Under MDR Articles 83 to 86 and Annex III, the post-market surveillance plan is not a generic monitoring document. It is the operational expression of the residual risks documented in the risk management file. Residual risks tell the PMS plan what to monitor, how often, and against which thresholds. PMS signals then feed back into the risk file, updating probabilities and severities as real-world data arrives. EN ISO 14971:2019+A11:2021 requires exactly this loop through its production and post-production information activities. The good case Tibor has seen repeatedly is a manufacturer that triages PMS feedback by risk category, maps each signal to a residual risk entry, and updates the file on a defined cadence. The bad case is a PMS report that summarises complaints without changing a single line in the risk file, even when probabilities have obviously shifted.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • MDR Article 83(1) requires manufacturers to plan, establish, document, implement, maintain and update a PMS system proportionate to the risk class and appropriate for the type of device.
  • Article 83(3) names updating the benefit-risk determination, the risk management, the design and manufacturing information, the clinical evaluation, and the Summary of Safety and Clinical Performance as required uses of PMS findings.
  • Annex III specifies what the PMS plan must cover, including a proactive and systematic process to collect information, indicators and threshold values used in the continuous reassessment of benefit-risk and risk management, and effective and appropriate methods and tools to investigate complaints.
  • EN ISO 14971:2019+A11:2021 requires a production and post-production information system that feeds the risk file through the device lifecycle.
  • The good case, documented by Tibor from repeated audits, triages PMS input by risk category and updates probabilities on a regular cadence. The bad case updates the risk file every two to three years regardless of signal.
  • A PMS plan built on top of the residual risk list is shorter, more defensible, and easier to maintain than one written from a generic template.

Why this matters

Tibor has audited PMS plans that list every data source on the planet: complaint records, social listening, literature reviews, registry queries, distributor surveys. What those plans often lack is a clear answer to one question: which residual risks does this activity monitor, and what would a signal look like if it arrived? Without that answer, the plan collects data and produces reports, but nothing changes in the risk file even when the reality of the device has changed.

MDR Article 83 does not accept that pattern. The regulation requires PMS to actively gather and review information about the device in order to update, among other things, the risk management and the benefit-risk determination. The word "actively" does work. A system that collects input without linking it to specific risk file entries is not actively updating anything.

Felix sees startups fall into the opposite trap: they write a minimal PMS plan that covers complaint handling and a literature scan, declare it proportionate, and move on. The proportionality test in Article 83(1) is not about doing less. It is about matching PMS effort to the residual risks documented in the risk file. A device with five low-severity residual risks has a different PMS footprint than one with twenty mixed-severity risks, and the plan has to show that the effort matches the exposure.

What MDR actually says

Article 83(1) of Regulation (EU) 2017/745 requires that, for each device, manufacturers shall plan, establish, document, implement, maintain and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. The system shall be an integral part of the manufacturer's quality management system referred to in Article 10(9).

Article 83(2) states that the PMS system shall be suited to actively and systematically gathering, recording and analysing relevant data on the quality, performance and safety of a device throughout its entire lifetime, and to drawing the necessary conclusions and to determining, implementing and monitoring any preventive and corrective actions.

Article 83(3) then lists what the data gathered by the PMS system shall be used for in particular. The list includes updating the benefit-risk determination and improving the risk management referred to in Chapter I of Annex I; updating the design and manufacturing information, the instructions for use and the labelling; updating the clinical evaluation; updating the Summary of Safety and Clinical Performance referred to in Article 32; identifying needs for preventive, corrective or field safety corrective action; identifying options to improve the usability, performance and safety of the device; contributing to the PMS of other devices where relevant; and detecting and reporting trends in accordance with Article 88.

The PMS plan itself is specified in Annex III Section 1.1. That section requires the plan to address the collection and use of information available concerning serious incidents, including information from periodic safety update reports; field safety corrective actions; non-serious incidents and data on any undesirable side-effects; information from trend reporting; relevant specialist or technical literature, databases and registers; information, including feedbacks and complaints provided by users, distributors and importers; and publicly available information about similar medical devices. Annex III also requires the plan to set out indicators and threshold values that shall be used in the continuous reassessment of the benefit-risk analysis and of the risk management.

EN ISO 14971:2019+A11:2021 supplies the receiving end. Its production and post-production information clause requires manufacturers to establish, document, and maintain a system to actively collect and review information about the device in the production and post-production phases, and to decide whether any of that information is previously unrecognised, changes the estimation of risk, or is otherwise relevant to risk management. The standard expects the risk management file to be updated when any of those conditions applies.

MDCG 2025-10, issued in December 2025, elaborates on how PMS should be structured in practice. It reinforces the principle that PMS effort is proportionate to device risk and that the PMS plan is a living document tied to the risk management and clinical evaluation outputs, not a standalone compliance artefact.

A worked example

Tibor's good case, from repeated audit experience, runs like this. A manufacturer of a Class IIb therapy device keeps its residual risk list in a structured format with risk categories tagged against each entry: mechanical, electrical, software, usability, biological, and so on. The PMS plan, written against Annex III, uses the same categories. Each data source in the plan is mapped to the categories it can realistically detect signals for.

Complaint handling is the largest single source. Incoming complaints are classified at intake against the same risk categories. A usability complaint is routed to a reviewer who compares it against the usability residual risks. A mechanical complaint is routed against the mechanical residual risks. Each review updates either the probability or the severity of a specific residual risk entry, or explicitly records that the signal did not change the estimate. The review decision is time-stamped and signed.

