Post-Market Surveillance

Why modernize 21 CFR 820 to ISO 13485?

The FDA patches the regulations with guidance documents, but there is a desperate need to modernize 21 CFR 820 to ISO 13485.

FDA Proposed Amendment to 21 CFR 820

On February 23, 2022, the FDA published a proposed rule for medical device quality system regulation amendments. The FDA planned to implement amended regulations within 12 months, but the consensus of the device industry is that a transition of several years would be necessary. In the proposed rule, the FDA justifies the need for amended regulations based on the “redundancy of effort to comply with two substantially similar requirements,” creating inefficiencies. In public presentations, the FDA’s supporting arguments for the proposed quality system rule change rely heavily upon comparing similarities between 21 CFR 820 and ISO 13485. However, the comparison table provided is quite vague (see the table from page 2 of the FDA’s presentation reproduced below). The FDA also provided estimates of projected cost savings resulting from the proposed rule. What is completely absent from the discussion of the proposed rule is any mention of the need to modernize 21 CFR 820.

Overview of Similarities and Differences between QSR and ISO 13485 1006x1024 Why modernize 21 CFR 820 to ISO 13485?

Are the requirements “substantively similar”?

The above table provided by the FDA claims that the requirements of 21 CFR 820 are substantively similar to the requirements of ISO 13485. However, there are some aspects of ISO 13485 that will modernize 21 CFR 820. The areas of impact are 1) software, 2) risk management, 3) human factors or usability engineering, and 4) post-market surveillance. The paragraphs below identify the applicable clauses of ISO 13485 where each of the four areas are covered.

Modernize 21 CFR 820 to include software and software security

Despite the limited proliferation of software in medical devices during the 1990s, 21 CFR 820 includes seven references to software. However, there are some Clauses of ISO 13485 that reference software that are not covered in the QSR. Modernizing 21 CFR 820 to reference ISO 13485 will incorporate these additional areas of applicability. Clause 4.1.6 includes a requirement for the validation of quality system software. Clause 7.6 includes a requirement for the validation of software used to manage calibrated devices used for monitoring and measurement. Clause 7.3 includes a requirement for validation of software embedded in devices, but that requirement was already included in 21 CFR 820.30. The FDA can modernize 21 CFR 820 further by defining Software as a Medical Device (SaMD), referencing IEC 62304 for management of the software development lifecycle, referencing IEC/TR 80002-1 for hazard analysis of software, referencing AAMI TIR57 for cybersecurity, and referencing ISO 27001 for network security. Currently, the FDA strategy is to implement guidance documents for cybersecurity and software validation requirements, but ISO 13485 only references IEC 62304. The only aspect of 21 CFR 820 that appears to be adequate with regard to software is the validation of software used for automation in 21 CFR 820.75. This requirement is similar to Clause 7.5.6 (i.e., validation of processes for production and service provisions).

Does 21 CFR 820 adequately cover risk management?

The FDA already recognizes ISO 14971:2019 as the standard for the risk management of medical devices. However, the risk is only mentioned once in 21 CFR 820. In order to modernize 21 CFR 820, it will be necessary for the FDA to identify how risk should be integrated throughout the quality system requirements. The FDA recently conducted two webinars related to the risk management of medical devices, but implementing a risk-based approach to quality systems is a struggle for companies that already have ISO 13485 certification. Therefore, a guidance document with examples of how to implement a risk-based approach to quality system implementation would be very helpful to the medical device industry. 

Modernize 21 CFR 820 to include Human Factors and Usability Engineering

ISO 13485 references IEC 62366-1 as the applicable standard for usability engineering requirements, but there is no similar requirement found in 21 CFR 820. Therefore, human factors are an area where 21 CFR 820 needs to be modernized. The FDA has released guidance documents for the human factors content to be included in a 510k pre-market notification, but the guidance was released in 2016 and the guidance does not reflect the FDA’s current thoughts on human factors/usability engineering best practices. The FDA recently released a draft guidance for the format and content of human factors testing in a pre-market 510k submission, but that document is not a final guidance document and there is no mention of human factors, usability engineering, or even use errors in 21 CFR 820. Device manufacturers should be creating work instructions for use-related risk analysis (URRA) and fault-tree analysis to estimate the risks associated with use errors as identified in the draft guidance. These work instructions will also need to be linked with the design and development process and the post-market surveillance process.

