When a medical device fails, a children’s toy breaks, or a car’s airbag doesn’t deploy, someone has to tell the government. That someone is the manufacturer. Across the U.S., companies are legally required to report safety problems with their products-not when something goes wrong, but as soon as they become aware of a potential risk. These aren’t suggestions. They’re federal obligations with real penalties.
What Exactly Are Manufacturer Safety Reporting Obligations?
Manufacturer safety reporting means companies must notify federal agencies when their products may be causing harm. These rules exist because waiting for a flood of injuries before acting is too late. The goal is to catch problems early-before more people get hurt. Three major agencies handle these reports, each with its own rules:- FDA oversees medical devices, over-the-counter drugs, and some food products.
- CPSC handles everything else you buy at a store-toys, appliances, tools, electronics.
- NHTSA regulates cars, tires, and vehicle parts.
FDA’s Medical Device Reporting (MDR): The Most Detailed System
If you make a pacemaker, an insulin pump, or even a simple blood pressure cuff, you’re under FDA’s MDR rules (21 CFR Part 803). Here’s what you need to know:- You must report deaths or serious injuries linked to your device within 30 days.
- If a malfunction could cause death or injury if it happened again, you still have to report it-even if no one got hurt.
- If you need to fix the problem quickly to prevent harm, you have just 5 working days to file.
CPSC’s 24-Hour Rule: Faster, But Messier
If you sell a space heater, a high chair, or a Bluetooth speaker, you answer to the CPSC under Section 15(b) of the Consumer Product Safety Act. The rules here are simpler in theory but harder in practice. You must report within 24 hours of obtaining “reportable information.” That means:- You know your product has a defect that could cause serious injury or death.
- You know it doesn’t meet a safety standard.
- You know it’s created a substantial risk-even if no one has been hurt yet.
NHTSA’s Early Warning Reporting: Data-Driven and Quarterly
For car parts and tires, the rules are different. NHTSA doesn’t require you to report every single incident. Instead, you submit data quarterly. You track:- Number of crashes involving your product
- Number of injuries
- Number of property damage claims
How Much Does This Cost Companies?
Compliance isn’t free. For small medical device makers (under 50 employees), the average annual cost is over $50,000. That includes software, staff time, training, and legal review. One company reported spending 1,200 hours a year just on FDA reporting. Larger companies spend hundreds of thousands. A full quality management system (QMS) that handles reporting can cost $185,000 for a small business and over $750,000 for a big one. IT teams need to integrate systems with the FDA’s gateway. Staff need 40 to 80 hours of training just to understand what counts as a reportable event. And it’s getting harder. The FDA received 1.2 million medical device reports in 2023-up 37% since 2018. CPSC reports rose 22% in the same period. More products, more data, more pressure.
Where Companies Struggle the Most
The biggest complaints from manufacturers aren’t about the rules-they’re about the gray areas.- When do you “become aware”? If a nurse emails your customer service rep about a device failure, is that reportable? What if it’s a technician in your warehouse? FDA says: if any employee who might pass the info to compliance hears it, you’re on the clock.
- What’s a “malfunction”? One FDA district says a slightly loose screw is reportable. Another says it’s not. Companies get conflicting advice from inspectors.
- How much detail do you need? CPSC wants a quick 24-hour notice. But if you report too early, you risk a false alarm. Too late, and you’re fined.
What’s Changing in 2025 and Beyond
The system is evolving. The FDA now lets companies submit summary reports for certain types of malfunctions instead of filing each one individually. Medtronic reported a 63% drop in individual reports after joining this program. The FDA is also rolling out new Unique Device Identification (UDI) rules by 2026. Each device will have a barcode that tracks it from factory to patient. That’ll make it easier to trace problems and reduce false reports. Congress is pushing for faster timelines. The Medical Device Safety Act of 2023 proposes cutting the FDA reporting window from 30 days to 15 for high-risk devices. CPSC is spending $25 million to speed up its review process, aiming to cut response time from 17 days to 10 by 2026. And AI is starting to help. Philips Healthcare now uses machine learning to scan customer complaints and flag potential safety issues. Their MDR prep time dropped from over 8 hours to under 4 per report.What You Should Do Right Now
If your company makes a product that’s sold in the U.S., here’s your checklist:- Identify which agency regulates your product (FDA, CPSC, or NHTSA).
- Write down your internal process for receiving complaints-customer service, tech support, warranty claims.
- Train every employee on what counts as “reportable information.”
- Set up a system to log and track all safety-related feedback.
- Know your deadlines: 30 days for FDA, 24 hours for CPSC, quarterly for NHTSA.
- Review your compliance budget. Are you spending enough on software, staff, and training?
Do I have to report if no one was injured?
Yes. For the FDA and CPSC, you must report malfunctions or defects that could cause death or serious injury-even if no injury has occurred yet. The CPSC requires reporting if a product creates a substantial risk of harm. The FDA requires reporting of malfunctions that could cause harm if they recur.
What happens if I don’t report?
You could face civil penalties up to $252,756 per violation. The FDA and CPSC can issue warning letters, demand product recalls, or even block your products from entering the U.S. market. Repeated violations can lead to criminal charges. Companies that delay reporting often end up with worse outcomes than those who report early and cooperate.
How do I know if my product is regulated by the FDA or CPSC?
