---
title: How to Demonstrate Continuous Compliance Through Effective PMS
description: Continuous compliance under MDR is demonstrated through PMS records that auditors can trace end to end. Here is how to make it visible.
authors: Tibor Zechmeister, Felix Lenhard
category: Post-Market Surveillance & Vigilance
primary_keyword: demonstrate continuous compliance PMS
canonical_url: https://zechmeister-solutions.com/en/blog/demonstrate-continuous-compliance-pms
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# How to Demonstrate Continuous Compliance Through Effective PMS

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Continuous compliance under MDR is not a state you declare — it is a state you prove, cycle after cycle, through a post-market surveillance system whose records an auditor can trace end to end. Articles 83 to 86 of Regulation (EU) 2017/745 define the obligations; Annex III fixes the plan content; MDCG 2025-10 (December 2025) describes how the system should run in practice. Demonstration lives in the evidence chain that runs from the PMS plan through the data sources, the review records, the risk file updates, the clinical evaluation refresh, and the class-specific PMS Report or PSUR. A system that produces that chain on demand demonstrates continuous compliance. A system that cannot does not, no matter how thick the binder.**

**By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.**

---

## TL;DR

- Continuous compliance under MDR is demonstrated by an evidence chain that an auditor can trace from the PMS plan to the class-specific report without gaps.
- Article 83 of Regulation (EU) 2017/745 requires the PMS system to be planned, established, documented, implemented, maintained, and updated — all six verbs are separate audit questions.
- Annex III, Section 1.1 fixes the mandatory content of the PMS plan; every element in the Annex is a link in the evidence chain.
- The chain closes only when PMS findings are visible in the risk management file under EN ISO 14971:2019 + A11:2021 and the clinical evaluation under Article 61 and Annex XIV Part B.
- MDCG 2025-10 is the current operational guidance notified bodies use to assess whether a PMS system actually runs, not just whether it exists on paper.

---

## Why "continuous" is the word that matters

Compliance under MDR is often described as if it were a point event — a certificate issued, a CE mark granted, a file closed. The Regulation reads differently. Article 83(1) requires a PMS system that is planned, established, documented, implemented, maintained, and updated throughout the lifetime of the device. Article 83(2) requires the system to actively and systematically gather, record, and analyse data on the quality, performance, and safety of the device across its entire lifetime. Lifetime is the operative word. Compliance is not achieved on the day the certificate is issued; it is demonstrated on every day the device remains on the market.

The sleep-monitoring arm strap from [the PMS pillar post](/blog/what-is-post-market-surveillance-mdr) is the quiet case study for this post. The device passed biocompatibility. The file was accepted. The certificate was issued. And then real users, in real conditions, over real weeks, began developing skin irritations that no lab protocol had predicted. The company was compliant on certification day. The question an auditor would ask six months later is a different question entirely: was the company still compliant the week the complaints started, and can you prove it. The only honest answer comes from the PMS evidence chain — the logged complaints, the signed review, the risk-file update, the corrective action. Continuous compliance is that chain. Nothing else demonstrates it.

## What continuous compliance actually means under MDR

Continuous compliance is the state in which, at any point in the device lifetime, the manufacturer can produce records showing that every PMS obligation under Articles 83 to 86 has been met on the correct cadence and that the findings have flowed into the other QMS processes the Regulation connects to.

That definition has four components worth separating.

**Currency.** The PMS records are current against the cadence defined in the plan. A monthly review cadence means the last review is within the last month, not the last quarter. A Class IIb PSUR cadence means the PSUR has been updated within the last year under Article 86. If the cadence is missed, continuous compliance breaks at the moment the gap opened, not at the moment the auditor arrives.

**Coverage.** Every Annex III, Section 1.1 element is addressed in the plan and executed in practice. A plan that addresses nine of the ten elements and silently omits the trend-reporting rule under Article 88 is not a plan in continuous compliance — it is a plan with a permanent open gap.

**Traceability.** Every finding in the PMS records can be traced forward into the documents the Regulation names as recipients of PMS findings — the benefit-risk determination, the risk file, the clinical evaluation, the design and manufacturing information, and the corrective and preventive action system. Article 83(3) lists these recipients directly. If a finding exists and no trace exists, the chain is broken.

**Proportionality.** The depth of every activity matches the risk class and type of device. A Class I non-invasive device with low volume and a Class III implantable do not run the same PMS depth, but both run every layer of the framework. Proportionality is a calibration rule, not an exemption.

