Postmarket Surveillance and Vigilance: Making Risk-based Decisions


Miss Part One of this series on
Risk Management? Read it here: 
The Science of Minimizing Uncertainties


Metal-on-metal hip implants represent a timely example of why concerns about device safety have increased. The metal-on-metal design was supposedly more durable than metal-on-plastic hips, which have a tendency to wear down over time. Companies marketed these products based on the success of engineering-focused tests and surgeons and patients clamored to use “the next big thing.” After the products were launched, registry data from Australia and the U.K. reported observations of cobalt entering patients’ bloodstreams as a result of metal shavings, leading to complications and a high rate of revision. These reports were largely ignored, and the hips remained on the market for another eighteen months in Australia and even longer in the United States, before huge recalls—and lawsuits—made headlines around the world. Catastrophes like this could potentially be avoided with better postmarket surveillance. The problems in this case stemmed not from a lack of postmarket data, but rather from the lack of a consistent approach to collecting  and analyzing data with sufficient medical input.

Cohen, Deborah. “Out of Joint: The Story of the ASR (articular surface replacement),” British Medical Journal 2011; 342:d2905 (Published 14 May 2011) – Post Market Surveillance and Medical Devices, as seen in MD&DI, February 2012, By: Stephen Rothenberg, J.D. and Matt Levy, J.D.

Your Quality Management System (QMS) must have a process in place to capture customer and regulatory feedback and record market trends, to regularly monitor data and have an ongoing process of review/risk assessment. Medical device risk management is not a one-time project. It is an ongoing process of review and risk assessment throughout the life of the device. The overarching idea is to improve quality and safety controls, even after the device is in the commercialized arena of the user … even after you have moved on to your next design and development project.

According to the International Medical Device Regulators Forum (IMDRF, formerly the Global Harmonization Task Force or GHTF), postmarket surveillance is defined as “the pro-active collection of information on quality, safety or performance of Medical Devices after they have been placed on the market.” Conversely, vigilance refers to incidents that can occur with medical devices when they do not perform as intended, thereby leading, in the worst case, to injury or death.

The Risk Management Process is Ongoing
The first step in implementing an effective medical device risk management process is to perform a full risk assessment. This consists of two parts: risk analysis and risk evaluation. It should be noted that this applies to all phases of the device lifecycle, including planning/product realization, design and development, purchasing, service and change control.

After you have performed a comprehensive medical device risk assessment and evaluation and made internal decisions concerning the acceptability of those risks, you must now create a plan of attack for monitoring and controlling those identified risks. The collection of medical device postmarket surveillance data can include customer concerns (feedback) and complaints, control of non-conforming devices, corrective and preventive actions, postmarket surveillance, servicing, customer surveys, supplier performance and the scope, extent and quantity of changes. Finely-tuned procedures should identify how the collected data is reviewed, investigated, analyzed and trended and, as mentioned previously, identify the frequency with which this is performed. The individuals who report and review this data must be trained and competent so as to preclude obtaining skewed trends and alarming statistical anomalies.

These procedures that generally explain how the data is collected and analyzed often include measurement and analysis, management review meetings, risk management, the use of a formal Quality Review Board (QRB), regulatory searches, the extent of vigilance activities and, if you are a worldwide company, data extracted from foreign search engines. This process, quite simply, will explain how the feedback gathered from using these procedures is analyzed and evaluated, identify the frequency for evaluation and reporting and describe how this postmarket surveillance data is used to re-evaluate the risk of the medical device.

Feedback is analyzed and determinations are made whether corrective and preventive action (CAPA) needs to be taken to fix the issues, through product re-design or manufacturing changes, revised product labeling or user training, etc. Feedback and data also need to be evaluated to determine whether regulatory action such as Medical Device Reporting (FDA), Medical Device Vigilance Reporting (EU), advisory notices, recalls and other actions are needed. Product and process risks can never be totally eliminated. One of the key requirements of ISO 14971 is to manage the risk of the product throughout its entire lifecycle. This includes managing process risks, as well. Your risk management procedure should be openly connected to your postmarket surveillance procedure and the requirement of the European Medical Device Directive (93/42/EEC).


Postmarket surveillance of medical devices (or post-production monitoring as described in ISO 14971) should include:

  • Determining whether changes must be made to the original medical device risk assessment
  • A systematic process to evaluate product (not just customer complaints)
  • Inclusion of objective evidence in the risk management file
  • Evaluation of any new hazards and appropriate action toward resolution
  • Determining whether there have been changes in the acceptability of risks as originally defined
  • Inclusion of feedback and revisions of risk assessment/management as necessary

FDA, Competent Authorities and Notified Bodies are placing more emphasis on ensuring that manufacturers have implemented and maintain a postmarket surveillance process. The concept of postmarket surveillance is aligned with the New Approach Directives, but also by the updated ISO Quality Management and Risk Management Standards and FDA’s Quality System Regulation.

Medical device postmarket surveillance is not just regulatory-driven, but should also be considered as good business practice. It helps the manufacturer to obtain an understanding of the performance of the device once placed on the market and provides continuous feedback that enables manufacturers to maintain a high standard of product quality and consumer satisfaction. It also helps to minimize exposure arising from incidents through effective warning and product recall processes and procedures.

