Post-Market Surveillance for Medical Devices: Ultimate 2024 Guide

10 min read | 10/04/2024

Igal Zeifman
Hadas Spektor

What Is Post-Market Surveillance (PMS) for Medical Devices?

Post-Market Surveillance (PMS) is the process of monitoring a medical device once it is already on the market and in use. Although medical devices are released to the market only after undergoing some form of clinical testing, real-world data from actual use of the device can provide critical information about its safety and effectiveness.

PMS is part of an effort by regulatory authorities to monitor and ensure the safety of drugs and medical devices. Regulators around the world are shifting their focus from pre-market to post-market regulation of medical devices, with the understanding that PMS can provide a more realistic picture of device effectiveness and adverse effects.

This is part of a series of articles about Medical Device Regulations

Why Is Post-Market Surveillance Important?

Post-market surveillance provides additional information about a medical device and the medical condition it is designed to treat. It also makes it possible to compare a device to other devices on the market.

For device manufacturers, this information is extremely valuable and can be used to inform marketing and pricing strategies, product upgrades, new releases, and updates to clinical characteristics. More importantly, PMS can help manufacturers identify and address critical issues affecting the safety or efficacy of a device.

For medical practitioners and health care providers, post-market surveillance data provides information about the use of the device in real patient populations. These populations often differ from those in the initial clinical data, and the data provides insight into use of the device under a variety of conditions and over a longer time frame. This data helps clinicians make better patient treatment decisions and can help healthcare providers evaluate their investments.

For regulators, post-market surveillance helps identify whether the safety, efficacy and cost-effectiveness of a device align with the results of the initial clinical data. This is crucial because it provides real-life evidence that the device benefits patients and validates its risk-benefit ratio.

Post Market Surveillance Regulation in the U.S.

What Is US FDA 21 CFR Part 822?

PMS requirements in the US were originally determined by the 522 Post-Market Surveillance Studies Program, established within the US Food and Drug Administration (FDA).

Today, the main requirements for post-market regulation in the United States are determined by the Code of Federal Regulations (CFR), Title 21, Part 822. Below is a brief summary of the requirements:

Which Devices are Covered?

FDA requirements for post-market surveillance apply to Class II (intermediate risk devices, such as infusion pumps) and Class III devices (high risk devices, such as pacemakers), which meet at least one of the following criteria:

  1. If the equipment malfunctions, it can have serious adverse health effects.
  2. The equipment is designed to be implanted in the human body for more than one year.
  3. The equipment is life-sustaining (supporting the continuation of a bodily function important to human life), and intended for use outside a medical facility.

When can the FDA Require PMS?

In some cases, the FDA can require PMS as a response to adverse event reports related to a medical device, with the aim of evaluating the safety and efficacy of the device. These reports might be collected from medical practitioners and patients as part of the MedWatch program. In other cases, the FDA can require PMS for devices that had limited premarket testing, or to obtain additional information about device performance in actual clinical practice.

What are Manufacturers Required to Do?

The FDA issues post-market surveillance orders, requiring manufacturers to submit a PMS plan. The plan should explain how the manufacturer plans to perform PMS to meet regulatory requirements. Here are common elements of a PMS plan:

  • Equipment background, regulatory history, and approved medical indications.
  • PMS study design, objectives, and hypothesis.
  • Patient population, with inclusion and exclusion criteria and sample size.
  • Primary and secondary endpoints (expected outcomes of the study), with success criteria and expected adverse events.
  • Follow-up plans and evaluation procedures.
  • Data collection forms and procedures.
  • Statistical analysis guidelines and data analysis procedures.
  • Milestones and reporting schedule for interim and final reports.

Post Market Surveillance Regulation in the European Union

What Is EU MDR?

In the European Union (EU), the primary regulation that specifies requirements for PMS is the Medical Device Regulation (MDR), also known as EU 2017/745. The regulation requires medical device manufacturers to submit a PMS plan as part of their technical documentation.

Depending on the device class, the MDR may require a manufacturer to produce a post-market surveillance report (PMSR) or a periodic safety update report (PSUR). These reports typically include information about serious and non-serious incidents related to the device, available data on side effects, feedback or complaints from users, distributors, or importers of the device, and information about similar devices available on the market.

Which devices require a post-market surveillance report (PMSR)?

A PMSR is needed for:

  • Devices defined as Class I under the MDR (low-risk devices, such as non-electric wheelchairs).
  • Devices defined as Class A under the In Vitro Diagnostic Regulation (IVDR) (low patient health and public health risk).
  • Devices defined as Class B under the IVDR (moderate patient risk and/or low public health risk).

In a PMSR, the device manufacturer should present data gathered in post-market surveillance, results and conclusions, as well as corrective and preventive actions taken and their rationale.

Which devices require a periodic safety update report (PSUR)?

A PSUR is needed for:

  • Devices classified by the MDR as Class IIa (medium risk), Class IIb (medium to high risk) and Class III (high risk).
  • Devices classified under the IVDR as Class C (high patient risk and/or moderate public health risk) or Class D (high patient risk and high public health risk).

