What Is Post-Market Surveillance? 4-Level Guide for Medical Devices (2026)

Level 1 — Explain It Like I'm Five

Imagine you make toy cars. Before you sell them, you test them to make sure they're safe. But after kids start playing with them, some cars might break in ways you didn't expect — maybe a wheel falls off and a toddler could swallow it.

Post-market surveillance means you keep watching your toy cars after they're sold. You listen when parents call to say something broke. You check if other toy companies had the same problem. And if you find something dangerous, you fix it fast and tell everyone.

For medical devices, it's the same idea — except instead of toy cars, it's heart monitors, surgical tools, and implants. And instead of parents calling, it's hospitals, doctors, and patients reporting problems. The "watching" never stops, for as long as the device is used by anyone, anywhere in the world.

Level 2 — The General Picture

Post-market surveillance (PMS) is the systematic process of monitoring the safety and performance of medical devices after they have been authorized for sale. Every country that regulates medical devices requires manufacturers to operate a PMS system.

Why does it exist?

Clinical trials and lab testing can only catch problems that occur in controlled conditions with limited patients over limited time. Real-world use is different — devices are used by millions of people, in diverse clinical settings, for years or decades. PMS catches the problems that premarket testing cannot predict.

What does it involve?

PMS has two streams:

Internal monitoring — collecting data from your own operations: customer complaints, service records, production defects, returned devices
External monitoring — collecting data from outside: regulatory databases (adverse event reports, recalls), published scientific literature, competitor device events, professional conferences

Who is responsible?

The manufacturer bears primary responsibility. But importers, distributors, and healthcare facilities also have reporting obligations depending on the jurisdiction.

Level 3 — What RA/QA Professionals Must Do

Your core daily responsibilities

Task	Frequency	Regulatory Basis
Review incoming complaints for reportable events	Daily (within 24 hrs)	21 CFR 803, EU MDR Art. 87, CMDR s.59
Check regulatory intelligence alerts for your device category	Daily (10–15 min with automated tools)	EU MDR Art. 84, FDA expected practice
File adverse event reports within jurisdiction timelines	As events occur	FDA: 5/30 days; EU: 2/10/15 days; HC: 10/30 days
Compile complaint trend analysis	Monthly	QMSR, EU MDR Art. 88, ISO 13485 s.8.4
Update PSUR / PMS Report	Annually (Class IIb/III) or biannually (Class IIa)	EU MDR Art. 85–86
Update risk management file with PMS data	At least annually	ISO 14971:2019 s.10
Present PMS data at management review	At least annually	ISO 13485 s.5.6

The regulations by jurisdiction

FDA (US): 21 CFR 803 (MDR reporting), 21 CFR 806 (corrections/removals), 21 CFR 822 (522 studies), QMSR (replacing 820, effective Feb 2, 2026)
EU: MDR 2017/745 Articles 83–92 (PMS system, PMS plan, PSUR, vigilance, trend reporting), Annex III (PMS technical documentation), Annex XIV Part B (PMCF)
Health Canada: CMDR SOR/98-282 s.57–66 (complaints, mandatory problem reporting, recalls), Vanessa's Law (mandatory recall authority)
Global: ISO 13485:2016 s.8.2.1–8.2.3 is accepted by all major jurisdictions. MDSAP Chapter 5 audits PMS across FDA, HC, Brazil, Japan, Australia simultaneously.

What you actually produce

PMS Plan — documented strategy for what data you collect, how you analyze it, and what triggers action (mandatory under EU MDR Art. 84)
Complaint investigation files — with reportability determination for every complaint
Adverse event reports — submitted to applicable authorities within jurisdiction timelines
Trend analysis reports — monthly/quarterly complaint trending with statistical methods
PSUR or PMS Report — periodic summary with benefit-risk conclusions (EU MDR)
Risk management file updates — integrating PMS findings into ISO 14971 risk files
CAPA records — corrective actions driven by PMS data with effectiveness verification

Level 4 — The Deeper Analysis

Why PMS systems fail: the structural problem

PMS failures are rarely about not knowing the regulations. They're about organizational design. In most companies, PMS data flows through complaint handling (owned by QA), gets evaluated for reporting (owned by RA), triggers CAPAs (owned by QA), feeds into risk files (owned by R&D), and gets presented at management review (owned by senior leadership). No single person or function owns the complete PMS loop. This fragmentation is the root cause of the most common audit findings globally.

