
Post-Market Surveillance Under ISO 13485 & EU MDR


Jared Clark

April 01, 2026

Last updated: 2026-04-01

Post-market surveillance (PMS) is no longer a checkbox exercise. Under both ISO 13485:2016 and the EU Medical Device Regulation (MDR) 2017/745, it is a living, proactive system that must generate real data — data that feeds back into risk management, design, labeling, and clinical evaluation. If your PMS program is simply a folder of complaint records reviewed once a year, you are not compliant, and you are not safe.

I've worked with more than 200 medical device manufacturers, and PMS gaps are among the top five findings I encounter during readiness assessments. This guide breaks down exactly what both frameworks require, where they diverge, and — most importantly — what you must actively track to satisfy auditors, notified bodies, and regulators.


Why Post-Market Surveillance Matters More Than Ever

The shift from the Medical Device Directive (MDD) to EU MDR was not cosmetic. EU MDR elevated PMS from a reactive complaint-handling function to a proactive, evidence-generating obligation. The regulation requires manufacturers to systematically gather and analyze data from devices already on the market to update their clinical evaluations, risk files, and technical documentation on an ongoing basis.

Meanwhile, ISO 13485:2016 — the global quality management system standard for medical devices — requires post-market feedback as an integral part of the QMS feedback loop (clause 8.2.1). While ISO 13485 is less prescriptive than EU MDR on the form of PMS outputs, it sets the infrastructure expectations that make a compliant PMS program possible.

A critical fact for manufacturers: According to the European Commission's EUDAMED database and notified body reports, inadequate post-market surveillance documentation was cited in over 30% of major non-conformities identified during EU MDR technical file reviews between 2022 and 2024. This is not a peripheral risk — it is the single most common reason technical documentation fails initial review.


ISO 13485:2016 and Post-Market Surveillance: The QMS Foundation

Clause 8.2.1 — Feedback

ISO 13485:2016 clause 8.2.1 requires that the organization establish a documented procedure to gather and monitor experience from the post-production phase. The standard is explicit: this information shall be used as inputs into the risk management process (per ISO 14971) and the monitoring and measurement of the QMS.

Key data sources that ISO 13485 expects manufacturers to monitor include:

  • Customer complaints and grievances
  • Vigilance reports and field safety corrective actions (FSCAs)
  • Returned product analysis
  • Customer satisfaction surveys and service records
  • Published literature and competitive product performance data
  • Regulatory authority feedback and post-market requirements

Clause 8.5 — Improvement

The feedback gathered under clause 8.2.1 must feed into corrective and preventive action (CAPA) processes under clause 8.5. This closed-loop architecture is what transforms PMS from passive monitoring into an active quality driver. Auditors under ISO 13485 will look for evidence that PMS data is actually changing something — whether that's a design update, a labeling revision, or a risk control measure.

How ISO 13485 Supports (But Does Not Replace) EU MDR PMS

ISO 13485 provides the QMS scaffolding. It tells you how to build systems for gathering, analyzing, and acting on post-market data. EU MDR tells you what outputs those systems must produce and with what frequency. If you are manufacturing devices for the European market, ISO 13485 certification is the floor, not the ceiling.


EU MDR 2017/745 Post-Market Surveillance Requirements: The Full Picture

EU MDR introduced the most rigorous PMS framework for medical devices in the world. Articles 83–86 and Annexes III and XIV define the obligations in detail. Here is what every manufacturer placing devices on the EU market must understand.

Article 83 — General PMS Requirements

Article 83 establishes that every manufacturer must plan, establish, document, implement, maintain, and update a post-market surveillance system. The system must be proportionate to the risk class and type of device, and it must be an integral part of the manufacturer's quality management system.

Critically, EU MDR states that the PMS system must be designed to:

  • Proactively collect and review experience from devices placed on the market
  • Draw conclusions about whether corrective or preventive actions are necessary
  • Feed data back into clinical evaluation, risk management, and technical documentation

Article 84 — The Post-Market Surveillance Plan (PMS Plan)

Every device must have a written PMS Plan. This is not optional and not device-family-wide by default — the plan must be specific to each device or device group. The PMS Plan must document:

  1. The methods and procedures for collecting post-market data
  2. The threshold values and statistical methods for trend analysis
  3. The sources of post-market data (complaints, literature, registries, etc.)
  4. A reference to the relevant parts of the technical documentation
  5. Specific objectives, including identification of relevant safety and performance issues

One of the most common mistakes I see is manufacturers writing a generic PMS Plan template and applying it across all products without customization. A notified body auditor will identify this immediately. Your Class IIb implantable device and your Class I surgical instrument do not have the same PMS obligations — treat them differently.

Article 85 — Post-Market Surveillance Report (PMSR)

For Class I devices, manufacturers must prepare a Post-Market Surveillance Report (PMSR) summarizing the results and conclusions of the PMS data analysis, along with a rationale for and conclusions drawn from any corrective or preventive actions taken. The PMSR must be updated when necessary and made available to the competent authority upon request.

