QA/RA Consulting, Auditing & Training


Let's get started

Medical Device Complaint Handling: Understanding the Basics

What exactly is complaint handling?

First and foremost, complaint handling is a business and regulatory requirement. If you are going to be in the medical device business, you must document a process for gathering feedback. If you are new to complaint handling, you will first want to start by reading the requirements for complaint handling as spelled out in US FDA regulation 21 CFR Part 820.198 and Clause 8.2.2 of ISO 13485:2016. (The ISO 13485 standard is a copyrighted document so you won’t find the text online, but you can buy it from ISO.)

The word “gather” is important because it implies we are proactively seeking feedback. Complaints, unfortunately, come to us, so complaint handling is a reactive procedure. Let’s take a quick look at the definition of complaint handling according to ISO 13485:2016 and 21 CFR Part 820.

One thing you should note is the inclusion of the word “usability” in ISO 13485:2016. This is an increasingly important issue to which you need to pay attention. The US FDA refers to usability as “Human Factors.”

Distinguishing between feedback and complaints

Feedback and complaints come from a variety of sources, including surveys, focus groups, data analysis, service requests, technical support inquiries, and even online product reviews and social media. All complaints are feedback, but NOT all feedback is a complaint. The following types of feedback are not complaints:


  • Product information inquiries
  • Preventive maintenance service calls
  • Cosmetic defects
  • Shipping errors

This is important to understand, because you need to establish a process to evaluate each piece of feedback and determine whether it meets your requirements to elevate it to a complaint. We’ll talk more about this later.

Sources of customer complaints

Complaints can originate from many sources and be submitted via email, online contact forms, telephone (by far most common), social media, online product reviews, and even good old-fashioned letters. Often the complaints will be submitted directly from customers, but they may also come second-hand from customer service personnel, your sales team, or field service personnel. It is vitally important that every employee be trained on how to deal with the intake of complaints, as this is required in the US by 21 CFR Part 803.

How medical device complaints are categorized

Essentially, postmarket  issues can be placed into one of two buckets. The first type is an “incident-driven” issue. For instance, let’s say you receive a report from a hospital that an electrical malfunction has occurred in your surgical ablation system tool. The failure could have led to serious harm or death for the patient. This is an incident-driven issue that requires immediate action.

The second type of issue that arises is one driven by a review of data. For example, while reviewing service records you may notice a trend in repeated failures of your surgical ablation pens under certain conditions, which qualifies as a complaint. That’s certainly a reliability problem and falls within the ISO 13485:2016 and FDA definitions of complaints.

How complaints reach companies

You may assume that the majority of complaints get reported via the “contact us” form on a company website or a specific email address posted online. Believe it or not, only 3% of medical device complaints come via these channels. In the medical device world, the telephone still reigns supreme. Nearly two-thirds of complaints are reported by telephone. Surprised? The reality is that when people experience a problem with a device, they want to talk to a real person about it right now, not submit an anonymous online form/email into a black hole.



In our increasingly impersonal online world, the process of fielding phone calls from angry customers may seem time-consuming and unpleasant, but it’s worth it. You WANT people to call you because it gives your team an opportunity to ask questions and dig into the underlying issue. A good service rep – trained to listen, probe, and show empathy – can dilute the venom of an upset customer while gathering the data needed to further investigate the claim.

Basic complaint-handling process

Before we talk about reporting, we should take a look at the basic complaint-handling process, which has three phases.

STEP 1 Intake – This is where you do initial triage. Is the complaint valid? Is it potentially reportable? Was it caused by use error or abnormal use?

STEP 2 Investigate -This is where you dig in. How deep you go will depend on the nature of the complaint. In many cases, you will conduct an initial investigation and determine that no further research is necessary. On the other end of the spectrum are incidents where harm was done to a patient or user. These need to be thoroughly investigated to determine the root cause of the issue.

