QA/RA Consulting, Auditing & Training


Let's get started

ISO/TR 20416: Best Practices for Medical Device Postmarket Surveillance

How do I define a PMS objective? What postmarket data needs to be collected? How do I analyze it? What’s the connection to other QMS processes such as risk management?

As many QA/RA practitioners know all too well, these questions are not well addressed in ISO 13485:2016 and ISO 14971:2019. The goal of this technical report (it’s not a full standard) is to share best practices on how to interpret the general postmarket requirements of the European Medical Device Regulation (MDR), ISO 13485 and ISO 14971.


Relationship of ISO/TR 20416 to the EU MDR, ISO 13485, and ISO 14971

The best way to think about the relationship between these documents is to use the Great British Bake Off show as an analogy. The hosts (in this case the European MDR, ISO 13485, and ISO 14971) tell you to make and bake a lemon chiffon cake, but they don’t give you the recipe. ISO/TR 20416 contains the recipe, so you can think of it as a cookbook of sorts. In fact, two-thirds of the report are dedicated to providing examples of data sources (Annex A), data analysis methods (Annex B) and PMS plans (Annex C).

Let’s dive in.


How to Create the Framework of Your Medical Device Postmarket Surveillance (PMS) Plan?

Section 5 of ISO/TR 20416 provides helpful advice on how to outline and develop a postmarket surveillance plan. That’s a welcome relief, because you certainly won’t find much helpful advice in Articles 83-85 and Annex III of the EU MDR. According to this technical report (and common sense), here are six areas that should form the backbone of any medical device PMS plan.


1. Scope of the PMS Plan

The extent of scoping really depends on the complexity of the device. Normally you want the scope to include the medical device type or the family, its lifecycle stage in relation to state of the art, regulatory classification(s) and countries where it is sold. You should also include the expected lifetime of the device or the expected frequency of use plus basic information on intended use and safety/performance data.

2. Objective of the Plan

Not sure how to formulate an objective without it sounding like a toothless cliché? Don’t worry; this one flummoxes many people. The point of setting up a PMS plan is to provide a mechanism for minimizing medical device risk and monitoring use during the public phases of its lifecycle. There are a wide range of questions you can seek to address that will help you formulate robust and meaningful objectives. Section 5.3 of ISO/TR 20416 provides a great start. Here are example objectives taken from Annex C:

The objective of a post-market surveillance plan for a radiation therapy system is to maintain product compliance, improve the radiation therapy system and gather actual (clinical) evidence. In particular:

  • to maintain currency of the benefit-risk determination and to update the risk management documentation;
  • to evaluate the generally acknowledged state of the art;
  • to maintain currency of the design and development and manufacturing information, the instructions for use, the labelling, training and servicing activities;
  • to maintain currency of the clinical evaluation e.g. regarding residual risk of treatment in pediatrics related to radiation dose;
  • to generate and submit regulatory reports on trends, clinical evidence and radiation and transport safety;
  • to identify needs for preventive, corrective or field safety corrective action;
  • to identify options to improve the usability, performance and safety of the system;
  • to detect and report trends such as on clinical safety, (long-term) performance, reliability, use and misuse.
3. Who Is Responsible?

As you know from ISO 13485:2016, top management is ultimately responsible for defining, assigning, and communicating responsibilities for postmarket surveillance. A PMS team should be cross-functional, drawing in expertise from R&D, regulatory, quality assurance, production, marketing/sales, field service, and other relevant departments. Smaller companies with simpler products may not need that level of resource depth of course. The point here is that you need to make very clear who is responsible for collecting specific pieces of information that will populate your PMS data stream. The best way to do this is to create a matrix that defines the activity, which functions are responsible (don’t use names use functions), and a brief statement of competence needed to collect that data. For example, if your production department is responsible for the collection of wait for it production data, they need to understand manufacturing methodologies and production of nonconformance processes.

4. Data Sources

We could write a book on this topic, but it would likely put you to sleep by chapter 2. But seriously, how much PMS data is enough, and where do you get it? Ultimately it is your responsibility to determine and document the sources of information you use for postmarket surveillance data and the frequency of collection. Among other things you’ll want to consider your analysis methods, sample sizes, and goals (e.g., to establish cause, explore ideas, etc.). This will all be part of your data collection protocol. Your protocol may also become part of your postmarket clinical follow-up study plan (PMCF). Annex A of ISO/TR 20416 provides a bounty of examples for data sources that can be used for postmarket surveillance including:

  • Complaints, including reported adverse events
  • Maintenance and installation records
  • Returned medical devices
  • Medical device registries
  • PMCF studies
  • User training
  • Advisory notices
  • Scientific literature
  • Market surveillance activities by regulatory authorities
  • Public databases
  • Social and public media
  • Medical device distribution and tracking
  • Product quality information
  • Internal audits and more!

