Introduction
Vigilance is the cornerstone of post-market safety oversight for medical devices in the European Union. Under Medical Device Regulation (MDR) No. 2017/745 and In Vitro Diagnostic Device Regulation (IVDR) No. 2017/746, manufacturers are required to proactively monitor the safety of their devices once on the market and to report serious incidents and field safety corrective actions (FSCAs) to the relevant national competent authorities (CAs).
This guide is intended for regulatory affairs professionals, post-market surveillance teams, quality managers, and sales and marketing teams at medical device manufacturers operating in the EU. It covers what vigilance requires in practice, the timelines that apply, the common mistakes that lead to enforcement action, and how to build a system that keeps pace with ongoing regulatory expectations.
Ignorance is not an acceptable reason for failing to report serious incidents and FSCAs. Regulatory authorities across EU member states have made this clear, and the consequences of missed or incorrect reporting can be severe.
Fundamental Concepts
What is vigilance?
In the context of EU medical devices regulation, vigilance refers to the systematic processes by which manufacturers detect, investigate, evaluate, and report incidents involving their devices after they have been placed on the market. It forms a core part of the broader post-market surveillance (PMS) system that MDR requires manufacturers to maintain throughout a device’s commercial lifecycle.
Vigilance is not the same as post-market clinical follow-up (PMCF), which involves actively gathering clinical data to confirm ongoing safety and performance. Vigilance is triggered by events: incidents that have occurred, are occurring, or might occur with marketed devices.
Incident vs. serious incident
All incidents involving medical devices should be documented and investigated internally, but only serious incidents require reporting to competent authorities.
An incident is any malfunction or deterioration in the characteristics or performance of a device made available on the market. A serious incident is one where a device issue leads to, or could lead to, specific outcomes: the death of a patient, user, or other person; a temporary or permanent serious deterioration in a person’s state of health; or a serious public health threat.
The Medical Device Coordination Group’s guidance document MDCG 2023-3 provides detailed clarification of vigilance terminology under MDR 2017/745, including the distinction between incidents and serious incidents, the definition of a public health threat, and the treatment of user errors.
Who must report?
Under MDR 2017/745, either the manufacturer or their authorised representative (AR) must file a serious incident report. For non-EU manufacturers, the authorised representative takes on this responsibility within the EU. In Germany specifically, all professional users of medical devices (including physicians) are also obligated to report suspected serious incidents to the BfArM as the national competent authority.
Step-by-Step: Serious Incident Reporting
Step 1: Detect and document the event
Vigilance begins with event detection. Sources include customer complaints, post-market surveillance data, clinical literature, and direct reports from users or healthcare professionals. Every incident that reaches the manufacturer must be documented immediately and entered into the vigilance management system.
The key question at intake is: does this incident involve a malfunction or deterioration in the device’s characteristics or performance? If yes, it is an incident and must be assessed further.
Step 2: Assess whether the incident is serious and reportable
Not every incident triggers a reporting obligation. The assessment must determine whether the incident led to, could have led to, or could lead to death or serious deterioration in health. This assessment should follow a structured process, with documented rationale, and must be completed promptly given the tight reporting timelines.
Where causality is unclear (was the outcome caused by the device or by the patient’s underlying condition?), the default position is to report. The competent authority can then assess whether the reporting obligation applied.
Step 3: Report within the required timeline
Reporting timelines under MDR 2017/745 are as follows:
| Event type | Reporting deadline |
|---|---|
| Serious public health threat | Immediately, not later than 2 days after becoming aware |
| Death or unanticipated serious deterioration in health | Immediately, not later than 10 days after becoming aware |
| All other serious incidents | Immediately, not later than 15 days after becoming aware |
| Significant increase in frequency or severity of non-serious incidents (trend reporting) | As per Article 88 requirements |
Reports are made to the national competent authority (CA) of the member state where the incident occurred. For incidents involving multiple member states, the manufacturer reports to the CA of each relevant state.
Step 4: Submit the Manufacturer Incident Report (MIR)
The Manufacturer Incident Report (MIR) is the standardised format for serious incident reporting. As of January 2020, the current MIR format applies. Reports should include the device identification (UDI where available), a description of the incident and its clinical consequences, the device’s involvement, and initial corrective actions taken or planned.
Initial reports may be submitted before a full investigation is complete, as long as they are followed up with updated reports as more information becomes available.
Step 5: Investigate and submit follow-up reports
Serious incident reports are not one-time submissions. Manufacturers are required to submit follow-up reports as the investigation progresses, and a final report once the investigation is closed and root cause has been determined. Timelines for follow-up reports should be agreed with the competent authority.
Step 6: Submit an FSCA report if corrective action is taken
A Field Safety Corrective Action (FSCA) is any action taken by a manufacturer to reduce the risk of a serious incident in relation to a device already on the market. This includes recalls, device modifications, software updates, labelling changes, and restrictions on use. If an FSCA is taken, an FSCA report must be distributed to the competent authorities in every member state where the device is marketed, as well as the CA of the member state where the manufacturer or their AR is located.
FSCAs that are communicated directly to users and healthcare professionals are communicated via a Field Safety Notice (FSN).
Requirements and Considerations
EUDAMED obligations
Under Article 92 of MDR 2017/745, vigilance reports are to be submitted to the EUDAMED database rather than to individual national CAs. Until the EUDAMED vigilance module is fully operational, national vigilance reporting procedures remain in place, and manufacturers must continue reporting to each relevant national CA.
