Post-Market Surveillance for Biotech-Adjacent Devices and Tests

PostedJune 27, 2025

ByIuliia Gorshkova

Post-market surveillance (PMS) is not a discrete project or a periodic audit; it is a continuous, risk-based system that begins only after a device is placed on the market and persists until the end of its lifecycle. For in vitro diagnostic devices (IVDs) and devices that sit adjacent to biotech workflows—such as sample preparation instruments, liquid handling robotics, or laboratory information management systems (LIMS) that materially influence diagnostic decisions—the obligations under the EU regulatory framework are both technical and cultural. They require a shift from reactive complaint processing to proactive data collection, statistical analysis, and timely intervention. The European regulatory landscape, anchored by the Medical Devices Regulation (MDR) and the In Vitro Diagnostic Medical Devices Regulation (IVDR), demands that manufacturers demonstrate not just initial safety and performance, but continued assurance in real-world use.

This article explains the practical implementation of PMS obligations for IVDs and biotech-adjacent devices. It distinguishes EU-level requirements from national enforcement nuances, outlines the interplay between vigilance, complaint handling, trend reporting, and corrective actions, and offers a practitioner’s view on how to operationalize these obligations across complex laboratory ecosystems. The focus is on what must be done, when, and why—grounded in the regulatory text and the expectations of notified bodies and competent authorities.

Regulatory Foundations: MDR, IVDR, and the Logic of Continuous Assurance

The MDR (Regulation (EU) 2017/745) and IVDR (Regulation (EU) 2017/746) reposition PMS from a compliance checkbox to a central pillar of patient safety and device performance. Both regulations require manufacturers to establish, document, and implement a PMS system that is proportionate to the device’s class and risk profile. The outputs of this system feed into the Periodic Safety Update Report (PSUR) for higher-class devices and into the Summary of Safety and Clinical Performance (SSCP) for certain classes under the IVDR. The regulations also mandate vigilance procedures for serious incidents and field safety corrective actions (FSCA), alongside trend reporting for non-serious but statistically significant patterns.

At the EU level, the core obligations are harmonized. In practice, however, competent authorities (CAs) retain discretion in enforcement practices, inspection focus, and timelines for reporting. For example, while the regulation sets the clock for reporting serious incidents (e.g., within 15 days for serious public health threats, or without delay for life-threatening incidents), national authorities may interpret “without delay” strictly and expect same-day notification in extreme cases. Manufacturers should therefore adopt conservative internal service levels and ensure their vigilance workflows can meet the most stringent practical expectations across multiple member states.

Scope and Applicability to IVDs and Biotech-Adjacent Devices

IVDs fall squarely under the IVDR, with classification rules that determine PMS depth (e.g., Class D, C, B, A). Devices used in biotech workflows that are not IVDs but are integral to diagnostic processes—such as certain robotic sample processors or specialized incubators—may fall under the MDR if they are medical devices, or under other regimes if they are general lab equipment. The critical determinant is the intended purpose and whether the device is used in a medical context or influences a diagnostic outcome. If a device is marketed with a medical purpose or is essential to the performance of an IVD, it likely falls within the scope of the MDR/IVDR and the associated PMS obligations.

Software that supports diagnostic workflows (e.g., LIMS, middleware, or AI-driven image analysis) may be regulated as a medical device if its intended purpose includes diagnosis or monitoring. In such cases, the PMS system must account for software-specific risks, including cybersecurity, data integrity, and algorithmic drift. Even when not regulated as a medical device, such systems can be part of the broader laboratory ecosystem that manufacturers must consider when assessing real-world performance and potential causes of incidents.

Building a PMS System That Works in Practice

A compliant PMS system is a structured set of activities, resources, and responsibilities that enables continuous collection and analysis of data. It is not a standalone procedure but an integrated part of the quality management system (QMS). The manufacturer must define the scope, frequency, and methods for data collection, and assign accountable roles. The system should be capable of detecting early signals of deteriorating performance, emerging risks, or usability issues in diverse laboratory settings.

