Manufacturer Reporting: Understanding Generic Safety Obligations for Companies

Manufacturer Reporting: Understanding Generic Safety Obligations for Companies

When a medical device fails, a children’s toy breaks, or a car’s airbag doesn’t deploy, someone has to tell the government. That someone is usually the manufacturer. And by law, they must report it. These aren’t suggestions. They’re legal duties with real penalties - fines up to $252,756 per violation, lawsuits, product recalls, and even criminal charges in extreme cases.

Why Manufacturer Reporting Exists

The system wasn’t created to punish companies. It was built to save lives. Before mandatory reporting, dangerous products stayed on shelves for years because no one tracked how often they failed. The FDA’s Medical Device Reporting (MDR) system started in 1976 after a series of deadly failures with pacemakers and heart valves. The Consumer Product Safety Commission (CPSC) followed with similar rules for everything from cribs to coffee makers. The goal? Catch problems early - before more people get hurt.

Today, the FDA gets about 1.2 million reports a year from medical device makers. The CPSC gets over 14,000. NHTSA gets thousands more from car and tire makers. These aren’t just numbers. Each one is a potential life saved because someone acted before it got worse.

What You Must Report - And When

The rules change depending on what you make. But there are three universal triggers:

  • Death
  • Serious injury
  • Malfunction that could cause death or injury if it happened again
For medical devices under the FDA, you have 30 calendar days to report. But if your device needs a fix to prevent harm - like a recall or software update - you have just 5 working days. That’s not a typo. Five days.

For consumer products under the CPSC, the clock starts ticking the moment someone in your company learns about a defect that could cause serious harm. You have 24 hours to report. No exceptions. Even if you’re not sure it’s serious. Report it anyway. You can update the report later.

Tire and auto makers under NHTSA have to report quarterly, but only if they hit thresholds: 5 deaths, 10 injuries, or 10 property damage claims tied to the same model. That sounds lenient, but if you hit those numbers, you’re already in crisis mode.

The Big Difference Between FDA and CPSC

The FDA requires you to investigate every report. You need to figure out why it happened, who was affected, whether it’s isolated or part of a pattern. You must document everything. This is where most companies spend their time - and money.

The CPSC doesn’t require that. You just have to tell them what you know within 24 hours. But here’s the catch: they’ll come back. And if your initial report is vague or incomplete, you’ll get a follow-up request. And if you don’t respond? You’re looking at a warning letter, a public notice, or worse.

A 2023 CPSC report found that 37% of initial reports needed major fixes. That’s because companies try to delay or downplay. Don’t. The system is built to catch that.

Split scene: safe medical device use vs. malfunctioning device with warning symbols and shadowy consequences.

How Much It Costs to Comply

Small medical device companies with fewer than 50 employees spend an average of $50,000 a year just on reporting. Some spend up to 18.7% of their entire quality department budget. That’s not profit. That’s survival.

Larger companies spend millions. They hire compliance officers, buy software, train staff, and run audits. One MedTech manager told an industry forum they spend 1,200 hours a year on reporting alone. That’s more than half a full-time employee.

And it’s not just time. The FDA requires electronic submissions through a specific gateway. Setting that up takes IT staff, testing, and ongoing maintenance. One study found it takes 2.5 full-time equivalents just to keep the system running.

Where Companies Get It Wrong

The biggest mistake? Waiting.

A quality manager on Reddit said her team once argued for weeks over whether a malfunction was reportable. One engineer said it was a minor glitch. Another said it could kill someone. By the time they decided, they were 12 days late. They got a 483 observation - a formal FDA warning.

Another common error: thinking “we haven’t had any injuries, so we’re fine.” That’s not how it works. If a device malfunctions in a way that could cause harm, you report it. Even if no one got hurt. The CPSC doesn’t wait for injuries. They act on risk.

And then there’s the “became aware” problem. The FDA says you become aware when any employee who could reasonably pass the info to compliance learns about it. That means a customer service rep who gets a complaint? That’s your trigger. A nurse who emails your tech support? That’s your trigger. You can’t ignore it.

What’s Changing in 2024-2026

The rules are getting tighter - and smarter.

In August 2024, the FDA expanded its Voluntary Malfunction Summary Reporting program. Now, instead of filing hundreds of individual reports for minor glitches, companies can submit one summary report per quarter. Medtronic cut their individual reports by 63% after switching. That’s a win for everyone.

