Post-Market Surveillance That Actually Works (Not Just a Procedure)

Post-Market Surveillance That Actually Works (Not Just a Procedure)

Most post-market surveillance (PMS) systems fail because they collect data but don’t use it. Under ISO 14971, PMS must actively feed risk management, CAPA, and product decisions—not just exist as a documented procedure.

This is one of the biggest gaps auditors and regulators are focusing on today.

The Problem: PMS Systems That Do Nothing

Most companies have a PMS procedure.

It usually includes:

  • Complaint handling
  • Customer feedback
  • Vigilance reporting

On paper, it looks compliant.

In reality, the system is passive.

It collects data—but does not:

  • Trend it properly
  • Feed risk management
  • Trigger meaningful CAPA
  • Drive product improvements

This is where most systems fail.

What ISO 14971 Actually Requires

ISO 14971 requires a continuous feedback loop from production and post-production information into risk management.

This means:

  • Collecting real-world data
  • Evaluating its impact on safety
  • Updating risk assessments
  • Implementing corrective actions where needed

This is not optional—it is part of the core risk management process.

If your PMS system does not feed your risk file, it is not compliant.

If you're already seeing gaps, start here: Fix Your ISO 14971 Risk Management File

The Real Role of PMS (What It Should Be Doing)

A functional PMS system should:

  • Detect emerging risks early
  • Identify trends before they escalate
  • Trigger CAPA when needed
  • Update risk evaluations
  • Feed management review decisions

In other words:

PMS is your early warning system—not just a reporting function.

Where PMS Systems Fail in Practice

1. Data Is Collected But Not Analysed

Companies gather complaints and feedback—but do not trend them effectively.

Missing:

  • Trend analysis
  • Thresholds for action
  • Signal detection

This creates blind spots.

2. No Link to Risk Management

This is the biggest failure.

PMS data should feed directly into:

  • Hazard identification
  • Risk estimation updates
  • Residual risk evaluation

But most systems operate in isolation.

3. CAPA Is Reactive, Not Data-Driven

CAPA is triggered only when problems become obvious.

Instead of:

  • Being driven by trending data

Learn how this should work: ISO 13485 CAPA Requirements Explained

4. No Defined Escalation Criteria

Many PMS systems lack:

  • Clear thresholds for action
  • Defined triggers for CAPA or investigation

This delays response to risk.

5. Weak Integration With QMS

PMS should connect to:

Without this, it becomes a silo.

What Auditors and Regulators Look For

They are not just checking if you have PMS.

They are asking:

  • How do you identify trends?
  • How do you decide when to act?
  • How does PMS feed risk management?
  • What decisions have you made based on PMS data?

If you cannot show real outcomes, your system is weak.

What a High-Performing PMS System Looks Like

A strong PMS system includes:

  • Defined data sources (complaints, feedback, service data)
  • Structured data collection
  • Trend analysis with thresholds
  • Clear escalation rules
  • Integration with CAPA
  • Direct linkage to risk management updates
  • Regular review in management review

This is what regulators expect.

How to Build a PMS System That Actually Works

Step 1: Define Data Inputs

Include:

  • Complaints
  • Customer feedback
  • Service/repair data
  • Field performance data

Step 2: Structure the Data

Standardise how data is captured to enable analysis.

Step 3: Implement Trend Analysis

Define:

  • Metrics
  • Thresholds
  • Alert triggers

Step 4: Link to CAPA

Ensure trends trigger:

  • Investigations
  • Corrective actions

Step 5: Feed Risk Management

This is critical.

Update:

  • Risk estimations
  • Hazard identification
  • Residual risk decisions

Step 6: Review at Management Level

PMS must feed into management review decisions.

This links to:

Management Review Dashboard Kit

Where This Becomes a Regulatory Risk

Weak PMS systems lead to:

  • Delayed issue detection
  • Inadequate risk updates
  • Regulatory non-compliance

This is why regulators are increasing focus on PMS globally.

Tools to Fix PMS Properly

If your PMS system is already weak, this is the fastest path to remediation: Fix ISO 13485 Audit Findings

The Commercial Reality

PMS is not just a compliance requirement.

It is:

  • A risk control mechanism
  • A product improvement driver
  • A regulatory safeguard

Companies that treat it as paperwork fall behind.

Final Takeaway

If your PMS system only collects data, it is not working.

If it drives decisions, updates risk, and triggers action—it is compliant.

That is the difference auditors are looking for.

Back to blog

Leave a comment

About ISO Cloud Consulting

Structured, regulator-aligned guidance for medical-device teams building ISO 13485 systems, MDR/FDA documentation, PMS/Vigilance frameworks, and validated digital QMS environments.

Learn More About ISO Cloud Consulting

Featured Blog Posts

  • Blog post

    Give your customers a summary of your blog post

    Blog post

    Give your customers a summary of your blog post

  • Blog post

    Give your customers a summary of your blog post

    Blog post

    Give your customers a summary of your blog post

  • Blog post

    Give your customers a summary of your blog post

    Blog post

    Give your customers a summary of your blog post

1 3
Ultra-clean white–blue regulatory workspace with structured binders labeled Document Control, Risk Management, Supplier Lifecycle, Training & Competence. Faint ISO 13485 documents layered in background. Crisp clinical lighting, no people.

Need a Fully Structured, Audit-Ready QMS?

Implement ISO 13485, MDR, FDA QMSR, and complete documentation systems with validated workflows and regulator-aligned templates.

Contact Us Today