Modernize 21 CFR 820 to include Post-Market Surveillance

ISO/TR 20416:2020 is a new standard specific to post-market surveillance, but it is not recognized by the FDA. There is also no section of 21 CFR 820 that includes a post-market surveillance requirement. The FDA QSR focuses on reactive elements such as:

  • 21 CFR 820.100 – CAPA
  • 21 CFR 820.198 – Complaint Handling
  • 21 CFR 803 – Medical Device Reporting
  • 21 CFR 820.200 – Servicing
  • 21 CFR 820.250 – Statistical Techniques

The FDA does occasionally require 522 Post-Market Surveillance Studies for devices that demonstrate risks that require post-market safety studies. In addition, most Class 3 devices are required to conduct post-approval studies (PAS). For Class 3 devices, the FDA requires the submitter to provide a plan for a post-market study. Once the study plan is accepted by the FDA, the manufacturer must report on the progress of the study. Upon completion of the study, most manufacturers are not required to continue PMS.

How will the FDA enforce compliance with ISO 13485?

It is not clear how the FDA would enforce compliance with Clause 8.2.1 in ISO 13485 because there is no substantively equivalent requirement in the current 21 CFR 820 regulations. The QSR is 26 years old, and the regulation does not mention cybersecurity, human factors, or post-market surveillance. Risk is only mentioned once by the regulation, and software is only mentioned seven times. The FDA has “patched” the regulations through guidance documents, but there is a desperate need for new regulations that include critical elements. The transition of quality system requirements for the USA from 21 CFR 820 to ISO 13485:2016 will force regulators to establish policies for compliance with all of the quality system elements that are not in 21 CFR 820.

Companies that do not already have ISO 13485 certification should be proactive by 1) updating their quality system to comply with the ISO 13485 standard and 2) adopting the best practices outlined in the following related standards:

  • AAMI/TIR57:2016 – Principles For Medical Device Security – Risk Management
  • IEC 62366-1:2015 – Medical devices — Part 1: Application of usability engineering to medical devices
  • ISO/TR 20416:2020 – Medical devices — Post-market surveillance for manufacturers
  • ISO 14971:2019 – Medical Devices – Application Of Risk Management To Medical Devices
  • IEC 62304:2015 – Medical Device Software – Software Life Cycle Processes
  • ISO/TR 80002-1:2009 – Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software
  • ISO/TR 80002-2:2017 – Medical device software — Part 2: Validation of software for medical device quality systems

What is the potential impact of the US FDA requiring software, risk management, cybersecurity, human factors, and post-market surveillance as part of a medical device company’s quality system?

What’s the difference between PMS, PSUR, and PSR?

This blog is intended to help clear your justified confusion if you are wondering what the difference is between PMS, PSUR, and PSR.


The nine most terrifying words in the English language are, “I’m from the Government, and I’m here to help.” That quote is from a speech by President Reagan on August 12, 1986.  One of the goals of the European Parliament and Council was “to ensure effective coordination of [competent authority] market surveillance activities and to clarify the applicable procedures.” After studying the new European MDR, I can confidently say that the European Parliament and Council have done their job well. My boss is a regulatory consultant with 30 years of experience, and he asked me to explain the difference between PMS, PSUR, and PSR.

To answer that question as objectively as possible, and cite my sources, I have included a copy and paste directly from Regulation (EU) 2017/745. Red text is my commentary, while the italicized text is a quotation from the most relevant article within the new EU regulations.

Under the New MDR, the only Class IIa, Class IIb, and Class III products are definitively required to have a Periodic Safety Update Report (PSUR). The PSUR needs to be updated annually for Class III and Class IIb implants, and the PSUR needs to be updated at least every two years for Class IIb (non-implants) and Class IIa devices. The PSUR must be available to your notified body, and upon request, the competent authorities. In contrast with the PSUR, Post-Market Surveillance (PMS) reports are required for Class I devices. Finally, a manufacturer’s Periodic Summary Report (PSR), relates to specific cases of Serious Incidents and Field Safety Corrective Actions (FSCA’s) based upon an agreement between the manufacturer and the competent authority or authorities instead of submitting individual FSCA reports.  This is confusing because the PSUR also meets the requirements of a PMS Report as defined in Article 85, but we don’t call it a PMS Report.

