed.
Standalone regulatory reporting SOP and jurisdiction coverage — single-country procedures without EU or MDSAP pathways are a common gap for global manufacturers.
Maps to
QMSR / ISO 13485: §21 CFR Part 803 (MDR)
ISO 13485: §8.2.3 Reporting to regulatory authorities
Requirement text
The organization shall document procedures for reporting to regulatory authorities in accordance with applicable requirements.
Why this clause exists
Regulatory reporting procedures must be documented as a standalone QMS process — not embedded in complaint handling — because the reportability determination is a distinct legal obligation with defined timeframes and accountability that complaint intake alone does not capture. FDA MDR requirements under 21 CFR Part 803 impose 30-day and 5-day reporting timelines from the date the manufacturer becomes aware of information reasonably suggesting a reportable event; a procedure that does not name a responsible role, define criteria, and establish the timeline triggers creates conditions for late or missed reports — regulatory violations with potentially severe consequences. The requirement to document reportability assessments for events determined not to be reportable is equally important: it demonstrates that the evaluation was made deliberately, not omitted, and provides a record that survives inspector review of the event file. The inclusion of advisory notices (field safety corrective actions) within the regulatory reporting obligation reflects the full scope of manufacturer reporting duties: adverse event reporting and field corrective action reporting are both regulatory obligations, and a QMS that documents only MDR criteria will lack procedures for the advisory notice component. Multi-jurisdiction reporting obligations — EU MDR 2017/745 serious incident reporting, Health Canada problem reports, and other national competent authority notifications — must be addressed wherever the device is marketed, making the procedure scope a function of the device's geographic distribution, not just the US regulatory context.
What changed
Part 820 addressed regulatory reporting primarily through the complaint handling requirements of 820.198, which required evaluation of each complaint for MDR reportability under 21 CFR Part 803. The specific reporting requirements were defined outside Part 820, in Parts 803 (MDR), 806 (reports of corrections and removals), and 810 (recall authority). ISO 13485 clause 8.2.3 creates an explicit, standalone requirement within the QMS for documented procedures for reporting to regulatory authorities.
The structural change is significant: regulatory reporting is now explicitly a QMS process, not just an adjunct to complaint handling. ISO 13485 requires the organization to document procedures for identifying applicable reporting requirements across all jurisdictions where the device is marketed, not just FDA. This means organizations must have a documented process that addresses MDR reporting (21 CFR Part 803), corrections and removals reporting (21 CFR Part 806), and, if applicable, EU vigilance reporting under MDR 2017/745 and other national authority reporting requirements.
The QMSR also introduces explicit requirements for when regulatory reporting applies and how it integrates with the broader feedback and complaint systems. Under the legacy QSR, the linkage between complaint investigation and MDR determination was procedural but not structurally formalized as a standalone QMS process. Under ISO 13485, regulatory reporting has its own clause, its own procedure requirements, and its own record requirements, creating a more auditable and traceable process.
The FDA preamble noted that regulatory reporting obligations under 21 CFR Parts 803 and 806 remain unchanged by the QMSR; the change is in how these obligations are integrated into the QMS framework.
Common gaps (what we see in audits)
- Lack of MDR/Recall linkage — The complaint procedure doesn't have a clear 'Decision Tree' or linkage to the 21 CFR 803 (MDR) or 806 (Recall) procedures. ISO 13485 §8.2.3 requires reporting to be defined.
- No Standalone Regulatory Reporting Procedure — ISO 13485 clause 8.2.3 requires a documented procedure specifically for regulatory reporting. Many Part 820-era organizations embed MDR reportability assessment within their complaint handling SOP without a standalone regulatory reporting procedure that addresses all applicable reporting requirements across jurisdictions.
- Single-Jurisdiction Reporting Only — ISO 13485 requires procedures for reporting to regulatory authorities under applicable regulatory requirements, which may include multiple jurisdictions. Many US-focused organizations have MDR procedures but lack documented procedures for EU vigilance reporting, MDSAP authority reporting, or other international reporting requirements even when they market devices in those jurisdictions.
- Missing records of regulatory comms — Emails or formal letters from the FDA are stored in personal email inboxes rather than the 'Medical Device File.' ISO 13485 §8.2.3 requires maintaining these records.
- Reporting Timelines Not Documented — ISO 13485 requires that reporting procedures include awareness of applicable timelines. Some organizations lack clear documentation of reporting deadlines (FDA 30-day, 5-day; EU 15-day, 10-day, 2-day) within their regulatory reporting procedures, relying on institutional knowledge rather than documented requirements.