Guest Column | December 15, 2020

Risk-Based Postmarket Surveillance (PMS) In The Age Of EU MDR: A Systems Approach

By Jayet Moon, author of the book Foundations of Quality Risk Management

As the central focus of the EU’s Medical Device Regulations (MDR), postmarket surveillance (PMS) and its related processes and subsystems have been in the limelight since 2017. This four-part series, using a fresh perspective, takes a bottom-up approach to PMS and starts by elaborating on the state of the art on the incident investigations in Part 1. “Investigations” are the basic iota of the PMS system upon which all further analysis, synthesis, and decision-making is based. With clarity on this most fundamental unit of PMS, a systems approach to both EU MDR and PMS are explored in Part 2. Successful implementation of an effective EU MDR-compliant PMS requires a systems approach which requires appreciation of not only the organizational context within which PMS operates but also the knowledge management as it relates to PMS generated data, information, knowledge, and wisdom. Part 3 will focus on the bedrock of EU MDR: the risk management system. It not only explores the interfaces between risk management and PMS but also discusses the postmarket aspects of risk surveillance and their accomplishments. Part 4 will detail an important upcoming topic with relevance going beyond EU MDR. Risk-based incident trending for postmarket signal detection is quickly becoming an expectation from most regulatory agencies and EU MDR is one of the first regulations to expressly document this requirement. The regulation asks for a methodology to gauge “statistically significant increases” in a certain subset of postmarket incidents. This article details salient features of any such method such that any chosen tool can act as a postmarket risk monitor and, if used right, can also convert the lagging indicator of complaints and incidents into a leading key risk indicator. Key risk indicators can help establish preemptive preventive actions before benefit-risk profile can be adversely impacted.

In Part 2 of this series, let’s take a macro view of PMS. Why is EU MDR different and, for some companies, difficult? A reason is that it is asking us for a systems approach, not linear processes. It’s asking us to not only define processes but also to define systems interfaces. It’s asking us to transfer information and analysis across systems to ensure the most accurate picture of device risk and benefit can be obtained.

Do not mistake process for a system. A system is qualitatively different than a process. Systems are made up of components that may or may not have direct input–output links among them. W.E. Deming, the American engineer, statistician, professor, and author, defined a system as a network of interdependent components that work together to try to accomplish the aim of the system.

Figure 1: System hierarchy of PMS.

There are various spaghetti diagrams that show tortuous connections between PMS Plans (PMSP), Periodic Safety Update Reports (PSUR), Clinical Evaluation Reports (CER), Postmarket Clinical Follow-ups (PMCF), Summaries of Safety and Clinical Performance (SSCP), technical documents, Clinical Evaluation Plans (CEP), Benefit-Risk Analyses (BRA), etc. Looking at these activities as “documents” with inputs from certain other documents is good for making flowcharts. However, to really make sense of these, one must look at them from systems standpoint:

  1. How and at what point(s) does your PMS subsystem interface with the risk management subsystem and its various processes?
  2. How and at what point(s) does your PMS subsystem interface with the clinical and/or medical affairs subsystem and its various processes?
  3. How and at what point(s) does your PMS subsystem interface with other relevant subsystems per your organizational context and its various processes?
  4. How does information flow? How does data flow? How does knowledge flow? How does wisdom flow?
  5. How is information converted to knowledge and wisdom? (i.e., How are incidents aggregated, analyzed, trended, and fed into the risk management file and benefit-risk analysis?)

TIR 20416:2020 specifically identifies six functions that interface with PMS processes:

  1. Design and Development: PMS data can provide input toward design changes of existing devices based on safety and quality of design features (e.g., failure rates attributed to design). PMS data can also be used to inform new product development projects for similar devices so that quality, risk avoidance, and reliability can be introduced by design in early stages.
  2. Clinical Evaluations: PMS data forms an integral part of the device’s safety and performance conclusions. PMS is a rich data source that can supplement and complement the knowledge gained from clinical investigations of the device and help the manufacturer reach more accurate conclusions about benefit-risk.
  3. Activities to Meet Regulatory Requirements: Vigilance reporting should have a smooth and efficient interface with other PMS functions, notably complaint intake, clinical trials/investigations, and postmarket incident trending. In addition, new premarket approvals and technical document updates also require analysis and summarization of PMS data.
  4. Improvement: PMS data should be linked actively to the corrective and preventive actions (CAPA) and other improvement vehicles not only to fix issues with device performance but also to capitalize on opportunities to expand on intended use, indications for use, or processes (logistics, training, etc.).
  5. Marketing and Sales: More decisions to award large contracts are being informed by postmarket data analysis. Clear, concise, and well-explained postmarket safety and performance analysis can become a great tool for advertisement of device performance. If the PMS function truly works well, the device marketability will keep becoming more and more attractive as the benefit-risk ratio improves.
  6. Risk Management: Part 3 in this article series will focus on risk management.

All of the PMS processes are generating data, either continually or intermittently. Staff members from processes and subsystems within the organization that interface with PMS (e.g., the six listed above) are expecting a level of analysis on PMS data for their own decision-making purposes. There needs to be a high level of knowledge management from the PMS function to make sure that any organizational, strategic, or operational objectives tied to PMS data and its analysis are met without confusion or last-minute work.

PMS knowledge management is a proactive, cross-functional process that includes holistic planning, checking, action, and standardization of creation, usage, sharing, and maintenance of organizational PMS data. TIR 20416:2020 identifies some sources of PMS data as:

  1. Complaints (including malfunction and adverse events)
  2. Device maintenance/refurbishing/repair records
  3. Device installation records
  4. Analysis of returned device (with or without an associated complaint event)
  5. Device explants
  6. Medical device registries and publicly accessible databases (e.g., MAUDE, DAEN, MedSun, EUDAMED)
  7. Clinical follow-up studies
  8. Advisory notices
  9. Scientific literature
  10. Social and public media
  11. Benchmarking data from conferences and tradeshows
  12. Audits
  13. Market surveillance (e.g., competitor research, customer preference surveys, patient group experiences, training programs, user feedback, etc.)

Data sources can be classified as active or passive sources, and a good PMS data collection system should use a combination of the two. If the manufacturer suo moto engages stakeholders and interested parties to provide information regarding the device or to gain information about the use of the device, it’s an active source. If the manufacturer receives data on safety and performance of the device from the stakeholders, it’s a passive source. A systems approach to data management recommends using a framework like one shown in Figure 2 below.

Figure 2: Knowledge management framework.

Knowledge management goes beyond simple data management. It is intelligent systems-level management of all knowledge processes, which include data collection and organization, summarization and analysis, and eventual synthesis for decision-making purposes. PMS knowledge management is a feedback loop not unlike Plan–Do–Check–Act (PDCA), as shown in Figure 2 above, in which the creators and customers of data, information, and knowledge continually refine the workflow to give rise to efficiencies and remove redundancies whereby, the best decisions regarding device safety and performance can be made.

In conclusion, a systems approach to PMS gives due consideration to process interfaces with other organizational functions and knowledge management. It would not only make compliance to EU MDR easy but also make the organizational processes much more effective and efficient in terms of decision-making, information exchange, and risk response.


The author thanks the following two colleagues for input:

  • Angelina Hakim, founder and CEO of Qunique, a quality and regulatory consultancy based in the European Union
  • Veronica Cavendish-Stephens, vice president of quality and risk management of Auchincloss-Stephens, a global firm specializing in quality risk management solutions.

About The Author

Jayet Moon earned a master’s degree in biomedical engineering from Drexel University in Philadelphia and is a Project Management Institute (PMI)-Certified Risk Management Professional (PMI-RMP). Jayet is also a Chartered Quality Professional in the UK (CQP-MCQI). He is also an Enterprise Risk Management Certified Professional (ERMCP) and a Risk Management Society (RIMS)-Certified Risk Management Professional (RIMS-CRMP). He is a doctoral candidate at Texas Tech University in systems and engineering management. His new book, Foundations of Quality Risk Management, was recently released by ASQ Quality Press. He holds ASQ CQE, CQSP, and CQIA certifications.