A system that holds all four components simultaneously is in continuous compliance. A system missing any one of them is not.

## The audit trail an auditor expects to see

When a notified body lead auditor reviews a PMS system, the question is rarely "do you have a plan." The question is "show me one finding from your last PMS cycle and walk it through the system." That single question tests every layer at once. What the auditor expects to see is a specific sequence of records, each with a date, an owner, and a document reference.

The expected sequence, for any finding worth tracing, runs like this. The finding enters the system through a defined data source — complaint intake, literature monitoring, similar-device review, trend analysis, or PMCF data. The source is one of the elements named in Annex III, Section 1.1. The finding is logged with a timestamp, an owner, and an initial classification. A defined assessment method is applied — the method is named in the plan, not improvised. The assessment produces a conclusion: no action required, further investigation, preventive action, corrective action, or vigilance escalation under Articles 87 to 92. The conclusion is recorded in a signed review record. Where the conclusion triggers a downstream action, the action appears in the relevant document — the risk file, the clinical evaluation, the design file, the IFU, the labelling, or the CAPA log. The class-specific PMS Report under Article 85 or the PSUR under Article 86 reflects the finding and its resolution in the cycle summary.

A competent auditor can walk this sequence in ten minutes. A PMS system in continuous compliance produces the records at every step without the team scrambling. A system that is not in continuous compliance breaks the chain at the weakest link — usually the step between the assessment and the downstream document, where the finding was reviewed but nothing changed anywhere else.

## The evidence chain from PMS plan to PMS report

The evidence chain is the thing that makes continuous compliance demonstrable rather than claimed. Every link is a specific document type required by the Regulation or the plan.

The first link is the PMS plan itself, required by Article 84 and specified by Annex III, Section 1.1. The plan is the contract the rest of the chain is measured against — an auditor comparing records to the plan is measuring execution against the contract the manufacturer wrote.

The second link is the data source records. For each source named in the plan — complaints, literature, similar-device monitoring, user feedback, service records, PMCF data — there is a log with timestamps, content, and owners. The log exists regardless of whether findings emerged. A literature search that returned zero relevant results is still a logged activity with a date, a search string, and a signature.

The third link is the assessment records. For each review cycle defined in the plan, there is a signed record of the review — who attended, what was reviewed, what was concluded, and what actions were assigned. MDCG 2025-10 (December 2025) makes the expectation for documented assessment explicit.

The fourth link is the downstream impact records. For every finding that concluded in an action, the action appears in the document the action belongs to — the risk file if it was a risk change, the clinical evaluation if it was a clinical signal, the CAPA log if it was corrective or preventive, the technical documentation if it was a design or labelling update. Each downstream record references the PMS finding that triggered it. Cross-references are the hinges the chain swings on.

The fifth link is the class-specific output report. For Class I, the PMS Report under Article 85 summarises the cycle's results and conclusions. For Class IIa, IIb, and III, the PSUR under Article 86 summarises results plus the benefit-risk conclusions, the PMCF main findings, and the sales and population data. The report ties every significant finding back to the earlier records in the chain — it is not a standalone summary but a closing document that points backwards at the evidence.

An evidence chain with all five links, on the correct cadence, for every cycle the device has been on the market, is the demonstration of continuous compliance. Nothing shorter demonstrates it.

## Integration with the risk file and the clinical evaluation

Two specific downstream documents carry the weight of continuous compliance more than any others. The risk management file, maintained under EN ISO 14971:2019 + A11:2021, and the clinical evaluation, maintained under MDR Article 61 and Annex XIV Part B, are the living documents the PMS system must keep current. An auditor reviewing these two documents is checking whether the PMS chain actually closes, because if PMS is running but the risk file and the CER are unchanged over the device lifetime, the loop has broken somewhere.

The integration points are specific. Under Article 83(3), PMS findings must be used to update the benefit-risk determination — that update lands in the risk file. Under Article 83(3), PMS findings must be used to update the clinical evaluation — that update lands in the CER. Under Annex III, Section 1.1, the PMS plan must include a PMCF plan or a written justification, and PMCF findings feed the clinical evaluation refresh cycle.

In practice, this means two cross-references the plan must make explicit. The PMS plan names the risk file as the destination for any finding that changes a hazard, an occurrence rate, a severity estimate, or a residual risk. The PMS plan names the clinical evaluation as the destination for any finding that affects clinical performance, clinical safety, or the benefit-risk balance. Both documents, in turn, reference the PMS finding that triggered the update. The auditor can walk the trace in either direction — from PMS into the risk file, or from a risk file update back to the PMS finding.

