Template: SOP Vigilance

Sven Piechottka
Updated June 4, 2024

Template Download

This is a free template, provided by OpenRegulatory.

If you are a user of Formwork, our eQMS software, you can save a lot of time by choosing “QMS” on the top menu and “OpenRegulatory Templates” on the left menu, and then opening the relevant folder to find this template ready to load into Formwork.

If, for some mysterious reason, you’re using a different QMS Software, you can also simply download this template – specifically, as Word (.docx), PDF, Google Docs or Markdown file. Scroll down for a preview!

The template license applies (don’t remove the copyright at the bottom, don’t re-use this for commercial purposes).

Talk To A Human?

We also offer consulting if you need a more hands-on approach. We’ve helped 150+ Healthcare companies. Take a look!

Template preview


This SOP describes how we handle (potentially) serious incidents and field safety corrective action (FSCA). It also instructs on the reporting requirements to competent authorities.

Process Owner<enter role of process owner>
Key Performance Indicators<enter KPIs to be tracked for the Management Review>

Regulatory requirements:

EU Regulation 2017/745 (MDR)Art. 87 – 92 (Vigilance)
ISO 13485:2016Para. 8.2.3

Regulatory references: check MDCG 2023-3 and MEDDEV 2.12./1 for guidance on this topic. As a German manufacturer, you are also subject to national law which lays out more specific requirements (note that in preparation for MDR, the Medizinproduktegesetz (MPG) was replaced by the Medizinprodukte-Durchführungsgesetz (MPDG) and the Medizinprodukte-EU-Anpassungsverordnung (MPEUAnpV) replaced the old Medizinprodukte-Sicherheitsplanverordnung (MPSV)).

General Considerations

Reportable Serious Incident

An incident is defined as any malfunction or deterioration in the characteristics or performance of a device made available on the market, including use-error due to ergonomic features, as well as any inadequacy in the information supplied and any undesirable side-effect.

Any incident that our organization becomes aware of is reportable, if one of our medical devices could be its cause and if it fulfills the definition of a serious incident as outlined in this process. Potentially serious incidents are assessed based on our respective template form for incident assessment [reference document ID here].

A serious incident is defined as “the subset of incidents that directly or indirectly led, might have led or might lead to the death or the temporary or permanent serious deterioration in the state of health of a patient, user or other person or posed a serious public health threat.” (see MDR Art. 2 and MDCG 2023-03). Examples are therefore (non-exclusively):

  • malfunctioning (e.g. a software bug) of one of our medical devices
  • incorrect labeling, instruction for use or advertising material
  • usability deficiency causing a misuse

A serious deterioration in state of health results in at least one of the following:

  • life-threatening illness or injury
  • permanent impairment of a body structure or a body function
  • hospitalization or prolongation of patient hospitalization or a condition which requires medical or surgical intervention to prevent any of the above
  • chronic disease
  • any indirect harm as a consequence of an incorrect diagnostic result when used within manufacturer’s instructions for use

Note that: not all incidents lead to death or serious deterioration in health. The non-occurrence of such a result might have been due to fortunate circumstances or to the intervention of healthcare personnel. It is sufficient that: (a) an incident associated with a device happened, and (b) the incident was such that, if it occurred again, it might lead to death or serious deterioration in health.

Field Safety Corrective Action (FSCA)

A field safety corrective action (FSCA) is an action taken to reduce a risk of death or serious deterioration in the state of health associated with a device that is already placed on the market. Such actions, whether related to direct or indirect harm, should be reported and informed about via a field safety notice. FSCAs can include (non-exclusively):

  • the return of a medical device to the manufacturer (recall)
  • modification of a medical device, which can include: design changes (e.g. software update), permanent or temporary changes to the labeling or the instructions for use, changes to make device temporarily not available to users (software lock)
  • advice provided by the manufacturer regarding the use or operation of the device

Reporting Timescale

  • In the event of imminent danger:
    • Immediately (without any delay that could not be justified)
  • In the event of a serious public health threat:
    • Immediatelybut no later than 2 elapsed calendar days following the date of awareness of the event.
  • Death or unanticipated serious deterioration in state of health:
    • immediately as soon as a causal relationship between the device and the event is suspected, but no later than 10 elapsed calendar days following the date of awareness of the event.
  • Other reportable incidents:
    • Immediately after a causal relationship between the device and the event is established or reasonably possible, but not later than 15 elapsed calendar days following the date of awareness of the event.
  • Field Safety Corrective Action (FSCA):
    • Immediately, at latest with the beginning of the implementation of actions, except in cases of urgency in which FSCA must be undertaken immediately.

All report times refer to when the competent national authority must be notified first. In case of uncertainty whether an incident has to be reported or not, it is reported within the above deadlines.

Responsible Authorities

Incidents are reported to the authority of the country in which the reportable incident occurred:


  • Federal Institute for Drugs and Medical Devices (BfArM)
  • Website: www.bfarm.de
  • Email: [email protected]; Phone: +49 228 207 5355
  • Incident reporting: look for “MIR Formular”




Other national authorities:

More contact data can be found on the website of the European Commission: https://ec.europa.eu/health/medical-devices-sector/new-regulations/contacts_en

FSCA is reported to the authorities in the countries in which the FSCA is carried out, including incidents which occurred outside of the European Economic Area (EEA) but resulted in a recall within European countries.

In parallel to reporting incidents to responsible authorities, our Notified Body is informed where applicable in respect to the applied conformity assessment procedure.