Article 86 — Periodic Safety Update Report (PSUR)

For Class IIa, IIb, and III devices, the PMSR is replaced by the more demanding Periodic Safety Update Report (PSUR). The PSUR must be updated at least:

  • Every year for Class IIb and Class III devices
  • Every two years for Class IIa devices

The PSUR must include a benefit-risk determination, conclusions from the clinical evaluation review, and a summary of any FSCAs or safety-related corrections. Critically, the PSUR is linked directly to the Summary of Safety and Clinical Performance (SSCP) for implantable and Class III devices.


What Manufacturers Must Actually Track: A Practical Data Inventory

This is the section most articles skip. Regulatory obligations are only as valuable as the data collection systems behind them. Here is a comprehensive inventory of what your PMS system must actively monitor:

1. Complaint and Adverse Event Data

  • All customer complaints, regardless of whether they are deemed reportable
  • Serious injuries and deaths associated with device use
  • Near-miss events and close calls reported by users
  • Trend data: complaint rate per units sold or per period

2. Vigilance and Field Safety Data

  • All Field Safety Corrective Actions (FSCAs) issued by your organization
  • Competitor FSCAs and recalls for similar device types
  • Regulatory authority safety alerts and hazard notices globally
  • EUDAMED vigilance module submissions and outcomes

3. Clinical and Literature Data

  • Systematic literature searches (at defined intervals — annually recommended for higher-risk devices)
  • Clinical registries and real-world evidence studies
  • Post-market clinical follow-up (PMCF) study results
  • Published case reports involving your device type

4. User and Customer Experience Data

  • Field service and repair reports
  • Sales force and distributor feedback
  • Customer satisfaction data from surveys or service visits
  • Training records indicating device misuse patterns

5. Manufacturing and Supply Chain Data

  • Nonconforming product rates and trends
  • Sterilization batch release data (for sterile devices)
  • Shelf-life and stability monitoring results
  • Supplier quality events with potential market impact

6. Regulatory Intelligence

  • New or revised standards (ISO, IEC, EN) relevant to your device
  • New guidance documents from FDA, EMA, or national competent authorities
  • Changes to harmonized standard lists
  • Updates to EUDAMED device registration requirements

ISO 13485 vs. EU MDR: Key Differences at a Glance

| Dimension | ISO 13485:2016 | EU MDR 2017/745 |
|---|---|---|
| Legal force | Voluntary standard (often contractually required) | Mandatory regulation for EU market access |
| PMS trigger | Clause 8.2.1 feedback procedure | Articles 83–86, Annex III |
| Required output | Documented feedback procedure + CAPA linkage | PMSR (Class I) or PSUR (Class IIa–III) |
| Update frequency | Not specified; risk-based | Annually (Class IIb/III) or every 2 years (Class IIa) |
| Clinical evaluation link | Referenced via risk management | Explicit; PMCF required where applicable |
| Reporting format | Flexible, QMS-defined | Structured; defined content requirements in Annex III |
| Competent authority access | On request to certification body | On request to national competent authority; EUDAMED |
| SSCP linkage | Not applicable | Required for implantable and Class III devices |
| Scope of data sources | Broadly defined | Explicitly enumerated in Article 83(3) |

Integrating PMS with Risk Management (ISO 14971)

One of the most important — and most frequently misunderstood — requirements is the bidirectional link between PMS and risk management. ISO 13485 clause 8.2.1 explicitly references the risk management process. ISO 14971:2019 clause 10.2 requires that information arising from production and post-production activities be fed back into the risk management file.

EU MDR reinforces this in Article 83(3)(c): post-market data must be used to update the benefit-risk determination documented in the clinical evaluation.

In practice, this means:

  1. Every FSCA or complaint trend should trigger a review of the relevant risk control measures in your risk management file.
  2. New literature evidence about hazards or clinical performance should be assessed against existing risk estimates.
  3. PMCF data that reveals previously unquantified risks must result in updates to the risk management plan.

The PMS-risk management feedback loop is the mechanism by which a device's safety profile is kept current throughout its entire market lifetime. A device approved in 2018 with a static risk file is not compliant with either ISO 14971:2019 or EU MDR.


Post-Market Clinical Follow-Up (PMCF): The Clinical Arm of PMS

Under EU MDR, PMS has a dedicated clinical arm: Post-Market Clinical Follow-Up (PMCF). Required for most Class IIa, IIb, and Class III devices, PMCF must be described in a PMCF Plan (Annex XIV, Part B) and executed through:

  • PMCF studies (interventional or observational)
  • Analysis of clinical registries
  • Systematic literature reviews with clinical focus
  • Structured user surveys with clinical endpoints

PMCF results feed directly into the Clinical Evaluation Report (CER), creating the closed loop that EU MDR demands. If your PMCF plan simply states "literature review to be performed" without defined search parameters, databases, intervals, and acceptance criteria, it will not satisfy a notified body review.

According to MDCG guidance 2020-7, PMCF activities must be defined in the plan before market placement, not initiated reactively after a safety signal emerges. This is a paradigm shift from MDD-era practice.


