MDR Post-Market Surveillance: The Ultimate Guide

Okay, you managed the ISO 13485 certification, walked through endless discussions with your notified body and finally you can put the CE sticker on your medical device and conquer the world! Congratulations.

The MDR made sure that this love story continues by introducing the concept of “post-market surveillance” and as the name implies you need to monitor your medical device’s performance and safety. You also need to get information from “the field” or in other words from the users or patients.

Regulatory background

Let’s start with the most important regulatory references. The MDR, Chapter VII introduces a PMS system (Article 83), a PMS Plan (Article 84) and two kinds of reports: the PMS Report (Article 85) and the periodic safety update report (Article 86). More detailed information on the PMS plan is provided in Annex III – Technical Documentation on PMS. Luckily the MDCG guidance 2022-21 provides us with a template for the periodic safety update report (PSUR).

The MDR provides no detailed information on specific PMS activities like trending (Article 88) or how to set up a survey. Therefore, I recommend you get a cup of coffee and read a copy of the ISO/TR 20416 Guidance on PMS for medical device manufacturers. This PMS playbook provides you with more background on PMS concepts, explains data collection methods and even provides some examples! Alternatively, you can read our article on trending.

What is the concept of post-market surveillance?

The MDR introduces two surveillance systems. The first is the more “reactive” PMS-system explained in Annex III and in the MDR articles mentioned above. The second system is the “pro-active” Post-Market Clinical Follow-up (PMCF) described in Annex XIV of the MDR.

Imagine you have a secured facility with two guards. The first guard sits in the warm surveillance room, stares at screens, answers alerts and waits for the telephone to ring. That is the PMS system. The second guard has a flashlight and a gun and walks through your facility on his search and destroy mission. That is the PMCF system.

Part I – The PMS system: Process, Plan & Report(s)

Let’s start with the guard in the surveillance room. Annex III and Chapter VII of the MDR require you to implement a PMS system, or in other words an SOP for your QMS. You could use our QMS procedure as a template. The SOP describes the systematic analysis of data generated by the use of your device in the field. Subsequently you will evaluate this information and update some documents (e.g. clinical evaluation and risk management).

Following the PMS SOP you will draw up a plan covering the different channels of PMS data input. You also need to explain how you evaluate the data and what you will do with the results. Take a look at our PMS plan template.

The PMS plan covers basically three activities.

1. Assessment of feedback

The PMS plan forces you to document and evaluate all incoming feedback about your device. You need to cluster this information and distinguish serious incidents from non-serious incidents.

Examples of serious incidents:

  • Malfunction of an Implantable Device: A pacemaker or an insulin pump malfunctions, resulting in irregular heartbeats or incorrect insulin dosage, potentially leading to severe health complications or even death.
  • Defective Surgical Instrument: A surgical instrument breaks during a procedure, causing injury to the patient or delaying critical surgery, which can result in complications such as infection or prolonged recovery time.
  • Software Error in a Monitoring Device: Glucose monitoring software fails to provide accurate readings for a patient with diabetes, leading to incorrect insulin dosing and subsequent hypoglycemia or hyperglycemia.

Describe the incidents; reference all incident reports, field safety corrective actions, field safety notices, and the influence on the risk-benefit evaluation. Demonstrate that you learned from the incident and explain how this safety gap has been closed.

Examples of non-serious incidents:

  • Temporary Sensor Error in a Blood Pressure Monitor: A blood pressure monitor temporarily displays an error message due to incorrect positioning of the cuff, but it quickly resolves after repositioning, without causing any harm to the patient.
  • Temporary Loss of Connectivity in a Wireless Monitoring System: A temporary loss of connectivity occurs between a patient’s wearable device and the monitoring system, resulting in a brief interruption in data transmission. However, the issue resolved automatically without affecting patient care.
  • Minor Cosmetic Damage to a Mobility Aid: A wheelchair sustains minor cosmetic damage during transportation, such as a scratch on its frame, which does not affect its functionality or compromise patient safety.

The same procedure applies to non-serious incidents: you investigate what happened, and you may open a CAPA, improve or change your device. In the end, these non-serious incidents are a valuable dataset for the trend analysis (see Article 88).

2. Trend Analysis

Trending tools can help you identify potential incidents or dangerous situations before they happen. The MDR requires you to document all non-serious incidents and run a statistical analysis to identify trends. We published an article on how to do the trending with some very basic methods. No statistician required. I highly recommend reading the ISO/TR 20416 Guidance on PMS for medical device manufacturers. The technical report includes more background information and some useful examples.