Process Steps

1. Documentation and Immediate Action

Any employee of the company that obtains knowledge of an event with a potentially negative impact on the state of health shall immediately notify the Person Responsible for Regulatory Compliance (PRRC) to initiate this process.

However, input to this process may arrive through multiple input channels (see below). Input channels must be checked regularly, for example, throw continuous post-market surveillance cycles (see process for post-market surveillance).

  • Own employees
  • Device users (e.g. feedback, see process for feedback management)
  • Authorities (e.g. who were informed of a serious incident)
  • Post-market surveillance (e.g. events with similar devices trigger own FSCA, see process for post-market surveillance)

In a first step, the PRRC opens a CAPA to document the respective event. If necessary, immediate field safety corrective action (see para. 5 below) is initiated without undue delay as also instructed by the CAPA process.

ParticipantsPerson Responsible for Regulatory Compliance (PRRC)
InputEvent with a potentially negative impact on the state of health
OutputDocumented incident and initiated immediate action where necessary

2. Investigation of Causal Relationship

Secondly, the PRRC investigates the root causes of the event to determine if there is a causal relationship between the use of the medical device and the event. The investigation is documented as part of the CAPA process.

If there is no causal relationship, the event is not considered a reportable serious incident. In such cases, the PRRC proceeds with para. 5 to assess if FSCA is required nevertheless (for example, to prevent the occurrence of reportable events).

ParticipantsPerson Responsible for Regulatory Compliance (PRRC)
InputDocumented incident
OutputDocumented evaluation of causal relationship

3. Evaluation as Reportable Incident

If there is a relationship, the PRRC evaluates if the event qualifies as a reportable serious incident by filling out the incident assessment form. In the case of uncertainty, the event is always reported as a serious incident.

Where it is determined that the incident is not reportable, an explanatory statement must be documented in the incident assessment form. Incidents that are not evaluated as reportable serious incidents must still be documented and and considered in other quality management system processes (e.g. CAPA or as trend reporting as part of post-market surveillance).

ParticipantsPerson Responsible for Regulatory Compliance (PRRC)
InputDocumented incident and causal relationship
OutputDocumented evaluation as a reportable incident

4. Reporting to Authorities

Within the applicable reporting timescale (see general considerations above), the PRRC informs the competent national authority about the event using respective reporting forms. The PRRC collects all information required and available at the time in the form of the Manufacturer Incident Report (MIR) provided by the European Commission: https://ec.europa.eu/docsroom/documents/41681 If applicable, a copy of the report is sent to the Notified Body involved in the conformity assessment procedure of the device.

Generally, the competent national authority must be informed:

  • Of any serious incidents with the organization’s own medical devices
  • Of any field safety corrective action (FSCA) initiated by the organization (e.g. in response to serious incidents with comparable devices of other manufacturers)
  • Of any statistically significant increase in the frequency or severity of non-serious incidents or expected undesirable side-effects that could impact the benefit-risk-profile of the device (i.e., which have led or may lead to risks to the health or safety of patients, users or others that are unacceptable when weighed against the intended benefits. See Art. 88 MDR and SOP Post-Market Surveillance).
ParticipantsPerson Responsible for Regulatory Compliance (PRRC)
InputCompleted evaluation of the incident
OutputCompleted reporting to authorities (and Notified Body)

5. Initiate Field Safety Corrective Action (FSCA)

Based on a risk and root cause analysis of the event, the PRRC decides if field safety corrective actions (FSCA) are required to reduce existing risks (note: FSCA may also be required to prevent the occurrence of reportable events). Possible FSCAs are described as part of the general considerations of this process.

Before actions are taken, we identify affected users / customers and inform them about such actions as part of a field safety notice (FSN). The FSN is written in the language of the respective country and must at minimum include:

  • Subject: Safety Alert
  • Manufacturer information (e.g. contact details)
  • Information to identify the affected devices (e.g. device name and software version)
  • Description of the incident including resulting risks and the reasons for FSCA
  • If applicable, actions recommended to the user / customer. For example, this could include actions to restore the safety or recommended clinical investigations.

A copy of the FSN shall be archived. Customers confirm the receipt of FSNs as well as the implementation of recommended actions. If a customer does not respond, at least three attempts for delivery should be made. It is also documented as part of the CAPA if all attempts to inform a customer were unsuccessful.

For B2B customers of our devices, respective contact details for vigilance purposes must be documented as part of the Medical Devices List. For B2C customers, contact details which allow unique identification of end users must be stored separately for every device.

All FSCA are documented as part of the CAPA and must be reported to competent national authorities as described in the previous para. 4.

You may want to consider a separate process regarding the handling of non-conforming products. This process would entail labeling instructions for respective product code and instructions for employees handling those products.

ParticipantsPerson Responsible for Regulatory Compliance (PRRC)
InputRisks resulting from incident
OutputImplemented FSCA, Reporting of FSCA to authorities

6. Verification and Evaluation of Effectiveness

The effectiveness of implemented FSCAs is evaluated as part of the CAPA. As soon as the CAPA is closed, a final report is sent to the responsible authorities to verify that all actions taken are deemed sufficient for completion.

All incident records shall be archived as part of the QMS.

ParticipantsPerson Responsible for Regulatory Compliance (PRRC)
InputImplementation of FSCA
OutputFinal incident report and closed CAPA

Template Copyright openregulatory.com. See template license.

Please don’t remove this notice even if you’ve modified contents of this template.

Template preview


Leave the first comment