Last updated: 2026-03-21
Complaint handling is one of the most scrutinized processes in any ISO 13485 quality management system — and for good reason. A broken complaint process doesn't just create audit findings; it creates blind spots that can allow patient harm to go undetected and unreported. In my eight-plus years working with medical device manufacturers, I've seen more Warning Letters, FDA 483 observations, and Notified Body major nonconformities trace back to complaint handling gaps than almost any other single process.
This pillar guide walks you through the entire complaint lifecycle under ISO 13485:2016 — from the moment a complaint enters your system to the point where you've determined whether regulatory reporting is required, investigated the root cause, and closed the record with evidence that would survive any audit.
What ISO 13485:2016 Actually Requires for Complaint Handling
The core requirement lives in ISO 13485:2016 clause 8.2.2, which mandates that organizations establish documented procedures for receiving, evaluating, and investigating complaints. But clause 8.2.2 doesn't stand alone — it connects directly to:
- Clause 8.2.3 — Reporting to regulatory authorities
- Clause 8.5.1 — General requirements for corrective action
- Clause 8.5.2 — Corrective action procedures
- Clause 4.2.5 — Control of records (complaint files are QMS records)
Citation hook: ISO 13485:2016 clause 8.2.2 requires that complaint handling procedures address the distinction between complaints that require investigation and those that do not, and that documented rationale be maintained for any complaint excluded from investigation.
This is a point where many organizations stumble. The standard explicitly permits you to decide not to investigate a complaint — but it requires you to document why that decision was made. "We reviewed it and it wasn't a complaint" is not sufficient without documented criteria and evidence of evaluation.
Defining a "Complaint" Under ISO 13485
ISO 13485 defines a complaint as any written, electronic, or oral communication that alleges deficiencies related to the identity, quality, durability, reliability, safety, effectiveness, or performance of a medical device after it has been released for distribution.
This definition is deliberately broad. It captures:
| Input Type | Complaint? | Notes |
|---|---|---|
| Customer email alleging device malfunction | ✅ Yes | Classic complaint — log and investigate |
| Verbal phone call about packaging damage | ✅ Yes | Oral communications must be documented |
| Social media post alleging device failure | ✅ Yes | Often missed; requires monitoring process |
| Pre-market inquiry about product specs | ❌ No | No released device involved |
| Service request for routine maintenance | ❌ No | Unless malfunction is alleged |
| Adverse event report from a hospital | ✅ Yes | Also likely triggers MDR evaluation |
| Internal audit finding about device quality | ❌ No | Not a post-market communication |
| Return of product with no complaint stated | ⚠️ Evaluate | Must assess whether deficiency is implied |
The last row is critical. A returned device with no written complaint still requires evaluation. If your team finds a deficiency during inspection of the return, that finding may constitute a complaint that requires investigation and regulatory evaluation.
Building a Complaint Intake System That Captures Everything
Establish a Single Intake Funnel
One of the most common structural failures I see is the "multiple inboxes" problem: customer service receives complaints by phone, the field sales team hears about device failures in person, the quality team monitors a separate email address, and regulatory affairs manages MDR-related calls. None of these channels talk to each other, and complaints fall through the cracks.
Best practice: Designate a single complaint intake owner — typically Quality or Regulatory Affairs — and route all channels through a documented intake process. Every customer-facing employee should be trained to recognize a potential complaint and escalate it through that single channel within a defined timeframe (typically 24–48 hours of receipt).
Train Your Entire Organization, Not Just Quality
Under ISO 13485 clause 6.2, personnel performing work affecting product quality must be competent. Complaint recognition training must extend beyond the QA team. According to FDA data, a significant proportion of complaint handling 483 observations cite inadequate training as a contributing factor — particularly around complaint recognition by non-quality personnel.
Citation hook: The FDA's CDRH has consistently identified failure to recognize and record complaints as one of the top five quality system deficiencies cited in medical device inspections, underscoring the importance of organization-wide complaint recognition training.
Minimum Data Elements at Intake
Every complaint record should capture the following at intake, before investigation begins:
- Date received (not date logged — these can differ)
- Source (customer, distributor, healthcare professional, patient, regulator)
- Device identification (product name, model number, lot/serial/UDI)
- Nature of the alleged deficiency (verbatim, if possible)
- Patient/user information (anonymized where required by privacy law)
- Outcome information — was there injury, death, or serious deterioration in health?
- Country of occurrence (critical for determining applicable MDR regulations)
- Initial MDR/vigilance applicability determination
The Complaint Investigation Workflow
Step 1: Triage and Seriousness Determination (Within 24–72 Hours)
The first decision point after intake is seriousness. ISO 13485 and virtually every applicable MDR regulation distinguish between serious and non-serious events. A "serious injury" determination triggers expedited timelines that you cannot miss.
Under the EU MDI (EU 2017/745), serious incidents must be reported to the relevant Competent Authority within 15 days of when the manufacturer became aware, or within 10 days for serious public health threats. Under FDA 21 CFR Part 803, 30-day and 5-day MDR timelines apply depending on event severity.
Triage questions to answer within your defined window:
- Did the device malfunction, fail, or perform outside specifications?