For the detailed mechanics of the risk file loop, see [risk management file updates driven by PMS](/blog/risk-management-file-pms-updates). For the clinical evaluation loop, see [clinical evaluation update cycles under Article 61](/blog/clinical-evaluation-update-cycles).

## What auditors actually sample

An auditor cannot check every finding. Sampling is the tool the audit uses to test whether the system holds up under inspection. Knowing what is typically sampled is how a startup prepares without guessing.

The first sample is the most recent complete review cycle. The auditor asks for the signed review record, the data sources reviewed, the findings assessed, and the actions assigned. Any gap in that cycle is a finding against Article 83 or Article 84.

The second sample is a specific finding the auditor selects — usually from the complaint log, sometimes from the trend data. The auditor traces the finding forward through assessment, action, and downstream document update. Any broken link is a finding.

The third sample is the class-specific output report under Article 85 or Article 86. The auditor checks the cadence, the content elements, and the traceability of the summary back to the underlying records. A PSUR that summarises complaints but skips benefit-risk conclusions, PMCF main findings, or population data is non-compliant on its face.

The fourth sample is the intended-purpose alignment check. The auditor compares the current marketing materials and website claims to the intended purpose in the technical file. Drift between the two is a signal that PMS is not monitoring what it should, because intended purpose is part of what the PMS system is obligated to track under Article 83's proactive monitoring clause.

The fifth sample is the PMCF activity or the PMCF justification, depending on whether PMCF applies. A PMCF plan that was written and never executed is worse than no PMCF plan at all, because it shows the system knows what it should do and is not doing it.

A startup that can survive all five sample types without scrambling for records is a startup in continuous compliance. A startup that cannot is one audit away from findings.

## Common mistakes that break the chain

Five mistakes come up repeatedly in early-stage PMS work. Each one breaks the evidence chain at a specific link.

**Mistake 1: the plan exists, the reviews do not.** A PMS plan sits in the QMS folder and the monthly review cadence never runs. Continuous compliance breaks at the assessment link.

**Mistake 2: reviews happen, records do not.** The team meets, talks through complaints, agrees on actions, and no signed record is produced. The chain is invisible to the auditor.

**Mistake 3: findings are assessed, actions are not traced.** A review concludes that a hazard needs re-evaluation, and the risk file never gets the update. The chain ends at the assessment link.

**Mistake 4: the class-specific report skips content elements.** A PSUR under Article 86 summarises complaints and omits benefit-risk conclusions or PMCF findings. The report is non-compliant on content, not on cadence.

**Mistake 5: intended purpose drift is never checked.** Marketing updates the website, adds claims, and the PMS system never compares website claims to the authorised intended purpose. The drift becomes a finding at the first audit that checks it.

Every mistake is recoverable if caught before the auditor arrives. Every mistake is a finding if caught during an audit.

## The Subtract to Ship angle

The [Subtract to Ship framework for MDR](/blog/subtract-to-ship-framework-mdr) applied to continuous compliance produces a single test. For every document in the PMS chain, ask: does this document exist because Article 83, 84, 85, 86, Annex III, or MDCG 2025-10 requires it, or does it exist because a template added it. Keep the first category. Cut the second category.

The surprising outcome of running this test is that lean PMS systems are easier to keep in continuous compliance than bloated ones. A lean system has fewer links in the chain, so every link gets attention. A bloated system has dozens of documents nobody maintains, which means the maintenance backlog compounds, which means the chain breaks somewhere every cycle. Subtraction is the friend of continuous compliance, not its enemy. For the lean build pattern, see [how to build a PMS system on a startup budget](/blog/build-pms-system-startup-budget).

## Reality Check — where do you stand?

1. If an auditor asked to walk one finding from your last PMS cycle through the plan, the review, the risk file, and the class-specific report, how long would it take and how many gaps would appear?
2. Is every Annex III, Section 1.1 element covered by a documented activity in the last review cycle?
3. Can you produce a signed review record for every scheduled PMS review in the last twelve months?
4. Does your risk file show at least one update traceable to a PMS finding in the device lifetime, or has nothing changed since pre-market?
5. Does your clinical evaluation reflect PMCF findings collected under your PMCF plan, or is the CER unchanged since certification?
6. Is your Article 85 PMS Report or Article 86 PSUR current against the class-specific cadence?
7. When did you last compare your live marketing claims against the authorised intended purpose in the technical file?
8. For every document in your PMS chain, can you name the specific article, annex, or MDCG 2025-10 section that requires it?

