LESSON 04
FINAL LESSON
Regulatory Affairs & FDA Strategy
Post-Market Surveillance, Adverse Event Reporting, and Compliance
FDA clearance is not the end of regulatory work. It is the beginning of the obligations that can end a company if they are not managed.
Founders who treat FDA clearance as the finish line are setting themselves up for the most dangerous phase of regulatory exposure. Once a device is on the market, the company enters a continuous compliance environment governed by post-market surveillance obligations, adverse event reporting requirements, complaint handling procedures, and the ever-present possibility of an FDA inspection. Companies that manage these obligations systematically build durable regulatory credibility. Companies that treat them as administrative overhead eventually generate the kind of inspection findings that result in warning letters, import alerts, or consent decrees.
The Medical Device Reporting regulation — 21 CFR Part 803 — requires manufacturers to report to FDA when they become aware that a device may have caused or contributed to a serious injury or death, or when a device has malfunctioned in a way that would be likely to cause or contribute to serious injury or death if the malfunction were to recur. These reports are called MDRs — Medical Device Reports. The reporting timelines are specific and non-negotiable: thirty days for deaths, serious injuries, and most malfunctions; five days for events requiring remedial action to prevent an unreasonable risk of substantial harm. Getting the timeline wrong — even by a day — is a reportable compliance failure in an inspection.
Complaint handling is the upstream system that feeds MDR reporting. Under 21 CFR Part 820, manufacturers must establish and maintain procedures for receiving, reviewing, and evaluating complaints. Every complaint must be evaluated to determine whether it represents an MDR-reportable event. A company that does not have a documented complaint handling process — or that has one on paper but does not follow it — is unable to demonstrate MDR compliance, because there is no systematic mechanism for identifying events that require reporting. The complaint file is one of the first things FDA investigators examine in a device inspection.
CAPA — Corrective and Preventive Action — is the quality system mechanism for identifying the root causes of quality problems and implementing systematic fixes before those problems recur or before potential problems materialize. Corrective action addresses existing nonconformances. Preventive action addresses potential nonconformances identified through trend analysis, complaints, audit findings, or post-market surveillance data. CAPA is not a paperwork exercise. A CAPA system that generates investigation records without actually changing processes is one of the most common Form 483 observations FDA investigators issue, and a history of closed-but-ineffective CAPAs is a significant red flag in an inspection.
Post-market surveillance is the broader system of ongoing data collection and analysis that informs a manufacturer's understanding of real-world device performance. It encompasses complaint data, MDR data, literature monitoring, registry participation, and — for some PMA devices — FDA-required post-approval studies. Post-market surveillance is not just a regulatory obligation. It is the primary source of signal for product safety issues that were not detectable in pre-market testing, and companies that analyze that data systematically are better positioned to identify problems before they become enforcement actions.
A recall is not always what founders imagine. In regulatory terms, a recall is any action to remove or correct a marketed product that FDA considers to violate a law it administers. This includes field corrections — where a company sends a letter to customers instructing them to change how a device is used — not just physical product retrievals. Class I recalls involve products where there is a reasonable probability of serious adverse health consequences or death. Class II recalls involve products that may cause temporary or medically reversible adverse health consequences. Class III recalls involve products that are unlikely to cause adverse health consequences but violate FDA regulations. Companies discover they are in a recall situation much more often than they expect, and having documented procedures for recall execution and FDA notification in advance is a quality system requirement under 21 CFR Part 806.
An FDA inspection — conducted by an investigator from the Office of Regulatory Affairs — is a formal examination of a manufacturing facility and quality system. The investigator issues a Form 483 at the close of the inspection listing observations of conditions that appear to violate FDA regulations. A 483 is not a final enforcement action — it is an opportunity to respond. A warning letter, which is posted publicly on FDA's website, is issued when FDA concludes that a company's response to a 483 was inadequate or when violations are serious enough to warrant immediate public notice. A warning letter materially affects the company's ability to file new submissions, obtain financing, and complete acquisitions. Managing the inspection process — including how to respond to 483 observations — is a skill that should be developed well before the first inspection arrives.
The most dangerous compliance failure is not the one you reported late. It is the one you never identified because your complaint handling system was not actually working.