STEP 3 Close – After you determine the level to which you need to investigate and have assembled the appropriate documentation as required, you will “close” the complaint. While you are investigating and closing complaints, you may also be updating your risk management files, preparing a vigilance report, and/or – in extreme circumstances – taking immediate action to mitigate further harm.

Does your team know what information to collect?

Before we get into the issue of whether a complaint is reportable, let’s talk about what information needs to be captured when a new complaint is received. There is specific information that, at a minimum, you must collect. This includes:


  • Name of the product involved
  • Date the complaint was received
  • Identification or control numbers on the product (e.g., UDI is best)
  • Contact information for the complainant
  • Nature and details of the complaint
  • Determination of event reporting and linkage to event (if filed)
  • Need for further investigation and record of investigation (if needed)
  • Any corrective action taken
  • Any reply to the complainant

What is considered a reportable incident?

During the investigation phase, there will come a moment when you need to decide if the complaint is reportable to regulatory authorities. FDA refers to this as “medical device reporting.” Europe uses the term “medical device vigilance,” while Canada calls it “mandatory problem reporting.” Regardless of the market, reporting is required when you become aware of information from any source that suggests your product may have:


  1. Caused or contributed to a death or serious injury.
  2. Malfunctioned in such a way that, if it were to happen again, there would be a potential for injury or death.

If you decide not to report something, it is absolutely vital that you document the reasons why you made this decision. When in doubt, report it.

During the intake process, a determination will need to be made of whether a complaint is considered a reportable event. Here is a list of incidents that are reportable in many countries:


  • Death or serious injury (or potential to have caused such) to the patient
  • Device output questioned by a medical practitioner after patient management
  • Error affecting proper patient identification
  • Specific system malfunctions or use errors
  • Fire or visible smoke
  • Use of a product outside its “intended use” labeling
  • Receipt of a user FDA MedWatch Report

Examples of incidents that are reportable

Here are some examples of reportable incidents. Keep in mind that the requirements differ among the US, Europe, Canada, and Australia, so make sure you understand the reporting requirements for each market in which you sell you product. Reporting requirements often apply even if the incident did not occur in that market!


  • During use of an external defibrillator on a patient, the defibrillator failed to deliver the programmed level of energy due to a malfunction. The patient could not be revived.
  • An infusion pump stopped due to a malfunction but failed to give an alarm. The patient received an underinfusion of needed fluids and required extra days in the hospital to correct the ensuing condition.
  • A manufacturer released a batch out-of-specification blood glucose strips. A patient used the strips according to instructions but readings provided incorrect values. This led to incorrect insulin dosage, resulting in hypoglycemic shock and necessitating hospitalization.

Remember, if you choose not to report an incident, you need to document why you chose made this decision. Otherwise, you could later be accused of brushing known problems under the rug. When in doubt, pass it along for further investigation or report it.

Timeframes for incident reporting to regulatory authorities

Europe’s Medical Device Regulation (MDR 2017/745) places strict requirements on medical device manufacturers to report incidents to EU Competent Authorities. Serious incidents need to be reported within 15 days of becoming aware of the issue. All of that information will also be stored in a database that allows Competent Authorities in different EU countries to share information; however, at this writing, the database has not yet been released for use.

Typically (e.g., when public health is not threatened) FDA requires medical device reporting within 30 days of becoming aware of an issue, and that’s consistent with the current EU Directives. There are exceptions that may require you to report a serious incident in as few as 5-10 days, so make sure you understand the requirements.

With the EU Regulation now requiring a 15-day reporting timeframe after you become aware of an issue, this means your complaint-handling unit has to be really efficient!

Medical Device Complaint Investigation Procedure

LEVEL I: Conduct an initial investigation
  • Confirm the complaint. Is the alleged deficiency actually a deficiency?
  • Do you have enough information to investigate the complaint? Make earnest attempts to get the information you need.
  • Review use errors against your instructions for use (IFU).

You may be able to close the complaint after an initial investigation into assignable cause. Is there an open CAPA for this issue? Does the complaint suggest that a closed CAPA action was ineffective? Is this being investigated by another entity, such as a supplier or distributor? Make sure you understand when to escalate to Level II and when an initial investigation is enough. In all cases, document, document, document.