“Article 83 – Post-market surveillance system of the manufacturer

1. For each device, manufacturers shall plan, establish, document, implement, maintain, and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. That system shall be an integral part of the manufacturer’s quality management system referred to in Article 10(9).”

In Matthew’s words, “Manufacturers are required to establish a PMS system for every device or device family.”

“Article 84 – Post-market surveillance plan

The post-market surveillance system referred to in Article 83 shall be based on a post-market surveillance plan, the requirements for which are set out in Section 1.1 of Annex III. For devices other than custom-made devices, the post-market surveillance plan shall be part of the technical documentation specified in Annex II.”

In Matthew’s words, “Article 84 requires you to have a PMS plan in your quality system.”

“Article 85 – Post-market surveillance report

Manufacturers of class I devices shall prepare a post-market surveillance report summarizing the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 84 together with a rationale and description of any preventive and corrective actions taken. The report shall be updated when necessary and made available to the competent authority upon request.”

In Matthew’s words, “A Class I device requires a PMS report, while the other product classifications require a PSUR.”

“Article 86 – Periodic safety update report

1.1 – Manufacturers of class IIa, class IIb, and class III devices shall prepare a periodic safety update report (‘PSUR’) for each device and were relevant for each category or group of devices summarizing the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 84 together with a rationale and description of any preventive and corrective actions taken. Throughout the lifetime of the device concerned, that PSUR shall set out:


the conclusions of the benefit-risk determination;


the main findings of the PMCF; and


the volume of sales of the device and an estimated evaluation of the size and other characteristics of the population using the device and, where practicable, the usage frequency of the device.

Manufacturers of class IIb and class III devices shall update the PSUR at least annually. That PSUR shall, except in the case of custom-made devices, be part of the technical documentation as specified in Annexes II and III.

Manufacturers of class IIa devices shall update the PSUR when necessary and at least every two years. That PSUR shall, except in the case of custom-made devices, be part of the technical documentation as specified in Annexes II and III.

For custom-made devices, the PSUR shall be part of the documentation referred to in Section 2 of Annex XIII.

  1. For class III devices or implantable devices, manufacturers shall submit PSURs by means of the electronic system referred to in Article 92 to the notified body involved in the conformity assessment in accordance with Article 52. The notified body shall review the report and add its evaluation to that electronic system with details of any action taken. Such PSURs and the evaluation by the notified body shall be made available to competent authorities through that electronic system.
  2. For devices other than those referred to in paragraph 2, manufacturers shall make PSURs available to the notified body involved in the conformity assessment and, upon request, to competent authorities.”

In Matthew’s words, “Barring specified exemptions, manufacturers of a Class IIa device would need to submit a PSUR and update it at least every two years.”

“Article 87 – Reporting of serious incidents and field safety corrective actions

9. For similar serious incidents that occur with the same device or device type and for which the root cause has been identified or a field safety corrective action implemented or where the incidents are common and well documented, the manufacturer may provide periodic summary reports instead of individual serious incident reports, on condition that the coordinating competent authority referred to in Article 89(9), in consultation with the competent authorities referred to in point (a) of Article 92(8), has agreed with the manufacturer on the format, content, and frequency of the periodic summary reporting. Where a single competent authority is referred to in points (a) and (b) of Article 92(8), the manufacturer may provide periodic summary reports following an agreement with that competent authority.”

In Matthew’s words, “Periodic summary reports (PSRs) refer to significant incidents (SIs) and field safety corrective actions (FSCAs). PSRs require an agreement between the manufacturer and the competent authority(s) for cases where there is a group of common, well-known, and documented SIs or FSCA’s with a known root-cause. PSRs are an alternative to submitting individual SI and FSCA reports.”

Additional Quality System Resources

My boss also asked me to update the procedures for post-market surveillance (SYS-019) and vigilance (SYS-036). The PMS procedure includes requirements for Articles 83-86. The vigilance procedure includes the requirements for Articles 87-92.

About the author

20190531 005146 150x150 Whats the difference between PMS, PSUR, and PSR?

Matthew is a talented writer that missed his calling as a political satirist. Medical Device Academy is lucky to have him as a quality system expert and gap analysis guru. Matthew was asked to answer this question for a client in response to an email. He wrote the entire blog in less than one hour, but he didn’t think it was worthy of publishing. The boss disagreed. Please show Matthew some love with your comments below or by ordering the book from Amazon ($5 pre-order discount until August 28, 2020).

Scroll to Top