Your Complaint Files Just Got a New Address (and a UDI Requirement)

If you’ve made it this far in the QMSR, you’ve worked through the general provisions: who’s covered, what the key terms mean, why you need ISO 13485 on your shelf, and what it means to document a compliant QMS. Now we’re into Subpart B — the supplemental provisions — which is where FDA retained requirements that go beyond what ISO 13485 covers on its own.

Section 820.35 is the first stop in Subpart B, and it’s titled “Control of records.” Don’t let that name lull you — this is not just a housekeeping section about retention schedules. It’s where FDA specifies exactly what information must appear in your complaint files and servicing records, on top of whatever ISO 13485 already requires. For many manufacturers, this is familiar territory. The specific content requirements here are largely carried over from the old QSR. But there are changes, and at least one of them — the UDI requirement — is genuinely new.

The Structure: “In Addition To” Means Both

Section 820.35 opens with a phrase you’ll want to internalize: “In addition to the requirements of Clause 4.2.5 in ISO 13485… the manufacturer must include the following information in certain records.”

That “in addition to” is doing a lot of work. It means you’re not replacing ISO 13485’s records requirements with §820.35 — you’re stacking the QMSR’s specific content requirements on top of them. ISO 13485 Clause 4.2.5 tells you how to manage records (retention, storage, access, disposal). Section 820.35 tells you what specific information certain records must contain. You need both.

The same logic applies to complaint handling: §820.35(a) supplements ISO 13485 Clause 8.2.2 (Complaint Handling), not replaces it. ISO 13485 gives you the process framework; §820.35 gives you the specific data elements FDA wants to see.

Complaint Records: The Seven Required Elements

For complaints that must be reported to FDA under Part 803 (Medical Device Reports), complaints the manufacturer determines must be investigated, and complaints the manufacturer investigated regardless of any requirement, §820.35(a) requires recording seven specific pieces of information:

1. The name of the device
2. The date the complaint was received
3. Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s)
4. The name, address, and phone number of the complainant
5. The nature and details of the complaint
6. Any correction or corrective action taken
7. Any reply to the complainant

If you were compliant with the old §820.198 complaint file requirements, this list will look almost identical. Items 1, 2, 4, 5, 6, and 7 were all required under the old QSR. The significant addition is item 3: the explicit UDI or UPC requirement. The old QSR required recording device identification — type, control number, model, catalog number, batch number — but it didn’t explicitly call out UDI. The QMSR does. If your devices have UDIs (and if they’re subject to Part 830, they do), those UDIs need to appear in your complaint records.

The “Similar Complaint” Exception Still Applies

One thing that carried forward unchanged in spirit: if you’ve already investigated a substantially similar complaint, you don’t have to investigate the new one from scratch. But you do have to document your justification for not investigating. This was true under the old QSR — it’s true under the QMSR.

What’s worth noting is a small but meaningful difference in how the old and new rules handle this. The old §820.198 required you to record not only the justification but also the name of the individual responsible for the decision not to investigate. The new §820.35 requires only the documented justification — no named individual. It’s a minor relaxation of administrative overhead, but it’s a real one.

Servicing Records: Similar Story, Same UDI Twist

Section 820.35(b) addresses servicing records, supplementing ISO 13485 Clause 7.5.4 (Servicing Activities). The six required data elements for service records are:

1. The name of the device serviced
2. Any UDI or UPC, and any other device identification(s)
3. The date of service
4. The individual(s) who serviced the device
5. The service performed
6. Any test and inspection data

Again, manufacturers who were compliant with the old §820.200 (Servicing) will recognize this list. The UDI requirement is the notable addition. If you’re servicing devices, UDI needs to go into the service record.

The UDI Thread Running Through §820.35

The UDI requirement shows up three times in §820.35. It’s in complaint records (§820.35(a)(3)), in servicing records (§820.35(b)(2)), and then again as its own standalone paragraph: §820.35(c) states that “the UDI must be recorded for each medical device or batch of medical devices,” in addition to the existing ISO 13485 clauses on identification and traceability.

This reflects something broader about the QMSR: FDA is serious about UDI integration across the quality system. It’s not enough to assign UDIs and put them on labels. The regulation is now explicitly requiring that UDIs flow through your records — including the records you keep when something goes wrong (complaints) and when a device gets repaired or maintained (servicing). Think of §820.35(c) as FDA closing a loop: every device, every batch, UDI recorded.

What About the Old MDR-Complaint Separation Requirement?

Under the old §820.198(c), complaints that were MDR-reportable had to be maintained in a “separate portion of the complaint files or otherwise clearly identified.” The new §820.35 doesn’t replicate that specific language. The seven required data elements apply to investigated and reportable complaints alike, but the explicit segregation or clear-identification requirement for MDR complaints isn’t in §820.35.

This doesn’t mean you can throw all your complaints into one undifferentiated pile — ISO 13485 Clause 8.2.2 still requires an effective complaint handling process, and being able to identify and track MDR-reportable events is essential for Part 803 compliance. But if your SOP previously required a dedicated MDR-complaint subfolder or flag specifically to satisfy old §820.198(c), you may want to revisit whether that requirement is still driven by the QMSR text or just by your existing procedure.

The Confidentiality Provision

Section 820.35(d) carries forward a provision from the old §820.180: records deemed confidential by the manufacturer may be marked as such, to help FDA determine whether information may be disclosed under the public information regulation in Part 20. This is a small but useful provision. If you have records you believe contain trade secrets or commercially sensitive information, marking them as confidential is the mechanism for flagging that for FDA during an inspection. It’s not a guarantee — Part 20 governs what FDA can actually disclose — but it’s the right first step.

What Manufacturers Should Actually Do

If your complaint handling procedure was built around the old §820.198, the most important thing to check is whether UDI is now captured in your complaint and service records. For most manufacturers with UDI-labeled products, this is probably a procedure update and a form field, not a systemic overhaul.

You’ll also want to make sure your complaint handling SOP references ISO 13485 Clause 8.2.2 — because that’s the baseline your §820.35 requirements layer on top of. If your procedure was written entirely against the old QSR without reference to ISO 13485, it’s time for a revision that acknowledges the two-document structure.

The records management framework — retention schedules, access controls, storage and disposal requirements — lives in ISO 13485 Clause 4.2.5. Section 820.35 is purely about content. Make sure your procedures reflect both layers.

Section 820.35 is one of those parts of the QMSR where the changes look modest on paper but have practical ripple effects in your quality system. The UDI thread in particular is worth tracing through your records carefully. Up next: §820.45, where FDA addresses device labeling and packaging controls — and has some specific requirements that ISO 13485 didn’t cover to their satisfaction.

---