TERMS
Term of focus
Medical Device Report (MDR)
A mandatory report to FDA filed under 21 CFR Part 803 when a manufacturer becomes aware that a device may have caused or contributed to a serious injury, death, or a malfunction likely to cause serious injury if it recurs. MDRs must be filed within thirty days for most events and five days for events requiring immediate remedial action. MDR data is publicly accessible in FDA's MAUDE database and is used by FDA to identify safety signals requiring regulatory action.
Corrective and Preventive Action (CAPA)
A quality system process required under 21 CFR Part 820 for identifying the root causes of existing nonconformances and implementing systemic corrections, as well as for identifying and eliminating potential nonconformances before they occur. CAPA effectiveness is measured not by the number of CAPAs opened but by whether the underlying problem recurred. Ineffective CAPAs — those closed without actually solving the root cause — are among the most common and serious FDA inspection findings.
Form 483
The document issued by an FDA investigator at the conclusion of a facility inspection listing observations of conditions that appear to violate FDA-administered regulations. A 483 is not a final enforcement action and requires a written response from the company within fifteen business days. The quality and completeness of a 483 response determines whether FDA escalates to a warning letter or considers the matter resolved.
Warning Letter
A formal FDA communication to a company notifying it of violations of FDA-regulated requirements that are of regulatory significance, issued when a 483 response was inadequate or when violations are serious enough to require public notice. Warning letters are publicly posted on FDA's website and materially affect the company's ability to file new submissions, raise capital, and complete M&A transactions. Resolving a warning letter typically requires demonstrating sustained corrective action over months to years.
Post-Market Surveillance (PMS)
The systematic collection and analysis of real-world device performance data after market authorization, including complaint data, adverse event reports, literature monitoring, and registry participation. PMS is both a regulatory requirement and the primary early-warning system for safety signals that pre-market testing cannot detect. For PMA devices, FDA may require formal Post-Approval Studies as a condition of approval.
Recall
Any action to remove or correct a marketed product that FDA considers to violate a regulation it administers, including field corrections and customer notifications — not only physical product retrievals. Recalls are classified by FDA into Class I, II, or III based on the probability and severity of health consequences. The existence of documented recall procedures and the speed and completeness of recall execution are quality system requirements assessed during inspections.
MAUDE
FDA's publicly accessible Manufacturer and User Facility Device Experience database, which contains MDR reports submitted by manufacturers, importers, and device user facilities. MAUDE is the primary public record of device safety complaints and adverse events and is used by FDA, researchers, litigants, and competitors to identify safety patterns. Companies should monitor MAUDE for their own product class as part of post-market surveillance.
Unique Device Identifier (UDI)
A standardized numeric or alphanumeric code assigned to a medical device that identifies it in commerce and allows tracking through the distribution chain. UDI compliance requires labeling and database registration in FDA's Global UDI Database (GUDID) and is a prerequisite for post-market surveillance system integrity. UDI data enables FDA to quickly identify and locate devices involved in adverse events or recalls.
BEFORE YOUR NEXT MEETING
— Can we walk through our complaint handling process end-to-end — from how a complaint enters the system, to how it is evaluated for MDR reportability, to how it is documented and closed — and demonstrate that the written procedure matches what actually happens?
— What is our average time from complaint receipt to MDR reportability determination, and do we have documented evidence that no event in the past twelve months exceeded the five-day or thirty-day reporting deadline?
— Have we reviewed our open CAPA records in the last ninety days to verify that corrective actions were implemented and effective — not just that they were closed?
— If FDA announced an inspection tomorrow, which aspect of our quality system would we be least confident presenting to an investigator, and what is the remediation plan for that gap?
— Have we searched the MAUDE database for adverse events reported against devices in our product code, and have we assessed whether any of those events could occur with our device under current design and labeling?
SOURCES
FDA — '21 CFR Part 803: Medical Device Reporting'
FDA — '21 CFR Part 806: Medical Devices; Reports of Corrections and Removals'
FDA — 'MAUDE — Manufacturer and User Facility Device Experience'
FDA — 'Inspections, Compliance, Enforcement, and Criminal Investigations: Warning Letters'
FDA — 'Postmarket Surveillance Under Section 522 of the Federal Food, Drug, and Cosmetic Act' (2016)