The regulatory philosophy divergence

FDA and the EU have fundamentally different PMS philosophies:

FDA's approach is enforcement-driven: The QSIT inspection framework (now transitioning to CP 7382.850 with 6 QMS Areas and 4 OAFRs) uses pre-inspection intelligence — your own MDR reports, your MAUDE data, your recall history — to target what to inspect. FDA finds problems by working backwards from your reported events. Warning letter volume increased 96% from FY2023 to FY2024, reflecting more targeted, data-driven enforcement.
EU MDR's approach is documentation-driven: The MDR prescribes exactly what documents you must produce (PMS Plan, PSUR, PMCF plan/report), what they must contain, and how often you must update them. Notified Bodies audit the quality and completeness of these deliverables. The risk is paper compliance without substance.
MDSAP bridges both: MDSAP Chapter 5 audits the process (are you actually doing PMS?) across 5 jurisdictions simultaneously, with a grading system (1–5) that forces prioritization. This is the closest thing to a unified audit approach.

Where the field is heading

Three trends are reshaping PMS:

Real-world evidence (RWE): FDA removed major barriers to using RWE in December 2025 — registry data, claims databases, and EHR data can now support 510(k)s, PMAs, and post-market studies. This transforms PMS from a compliance exercise into a competitive advantage.
AI-powered signal detection: Natural language processing applied to MAUDE reports, social media, and complaint data enables earlier detection of safety signals that manual review would miss. Regulatory acceptance is increasing.
Regulatory intelligence automation: Platforms like TrueMedDevice that aggregate regulatory databases (548K+ FDA and HC records) with automated device-profile matching represent the shift from reactive, manual PMS to continuous, proactive monitoring — exactly what EU MDR Article 84 demands and what FDA QMSR expects.

The cost asymmetry that drives everything

The total cost of a robust PMS system is typically $50K–$200K/year for a mid-size manufacturer. The cost of a single Class I recall averages $3M–$10M+. An FDA consent decree costs $10M–$100M+ and can shut down operations for years. The non-routine quality events across the industry cost an estimated $7.5–9 billion annually. This 50-to-1 cost asymmetry means PMS investment has one of the highest ROIs of any regulatory function — yet it remains systematically underinvested because the return is in avoided catastrophe, which is invisible when it works.

Frequently Asked Questions

What is post-market surveillance for medical devices?

Post-market surveillance (PMS) is the systematic, ongoing process of collecting, analyzing, and acting on safety and performance data about medical devices after they have been authorized for sale. It includes monitoring complaints, adverse events, regulatory databases, scientific literature, and competitor devices. PMS is mandatory in every major regulatory jurisdiction including the US (FDA), EU (MDR 2017/745), Canada (CMDR), Japan (PMDA), and Australia (TGA). The manufacturer bears primary responsibility for operating the PMS system throughout the entire device lifecycle.

Why is post-market surveillance required if devices are tested before approval?

Premarket testing — clinical trials, bench testing, biocompatibility studies — occurs under controlled conditions with limited patients over limited time periods. PMS catches problems that only emerge in real-world use: rare adverse events (1 in 10,000+ patients), long-term degradation, use errors in diverse clinical settings, interactions with other devices, and off-label use patterns. Real-world performance data from millions of patients over years or decades reveals risks that no premarket study can predict.

What happens if a medical device manufacturer does not have a PMS system?

Failure to maintain a PMS system results in regulatory enforcement: FDA issues 483 observations and warning letters (CAPA and complaint handling are the #1 and #3 most cited categories), which can escalate to consent decrees, import alerts, or production shutdowns. In the EU, the Notified Body will issue nonconformities that can lead to CE marking certificate suspension — effectively removing the device from the entire European market. Health Canada can suspend or cancel device licences. MDSAP Grade 4–5 findings trigger mandatory regulatory authority notification within 5 business days.

How much time does PMS take for a small medical device company?

For a single-product company selling in 1–2 markets, expect 30–60 minutes of daily PMS activities (complaint review, monitoring alerts) plus 5–10 hours per month for trending, reporting, and documentation. This drops to 15–30 minutes daily with automated regulatory intelligence tools. For multi-product, multi-market companies, PMS typically requires a dedicated team member or significant portion of an RA/QA role. The EU MDR's PSUR and PMCF requirements add 40–80 hours annually per device family.

What Is Post-Market Surveillance? Explained at 4 Levels (2026)