PMS Plan and Data Sources

At the heart of the system is the PMS plan, which outlines the methods and metrics for proactive surveillance. For IVDs and biotech-adjacent devices, relevant data sources typically include:

Complaints and customer feedback: From laboratories, hospitals, and research institutions, including issues related to sample integrity, reagent stability, instrument calibration, and software errors.
Post-market clinical follow-up (PMCF) data: For higher-risk IVDs, ongoing collection of performance data in real-world settings, potentially through targeted studies or registry linkages.
Service and maintenance logs: Instrument error codes, calibration drifts, environmental conditions (temperature, humidity), and consumable lot anomalies.
Supplier and subcontractor data: Critical for reagent stability, packaging integrity, and third-party software components.
Scientific literature and external databases: Signals of new interferences, genetic variants affecting assay performance, or emerging pathogens impacting test sensitivity.
Cybersecurity monitoring: For connected devices, vulnerability disclosures, patch status, and incident attempts.

The PMS plan should specify how these sources are accessed, how data is aggregated, and which statistical methods are used to detect trends. It must be a living document, updated when new risks are identified or when the device’s use context changes (e.g., deployment in home testing or decentralized labs).

Roles, Competence, and Escalation

Effective PMS requires clear accountability. The Person Responsible for Regulatory Affairs (PRRC) plays a central role in ensuring compliance, but operational execution typically involves Quality, Regulatory, Pharmacovigilance (for devices with medicinal components), Service, and IT teams. For IVDs, the Qualified Person (QP) for batch release may be relevant where manufacturing controls are involved. The PMS system must define escalation criteria, timeframes for investigation, and interfaces with the Notified Body (NB) and CAs. In cross-border supply chains, manufacturers should establish a single point of contact for vigilance across member states to avoid inconsistent reporting.

Vigilance: Serious Incidents and Field Safety Corrective Actions

Vigilance is the most time-sensitive part of PMS. It focuses on serious incidents and field safety corrective actions (FSCA). A serious incident is any event that led to or could have led to death, serious deterioration in health, or a serious public health threat. For IVDs, this includes situations where a test result is materially wrong and could lead to inappropriate clinical decisions (e.g., false-negative oncology results, false-positive infectious disease results), or where sample contamination or mix-ups occur due to device failure.

Reporting Timelines and Content

The regulations set strict reporting timelines:

Serious public health threats: Report within 15 days.
Death or life-threatening incidents: Report without delay, no later than 10 days.
Other serious incidents: Report within 15 days.

Manufacturers must also submit an initial report followed by a final report with root cause analysis and corrective actions. The content must include device identification, use context, sequence of events, and preliminary risk assessment. For IVDs, it is critical to specify the clinical context (e.g., screening vs. confirmatory testing) and the potential impact on patient management pathways.

“Without delay” is interpreted by many CAs as immediate notification, often within 24 hours of confirming the seriousness of the incident. Manufacturers should have a 24/7 intake capability and a clear triage protocol.

Field Safety Corrective Actions (FSCA)

When a systemic risk requires action beyond individual incident management—such as a recall, firmware update, or labeling change—the manufacturer must initiate an FSCA. This includes drafting a Field Safety Notice (FSN) and submitting it to CAs and, where relevant, to the NB. The FSN must be clear, targeted, and practical for laboratory staff to execute. For IVDs, FSCAs often involve reagent lot withdrawals, instrument recalibration procedures, or software patches that correct algorithmic thresholds. Distribution lists must include all affected customers, including distributors and end-users in different member states.

Coordination across national authorities is essential. Some CAs may require additional language versions of FSNs or specific communication channels. Manufacturers should maintain a harmonized FSN template and a process for rapid translation and validation by local regulatory staff.

Complaint Handling: From Intake to Investigation

Complaint handling is the backbone of incident detection. Under MDR/IVDR, manufacturers must document and investigate complaints, including those related to device deficiencies that did not cause serious harm but indicate potential risks. The process must be traceable, timely, and risk-based. For IVDs, complaints often concern:

Reagent stability or lot variability affecting assay performance.
Instrument calibration drifts leading to out-of-range results.
Software errors causing data loss or misclassification.
Usability issues in high-throughput labs leading to sample mix-ups.

