A Guide to Post-market Surveillance for Medical Devices in the EU, UK and US

The PIP scandal, in which faulty breast implants injured thousands of women around the world, served as a powerful reminder of the need for robust oversight of medical devices. In response, global regulatory authorities have increasingly mandated that developers take a proactive role in monitoring their products once they are on the market. This proactive approach is known as Post-Market Surveillance (PMS).

This blog explores the current PMS requirements in three regional regulatory regimes.

• European Union (EU): the Medical Device Regulation (MDR), fully applicable since May 26, 2021, and the In Vitro Diagnostic Regulation (IVDR ), fully applicable since May 26, 2022.
• United Kingdom (UK): the new regulatory framework for PMS effective from June 16, 2025 which are part of the UK's Medical Device Regulations (MDR).
• United States (US): the Food and Drug Administration’s (FDA) PMS requirements, set out in the updated Quality Management System Regulation (QMSR), which takes effect on February 2, 2026.

For many medical device companies operating in the US and Europe, understanding and complying with all three systems has become critical for ensuring both business success and contributing to a new era of proactive thinking around patient safety.

What is post-market surveillance (PMS)?

At its core, post-market surveillance is a systematic process where manufacturers proactively collect and review data about their devices to manage and mitigate potential risks to patients.

A robust PMS system includes several key components designed to monitor a device's performance over its lifetime:

• Active data collection: Going beyond complaint handling to proactively gather data that indicates potential risks based on patient observations, feedback from healthcare professionals, and insights from scientific literature.
• Trend analysis: Analysing collected data to identify emerging safety signals or performance issues before they escalate into serious incidents.
• Preventive action: Using the insights gained to implement necessary corrective and preventive actions (CAPA) to mitigate risk management.

What is PMCF?

Post-market clinical follow-up (PMCF): As a specialised part of PMS, PMCF is a continuous process that proactively collects and evaluates clinical data from a device's use in practice. 

The goal is to confirm the safety and performance of a device throughout its lifetime, ensuring the continued acceptability of the benefit-risk ratio. For devices with valid data, a scientific justification may be provided for why PMCF is not applicable.

Shared principles, different paths

While the EU, UK, and USA all share a common foundational commitment to patient safety, their approaches to PMS differ significantly in practice. 

Accommodating these differences, while retaining complete oversight and control of all your PMS data, demands a well-structured and highly flexible eQMS.

What is the definition of a serious incident?

In the EU MDR and IVDR

A "serious incident" is defined as any incident that directly or indirectly led, might have led, or might lead to: death; temporary or permanent serious deterioration in a person's state of health; or a serious public health threat. The specific reporting obligation depends on the severity: 10 calendar days for death or unanticipated serious deterioration, and 2 calendar days for a serious public health threat. All other serious incidents must be reported within 15 calendar days. A general incident maybe a complaint about a non-serious conformity that requires resolution and tracking but not reporting.

In the UK MHRA regulation

The UK's new regulations expand the definition of serious events to include a wider range of occurrences, such as side effects that have a negative health impact. Manufacturers must report an incident if their device is suspected to be a contributory cause of death or a serious deterioration in health, even if no harm occurred due to a pre-use check. The reporting timelines have been aligned to be 10, 10, and 2 calendar days for death, deterioration, and public health threats, respectively. All other serious incidents must be reported within 15 days. Non-serious incidents, arising from non-conformities should be dealt with and documented internally.

In the FDA QMSR

The FDA’s system is primarily event-driven. A "reportable event" is defined as a death, a serious injury, or a device malfunction that would be likely to cause or contribute to a death or serious injury if the malfunction were to recur. Manufacturers must file a Medical Device Report (MDR) within 30 days of becoming aware of such an event. But in cases where the event requires remedial action to prevent an unreasonable public health risk, a 5-day report is required.

General PMS data gathering and reporting requirements

Beyond alert and investigation timelines, the content and nature of routinely, required reports also vary. This underscores the need for a sophisticated QMS to help you manage multiple workflows.

What the EU MDR and IVDR requires

The EU’s system is based on structured, routine reporting. It is distinct because it requires comprehensive, routine reports on all devices.

For example, a high-risk device requires a Periodic Safety Update Report (PSUR) at least annually, which includes a comprehensive benefit-risk analysis, the main findings of any PMCF, and an overview of all incidents and trends. 

The EU also requires medical device manufacturers to report Field Safety Corrective Actions (FSCAs), which are communicated to users via a Field Safety Notice (FSN). This is a key part of PMS activities.

What the UK MHRA requires

The new UK medical devices regulations which came into effect in 2025, introduced a whole new set of PMS obligations for those selling devices into the UK market.

The UK PMS regulation represents a landmark reform for device safety. As Lawrence Tallon, Chief Executive of the MHRA, stated when the regulatory overhaul came into effect: 

“By strengthening oversight of devices once they’re in use and setting clearer expectations for manufacturers, these new regulations provide a robust framework for identifying risks earlier and responding to protect patients.” 

He added: 

“This represents an important milestone in our work in building a modern, responsive regulatory system – one that puts patient safety first, while also supporting innovation in life sciences and medical technologies across the UK.” 

The MHRA’s system requires not only serious incident reports but also mandatory trend reports and periodic summary reports (PMSRs). These are specifically designed to help the MHRA "spot patterns in data and intervene earlier" when things go wrong.

The PMS reports (PMSR/PSUR) for the UK must include an assessment of the device's performance on the market, a description of any corrective actions taken, and an overview of data from outside the UK, including competitor devices. Manufacturers are also under a strict obligation to provide essential communications, like Field Safety Notices, for MHRA review before sharing them with users.

What the US FDA requires

The FDA's reporting system is primarily event-driven through its Medical Device Reporting (MDR) program. 

Medical device manufacturers are mandated to file an MDR only when a specific, reportable event occurs. While the FDA encourages voluntary reporting, it does not require the same routine PMS reports as the EU and UK for all devices.

However, for certain high-risk devices, the FDA can issue a 522 Order, which mandates a specific post-market surveillance study and the submission of routine progress reports. Additionally, medical device manufacturers of certain Class II and all Class III devices are required to submit annual reports on product-related adverse events, manufacturing changes, and updates from literature.

How a modern eQMS can help you respond

For those working in different regulatory regimes, having a flexible electronic Quality Management System (eQMS) is essential. You need the tools to produce required reports at different intervals, with separate triggers for different workflows. But you also need a way of gathering required PMS data and retaining oversight of it all, in ways that work for your business:

• Centralised data and traceability: An  eQMS should provide a single source of truth for all PMS data, from customer complaints to trend reports. This ensures traceability and makes it easier to pull the specific information required by each regulatory authority during an audit.
• Automated workflows and reporting: An eQMS can automate workflows for capturing incidents and managing CAPA. It can also generate the specific reports needed for each region, whether it's an EU PMSR/PSUR or an FDA MDR, ensuring they are correctly formatted and submitted on time.
• Managing regional differences: The best eQMS platforms are designed to handle the nuances of global regulatory compliance. They can track different timelines, manage submissions to separate portals, and segment data to meet region-specific data reporting requirements.

Conclusion

While the core principles of post-market surveillance remain the same, the EU, UK, and USA each have different regulatory requirements. The unique reporting systems and specific regulatory details in each region still necessitate a flexible QMS that can accommodate these nuances. This is essential for a smooth and compliant operation, ensuring that your commitment to patient safety remains at the forefront of your work and that you can maintain market access in all three major markets.

Last updated on 26/08/2025