Manufacturers, authorised representatives, and importers must register in EUDAMED and obtain a Single Registration Number (SRN). Device registration, including UDI information, must also be maintained in EUDAMED.
Post-market surveillance system
Vigilance reporting sits within the wider PMS system that MDR requires manufacturers to maintain throughout a device’s market lifecycle. Manufacturers must systematically and actively collect, analyse, and review experience from devices placed on the EU market, including complaint data, literature reviews, registries, and clinical follow-up data.
The PMS system must be documented in a Post-Market Surveillance Plan, and the outputs must be summarised in either a Periodic Safety Update Report (PSUR, for Class IIa, IIb, and III devices) or a Post-Market Surveillance Report (for Class I devices).
Notified Body role in vigilance
Notified Bodies do not serve as primary actors in the vigilance reporting system. Their role is to audit the implementation of vigilance procedures, assess vigilance data that may impact certification during their audits, and liaise with competent authorities when relevant. Manufacturers report directly to national CAs, not to their notified body, for incident reporting purposes.
Common Mistakes
| Mistake | Why it happens | Consequence |
|---|---|---|
| Failing to report because “causality is unclear” | Manufacturers over-apply the causality threshold at intake | Missed reportable events, regulatory action |
| Reporting to only one CA when multiple member states are involved | Misunderstanding of multi-territory reporting obligations | Non-compliant reporting, enforcement risk |
| Treating the MIR as a one-time submission | Not knowing that follow-up and final reports are required | Incomplete regulatory file |
| Confusing FSCAs with voluntary recalls | Not recognising that precautionary modifications also trigger FSCA obligations | FSCA reporting omitted |
| Not documenting non-reportable incidents | Assuming only reportable events need internal documentation | Gaps in PMS data, trend reporting failures |
| Delay in recognising reportable events | Incident assessment handled outside the vigilance team | 2-day and 10-day deadlines missed |
Advanced Considerations
Trend reporting under Article 88
MDR 2017/745 introduces a trend reporting requirement for significant increases in the frequency or severity of incidents that are not individually serious enough to require reporting, but which collectively indicate a worsening safety profile. Trend reporting requires manufacturers to define statistical thresholds in their PMS plan and monitor for exceedances systematically.
Sales and marketing team responsibilities
Sales and marketing teams are often the first point of contact when a customer or healthcare professional reports a problem with a device. The sales team’s response to that complaint, and whether it reaches the vigilance team promptly, can determine whether reporting timelines are met or missed. Teams in commercial roles need to understand: what constitutes a complaint, how to document it, and how to escalate it to the regulatory or quality team without delay.
Global vigilance coordination
Manufacturers selling devices in multiple jurisdictions face the challenge of coordinating vigilance across regulatory frameworks that differ in terminology, timelines, and reporting formats. The International Medical Device Regulators Forum (IMDRF) has published terminologies for categorised adverse event reporting (AER) designed to reduce ambiguity and improve harmonisation. Manufacturers with global portfolios should consider how their internal vigilance classification system maps to both EU MDR terminology and IMDRF/AER codes.
Frequently Asked Questions
Does vigilance reporting apply to Class I devices? Yes. MDR vigilance requirements apply to all CE-marked medical devices regardless of risk class. Class I manufacturers must also maintain a PMS system and submit post-market surveillance reports.
What if the device malfunction caused no harm? If a malfunction did not lead to harm but could have, the serious incident definition may still be met if the outcome (death or serious deterioration in health) was a realistic possibility. The assessment should be documented either way.
Do authorised representatives have separate reporting obligations? The manufacturer or their AR must submit the report. For non-EU manufacturers, the AR typically takes the primary reporting responsibility within the EU, though the manufacturer retains overall accountability.
What is the difference between a recall and an FSCA? All recalls are FSCAs, but not all FSCAs are recalls. An FSCA includes any corrective action taken to reduce risk: software patches, labelling updates, use restrictions, and market withdrawals, as well as physical recalls of devices from users.
When does EUDAMED replace national reporting? Once the EUDAMED vigilance module is operational and mandatory, manufacturers will submit vigilance reports there instead of to individual national CAs. Until then, national procedures apply.
Related Resources
Summary
European vigilance for medical devices requires manufacturers to maintain a continuously active system for detecting, assessing, and reporting incidents involving their marketed devices. The key points:
Serious incidents must be reported within 2 days (public health threat), 10 days (death or serious health deterioration), or 15 days (all other serious incidents) of the manufacturer becoming aware. FSCAs require separate reporting to every CA in member states where the device is marketed. Vigilance reporting sits within the wider PMS obligation, which requires active data collection and periodic safety reporting throughout the device lifecycle. All incidents must be documented internally, not just reportable ones. EUDAMED will eventually centralise vigilance reporting, but national procedures remain in place until the relevant module is operational.
Sources
- Emergo by UL, “EU Medical Device Vigilance and Incident Reporting”
- MedTech Europe, “Submission of vigilance reports to Notified Bodies under EU MDR and IVDR”
- EUMDR.com, “Vigilance compared to the MDD: Regulation (EU) 2017/745”
- Medicept, “New Guidance on EU MDR Vigilance Terms and Concepts (MDCG 2023-3)”
- EUR-Lex, “Regulation (EU) 2017/745 of the European Parliament and of the Council”