Complaints should be triaged using objective criteria, with clear definitions for “major” vs. “minor” complaints. Investigations must include device history, environmental conditions, and, where applicable, laboratory SOPs. For complex biotech workflows, it is often necessary to engage field service engineers and technical specialists to reproduce the issue. The outcome of each investigation—whether it leads to a corrective and preventive action (CAPA), a design change, or updates to instructions for use (IFU)—must be documented and linked back to the PMS data analysis.

Customer Feedback Beyond Formal Complaints

Not all relevant signals arrive as formal complaints. Informal feedback from lab managers, proficiency testing schemes, or user forums can indicate emerging issues. Manufacturers should establish channels to capture this “soft” intelligence and integrate it into the PMS analysis. For example, consistent reports of increased hands-on time for a new IVD instrument may signal a usability problem that could lead to errors under time pressure.

Trend Reporting: Detecting Patterns Before They Become Incidents

Trend reporting is a proactive requirement. Manufacturers must monitor complaint data and other metrics for statistically significant increases in the frequency or severity of incidents. The threshold and method for trend detection should be defined in the PMS plan and may include statistical process control (SPC) techniques, such as control charts, or more advanced analytics for high-volume data.

For IVDs, typical trend indicators include:

Increasing rates of calibration failures for a specific instrument model.
Lot-related performance drifts in reagents across multiple sites.
Software error codes clustering around a specific update version.
Usability-related sample mix-ups in high-throughput environments.

When a trend meets predefined thresholds, the manufacturer must report it to the NB and CAs, typically as part of the PSUR or via a dedicated notification. The report should include the analytical method used, the data period, the significance level, and the proposed mitigation. Even if the incidents are not serious, trend reporting demonstrates that the PMS system is functioning and that risks are being managed proactively.

Periodic Safety Update Reports (PSURs) and Summary of Safety and Performance (SSCP)

For Class III devices and implantable devices under MDR, and for Class C and D IVDs under IVDR, manufacturers must prepare a PSUR at least annually. The PSUR consolidates PMS data, including benefit-risk analysis, conclusions on safety, and proposed actions. It is reviewed by the NB as part of surveillance. For certain IVDs under IVDR, an SSCP is also required and made publicly available via EUDAMED. The SSCP summarizes safety and performance data in a format accessible to healthcare professionals and, increasingly, patients.

From a practical standpoint, the PSUR should not be a narrative summary; it must be data-driven. It should include:

Quantitative metrics on complaints, incidents, and trends.
Analysis of PMCF data or real-world performance studies.
Updates on risk management files and residual risks.
Justification for the benefit-risk profile, considering intended purpose and alternative diagnostics.
Actions taken or planned, with timelines and responsibilities.

Manufacturers often underestimate the effort required to compile PSURs. A robust PMS data infrastructure—ideally integrated with QMS and complaint management systems—can automate much of the data aggregation, leaving analysts to focus on interpretation and risk assessment.

Corrective and Preventive Actions (CAPA): Closing the Loop

CAPA is the mechanism by which PMS findings lead to tangible improvements. Under MDR/IVDR, manufacturers must implement appropriate corrective actions to address identified nonconformities and risks, and preventive actions to reduce the likelihood of recurrence. Actions must be proportionate to the risk and may include:

Design changes to improve robustness or usability.
Software patches or algorithm recalibration.
Updates to IFU, training materials, or labeling.
Changes to manufacturing or supplier controls.
Enhanced service protocols or remote monitoring.

Crucially, CAPA effectiveness must be verified. This means defining metrics and timelines for post-action surveillance to confirm that the risk has been reduced to an acceptable level. For IVDs, effectiveness checks might involve monitoring calibration failure rates after a firmware update or tracking lot rejection rates after supplier process improvements. The results should be documented and fed back into the PMS analysis.

Interplay with Risk Management and Clinical Evaluation

PMS is not isolated from risk management and clinical evaluation. The Risk Management File (RMF) must be updated with new information from PMS, and the Clinical Evaluation Report (CER) must reflect ongoing evidence of safety and performance. For IVDs, clinical evaluation often centers on analytical and clinical performance characteristics (sensitivity, specificity, predictive values) rather than therapeutic benefit. PMS provides the real-world data to validate these characteristics across diverse populations and settings.