LEVEL II: Investigate to probable cause

After your initial Level I investigation, you may find it necessary to investigate the probable cause to find out if there is a new problem. That’s usually due to the fact that a new (previously unreported) issue has occurred, or your trend alerts have been exceeded. At this point you may choose to end an investigation because the failure is within the limits you have established based on labeling, intended use, and risk files. Or, you may have a situation in which the failure is a known issue but falls outside a risk threshold or trending (frequency) limits. These risk thresholds or trending limits are outputs of your risk management process. For example, in design you reduced the risk of battery failure by adding a backup battery, but you still want to trend failures of the first battery. The failure rate is pretty low, as expected, but then you see a sudden shift upward in the occurrence rate. This triggers you to investigate, uncovering a supplier issue and allowing you to solve the problem before any patients are harmed.

LEVEL III: Investigate to root cause

If your Level II investigation reveals that you have a new failure mode on your hands, you may need to take the next step and open a CAPA. You certainly need to update your risk management file. Before doing so, you need to define the problem and then investigate its root cause. You will also need to determine whether a recall is needed or if some other corrective/containment action is warranted. It’s important to know that not all complaints require a root cause investigation or CAPA! That being said, there are some events that may require a root cause investigation:


  • Nonconformity caused or contributed to a death or serious injury (or could have)
  • Nonconformity is a violation of an applicable regulation or product specification
  • Nonconformity exceeds predefined trending limits
  • Management team requests investigation

How and when to close complaints

So, now that you have conducted your investigation and taken appropriate actions, it’s time to close the complaint. Before you begin that process, you need to document parallel processes such as vigilance reporting, risk management file updates, and CAPA, if applicable. If you ended your investigation after Level I, you need to document in your complaint files that further investigation was not required and why. It’s important that you codify the closeout type so you can use this for trending.

If the complaint proceeded to Level II but ended there, you will again need to document why a root cause analysis was determined to be unnecessary. Include all data and reports, as well as a summary statement for the complaint file.

Finally, if the complaint proceeds all the way to Level III and you end up preparing a CAPA, your system may allow you to close the complaint by referencing the ongoing work in the CAPA. This is useful, as you may have additional complaints for the issue before your corrections and corrective actions are implemented.

Communicating the outcome

Finally, you need to have a process established so that you properly communicate the issues to the appropriate people internally (and perhaps externally). After all, investigating the root cause of an issue is time wasted if that knowledge is not shared with the people who can prevent the issue from happening again.

Internally, your design team incorporates complaint information as an input to design changes. Your manufacturing team incorporates complaint information as an input to improve their processes. Internal communication mechanisms include:


  • CAPA: Complaint trending used for determining effectiveness must be defined by the product, failure code(s), and trigger. Make sure there is a link between the complaint and the CAPA.
  • Statistical monitoring: In addition to trending, monitor cycle times from complaint receipt to investigation to closure, as well as filing time for reports.

Customers may need feedback for their own records, and customers also include regulators. External communication mechanisms include:


  • Vigilance reporting: Submitting a vigilance report to regulatory authorities on the complaint investigation closure.
  • Recall/customer communication: This should include a summary of the investigation and CAPA, plus link a recall to complaints affected by the failure.

Embrace PMS for the data it gives you

A well-developed and well-executed complaint-handling and reporting process has a lot of moving parts and can sometimes feeling burdensome to the company. You need to develop clear metrics to track safety and quality and then train your employees on these metrics. Without clear metrics, you won’t be able to see whether you are making meaningful progress or spotting trends. Numbers aside, always remember why you do it: to continually improve the safety and effectiveness of your devices for patients and users.

Building an effective PMS process from the ground up

According to the FDA, postmarket surveillance is the process of “active, systematic, scientifically valid collection, analysis and interpretation of data and other information about a marketed device.” Europe has a similar definition but adds the word “proactive” – a systematic procedure to proactively collect and review experience gained from devices placed on the market.