- Was there patient injury, death, or potential for serious harm?
- Is this a known, previously documented failure mode, or a new signal?
- Is the device still in the field? Does a field safety corrective action (FSCA) need to be considered?
Step 2: Investigation Decision
ISO 13485 clause 8.2.2(d) requires you to determine whether investigation is necessary. If you decide not to investigate, you must document the rationale. Acceptable rationale might include:
- The complaint is a duplicate of an already-open investigation
- The complaint does not allege a deficiency in the device (e.g., it relates to a service issue unrelated to device performance)
- The complaint cannot be substantiated and no safety signal exists
What is never acceptable: closing a complaint as "not a complaint" without documented evaluation criteria applied to the specific facts.
Step 3: Technical Investigation
Once you've determined investigation is required, assign a lead investigator (typically someone with technical knowledge of the device) and set a due date based on your procedure. A strong technical investigation should:
- Request the device back if possible, or request photos/video of the failure
- Evaluate retained samples from the same lot
- Review manufacturing records for the device (DHR) — batch records, in-process inspection data, test results
- Consult design history — was this failure mode anticipated? Is it within the known failure mode envelope?
- Apply root cause analysis methodology — 5 Why, Fishbone/Ishikawa, or FTA depending on complexity
The output of the technical investigation must answer: Was the device defective? If yes, what is the likely root cause and scope?
Step 4: MDR/Vigilance Regulatory Reporting Determination
This is the step where many QMS processes break down — either because the determination is made too late, or because the evaluation isn't documented rigorously enough to demonstrate the decision rationale.
Citation hook: Regulatory reporting determinations under ISO 13485 must be documented with sufficient detail to demonstrate the specific criteria applied, the evidence reviewed, and the qualified individual who made the determination — a vague notation of "no MDR required" is insufficient for most regulatory frameworks.
Regulatory Reporting Timelines by Region
| Region | Regulation | Serious Injury | Death | Malfunction (potential for serious harm) |
|---|---|---|---|---|
| USA | 21 CFR Part 803 | 30 days | 30 days | 30 days (5 days if imminent hazard) |
| EU | EU MDR 2017/745 | 15 days | 10 days | 15 days |
| UK | UK MDR 2002 (as amended) | 15 days | 10 days | 15 days |
| Canada | CMDR SOR/98-282 | 10 days | 10 days | 30 days |
| Japan | PMDA Regulations | 15 days | 15 days | 30 days |
| Australia | TGA Regulations | 48 hours (death/serious) | 48 hours | 30 days |
Important: The clock starts when the manufacturer becomes aware of the event, not when it enters your complaint system. If a sales rep heard about a patient death on Monday and didn't log it until Friday, your 30-day (or 10-day) clock started Monday. This is why complaint intake timeliness training is not optional.
Connecting Complaint Handling to CAPA
Every substantiated complaint that identifies a systemic deficiency should be evaluated for Corrective and Preventive Action (CAPA) under ISO 13485:2016 clause 8.5.2. Not every complaint requires a CAPA — but the evaluation of whether a CAPA is needed must be documented.
When to Trigger CAPA From a Complaint
Open a CAPA when: - Root cause investigation identifies a systemic manufacturing, design, or process deficiency - Trend analysis reveals that the same failure mode is recurring beyond acceptable limits - The complaint resulted in a serious injury or death, regardless of apparent root cause - Regulatory reporting was required (MDRs and FSCAs almost always warrant CAPA)
Complaint Trending: The Signal You're Probably Missing
ISO 13485 clause 8.2.2(f) requires procedures to address the aggregation of complaint data to detect trends. Trend analysis is where your complaint handling system transitions from reactive to proactive.
At minimum, your trending process should: - Define complaint categories and subcategories (failure codes) consistently - Set statistical thresholds for when a trend triggers a quality event review - Review complaint data at defined intervals (monthly or quarterly for active product lines) - Feed complaint trends into your Management Review (clause 9.3) agenda
According to industry benchmarking data, manufacturers with structured complaint trending programs identify emerging field issues an average of 30–60 days earlier than those relying solely on individual complaint investigation — a gap that can be the difference between a voluntary recall and a regulatory-mandated one.
Records and Documentation: What Auditors Actually Look For
Your complaint files are QMS records subject to clause 4.2.5 controls. They must be legible, readily identifiable, retrievable, and retained for the period specified in your procedures (at minimum, the lifetime of the device plus the regulatory retention requirement — often 5–10 years depending on jurisdiction).
