Medical Device Reporting and Vigilance in the EU


Post-market surveillance is a vast topic and a vital element of compliance with the EU Medical Device Regulation. It covers the manufacturer’s pro-active and passive activities in the post-market phase of their device. However, manufacturers must also have a process in place for identifying and handling reports of product noncompliance on the market; we call this Vigilance.

The primary objective of the medical device vigilance system is to enhance the protection of patients, healthcare professionals, and users by minimising the likelihood of recurring incidents associated with medical device usage. Adverse incidents shall be carefully assessed and, when necessary, the information shall be reported to a National Competent Authority (NCA) in the EU. This dissemination aims to prevent the recurrence of such incidents by implementing appropriate corrective actions in the field.

Manufacturers complying with Regulation (EU) 2017/745 on medical devices (EU MDR) must have in place a system for surveilling the market, investigating and reporting suspected or known adverse events which involved their product. Whilst not being the most descriptive document, the EU MDR does provide a good amount of information on what this process should entail in Articles 87 to 92. Here, we will focus on two main reporting mechanisms:

  • Incident reporting.
  • Field safety corrective actions.

Incident Reporting in the EU

Not all incidents which have occurred will need to be reported, only those which are considered to be serious incidents.

An incident is defined in the EU MDR as “any malfunction or deterioration in the characteristics or performance of a device made available on the market, including use-error due to ergonomic features, as well as any inadequacy in the information supplied by the manufacturer and any undesirable side-effect.”

On the other hand, a serious incident is a subset of the above, defined as “any incident that directly or indirectly led, might have led or might lead to any of the following:

  • The death of a patient, user or other person,
  • The temporary or permanent serious deterioration of a patient’s, user’s or other person’s state of health,
  • A serious public health threat;”

As seen in the above definition, there are various severities of serious incidents. Nevertheless, all incidents shall be investigated (serious or not) to determine whether they could have potentially led to any of the above scenarios. If the manufacturer believes that it could have led to a serious incident, then the incident should be treated as serious.

We recommend that your system’s default mode should be set to “Report” such that even in those cases where it is difficult to determine whether or not to report an incident, the answer should be to report.

The following three criteria (when met together) are used to define an incident as ‘serious’ and whether it should be reported:

A: An incident has occurred.

B: The incident directly or indirectly led, might have led or might lead to any of the outcomes of a serious incident.

C: A causal relationship between the serious incident and the manufacturer’s device has been established, is reasonably possible or suspected.

MDCG 2023-3 provides an excellent elaboration on each of the above criteria.

Whilst the EU envisages that all reports eventually be made through Eudamed, the Vigilance Module is not yet at 100% functionality. Therefore, currently we default to the previous system of completing and submitting forms to the relevant stakeholders. In the case of incident reporting, this is done through the use of the Manufacturer’s Incident Report (MIR) form.

The form should be completed using all available information at that time. You can always submit a follow-up MIR with additional information at a later stage.

The completed MIR shall be sent to the NCA in the country or countries in which the incident has occurred. It is also recommended to keep your EU Authorised Representative (EU AR) in copy or provide them with the report for their records. The NCA may request additional information which the manufacturer should promptly address. In general, however, the manufacturer should continue their investigation and conclude their findings and any actions taken within a final MIR sent to the NCA.

In all cases, the investigation shall also include conducting a risk assessment to determine any changes in the overall benefit-risk as well as the implications of this incident. This may lead to the manufacturer carrying out further action to eliminate this risk, covered in Field Safety Corrective Action further on in this article.

Reporting Timelines

The EU MDR sets timelines within which serious incidents shall be reported. In all cases, an initial report may be sent to the NCA even in the absence of sufficient data.

Incident TypeDescriptionReporting Timeline
General Serious IncidentCausal relationship identified between the device and serious incident (or potential).Immediately, not later than 15 days after becoming aware of the threat.
Serious Public Health ThreatAn event that could result in imminent risk of death, serious deterioration in a person’s state of health, or serious illness, that may require prompt remedial action, and that may cause significant morbidity or mortality in humans, or that is unusual or unexpected for the given place and time.Immediately, not later than 2 days after becoming aware of the threat.
Death or an unanticipated serious deterioration in a person’s state of healthIt has been established or suspected that the device has led to a serious incident which led to the death of a patient or serious deterioration in that person’s state of health i.e. an ‘unanticipated’ condition leading to the deterioration that was not considered in the manufacturer’s risk analysis.Immediately, not later than 10 days after becoming aware of the incident.

Field Safety Corrective Actions

A Field Safety Corrective Action (FSCA) is any action taken by the manufacturer on devices which have been made available on the market in order to reduce the risk of a serious incident. The need to perform an FSCA may result from an investigation into an incident or may be identified internally through other activities conducted by the manufacturer. MDCG 2023-3 provides the following examples of FSCA:

  • The return of a device to the supplier or a recall.
  • A device exchange.
  • A device modification.
  • Retrofit by purchaser of manufacturer’s modification or design change.
  • Device destruction.
  • Advice given by the manufacturer regarding the use of the device, such as additional information on maintenance, cleaning instructions, and training and/or the follow-up of patients, users or others.
  • Recommended inspections/examination by device user (e.g. regular professional checks of proper functioning in a testing setting).
  • Changes of software/firmware in the device, including device update (e.g. version rollback).

The manufacturer must immediately inform the NCA in the country in which the devices have been made available and in which the FSCA shall be carried out. Once agreed upon by the relevant NCA, the FSCA may be undertaken with a Field Safety Notice (FSN) being provided to the end users without undue delay. The FSN will need to be translated accordingly.

Furthermore, the FSCA shall be reported to the appropriate Notified Body (where applicable) and to the NCA in which the manufacturer or their EU Authorised Representative is based in, even if no FSCA will be carried out in that Member State.

In the event that the manufacturer is carrying out an FSCA in a country outside of the EU, then the relevant EU NCAs shall be notified unless the products are only made available in that third country.

NCAs may have additional requests or suggested amendments to the FSN. In all cases, the manufacturer shall promptly reply and make the appropriate changes without undue delay.

FSCAs are currently reported using the FSCA Report Form and a draft FSN template can be found here.

Vigilance and Reporting Procedure

Medical device manufacturers placing products on the EU market must have a robust procedure for vigilance and reporting in place. Legacy device manufacturers must also comply with the specifics indicated in the EU MDR which has introduced some slight changes in the way this is performed.

NOTE: A lot of the information provided in MEDDEV 2.12/1 is still relevant. So if your procedure is currently based on that guidance, we recommend conducting a gap assessment against Articles 87 to 92 of the EU MDR to assure compliance.

The procedure should include, at least:

  • Definitions.
  • Responsibilities.
  • Resources and tools.
  • Process for identifying and recording incidents or suspected incidents.
  • Process for qualifying the incident as serious and reportable.
  • Process for reporting and reporting timelines.
  • Process for investigation and follow-up.
  • Process for conducting an FSCA and issuing an FSN.

The procedure should be clear in defining who the manufacturer shall report to and by when. We recommend having a list of contacts to report to, or at least a reference to contact details for suppliers or end users, NCAs, and where applicable, the Notified Body and EU AR.

The procedure shall also give reference to other related processes within your Quality Management System and medical device technical files, including the CAPA system, Design Change Control, and Risk Management.

How can Specculo help?

Reach out to us if you are having issues or doubts about how to meet your vigilance and reporting obligations in the EU. We will guide you through the process and assist you in communicating with NCAs and other related stakeholders.