3. Databases and registries

The third PMS activity is to screen databases and registries. For example, you search the SOUP (software of unknown provenance) incident report database to identify and close cybersecurity risks. You also search technical, specialist and regulatory literature. Identify the relevant ISO standards that apply to you and check for updates. Search for applicable product-related common specifications published by the European Commission.

What’s next?

Okay, you read all these publications, your technical documentation is up to date. Now what? Well, now you go out there and see if other manufacturers screwed up. That means you ask your marketing department to send you a list of competitor devices with the same intended purpose and the same principle of operation. You pick one or two from that list and define them as “similar devices”. They are similar to your device with respect to the basic functionality. Every jurisdiction and most of the EU member states have their own database filled with case reports, field safety notices and other reports on what went terribly wrong in the past. Here is a brief list of the most important databases out there:

  • Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM) – German recall and incident database
  • Medicines and Healthcare products Regulatory Agency (MHRA) – British database on recalls and safety information
  • SwissMedic – As the name implies, this is the database for Switzerland
  • Manufacturer and User Facility Device Experience (MAUDE) – FDA’s database for incidents

Now you search for similar devices and analyze what went wrong and whether these cases apply to you too. For example, if a serious cybersecurity breach has been reported with a similar device, you check if your device might be affected too. If so: close the gap, document your activities and update your technical documentation and risk management if necessary. If not: awesome, document the search and move on.

PMS Report vs. Periodic Safety Update Report vs. SSCP

The PMS plan outlined what you want to search and how you analyze data about your device’s performance in the field and similar devices. Now it’s time to write a report about that. What shall we call the report? Intuitively, I would call it PMS Report but that would be too easy. The content, the name and the update cycle of the report depend on the risk class. There are three kinds of reports. Here is the comprehensive overview:

Risk class | Report type | Update cycle | Regulatory reference
Class I | PMS Report | When necessary | MDR Article 85
Class IIa | Periodic safety update report (PSUR) | When necessary, at least every 2 years | MDR Article 86
Class IIb | Periodic safety update report (PSUR) | At least annually | MDR Article 86
Class III | Periodic safety update report (PSUR) and Summary of safety and clinical performance (SSCP) | At least annually | MDR Article 86, Article 32

For Class I devices, summarize the activities of the above-mentioned plan in the PMS Report. Add a summary of the safety-related CAPAs if applicable. For all other risk classes you need to set up the Periodic Safety Update Report (PSUR). This document includes additional requirements and forces you to document more stuff. You will also need to:

  a. Summarize the conclusion of the risk-benefit assessment,
  b. Summarize the main findings of the PMCF activities (see below), and
  c. Summarize the sales volume and the usage frequency.

Last but not least, think about the next PMS plan and whether you want to change your surveillance strategy. Maybe you pick another similar device or search another database. Check out our template for the PSUR. In case you set up the PMS Report for your Class I device, you can modify our template and erase the parts that are not applicable.

What is the SSCP?

What is better than one report? Exactly, more reports.

If you manufacture Class III or implantable devices you need to create a Summary of Safety and Clinical Performance (SSCP). The background information can be found in Article 32 of the MDR. The report shall be written in a way that is clear to the intended user and, if relevant, to the patient and shall be made available to the public via Eudamed. Summarize the clinical evaluation and data from PMCF activities in the SSCP. Luckily the MDCG published the Guidance 2019-9 and provides us with a template for the SSCP.


Create an SOP for your QMS, set up a PMS plan for each device in your portfolio, collect the data over the surveillance period and summarize the surveillance data in a report. Update the report based on the risk classification.

The most important articles of the MDR that you need to know are listed below:

In addition I recommend reading the guidance documents:

  • MDCG 2019-9 SSCP A guide for manufacturers and notified bodies
  • MDCG 2022-21 PSUR Template and concepts
  • MDCG 2023-3 Vigilance terms and concepts
  • ISO/TR 20416 Medical devices: Post-market surveillance for manufacturers

Part II – The PMCF system

Now we come to the more interesting part, the post-market clinical follow-up activities. The basic idea is that you pro-actively collect information from the field about your device. Annex XIV Part B describes the PMCF plan. The respective PMCF process is part of your SOP Clinical Evaluation. Sounds confusing in the beginning but think of the PMCF activities as the trigger to update the Clinical Evaluation Report (CER) with fresh data. The PMS system and the PMS plan reference the PMCF activities and the PMCF plan. Our SOP Clinical Evaluation covers the PMCF activities. This graphic illustrates the big picture:

The figure illustrates the reactive and proactive collection of data. Note that the PMCF Evaluation Report can be part of the CER. We will focus on that later. The centerpiece of the technical documentation is the CER. You can see how the different processes are interconnected and that data from the clinical evaluation and the field (PMS) serve as input to the risk management and the usability engineering.

