Maps to
QMSR / ISO 13485: §820.198
ISO 13485: §8.2.3
Requirement text
The organization shall document procedures for reporting to regulatory authorities in accordance with applicable requirements.
What changed
Part 820 addressed regulatory reporting primarily through the complaint handling requirements of 820.198, which required evaluation of each complaint for MDR reportability under 21 CFR Part 803. The specific reporting requirements were defined outside Part 820, in Parts 803 (MDR), 806 (reports of corrections and removals), and 810 (recall authority). ISO 13485 clause 8.2.3 creates an explicit, standalone requirement within the QMS for documented procedures for reporting to regulatory authorities.
The structural change is significant: regulatory reporting is now explicitly a QMS process, not just an adjunct to complaint handling. ISO 13485 requires the organization to document procedures for identifying applicable reporting requirements across all jurisdictions where the device is marketed, not just FDA. This means organizations must have a documented process that addresses MDR reporting (21 CFR Part 803), corrections and removals reporting (21 CFR Part 806), and, if applicable, EU vigilance reporting under MDR 2017/745 and other national authority reporting requirements.
The QMSR also introduces explicit requirements for when regulatory reporting applies and how it integrates with the broader feedback and complaint systems. Under the legacy QSR, the linkage between complaint investigation and MDR determination was procedural but not structurally formalized as a standalone QMS process. Under ISO 13485, regulatory reporting has its own clause, its own procedure requirements, and its own record requirements, creating a more auditable and traceable process.
The FDA preamble noted that regulatory reporting obligations under 21 CFR Parts 803 and 806 remain unchanged by the QMSR; the change is in how these obligations are integrated into the QMS framework.
Atomic constraints
- MDR reporting criteria must be defined
- Reportability assessment procedures must exist
- Reporting timelines must be documented
- Vigilance reporting must be addressed
- Documented procedures must exist specifically for regulatory reporting as a standalone QMS process, separate from but linked to complaint handling.
- The procedure must define the criteria and timelines for reporting adverse events and device-related incidents to applicable regulatory authorities (e.g., FDA 30-day/5-day MDR timelines under 21 CFR Part 803).
- The procedure must address reporting obligations across all jurisdictions in which the device is marketed, including EU vigilance reporting under MDR 2017/745 where applicable.
- Records of all reportability assessments — including the determination that an event is not reportable — must be maintained with rationale.
- Advisory notices (field safety corrective actions) must be reported to regulatory authorities in accordance with applicable regulations, and records of all advisory notices must be maintained.
- The procedure must define who is responsible for making reportability determinations and submitting reports, ensuring accountability is assigned to named roles.
Common gaps
Lack of MDR/Recall linkage
major: The complaint procedure doesn't have a clear 'Decision Tree' or linkage to the 21 CFR 803 (MDR) or 806 (Recall) procedures. ISO 13485 §8.2.3 requires reporting to be defined.
No Standalone Regulatory Reporting Procedure
moderate: ISO 13485 clause 8.2.3 requires a documented procedure specifically for regulatory reporting. Many Part 820-era organizations embed MDR reportability assessment within their complaint handling SOP without a standalone regulatory reporting procedure that addresses all applicable reporting requirements across jurisdictions.
Single-Jurisdiction Reporting Only
moderate: ISO 13485 requires procedures for reporting to regulatory authorities under applicable regulatory requirements, which may include multiple jurisdictions. Many US-focused organizations have MDR procedures but lack documented procedures for EU vigilance reporting, MDSAP authority reporting, or other international reporting requirements even when they market devices in those jurisdictions.
Missing records of regulatory comms
moderate: Emails or formal letters from the FDA are stored in personal email inboxes rather than the 'Medical Device File.' ISO 13485 §8.2.3 requires maintaining these records.
Reporting Timelines Not Documented
minor: ISO 13485 requires that reporting procedures include awareness of applicable timelines. Some organizations lack clear documentation of reporting deadlines (FDA 30-day, 5-day; EU 15-day, 10-day, 2-day) within their regulatory reporting procedures, relying on institutional knowledge rather than documented requirements.
Evidence signals
- FILE_EXISTS: (MDR.*Report|Vigilance|Reportab|Adverse.*Event|Regulatory.*Report)
- CONTENT_MATCH: Does this document describe MDR reporting, vigilance procedures, or adverse event reporting requirements?
Audit defense
Regulatory reporting for [your product] is governed by [your document ID]. MDR reportability criteria and timelines are defined, reportability assessments are documented for each qualifying event, and vigilance reporting requirements are addressed per ISO 13485 8.2.3.