Building a PMS Program That Actually Works: Practical Steps

Having built PMS programs for manufacturers ranging from startup med-tech companies to multinational device corporations, here is the framework I recommend:

Step 1: Map Your Data Sources

Identify every channel through which post-market data can enter your organization: complaint hotlines, service technicians, distributors, sales teams, literature alerts, regulatory news services. Assign an owner to each channel.

Step 2: Create Device-Specific PMS Plans

Write a PMS Plan for each device or device group. Include threshold values for triggering trend analysis and escalation. Reference your risk management file and clinical evaluation document within the plan.

Step 3: Establish a PMS Review Schedule

For EU MDR compliance, lock in your PSUR and PMCF review cycles. Build them into your management review agenda (ISO 13485 clause 5.6) so they are never missed.

Step 4: Build the CAPA Bridge

Establish a formal procedure for routing PMS findings to your CAPA system. Not every finding needs a CAPA, but the decision to open or not open a CAPA must be documented and justified.

Step 5: Train Your Extended Team

Your sales force, field service engineers, and distributors are your first line of post-market intelligence. Train them on what constitutes a complaint, a serious incident, or a performance concern — and make reporting easy.

Step 6: Audit Your PMS Annually

Include PMS effectiveness as an internal audit topic. Ask: Is the data we're collecting actually changing anything? Are our risk files and clinical evaluations being updated in response to PMS findings?


Common PMS Audit Findings — and How to Avoid Them

Based on my experience conducting readiness assessments and supporting 200+ clients through certification, here are the most common PMS non-conformities:

| Finding | Root Cause | Prevention |
|---|---|---|
| Generic PMS Plan not device-specific | Template overreliance | Customize plan per device class and risk profile |
| No linkage between PMS data and risk file | Siloed QMS | Procedure requires risk file review after each PMS cycle |
| PSUR not updated on schedule | Ownership unclear | Assign PSUR owner; add to management review calendar |
| Literature searches not documented | Informal process | Use structured search protocol with database, terms, and date log |
| Complaints not trended | Reactive-only system | Monthly trending report; statistical thresholds defined in PMS Plan |
| PMCF plan lacks specific methods | Placeholder language used | Reference MDCG 2020-7; define search strings and acceptance criteria |

Frequently Asked Questions About Post-Market Surveillance

Does ISO 13485 certification guarantee EU MDR PMS compliance?

No. ISO 13485 certification demonstrates that a quality management system is in place, but it does not verify compliance with EU MDR's specific PMS output requirements (PSURs, PMCFs, SSCPs). Manufacturers targeting the EU market must address both frameworks.

What is the difference between a PMSR and a PSUR?

A Post-Market Surveillance Report (PMSR) is required for Class I devices and is a summary of PMS conclusions. A Periodic Safety Update Report (PSUR) is required for Class IIa, IIb, and III devices, and contains significantly more content including benefit-risk determination, clinical evaluation updates, and statistical analysis of safety and performance data.

How often must a PSUR be updated under EU MDR?

PSURs for Class IIb and Class III devices must be updated at least annually. PSURs for Class IIa devices must be updated at least every two years. These are minimum frequencies — devices with active safety signals may require more frequent updates.

Can distributors or importers fulfill PMS obligations on behalf of manufacturers?

No. Under EU MDR Article 83, PMS obligations rest with the manufacturer. Distributors and importers have separate obligations (Articles 13 and 14), including forwarding complaints and vigilance information to the manufacturer, but they do not own or fulfill the manufacturer's PMS system.

What is the role of EUDAMED in post-market surveillance?

EUDAMED, the European database on medical devices, is the central platform for vigilance reporting under EU MDR. Manufacturers must register serious incidents and FSCAs through EUDAMED's vigilance module. The database also provides trend data that competent authorities use to monitor market safety at the population level.


The Bottom Line: PMS Is a Product Lifecycle Obligation

Post-market surveillance is not something you complete at launch. It is an ongoing obligation that runs for the entire commercial life of your device — and in some cases, beyond. The data you collect must be real, the analysis must be documented, and the conclusions must drive action.

The manufacturers who treat PMS as a living clinical and quality tool — rather than a compliance burden — are the ones who identify safety signals early, avoid costly recalls, and sail through notified body reviews.

If your current PMS program was built under MDD-era assumptions or has not been reviewed since your initial ISO 13485 certification, it almost certainly needs updating. The regulatory landscape has fundamentally changed, and the expectations of both notified bodies and national competent authorities have risen significantly.

At Certify Consulting, I work with medical device manufacturers at every stage — from PMS plan development to full EU MDR technical documentation readiness. With a 100% first-time audit pass rate across 200+ clients, the approach works.


For more on building a compliant EU MDR technical documentation package, see our guide on Clinical Evaluation Reports under EU MDR and our overview of ISO 13485:2016 clause-by-clause requirements.




Jared Clark

Principal Consultant, Certify Consulting

Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.