A PSUR is similar to a PMSR but has additional requirements. It must include an update of the benefit/risk ratio, a post-market clinical or performance follow-up, details of sales volume, user population characteristics, and usage frequency.

How Should PMS and PSUR Plans Be Structured According to the MDR?

The details of PMS/PSUR plans are defined in Annex III of the MDR. These plans should include:

  • A process for proactively collecting information, including user feedback and incident reports.
  • Methods for analyzing the collected data.
  • Threshold values for the risk-benefit ratio and methods for risk management.
  • Communication protocols for transferring data to authorities, users, and other relevant parties.
  • Assessment of collected results, recommendations and action items.
  • Methodology for investigating complaints and reports from the field, including ways to identify devices for which corrective actions are needed, or defective products in case of a recall.
  • A description of how the manufacturer intends to fulfill its obligations for the PMS system, the PMS report, and, where required, the PSUR.

Postmarket Surveillance Guidance Documents and Standards

MDCG Guidance Documents

The Medical Device Coordination Group (MDCG) provides guidance documents to assist with the implementation of medical device regulations in the EU. These documents cover various aspects of PMS, offering manufacturers insights into compliance with regulatory requirements. They outline procedures for monitoring, reporting, and risk management of medical devices post-market.


ISO 20416:2020

ISO 20416:2020 presents a standard for medical device post-market surveillance. It establishes a framework for manufacturers to monitor, review, and improve their products after release. This standard guides the systematic collection and analysis of data, ensuring ongoing compliance and improvement of medical device safety and performance.


Team Notified Body

Team Notified Body (Team NB) consists of organizations designated by the EU to assess whether manufacturers comply with regulatory requirements before market entry. This team also plays a critical role in post-market surveillance, reviewing and validating PMS systems and reports produced by manufacturers.

Engaging with Team NB ensures that PMS processes are in line with current regulations and standards. This collaboration between manufacturers and Team NB enhances product safety and fosters trust among users and regulatory bodies.


Manufacturer and User Facility Device Experience (MAUDE) Database

The Manufacturer and User Facility Device Experience (MAUDE) database is a source of reports on adverse events involving medical devices. Managed by the FDA, it allows manufacturers, health professionals, and the public to search for and report issues. This transparency is integral to improving patient safety.

By analyzing MAUDE database entries, manufacturers can identify potential patterns or specific device problems, informing their PMS efforts. It’s a valuable tool for proactive risk management and product improvement.


6 Best Practices for Post-Market Surveillance of Medical Devices

Here are a few tips for success when building a PMS strategy for a medical device:

  1. Conduct pre-market surveillance—data from the development process can provide early warnings about potential safety issues and help develop the risk profile of the device. An important part of this early input is identifying issues in advance, using testing tools that profile the device for quality and security gaps before it is sent to market.
  2. Be proactive about PMS—this involves any activity meant to anticipate and mitigate adverse events before they occur, post-deployment. To be effective, proactive PMS relies on the ability to collect live data from devices deployed in the field, and detect issues early, before they escalate into adverse events. Keep in mind that ISO 13485 (Quality Management Systems for Medical Devices), which applies to almost all medical devices on the market, requires “early warning” of adverse events, which requires proactive PMS.
  3. Don’t forget about Reactive PMS—many PMS activities occur in response to events. These might be complaints from patients or medical practitioners or more severe events known as “vigilance”, which involve serious injury or death. Reactive PMS is important, but not sufficient to fully meet regulatory requirements. It must be combined with proactive, early warning about issues discovered in the field.
  4. Invest in formal documentation—formal documentation for a PMS program should include a description of data sources and methodology for analysis, how to receive complaints and reports on adverse effects, the risk analysis model, details of corrective action taken, communication procedures, and methods of tracing issues in specific devices. In the EU, devices require a formal report known as PMSR or PSUR (see the EU regulations section above).
  5. Implement active monitoring for new devices—for new technology or devices in emerging markets, there will be limited knowledge about patient populations, the complexity of the relevant medical conditions, and interaction with device use. This may result in an under (or over) estimation of risks. To compensate for this, the manufacturer should plan for an active monitoring program to detect unexpected problems or safety issues.
  6. Make use of medical literature—for devices in an established market, where experience has been gathered with similar devices, literature can provide some aspects of post-market clinical evaluation. Literature about similar devices in the market can give manufacturers valuable data about patient populations, comorbidities (other medical conditions experienced by the same patients), and the possible effects of device use.

Common Challenges of Post Market Surveillance

PMS has been one of the medical product industry’s most difficult and expensive aspects for several years. This difficulty is due to the high volume of transactions and manual tasks such as handling complaints, tracking product quality, and monitoring patient safety.