If your product is a medical device-like a glucose monitor, hearing aid, or surgical glove-it’s FDA-regulated. If it’s a household item like a toaster, toy, or power tool, it’s CPSC-regulated. Some products fall in between, like wearable fitness trackers. The FDA considers them medical devices if they claim to diagnose, treat, or prevent disease. If they’re just for general wellness, CPSC covers them.
Can I use third-party software to handle reporting?
Yes. Many companies use quality management system (QMS) software designed for FDA or CPSC compliance. These tools help track complaints, auto-generate reports, and ensure deadlines are met. Popular platforms include MasterControl, Veeva, and EtQ. But software alone isn’t enough-you still need trained staff to interpret what’s reportable.
Are small businesses held to the same standards?
Yes. The law applies to all manufacturers, regardless of size. But the FDA does offer guidance and resources for small businesses, including simplified reporting options like the Voluntary Malfunction Summary Reporting program. Still, small companies often struggle more because they lack dedicated compliance teams.
Robert Cardoso
January 27, 2026 AT 21:48The FDA's 30-day window is a joke. If a pacemaker's battery drains 2% faster than spec, you're supposed to wait a month? That's not compliance-it's negligence dressed up as bureaucracy. And don't get me started on how they define 'serious injury.' One inspector says a skin rash from a monitor strap is reportable. Another says it's not. There's no consistency, only chaos.
Rose Palmer
January 29, 2026 AT 10:12This is one of those rare cases where regulation actually saves lives. I work in medtech compliance, and I’ve seen firsthand how early reporting prevents cascading failures. Yes, it’s expensive. Yes, it’s tedious. But imagine the alternative: a recall that comes too late because someone waited to ‘confirm’ the pattern. That’s not just a cost-it’s a moral failure.
Rhiannon Bosse
January 29, 2026 AT 21:45They’re watching you. Every email. Every Slack message. Every intern who sees a loose screw. The FDA’s ‘any employee who might pass it along’ rule? That’s not compliance-it’s corporate paranoia engineered into law. Next they’ll require you to record your bathroom breaks in case someone sneezes near a device.
fiona vaz
January 30, 2026 AT 09:51Small biz owners: don’t panic. The FDA has a Voluntary Malfunction Summary Reporting program for under-50-employee companies. It cuts your reporting load by 70%. You don’t need a $750k QMS-you need to know where to look. I’ve helped three startups get compliant for under $10k. It’s doable.
Jeffrey Carroll
January 31, 2026 AT 13:43While the regulatory burden is substantial, the underlying principle remains ethically sound: prevent harm before it occurs. The cost of compliance pales in comparison to the human and financial toll of unaddressed product failures. Systems like UDI and AI-driven triage represent not just efficiency, but a necessary evolution toward responsible innovation.
Ambrose Curtis
January 31, 2026 AT 21:45CPSC’s 24-hour rule is a nightmare. We had a customer complain that a toaster’s cord got warm. We reported it. Turns out it was a faulty outlet. But we still got flagged for ‘delayed reporting’ because our internal triage took 18 hours. Meanwhile, the guy who actually made the faulty outlet? No one’s auditing him.
Katie Mccreary
February 2, 2026 AT 04:52They’re not trying to help you. They’re trying to cover their asses. Every report is a liability shield. You report a glitch? Now you’re on the hook. You don’t report? You’re a criminal. It’s a trap. And the worst part? Most of these reports are noise. 90% of them are useless. But you still gotta file.
Lance Long
February 2, 2026 AT 18:17I used to think this was overkill. Then my cousin’s kid got burned by a malfunctioning space heater. The company didn’t report the 17 prior incidents because they ‘didn’t meet the threshold.’ That’s not a failure of the system-it’s a failure of the people who think ‘maybe’ isn’t enough. Report early. Report often. Even if it hurts.
Phil Davis
February 3, 2026 AT 09:31So we’re supposed to report a malfunction before we even know if it’s real? That’s like calling 911 every time your smoke detector beeps. The system’s designed for paranoia, not precision. And now we’re paying consultants $200/hour to interpret whether a ‘slight wobble’ counts as ‘substantial risk.’ Brilliant.
Linda O'neil
February 5, 2026 AT 02:17AI is the real hero here. We implemented a tool that scans customer service logs and flags keywords like ‘smoke,’ ‘sparks,’ ‘doesn’t turn off.’ It cut our prep time from 6 hours to 45 minutes. No more guessing. No more panic. Just clean, automated alerts. If your company still uses Excel for this, you’re already behind.
Amber Daugs
February 5, 2026 AT 22:03Anyone who says small businesses are held to the same standards is lying. Big companies have teams of lawyers who argue with inspectors. Small ones get fined for typos in Form 3500A. This isn’t regulation-it’s class warfare disguised as safety.
Bryan Fracchia
February 6, 2026 AT 07:15Look, I get the fear. But here’s the truth: if your product kills someone because you waited to see if it happened again-you’re not a victim of bureaucracy. You’re a villain. The system’s broken? Fix it. Don’t complain about the alarm. Fix the fire.
James Dwyer
February 6, 2026 AT 09:23Just report it. Seriously. Don’t overthink it. If you’re even slightly unsure, file it. The system’s designed to catch the edge cases. You’re not a snitch-you’re the only thing standing between a kid and a broken toy blade.