Internal vs. External Post-Market Surveillance: Complete Operations Guide for RA/QA (2026)

By TrueMedDevice Regulatory Team, February 18, 2026

Internal vs. External Post-Market Surveillance: What Every RA/QA Professional Must Do

As a regulatory affairs (RA) or quality assurance (QA) professional, your post-market surveillance responsibility splits into two distinct but interconnected streams: internal PMS (data generated within your own organization) and external PMS (data collected from the outside world). Both are mandatory under every major regulatory framework — FDA, EU MDR, Health Canada, Japan, and others — but the skills, tools, and daily workflows for each are fundamentally different.

This guide explains why both streams exist, what data you must collect, when you must act, and exactly how to build the systems that satisfy regulators while actually improving your device safety.

Why Two Streams? The Regulatory Logic

Regulators require both internal and external PMS because neither stream alone provides a complete safety picture:

  • Internal PMS catches what you can see — complaints your customers report directly to you, defects your production team finds, failures your service engineers discover. This data is rich in detail but limited to your direct observation.
  • External PMS catches what you cannot see — adverse events reported to regulatory databases by hospitals (not to you), recalls of similar devices by competitors, newly published research showing risks with your device type, changes in regulatory guidance affecting your product. This data is broader but requires active monitoring to find.

Together, they give you the 360-degree view that every regulation demands: FDA's QMSR requires both complaint handling (internal) and post-market data analysis (external). EU MDR Article 84 explicitly lists both internal and external data sources in the PMS Plan. MDSAP Chapter 5 audits both streams.

Internal PMS: What You Generate and Control

1. Complaint Handling System

What: A documented process to receive, record, evaluate, investigate, and close all customer feedback including complaints, product returns, and user reports.

Why it matters: Complaints are the primary data source for adverse event determination. Every major regulatory citation starts with "inadequate complaint handling." Under 21 CFR 803 and EU MDR Article 87, your complaint evaluation process directly determines whether a reportable event exists.

What RA/QA must do daily:

  • Review all incoming complaints within 24 hours for potential adverse event reporting
  • Apply MDR decision tree (FDA) or serious incident criteria (EU MDR) to every complaint
  • Ensure investigation timelines are tracked (typically 30-60 days for routine, 5 days for potential MDRs)
  • Document rationale when a complaint is determined NOT reportable — regulators audit your "no" decisions as aggressively as your "yes" decisions
  • Trend complaints monthly by device, complaint code, and severity

2. CAPA (Corrective and Preventive Action)

What: Systematic investigation and resolution of quality problems identified through complaints, audits, nonconformances, and PMS data analysis.

Why it matters: CAPA is where PMS data transforms into actual device improvements. FDA's QSIT inspection begins and ends with CAPA — it is the subsystem that connects all others. EU MDR Article 83(3)(d) requires PMS to identify "corrective or preventive actions."

What RA/QA must do:

  • Ensure every significant PMS finding generates a CAPA evaluation (not necessarily a CAPA — document why not if no CAPA is opened)
  • Track CAPA effectiveness verification — FDA wants to see evidence that your fix actually worked, not just that you implemented it
  • Link CAPAs to risk management file updates — every CAPA that changes device risk must update your ISO 14971 risk management file

3. Production Nonconformance and Process Monitoring

What: Data from manufacturing — rejected lots, process deviations, out-of-specification results, supplier nonconformances.

Why it matters: Production data is a leading indicator. When your reject rate for a critical component increases, it may predict a field failure before any complaint arrives.

What RA/QA must do:

  • Review production quality data monthly for trends
  • Set statistical thresholds (control charts) for key quality parameters
  • Ensure supplier quality data feeds into PMS trending

4. Field Service and Repair Data

What: Service reports from field engineers, repair records, preventive maintenance data, calibration failures.

Why it matters: Service data often reveals device performance issues that users don't report as complaints. A pattern of premature component failures or recurring service calls is PMS data that regulators expect you to analyze.

5. Internal Audits

What: Your own audit program assessing PMS system effectiveness — complaint handling adequacy, reporting timeliness, CAPA closure rates.