Literature monitoring and registry queries run on a defined cadence. Each search is scoped to the residual risks that the search could inform. A literature scan for adverse events associated with the device's active material targets the biological residual risks. A registry query about unexpected failure modes targets the mechanical residual risks. Results that do not change any risk entry are still recorded, because the recurring absence of adverse signals is itself information that the risk file needs.

Indicators and thresholds, as required by Annex III, are set against the residual risks. Complaint rate for a specific failure mode above X per thousand units per month triggers a review. A new published case report in a relevant patient population triggers a review. A field safety corrective action by a comparator manufacturer for a similar failure mode triggers a review. Each indicator names the residual risk it is monitoring and the action that a breach triggers.

The bad case, which Tibor has also seen repeatedly, is a PMS plan that lists all the same sources but never links them to residual risks. Complaints come in and are logged. A PMS report is produced every year or every two years. It summarises complaint counts. It does not update the risk file. Probabilities and severities in the file are still the numbers that were written at the time of CE marking, even though two years of real-world data now exists. When the notified body reviews the file, the gap between the PMS report and the risk management file version history is the finding.

The Subtract to Ship playbook

Felix advises startups to build the PMS plan after the residual risk list is stable, not before. Writing a PMS plan against an incomplete or draft risk file produces a document that will need to be rewritten. The order matters.

Step one is to tag every residual risk with a category that the PMS plan can use as an index. Categories should be coarse enough to be actionable: usability, mechanical, biological or biocompatibility, electrical, software, environmental, supply-chain. Fine-grained classifications look rigorous but make PMS routing harder.

Step two is to write the PMS plan structure around Annex III Section 1.1. The plan names each required data source and, for each source, lists the risk categories it can monitor. Data sources that cannot inform any residual risk category should not be in the plan. Collecting data with no target is an audit liability, not a compliance asset.

Step three is to define indicators and threshold values against specific residual risks. Annex III requires indicators for the continuous reassessment of benefit-risk and risk management. Startups that skip this step or write vague indicators ("increase in complaints") cannot defend the plan at audit. Specific indicators, tied to specific residual risks, with specific thresholds, are what Annex III asks for.

Step four is to set the risk file update cadence and the trigger list. Tibor's good case updated probabilities and severities on a regular cadence, not every two to three years. The Subtract to Ship version is a quarterly review that covers all residual risks that had any PMS signal, plus an annual review that touches every entry regardless of signal. The PMS management review output is the authoritative input to the risk file update.

Step five is to close the loop with complaint handling. Complaints are PMS data whether or not they are captured by other sources. Complaint classification at intake must match the risk category tags on the residual risk list. Otherwise the signal is there but nobody can find it. Integration at the intake level is the cheapest point to build the loop.

Step six is to make the PMS plan review and the risk management file review a single meeting. Two separate meetings produce two drifting documents. One meeting, on a defined cadence, with outputs that version both files, produces an integrated system the notified body can audit without cross-checking dates.

Reality Check

  • Does the PMS plan list each data source with the residual risks it can realistically inform, or is it a generic list?
  • Are indicators and threshold values defined against specific residual risks, or phrased in general terms?
  • When a complaint arrives, is it classified against the same risk categories as the residual risk list?
  • Has the risk file been updated since the last PMS management review, or does the version history show a multi-year gap?
  • Can Tibor, or any auditor, trace a PMS signal to a specific risk file entry and back again in under two minutes?
  • Is the PMS plan proportionate to the residual risk profile, or was it written from a template?
  • Are the PMS review and the risk management review one meeting or two?

Frequently Asked Questions

Does Annex III of MDR require the PMS plan to reference the risk management file directly?

Annex III Section 1.1 requires the plan to set out indicators and threshold values for the continuous reassessment of benefit-risk analysis and risk management. In practice, a plan cannot do that without referencing the risk file. A plan that names residual risks explicitly is easier to defend than one that references risk management only in the abstract.

How often should the risk file be updated based on PMS data?

MDR does not prescribe a frequency. EN ISO 14971:2019+A11:2021 requires updates when information changes the estimation of risk. Tibor's good-case example used a regular cadence combined with event-driven updates. A review at least annually is the minimum defensible position, and many devices justify more frequent reviews.

Is the PMS plan the same thing as the PMS report?

No. Article 84 (for Class I) and Article 86 (for Class IIa and higher) describe the PMS report or the PSUR, which is the output produced from the plan. The plan is the design document under Annex III. Both are required. Both reference the risk file.

Does trend reporting under Article 88 count as PMS?

Article 88 trend reporting is a specific obligation triggered by a statistically significant increase in frequency or severity of non-serious incidents or expected undesirable side-effects. It is part of the broader PMS framework. The PMS plan should include the indicators that feed trend detection.

Can PMS be outsourced for a small startup?

Parts of PMS can be operationally outsourced, for example literature monitoring or registry queries. The manufacturer remains responsible under Article 10. The link between PMS signals and the risk file cannot be outsourced in a way that breaks traceability. The manufacturer owns the risk file decisions.

What if the PMS plan and the risk file disagree about a residual risk?

The disagreement itself is the finding. Resolve it by reviewing the actual evidence, updating whichever document is wrong, and documenting the reasoning. Leaving two conflicting numbers in the two documents is the worst possible outcome.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 83, 84, 85, 86, Annex III Section 1.1.
  2. EN ISO 14971:2019+A11:2021, Medical devices – Application of risk management to medical devices. Production and post-production information clause and Annex I.
  3. MDCG 2025-10, Post-market surveillance. December 2025.