Frequently changing regulatory requirements, such as the IVDR and EU MDR, compound the impact of FDA requirements. Here are two key technical factors that complicate the PMS process and increase the likelihood of post-pandemic surveillance audits by regulatory bodies:

Data Collection and Management

Many medical device manufacturers still rely on manual spreadsheets and in-house databases, which raise security concerns and often increase the risk of errors in transcription, formulas, filtering, etc. These errors delay the company’s adverse event report submission schedule and create operational inefficiencies that ripple throughout the entire submission process.

On the other end of the spectrum, some companies invest heavily in highly customized on-premise solutions, making it difficult to upgrade, adapt to new regulatory requirements, and maintain a product’s validated state. Ultimately, such solutions become unusable over time, even after heavy investment in their maintenance.

Moreover, each of the above approaches often results in multiple data collection methods being deployed by the same company, with different data management techniques applied by different teams for different device types. This results in a chaotic situation, preventing manufacturers from having a single source of truth, uniform process and standardized format that can be applied across all product offerings.

Lack of In-field Visibility

Many organizations face technical challenges that prevent them from collecting granular device-level data from devices in the field. For connected devices, real-time visibility is a missed opportunity – one that could have been leveraged for preemptive issue detection.

When it comes to isolated/gated devices, providing any kind of visibility becomes a challenge, and yet that data is still needed to address PMS requirements.

Medical device companies often address this situation with DIY solutions. According to a media report, one healthcare organization spends $500,000 per month on additional resources to handle growing transaction volumes. However, even such solutions fail in providing granular visibility about user interactions with the device and specifics like temperature level, resource utilization and security events. Meanwhile, an issue across any of these could endanger the patient, lead to a recall, or worse.

Improving product quality and adapting to changing regulations therefore requires a new technical approach to post-market surveillance. This makes the case for innovative solutions that streamline the entire end-to-end PMS process and enable device manufacturers to achieve dramatic improvements while controlling operating costs.

How We Can Help

Post-market surveillance raises many requirements for medical devices, most prominently the need to collect and manage data from devices, and the need for visibility into anomalies occurring in the field. Existing technological tools do not provide this capability out of the box, and manufacturers are scrambling to build home-grown solutions.

Sternum is a security and analytics platform for IoT, proven for use with medical devices. Embedded in the device itself, it provides deterministic security with runtime protection against known and unknown threats, coupled with observability features that granularly monitor and log all of the device functions.

Sternum operates at the bytecode level, making it universally compatible with any IoT device or operating system, including RTOS, Linux, OpenWrt, Zephyr, Micrium, and FreeRTOS. It also has a low overhead of only 1-3%, which makes it a good fit even for the most resource-constrained legacy devices.


This is how Sternum helps with post-market observability:

  • Granular flexibility – Sternum can be used to collect any type of data, no matter how granular (e.g., user interactions, error logs, connectivity and battery data, temperature information, crash reports and more). The monitoring strategy can be easily configured to your needs, reducing noise and offering a clear view of the things that matter most.
  • Live in-field insights – As long as the device is connected, Sternum sends a continuous live data stream to the cloud. This offers live access to detailed device-level information, enabling rapid error detection, remote debugging, and other mission-critical tasks for devices in the field.
  • Monitoring of isolated devices – The platform is also built to support devices with intermittent connectivity, whether fully connected, gateway connected, etc. To address these deployment scenarios, Sternum can double as a proxy, storing data until a connection is established.
  • AI-based anomaly detection – Sternum leverages AI to learn the specifics of each device and detect unwanted deviations from its typical behavior. For example, Sternum can detect unusual communications, an abnormal number of events, an atypical combination of event values, sequence violations, and security issues like DDoS.
  • Detailed incident reports – For each alert, customizable investigation views provide a visual chronology of the incident, offering additional context and streamlining root cause analysis. Furthermore, this information can be used for CAPA and Customer Complaint investigations.
  • Centralized fleet management – The Sternum dashboard allows you to streamline large deployments and easily track device inventory, helping you manage device profiles and operations, surface fleet-wide security issues, and analyze trends for product innovation.


This is how we help post-market security requirements:

  • Agentless security – On-device security integrates directly into the firmware, making it a part of the core build. This ensures that the solution cannot be externally compromised and leveraged as a point of failure.
  • Automatic mitigation of known and zero-day threats – Sternum prevents 96.5% of attacks in benchmark (RIPE) security tests. Its vulnerability-agnostic approach makes it equally effective against known and zero-day threats. This not only improves security but can also cut security patch management costs by as much as 60%.
  • Supply chain protection – The solution relies on binary instrumentation, making it able to protect all running code. This extends to 3rd party and operating system libraries, effectively preventing all supply chain exploit attempts.
  • Protection of isolated devices – Sternum’s security solution does not rely on external communication to secure devices, making it equally effective for connected and isolated devices.
  • Streamlined compliance – Helps meet the latest cyber regulations for IoT devices (IEC 62443, FDA, NIST, etc.) and the most current FBI recommendations for Internet of Medical Things (IoMT) endpoint protection.


The information provided in this article is meant purely for an educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such. You must not rely on the information in this article as an alternative to advice from your professional legal, compliance or regulatory services provider.

This article also contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.