Sources of data can be both proactive and reactive. Proactive sources may include surveys, interviews of users, literature searches, or the use of medical device registries. Reactive sources may include a review of complaint data, service maintenance reports, or regulatory compliance notifications.

Also, as you collect historical data over a long period of time, make sure that the time span is appropriate with the current state of the art. For instance, if you are making a blood glucose meter that connects to a smartphone, is data from 10 years ago relevant’ Software changes quickly; scalpels do not.
5. How to Analyze All That Data

You’ve identified sources of data. Now what? Well, as part of your plan, you’ll need to consider the proper way(s) to analyze it. Section 5.6.2 of ISO/TR 20416 offers this advice:

It should be determined, which parameters are analyzed and what are the respective reference values (e.g. batches, sub-batches, total number of medical devices manufactured, hours/frequency of use, number of medical devices in-use, patient populations, if more than one exists). As an example, the down time (parameter) of an electric medical device can be compared with its hours of use (reference value).

Your chosen analysis methods will depend on the type of raw data collected. Naturally, qualitative data from customers is analyzed differently from quantitative reports in a scientific publication. The point is that you need to associate an analysis method with each source of data. If Poisson distribution and Pareto analysis gets you excited, don’t miss Annex B.

6. Reporting on Data Analysis

The output of all of this analysis will be a report (remember: considered as quality records) which should answer all the questions contained in your postmarket surveillance plan and provide evidence that you are meeting your stated objectives. Generally, your postmarket surveillance report should contain the following:

  • Summary
  • Background information on the medical device
  • Overview of the postmarket surveillance data you have gathered
  • References to the sources of the original data
  • Your analysis and evaluation of that data
  • Your recommendations for any actions that should be taken
  • Conclusions on benefit-risk determination


Review of the Postmarket Surveillance Plan

One perk of being a regulatory professional is that your job is never done. Yeah job security! Risk can be controlled through many means, but never eliminated. With that in mind, ISO/TR 20416 points out that your plan must include defined timeframes for reviewing PMS data, which is proportionate to the risk of the device, intended use, and other factors. But there’s more to it than simply reviewing what already exists. You should also step back and look it holistically. Are the data sources still appropriate’ Is that data adequate? Does it address the objectives of the plan’ Is the data useful for risk management, product improvement, communicating to regulatory authorities, or as input to future design and development activities? These are all factors you should consider when summarizing changes you plan to make for the next period.


How Your Medical Device PMS Efforts Connect to Other QMS Processes?

Your postmarket surveillance plan does not exist in a vacuum. Your PMS efforts will inform several other processes, including the following:

Risk management

Your postmarket data can be used to verify the frequency of occurence and severity of harm or identify new or changing risks.

Clinical evaluation

Your clinical evaluation report (CER) should be updated with information you gather. For example, postmarket data you gather can be used to confirm and maintain the benefit-risk determination.

Activities to meet regulatory requirements

There are a variety of applications here. For instance, you may use your data in reporting adverse events or trends to regulators or to update your technical documentation.

Product improvement

Postmarket data you gather can be used to support recommended improvements to your medical device for its intended use.

Marketing and sales

PMS data also includes data from end users that may be very useful and interesting to people in your sales/marketing departments.


Is ISO/TR 20416:2020 Required?

No. That’s the technically correct answer. The real life answer is that you can think of standards and technical reports such as ISO/TR 20416 the same way you think about software end user license agreements: you’re not required to click the accept button, but is it really a choice? While you can forge your own path with PMS compliance, your next Notified Body auditor will likely trot out ISO/TR 20416 as their reference guide. Thus, you are advised to enthusiastically click the mental accept button.


Want to Learn More?

Oriel STAT A MATRIX offers a variety of training classes on medical device QA/RA compliance. If you want to learn more about Postmarket Surveillance and how to apply ISO/TR 20416, register for our new PMS class. Our consulting team is also available to assist with all aspects of EU and FDA compliance.

Our team is here to help. Contact us online
Get answers right now. Call

US OfficeWashington DC


EU OfficeCork, Ireland

+353 21 212 8530