## Frequently Asked Questions

**What does "continuous compliance" mean under MDR?**

Continuous compliance means the manufacturer can demonstrate, at any point in the device lifetime, that every Article 83 to 86 obligation has been met on the correct cadence and that PMS findings have flowed into the risk file, the clinical evaluation, and the other documents named in Article 83(3). It is a state proven by records, not declared by certificates.

**How does an auditor test continuous compliance during a PMS review?**

An auditor samples the most recent review cycle, traces a specific finding from its source through assessment and into downstream documents, checks the class-specific report against Article 85 or Article 86 content and cadence requirements, checks intended-purpose alignment, and reviews PMCF execution or justification. A gap at any sample is a finding.

**What is the single strongest evidence of continuous compliance?**

A signed review record from the most recent cycle, paired with a cross-reference into an updated risk file or clinical evaluation document, is the strongest single artefact. It shows the system ran, produced a finding, and closed the loop.

**Does MDCG 2025-10 define "continuous compliance" explicitly?**

MDCG 2025-10 (December 2025) describes how the PMS system should work in practice, including data collection, assessment, and conclusions, and how PMS interacts with risk management, clinical evaluation, and vigilance. It frames PMS as an ongoing lifecycle activity, which is the operational meaning of continuous compliance even where the phrase is not used as a defined term.

**Is a PMS Report under Article 85 enough to demonstrate continuous compliance for a Class I device?**

The report is the closing document of the chain, not the whole chain. Demonstration requires the plan, the data source logs, the signed review records, the downstream impact records, and the report. The report alone is a summary of work that must already exist in the underlying records.

**What happens if a PMS review cycle is missed?**

Continuous compliance breaks at the missed cycle. The correct response is to document the gap, execute a make-up review that covers the missed period, record the cause, and update the plan or cadence if the gap reveals a capacity problem. Hiding the gap is worse than the gap itself.

## Related reading

- [What is post-market surveillance under MDR?](/blog/what-is-post-market-surveillance-mdr) — the pillar post for this cluster.
- [MDR Articles 83 to 86 — the PMS framework explained](/blog/mdr-articles-83-86-pms-framework) — the article-by-article backbone.
- [The PMS plan under MDR Annex III](/blog/pms-plan-mdr-annex-iii) — the plan content specification.
- [The PMS Report for Class I devices under Article 85](/blog/pms-report-class-i-devices) — the Class I output mechanics.
- [PSUR for Class IIa, IIb, and III devices under MDR](/blog/psur-class-iia-iib-iii) — the higher-class output mechanics.
- [Trend reporting under MDR Article 88](/blog/trend-reporting-mdr-article-88) — the trend-reporting rule the PMS plan operationalises.
- [How to build a PMS system on a startup budget](/blog/build-pms-system-startup-budget) — the lean build that supports continuous compliance.
- [PMS audit readiness for startups](/blog/pms-audit-readiness-startups) — the pre-audit preparation checklist.
- [PMS cycle review records — what good looks like](/blog/pms-cycle-review-records) — the signed record template and content.
- [PMS closing loops — from finding to file update](/blog/pms-closing-loops-finding-to-file) — the downstream action mechanics.
- [The Subtract to Ship framework for MDR compliance](/blog/subtract-to-ship-framework-mdr) — the methodology behind the lean chain test.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 83 (post-market surveillance system of the manufacturer), Article 84 (post-market surveillance plan), Article 85 (post-market surveillance report), Article 86 (periodic safety update report), and Annex III (technical documentation on post-market surveillance). Official Journal L 117, 5.5.2017.
2. MDCG 2025-10 — Guidance on post-market surveillance of medical devices and in vitro diagnostic medical devices. Medical Device Coordination Group, December 2025.
3. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes.
4. EN ISO 14971:2019 + A11:2021 — Medical devices — Application of risk management to medical devices.

---

*This post is part of the Post-Market Surveillance & Vigilance series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Continuous compliance is not a claim a manufacturer makes — it is a chain of records a manufacturer can walk an auditor through, any day of the device lifetime, without scrambling for the next link.*

---

*This post is part of the [Post-Market Surveillance & Vigilance](https://zechmeister-solutions.com/en/blog/category/pms-vigilance) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*