If you are just getting started building an internal PMS process, the first thing to do is organize a team that will manage product safety and quality. This may include representatives from QA/RA, manufacturing, design, field sales, and technical support. You will also want to be sure you have medical or clinical expertise and the support of your legal department, as they will be more involved than you may think. The structure of PMS teams will vary depending on the size of your company, its organizational structure, and geographic dispersion of locations.

Once a team has been identified, you’ll want to structure activities to continually assess the balance between the risk of the device and the clinical benefit, taking into account the state of the art in technical innovation. (See our highly rated risk management class for more helpful information on determining clinical benefit.) From a practical sense, this means both a reactive (incident-driven) process as well as a proactive (review-driven) process.

Reactive (incident-driven) PMS: Part of this process will involve the maintenance of risk management files and a clear definition of the trigger events that necessitate further investigation of complaints. Other examples of reactive PMS are:


  • Information about serious incidents, including field safety corrective actions
  • Records referring to nonserious incidents and data on any undesirable side effects
  • Information and actions from trend reporting
  • Information (including feedback and complaint) provided by users, distributors, and importers

Proactive (review-driven) PMS: This can include many nontraditional sources, such as social media (e.g., Facebook, Instagram and X), online product reviews, online discussion forums, or blogs. As part of PMS activities, have a plan or method for evaluating this information. Other examples of proactive PMS are:


  • Relevant specialist or technical literature, databases, and/or (patient) registers
  • Publicly available information about similar medical devices, such as FDA’s Total Product Life Cycle database
  • Information from other industries using the same technology as your device (e.g., network connectivity)
  • Innovations from your competitors and introduction of alternatives to your device, as these lessen the clinical benefit of your device

Data without action is just math

Once you have organized your team and established a framework for gathering PMS data, you need to translate data into information. This is where complaints, PMS, and risk management intersect. Evaluate the information using sound statistical rationale and objective risk-based decision making. Continually assess the intended use and actual use of your device, and the clinical benefit the device provides to maintaining public health. Many organizations evaluate information but fail to take credit for this in updating their risk management files. You don’t want an audit finding for failing to document the good work you are doing in evaluating PMS information.

Finally, you need to have a process established so that you properly communicate the issues to the appropriate people within the company. Complaints and PMS are important inputs to management review, and outcomes of this review include resources and actions. After all, investigating the root cause of a failure is time wasted if that knowledge is not shared with the people who can prevent it from happening again.

Don’t wait for problems to knock on your door…

Any company that has endured a high-profile product failure issue can tell you that the cost of maintaining an effective, proactive complaint-handling process is far lower than the cost of a preventable recall, patient harm, or PR disaster. Yet, although it is required in ISO 13485:2016 and 21 CFR Part 820, many companies do not have a complaint-handling process and discover this the hard way during an audit or a field failure. We know this because FDA keeps excellent records and “lack of complaint-handling procedures” is one of the most oft-cited violations.

This is a bigger deal than ever before, and it’s being driven by changes in European regulations. Compliance to the new EU MDR requires more emphasis on postmarket surveillance (PMS) activities, especially postmarket clinical follow up (PMCF). Chapter VII of the MDR (2017/745) points out the specific requirements for PMS and the data that must be collected. This includes information from Field Safety Corrective Actions (FSCA), Periodic Safety Update Reports (PSUR), plus data on trending, minor incidents, and general feedback. Annex III of the MDR also states that you must have a proactive and systematic process for collecting and analyzing postmarket data.

Want to learn more?

Check out our intensive training classes on Medical Device Complaint Handling, Event Reporting, and Recall Management and Medical Device Postmarket Surveillance (PMS) Implementation. Both classes are offered as public seminars, either in person or virtually, or can be held just for your company.

Our team is here to help. Contact us online
Get answers right now. Call

US OfficeWashington DC


EU OfficeCork, Ireland

+353 21 212 8530