When PMS identifies new risks or performance drifts, manufacturers must revisit the RMF, update risk controls, and, if necessary, initiate a new PMCF study or targeted data collection. This iterative loop ensures that the device’s benefit-risk profile remains current and defensible.

Software, Connectivity, and Cybersecurity Considerations

Many modern IVDs and biotech-adjacent devices are software-driven and networked. This introduces unique PMS challenges:

Algorithmic drift: Performance may degrade over time due to changes in sample types, reagent formulations, or user practices. Continuous monitoring of algorithm outputs against reference methods is essential.
Software updates: Even minor updates can affect performance. Manufacturers must maintain version control, regression testing, and clear communication of changes to users.
Cybersecurity: Vulnerabilities can lead to data integrity breaches or device malfunction. PMS must include monitoring of vulnerability databases, patch deployment rates, and incident attempts. For regulated devices, cybersecurity incidents can be serious incidents if they compromise diagnostic integrity.
Cloud and third-party services: When devices rely on external platforms, manufacturers must ensure contractual obligations for monitoring and incident reporting align with MDR/IVDR timelines.

For IVDs that use AI or machine learning, PMS should include plans for monitoring model performance, detecting bias, and managing updates. The regulatory expectation is that any change that could affect safety or performance is validated and communicated, and that users are informed of limitations and residual risks.

Practical Implementation Across European Countries

While the MDR and IVDR are directly applicable across the EU, national competent authorities have different enforcement styles and priorities. Manufacturers should anticipate variability in:

Inspection focus: Some CAs emphasize complaint handling and trend analysis; others prioritize vigilance reporting and FSCA execution.
Language requirements: FSNs and IFUs may need to be available in multiple languages to reach all end-users effectively.
Data access expectations: Some authorities may request access to raw PMS data during inspections, while others focus on aggregated reports.
Coordination mechanisms: In cases involving multiple member states, the lead CA (often where the manufacturer has its registered place of business in the EU) coordinates, but local CAs may issue specific requirements.

To manage this variability, manufacturers should establish a European PMS playbook that includes:

Standard operating procedures for vigilance intake and reporting, with conservative timelines.
Templates for initial and final reports, FSNs, and trend notifications.
A matrix of national language and communication requirements.

AI in Education: Fundamentals & Tools

Understanding AI Basics

Practical AI Tools for Educators

Integrating AI into Teaching

Case Studies & Success Stories

Ethical AI & Inclusive Practices

Ethical & Legal Frameworks for AI Systems

Equity & Inclusion

Transparency & Trust

Algorithmic Bias, Discrimination & Legal Risk

AI Errors, Accountability & Legal Responsibility

Institutional AI Governance & Policy Design

AI, Security & GDPR Compliance

Data Protection & Privacy

Cybersecurity in AI

EU Regulations & Policies

Engaging Parents & Guardians

Data Protection, Privacy & AI Governance

Additional Resources

Glossary of Terms

Templates & Guides

Webinars & Research

AI for Administrative & Pedagogical Support

AI for Time Management

AI in Student Performance Tracking

AI for Automated Communication

AI for Document Management

AI, Robotics & Biotech Regulation in Europe

EU AI Act Explained: Scope, Risk Levels, Obligations

AI-Enabled Products: Robots, Medical Software, Smart Devices

Machinery Regulation & Safety Standards for Intelligent Systems

AI in Healthcare & Biotech: MDR, IVDR, EMA

Liability & Responsibility for AI-Driven Systems

Compliance in Practice: From Risk Assessment to CE Marking

Country-Specific AI Regulation & Enforcement

How EU AI Law Is Applied at National Level

Different Compliance Models

National AI Sandboxes & Regulatory Experiments

Public Sector AI Rules Across Europe

Cross-Border AI Deployment Challenges

When National Law Overrides EU Guidance

Legal Cases, Enforcement & Real-World Precedents

AI Act, GDPR & Algorithmic Decision-Making Cases

Liability Disputes Involving Automated Systems

Robotics Accidents & Legal Responsibility

Medical & Biotech AI Failures: Lessons Learned

What Enforcement Trends Tell Us About Future Regulation