The PMCF Plan

Annex XIV describes the content of the PMCF plan. The MDCG 2020-07 provides you with a template, as do we on our website. You will need to describe your device and describe and justify the methods of data collection. The PMCF universe knows general and specific methods.

1. General methods

General methods include gathering of clinical experience, feedback from users, screening of scientific literature and of other sources of clinical data (whatever that means). The bare minimum is to include your literature search protocol from the CER and to update the literature evaluation. If you are super fancy you can consider a small survey among the users of your device. Address safety and performance parameters and try to identify new risks or off-label use. The results of the survey will provide real world data about the number of usages of the device and they can provide valuable input to product development and improvement. What auditors don’t like to see are survey questions like “Do you like to use our software?” Set the focus on safety and performance characteristics.

2. Specific methods

The specific methods include the evaluation of suitable registers or PMCF studies. The MDR is often vague and does not explain the term “suitable register”. However, a PMCF study is basically the follow-up of an initial pre-market clinical study. Be careful with these as they produce more work for you than a survey or a database search. Check out our PMCF Plan Template for more examples and a structure.

In the last part of the PMCF Plan you will describe the search for equivalent devices. Read MDCG 2020-05 and MDCG 2023-07 for more information about the concept of equivalence. It is highly unlikely that you can claim equivalence but we left the option for you in the template.

Last but not least describe the surveillance period and make sure that the PMCF update period aligns with the CER update.

PMCF Evaluation Report

Now comes the tricky part. You can follow the template described in the MDCG 2020-08 and start a separate PMCF evaluation report. That sounds a bit like double documentation and it will become very confusing in the long run. Remember the figure above: The PMCF Evaluation Report can be part of the CER and it updates the clinical evaluation. Therefore, I recommend you to add the PMCF data in separate chapters of the CER and update the literature accordingly. You will save time, energy and you will end up with a more comprehensive document.

Unlike the PMS Report/PSUR, there are no explicit update cycles for PMCF activities and the update of the CER. However, according to Article 61 (11) the clinical evaluation and its documentation shall be updated throughout the life cycle of the device with data from the post-market surveillance plan. For class III devices and implantable devices, the PMCF evaluation report is updated at least annually. Therefore, I would argue that the same update cycles as for the PMS apply. In addition, it makes sense to align the surveillance periods to ensure consistent documentation. Slightly outdated information can be found in the Guideline MEDDEV 2.7/1 rev 4 Clinical Evaluation: A guide for Manufacturers and Notified Bodies under the MDD. Chapter 6.2.3 is a bit vague but highlights that the CER is updated when PMS data has the potential to change the risk-benefit evaluation. If no such information is received, then

  • at least annually if the device carries significant risks or is not yet well established; or
  • every 2 to 5 years if the device is not expected to carry significant risks and is well established, a justification should be provided.

Risk class | Report type | Update cycle | Regulatory reference
Class I | PMCF Evaluation Report (can be part of the CER) | When necessary, at least every 2 – 5 years | MEDDEV 2.7/1 rev 4
Class IIa | PMCF Evaluation Report (can be part of the CER) | When necessary, at least every 2 – 5 years | MEDDEV 2.7/1 rev 4
Class IIb | PMCF Evaluation Report (can be part of the CER) | When necessary, at least every 2 – 5 years | MEDDEV 2.7/1 rev 4
Class III | PMCF Evaluation Report (can be part of the CER) | At least annually | Article 61 (11)


You need a process covering the PMCF activities; put them under the roof of the SOP clinical evaluation. Set up a plan and choose your methods wisely. Summarize the surveillance period in the CER.

The most important articles of the MDR that you need to know are listed below:

  • Annex XIV, Part B Post-Market Clinical Follow up

In addition I recommend reading the guidance documents:

  • MDCG 2020-07 PMCF Plan Template
  • MDCG 2020-08 PMCF Evaluation Report Template
  • ISO/TR 20416 Medical devices: Post-market surveillance for manufacturers
  • MEDDEV 2.7/1 rev 4 Clinical Evaluation: A guide for Manufacturers and Notified Bodies under the MDD