Why it matters: Internal audits demonstrate that your PMS system is self-correcting. Regulators view lack of internal audit findings on PMS as a red flag — it suggests you are not looking critically at your own processes.

6. Management Review

What: Periodic (at least annual) leadership review of PMS data, trends, and system effectiveness.

Why it matters: Required by ISO 13485 Section 5.6 and referenced by every jurisdiction. Management review ensures that PMS findings reach decision-makers who can allocate resources for corrective actions.

Inputs that must include PMS data:

  • Complaint and adverse event trends
  • CAPA status and effectiveness
  • Regulatory reporting summary (how many MDRs/serious incidents filed)
  • Field safety actions taken
  • External PMS findings (see below)
  • Changes to regulatory requirements

External PMS: What You Must Monitor From the Outside World

1. Regulatory Database Monitoring

What: Systematic monitoring of adverse event databases, recall databases, and enforcement actions from regulatory authorities — for your own devices and similar/equivalent devices.

Which databases to monitor:

Database | Authority | What It Contains | Monitor For
MAUDE | FDA | Medical Device Reports (adverse events) | Own device events + similar devices
FDA Recall Database | FDA | Device recalls, corrections, removals | Competitor recalls for similar devices
FDA Enforcement Actions | FDA | Warning letters, import alerts, consent decrees | Competitor enforcement + your product codes
510(k) / PMA Database | FDA | Clearances and approvals | Predicate device changes, new entrants
EUDAMED / National Vigilance | EU NCAs | Serious incidents and FSCAs | Own device + similar device events
Health Canada Recalls | HC | Canadian device recalls | Own device + competitor recalls
HC MDALL | HC | Active device licences | Similar device licence changes
PMDA Safety Info | Japan | Japanese adverse events | Market-specific events
TGA IRIS | Australia | Adverse event reports | Australia-specific events

Why it matters: EU MDR Article 84 explicitly requires monitoring "similar devices." FDA expects you to be aware of adverse events on predicate devices and competitive products. MDSAP auditors check that your external monitoring is systematic, not ad hoc.

How to do it effectively: Manual monitoring of all these databases is impractical for most teams. This is exactly the problem that TrueMedDevice's regulatory intelligence platform solves — aggregating 548,000+ records from FDA and Health Canada databases into a single searchable interface with automated monitoring alerts for your specific device categories.

2. Literature Monitoring

What: Systematic review of published scientific literature for safety and performance data relevant to your devices.

Why it matters: EU MDR requires literature monitoring as part of both PMS (Article 84) and clinical evaluation (Annex XIV). FDA expects literature monitoring as part of the risk management process. New publications may reveal previously unknown risks, new contraindications, or new clinical evidence affecting your benefit-risk determination.

What RA/QA must do:

  • Define search terms and databases (PubMed, Embase, Cochrane at minimum)
  • Run searches at defined intervals (quarterly for most devices, monthly for high-risk)
  • Document search strategy, results, and evaluation of relevant papers
  • Feed findings into clinical evaluation report (CER) updates and risk management files

3. Competitor and Similar Device Monitoring

What: Tracking recalls, adverse events, and regulatory actions on devices that are similar to yours — same intended purpose, same technology, same product codes.

Why it matters: A recall on a competitor's device using the same technology may indicate a risk that also applies to your device. Regulators expect you to proactively assess whether similar-device events are relevant to your own products.

4. Standards and Guidance Monitoring

What: Tracking changes to applicable standards (IEC, ISO), regulatory guidance documents, and regulatory interpretations that affect your device.

Why it matters: New or revised standards may change your device's compliance status. New guidance may change reporting obligations or PMS expectations.

5. Social Media and Patient Forums

What: Monitoring online discussions about your device or device category for unreported safety signals.

Why it matters: FDA has stated that manufacturers should consider social media as a source of complaint data. While not explicitly required by most regulations, sophisticated PMS programs include social listening as an early warning system.