The Anatomy of a Complete Complaint File
A complete, audit-ready complaint file contains:
- Intake record — all minimum data elements captured at receipt
- Complaint classification — complaint vs. non-complaint, serious vs. non-serious, with rationale
- Investigation decision — investigate or not investigate, with documented rationale
- Technical investigation report — findings, evidence reviewed, root cause conclusion
- MDR/Vigilance determination — reportable or not reportable, with regulatory basis cited
- Copies of any regulatory submissions filed (MDR, PSUR contribution, SAC)
- CAPA linkage — CAPA number if opened, or documented rationale if CAPA not required
- Closure approval — signature of authorized Quality representative
- Customer feedback — if a response was provided to the complainant, retain a copy
Common Audit Findings in Complaint Handling
Based on my experience across 200+ client engagements, these are the most frequently cited complaint handling nonconformities:
| Finding | Root Cause | Fix |
|---|---|---|
| Complaints not identified as complaints | Inadequate training; narrow complaint definition | Broaden training; update complaint definition in procedure |
| No documented rationale for "no investigation" decisions | Procedure gap; checkbox culture | Add required rationale field to complaint form |
| MDR determination not documented | Determination made verbally; no form | Implement MDR evaluation checklist as required record |
| Clock start date unclear or incorrect | Unawareness that clock starts at awareness, not logging | Train all customer-facing staff; add awareness date field |
| No trending analysis | Process exists on paper but not executed | Automate trending reports; add to management review agenda |
| CAPA not evaluated for substantiated complaints | Siloed QA and CAPA owners | Cross-reference CAPA evaluation in complaint closure checklist |
Technology and Complaint Management Systems
Many small-to-midsize medical device companies manage complaints in spreadsheets or basic document management systems. While technically compliant, these approaches create significant operational risk — particularly around trending, MDR clock tracking, and cross-referencing across complaint records.
eQMS platforms with dedicated complaint modules (such as Veeva Vault QualityDocs, MasterControl, or Greenlight Guru) offer workflow automation, automated trending dashboards, and MDR submission tracking that dramatically reduce human error risk and audit preparation time. The investment is typically justified when a company reaches 50+ complaints per year or operates in multiple regulatory jurisdictions simultaneously.
How Complaint Handling Fits Into Your Broader Post-Market System
Complaint handling doesn't exist in isolation. Under ISO 13485:2016, it is one component of a broader post-market surveillance (PMS) framework that includes:
- Post-Market Clinical Follow-Up (PMCF) — particularly relevant under EU MDR
- Periodic Safety Update Reports (PSURs) — required for Class IIa and above under EU MDR
- Post-Market Performance Follow-Up (PMPF) — for IVDs under EU IVDR
- Post-Market Surveillance Plans — documenting how you collect and analyze post-market data
Complaint data feeds all of these. A well-functioning complaint system is the engine that powers your entire PMS program. If the complaint data is incomplete, inaccurate, or delayed, your PSUR will be wrong, your benefit-risk assessments will be flawed, and your regulatory submissions will be vulnerable.
For a deeper dive into how complaint data integrates with your post-market surveillance obligations, see our guide on Post-Market Surveillance Under ISO 13485 and EU MDR.
Practical Checklist: Is Your Complaint Process Audit-Ready?
Use this checklist to evaluate your current state:
- [ ] Written complaint handling procedure references clause 8.2.2 and 8.2.3 explicitly
- [ ] Complaint definition in procedure aligns with ISO 13485 (post-distribution, all communication channels)
- [ ] All customer-facing personnel trained on complaint recognition and escalation
- [ ] Intake process captures awareness date (not just logging date)
- [ ] MDR/Vigilance evaluation is a required, documented step for every complaint
- [ ] Regulatory reporting timelines by jurisdiction are defined in the procedure
- [ ] Investigation decisions (including "no investigation" decisions) are documented with rationale
- [ ] Trending analysis is performed at defined intervals and linked to management review
- [ ] CAPA evaluation is documented in every complaint closure
- [ ] Complaint records retained per applicable regulatory requirements
- [ ] Complaint system performance metrics are tracked (e.g., on-time closure rate, MDR timeliness)
Working With a Consultant on Complaint Handling
If your complaint process has gaps — whether identified in an internal audit, a Notified Body finding, or an FDA 483 — the remediation path is predictable but requires expertise to execute correctly. At Certify Consulting, I've helped more than 200 medical device manufacturers build, rebuild, and optimize complaint handling systems that pass first-time audits and, more importantly, actually protect patients.
The most valuable thing a consultant brings to complaint handling remediation isn't a template procedure — it's the ability to read your current process through the eyes of a regulatory auditor and identify the gaps before the auditor does.
If you're preparing for an ISO 13485 certification audit, a Notified Body surveillance visit, or an FDA inspection, a complaint handling process review is one of the highest-ROI investments you can make. Learn more about how Certify Consulting supports ISO 13485 audit preparation or reach out directly at certify.consulting.
Key Takeaways
- ISO 13485 clause 8.2.2 requires documented procedures covering the full complaint lifecycle — intake, evaluation, investigation decision, MDR determination, and closure.
- The complaint clock starts at awareness, not at logging — train every customer-facing employee accordingly.
- MDR reporting timelines vary by jurisdiction; manufacturers selling in multiple markets need a matrix approach to regulatory reporting.
- Every complaint must be evaluated for MDR reportability and CAPA necessity, with documented rationale whether or not action is taken.
- Trending analysis is a mandatory requirement, not an optional best practice — it's where reactive complaint handling becomes proactive risk management.
- A complete, audit-ready complaint file contains 9 specific elements; missing any one of them is a finding waiting to happen.
Last updated: 2026-03-21
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.