Risk as a Baseline for Decision Making
ISO 14971:2012 sets a formal process for dealing with risk and focuses on how your company can produce safer products. ISO 14971 defines risk as the “combination of the probability of occurrence of harm and the severity of that harm.” Risk management for medical devices is “the systematic application of management policies, procedures and practices, to the tasks of analyzing, evaluating, monitoring and controlling risk.” Clause 7 under Product Realization of ISO 13485:2012 makes reference to ISO 14971 to use as guidance for medical device risk management. It should be noted that the “As Low as Reasonably Possible (ALARP)” approach is no longer accepted and neither Notified Bodies, FDA or medical device manufacturers (yes, you!) should consider a risk as acceptable with regards to economic considerations. Risk reduction “As Far As Possible (AFAP)” applies, instead. Additionally, all risks—regardless of their initial risk level—need to be individually reduced as far as possible and balanced against the expected benefits throughout the life cycle of the medical device. Postmarket surveillance is one aspect of the AFAP that makes this quest to reduce risk on an ongoing basis more plausible. Consequently, the risk reduction should be performed regardless of the cost of the risk reduction measures. Companies that take the process seriously will potentially gain the rewards of fewer defects, increased user safety and, in some cases, reduced risk of a lawsuit. Postmarket surveillance and vigilance (sustained attention) are key tools in this process of managing risk in the open market.

Monitoring risk is an important part of the risk management process. Medical device companies need to ensure that they have processes in place to capture customer feedback (through inquiries, complaints, market studies, focus groups, servicing, etc.). More importantly, you need to trend and review that data on a periodic basis. The results of the risk management process should be reviewed frequently to take into account new knowledge and user experience. Once a quality risk management process has been initiated, that process should continue to be utilized for events that might impact the original quality risk management decision, whether these events are planned (e.g., results of product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall, complaints, adverse events, etc.). The frequency of any review should be based upon the level of risk and the intended use of the medical devices under scrutiny. At the very least, this should be done semi-annually at the formal management review meeting. However, to have an effective process, this should be performed more frequently (monthly, quarterly, etc.), depending on the quantity and type of feedback being received.


Responsibility for Success – Quality Review Board
The responsibility of postmarket surveillance for medical devices is assigned to Competent Authorities, Custom
Officials, Notified Bodies, Manufacturers, Authorized Representatives, Importers/Distributors and Users. From a manufacturer’s standpoint, an effective postmarket surveillance process monitors the performance of the entire range of actual devices under all actual usage conditions. The manufacturer must ensure that the assumptions and verifications applied during the product development process were accurate and remain so throughout the total product lifecycle.

The QRB approach ensures that a viable channel remains open and is procedurally defined in terms of addressing, e.g. postmarket surveillance data and process inputs. This QRB procedure addresses the processes and resources necessary for resolving and determining various stages of disposition for alleged, higher risk defective products and quality system-related compliance issues. This QRB will identify and track corrections, corrective or preventive actions to be taken on behalf of this postmarket focus.

The QRB is a conduit for information that is generated concerning product and process-related issues throughout the life of the medical device and the processes supporting same. The QRB meets when there is a necessity to resolve or redirect issues of alleged, higher risk subjects such as postmarket surveillance activities.

Important Facets of One Approach
Postmarket Surveillance subjects addressed by the QRB should at least include:

  • Individual occurrences and recurrences with alleged high risk for already shipped devices
  • Trended occurrences and recurrences from patient care data
  • Non-Conforming product
  • Clinical studies by your company and competitors
  • Audit findings generated by your ISO Registrar
  • Customer complaints
  • Service reports for a suspected connection to a complaint to a medical device reporting opportunity
  • Improvement opportunities
  • Customer feedback, worldwide
  • Revised regulatory requirements having a possible impact on your devices and process controls
  • Returned products and ensuing investigations
  • Regulatory activities such as recalls, FDA 483, warning letters, re-submissions of premarket notifications, addendums to premarket approvals, etc.
  • Post-commercialization trends, adverse events that could represent the filing of an MDR (Medical Device Report) or MDV (Medical Device Vigilance)
  • Possible re-design opportunities because of realized defectives in the marketplace
  • Remedial actions concerning field reports about your devices or the competition
  • Hazard analysis adjustments and mitigation challenges
  • Human factors that could lead back into the design controls area for devices
  • Decisions concerning the lifetime of the medical device (stability, reliability, shelf-life, product failures, etc.)

It is important to note the following points when approaching the task of putting an overarching surveillance process in place at your company:

  • An adverse episode with a medical device is an unexpected event associated with its use. Not all incidents lead to adverse events, but all incidents should be investigated to identify product or use problems.
  • Devices can contribute to adverse outcomes by their complex nature or labeling, unique features and functions or failure to meet your manufacturing specifications.
  • Care should be taken not to depress reporting by assigning blame; remain objective.
  • Most surveillance activities rest with the manufacturer, but the user is the eventual monitor of device performance and reporter of problems encountered in the field.
  • The chance of discovering device problems increases with the number of devices in use. Therefore, it is recommended to be connected to an international database, which will maximize the effectiveness of postmarket surveillance.
  • Complaints are an early indication of potential problems, and they should not be ignored. Proper investigation may lead to the discovery of more serious problems. It is essential to include the user in the investigation.
  • User errors can be minimized through design and incorporating human factor principles and user experience into the mix.
  • Post-surveillance activities are not measured in qualitative terms but, in fact, using quantitative results as part of the decision making process.

Postmarket surveillance and vigilance is necessary to ensure that medical devices in use continue to be safe and effective. Because of the worldwide increase in the use of medical devices, the ability to access coordinated and analyzed global postmarket surveillance/vigilance data would greatly improve your efforts concerning surveillance and vigilance activities.

Miss Part One of this series on Risk Management? Read it here: The Science of Minimizing Uncertainties

John Gagliardi has had success over the past 43 years in the Medical Device and Pharmaceutical industries because of his practical approach to process-orientation and business. He has been actively involved in research and development, quality assurance, training, operations, process architecture, FDA inspections and regulatory affairs. John specializes in building systems in a compliant and business-ready manner. John can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

MidWest Process Innovation, LLC
www.midwestprocessinnovation.com