Connecting Internal and External PMS: The Integration Point

The real value of PMS comes from connecting internal and external data streams. Here is how they interact:

External Signal | Internal Action Required | Output
Competitor recall for same failure mode | Evaluate own device for same risk → review complaints for similar patterns | Risk management file update, possible CAPA
New MAUDE report on predicate device | Review own complaint history for similar events → assess if under-reported | MDR evaluation, possible supplemental report
Published study showing long-term risk | Update CER → reassess benefit-risk → review labeling | CER update, possible PSUR revision, possible IFU change
Regulatory guidance change | Gap analysis against current system → implement changes | Procedure updates, training, possible CAPA
Own complaint trend (internal) | Cross-reference with external databases for similar patterns | Scope assessment, possible field action

This integration is what regulators evaluate during inspections. They want to see that you don't operate PMS in silos — external data must influence internal actions, and internal data must be contextualized against external information.

RA/QA Daily and Weekly PMS Workflows

Daily Tasks

  1. Review incoming complaints for reportable event determination (15-30 min)
  2. Check regulatory intelligence alerts for own-device and similar-device events (10 min with automated platform)
  3. Process any open adverse event reports approaching deadline (varies)

Weekly Tasks

  1. Compile complaint and event summary for the week
  2. Review CAPA progress and upcoming effectiveness checks
  3. Run external database search for similar device events (or review automated alerts)
  4. Update PMS tracking log

Monthly Tasks

  1. Generate complaint trend analysis — codes, rates, severity distribution
  2. Review production nonconformance trends
  3. Run literature search (or review accumulated results)
  4. Prepare PMS input for management review (if scheduled)

Quarterly/Annual Tasks

  1. Update PSUR (EU MDR Class IIb/III: annually; Class IIa: every 2 years)
  2. Update clinical evaluation report with PMS data
  3. Update risk management file based on PMS findings
  4. Annual management review with PMS input
  5. Internal audit of PMS system effectiveness

Frequently Asked Questions

What is the difference between internal and external post-market surveillance?

Internal PMS covers data generated within your own organization — complaints from your customers, production nonconformances, service records, CAPA data, and internal audit findings. External PMS covers data collected from outside sources — regulatory databases (MAUDE, recall databases), published scientific literature, competitor adverse events, standards updates, and social media monitoring. Both are required by FDA (QMSR), EU MDR (Article 84), Health Canada (CMDR), and all major regulatory jurisdictions.

How much time should an RA/QA professional spend on PMS activities daily?

For a typical single-product medical device company, an RA/QA professional should expect to spend 30-60 minutes daily on PMS activities — primarily complaint review and external monitoring. This can be reduced to 15-30 minutes with automated regulatory intelligence tools that provide pre-screened alerts instead of manual database searching. For multi-product companies or those selling in multiple jurisdictions, PMS may require a dedicated team member or significant portion of an RA/QA role.

Do I need to monitor competitor recalls for PMS compliance?

Yes. EU MDR Article 84 explicitly requires monitoring "similar devices on the market." FDA expects manufacturers to be aware of adverse events and recalls on predicate devices and substantially equivalent products. MDSAP auditors verify that manufacturers have a systematic process for similar-device monitoring. A competitor recall for a failure mode that could also affect your device requires documented evaluation and potentially a risk management file update or CAPA.

What happens if my external PMS monitoring finds a safety signal about my own device?

You must evaluate it against your internal data, assess whether a reportable event exists, determine if a CAPA or field safety corrective action is needed, and update your risk management file. If the signal suggests previously unrecognized risk, you may need to update your clinical evaluation (EU MDR), file an MDR report (FDA), update your labeling, or initiate a recall. The key is to document your evaluation process and rationale, even if you conclude no action is needed.

How can a small medical device company manage PMS across multiple jurisdictions?

Build one unified PMS system based on ISO 13485:2016 Section 8.2 that satisfies the most stringent requirements, then add jurisdiction-specific reporting modules. Use MDSAP as a harmonization tool for FDA, Health Canada, Brazil, Japan, and Australia. For external monitoring, use automated regulatory intelligence platforms like TrueMedDevice that aggregate multiple databases into one interface. Prioritize: (1) complaint handling, (2) adverse event reporting, (3) external monitoring, (4) trend analysis, (5) CAPA integration, (6) documentation updates.