The FDA is also rolling out new Unique Device Identification (UDI) rules by 2026. Each device will have a digital barcode. That means if a problem pops up, regulators can instantly find every unit made - and where it was sold.

Meanwhile, the CPSC is investing $25 million to speed up its review process. Right now, it takes them over 17 days to process a report. By 2026, they want to cut that to 10.

And AI? It’s coming fast. Philips Healthcare is already using machine learning to scan customer complaints and flag potential safety issues. Their MDR prep time dropped from 8.2 hours per report to 3.5. Other companies are following.

Team passing a glowing report orb while AI and UDI icons float around them in a hopeful office setting.

What You Should Do Right Now

If you make a product that’s sold in the U.S., here’s your checklist:

  1. Know which agency regulates your product - FDA, CPSC, or NHTSA.
  2. Write down exactly what counts as a reportable event for your product type.
  3. Train every employee - sales, support, engineering - on what to do if they hear about a problem.
  4. Set up a system to log complaints and flag them within 24 hours.
  5. Assign someone to manage reporting. Not “someone on the team.” One person. With authority.
  6. Keep records for at least two years after the product’s last sale.
  7. Consider using software designed for MDR or CPSC reporting. It’s not cheap, but it’s cheaper than a fine.
Don’t wait for an inspection. Don’t wait for a lawsuit. The system is watching. And it’s getting better at catching mistakes.

What Happens If You Don’t Report?

The FDA can issue a warning letter. That goes public. Investors see it. Customers see it. Your reputation takes a hit.

They can seize your product. Force a recall. Shut down your facility.

They can fine you - up to $252,756 per violation. And each late report? That’s one violation.

The CPSC doesn’t mess around either. In 2023, 54% of home appliance makers got warning letters for late reporting. That’s more than half.

And if someone dies because you knew about a defect and didn’t act? That’s not a fine. That’s a criminal case.

Final Thought: Reporting Isn’t a Burden. It’s a Shield.

Yes, it’s expensive. Yes, it’s complicated. But here’s the truth: reporting protects you.

When you report early, you show regulators you’re responsible. You get credit for being proactive. You avoid the worst-case scenario: a product that kills someone, and you didn’t say anything.

The companies that thrive in this space aren’t the ones with the cheapest systems. They’re the ones who treat reporting like a safety feature - not a paperwork chore.

If you’re building something people use, you owe it to them - and to yourself - to get it right.

Do I have to report a product issue if no one got hurt?

Yes. Under both FDA and CPSC rules, you must report malfunctions that could cause death or serious injury - even if no one has been hurt yet. The CPSC, for example, requires reporting if a product has a defect that creates a substantial risk of harm. Waiting for an injury to occur is a violation, not a strategy.

How long do I have to keep my safety reports?

For FDA-regulated medical devices, you must retain all MDR records for at least two years after the device’s last distribution date, or two years after its manufacture date - whichever is later. CPSC requires records to be kept for five years. Always check the specific regulation for your product type.

Can I report a problem anonymously?

No. Manufacturer reporting is a legal obligation tied to your company’s identity. You must provide your company name, address, and contact information. Anonymous reporting is only allowed for consumers or healthcare providers - not for manufacturers.

What’s the difference between MDR and Section 15(b) reporting?

MDR (Medical Device Reporting) applies to medical devices regulated by the FDA and requires detailed investigations and reporting within 30 days (or 5 days for urgent fixes). Section 15(b) reporting under the CPSC applies to general consumer products and requires a 24-hour notification window when you become aware of a substantial risk - no investigation required upfront. MDR is more detailed; Section 15(b) is faster.

Are small businesses treated differently?

No. The legal obligations are the same regardless of company size. However, the FDA and CPSC offer guidance documents and outreach programs for small businesses. But there are no exemptions. A company with 10 employees has the same duty to report as a Fortune 500 firm.

Can I use AI to help with safety reporting?

Yes, and more companies are doing it. AI tools can scan customer service logs, social media, and warranty claims to flag potential safety issues before humans spot them. Philips Healthcare reduced reporting time by over 50% using AI. But AI doesn’t replace human judgment - it just helps you find the problems faster. You still need to review and submit the reports yourself.

Tags: