Most manufacturers of medical devices have now established the infrastructure needed to fulfil enhanced post-market surveillance requirements. They have implemented IMDRF coding frameworks, put in place post-market surveillance (PMS) plans, and are now submitting structured incident data to regulators – obligations that are now becoming mandatory.^[1]

Yet up to now the focus for most organizations has been on meeting data capture and submission requirements, without any real anticipation of what regulators intend to do with that data next. For those that have treated device vigilance primarily as a reporting exercise up to now, this could be a challenge.

The progression of medical device safety monitoring

The withdrawal of Bayer’s Essure permanent contraceptive device from global markets^[2] and the recall of DePuy’s ASR metal-on-metal hip system^[3] are among the high-profile safety failures that have seen major regulatory authorities strengthen their post-market surveillance frameworks.

In December 2025, the EU’s Medical Device Coordination Group (MDCG) published its most detailed guidance to date on post-market surveillance (PMS) under the Medical Device Regulation (MDR) and the In Vitro Diagnostic Regulation (IVDR),^[4] making it clear that passive complaint handling is no longer sufficient.

Manufacturers will be expected to apply systematic, documented and reproducible methods to analyze post-market data — not just individual incidents but cumulative trends — and to describe this analysis routinely in PMS plans or PSURs. Findings must feed actively into risk management, benefit-risk reassessments and risk minimization measures.

In the UK, revised Medical Devices (Post-Market Surveillance Requirements) regulations came into force in June 2025, introducing explicit device PMS and vigilance requirements for manufacturers, including shortened timelines for serious incident reporting and requirements for enhanced real-world data collection.^[5] The MHRA notes that the changes are designed to enable faster regulatory response when safety issues emerge — implying active monitoring, not merely passive receipt of data. In the US, the Quality Management System Regulation (QMSR), aligning FDA requirements with ISO 13485, has reinforced similar expectations.^[6]

Taken together, these developments represent a shift to device safety surveillance as an ongoing analytical discipline.

Catching up to pharma surveillance

What makes this regulatory shift particularly significant for many device manufacturers is that they are being asked to build something that pharma companies have had for decades: a dedicated, analytically-driven safety surveillance function. Those organizations have long-established pharmacovigilance (PV) infrastructure — signal detection systems, statistical expertise, governance frameworks — that can be extended to meet device surveillance requirements.

Many device-native manufacturers are starting from a different place entirely. Historically, post-market safety for medical devices has been managed through product quality and complaint systems — platforms such as TrackWise or Veeva Vault, designed to capture and close out incidents and feed findings back into product development. These systems were not built for statistical trend analysis or proactive signal detection, however. Structured regulatory submissions have been added to their scope, but the underlying analytical infrastructure has not kept pace with what regulators now expect.

The result, in many organizations, is a familiar workaround: teams pull incident data into spreadsheets and assess it manually, outside core safety systems. That may have been defensible when regulators’ main concern was whether data was submitted at all — but not as they start asking evidenced questions about how it is being interrogated.

The consequence of failing to supply satisfactory answers is far from abstract. The safety crisis linked to polypropylene transvaginal mesh implants, used to treat stress urinary incontinence and pelvic organ prolapse^[7] demonstrates what can happen when long-term complications accumulate without robust surveillance infrastructure in place, from permanent harm to patients to lasting reputational damage to an entire device category. The regulatory changes now in force were designed, in significant part, to prevent a recurrence of such events.

Statistical relevance

A further complication is that the statistical methods developed for drug safety surveillance cannot simply be applied to device incident data. Disproportionality analysis — the workhorse of PV signal detection — relies on large datasets built up over many years. Even a national regulator’s device incident database may contain only hundreds of thousands of cases in total. Different statistical approaches are needed: ones that can handle the particular characteristics of device data, detecting meaningful changes in frequency where volumes are lower and normalizing findings against exposure levels rather than relying on raw case counts.

There is also an obligation to look beyond a company’s own figures, since many device approvals are based on demonstrated equivalence to similar products. Manufacturers should not just monitor their own data, then; they must also track class-wide data — in major repositories such as FDA’s new unified Adverse Event Monitoring System (which replaces MAUDE), and the European Commission’s EUDAMED.

Software as a medical device (SaMD) adds further complexity. Apps that provide clinically-relevant guidance, AI-enabled diagnostic tools and “connected” monitoring platforms carry the same post-market surveillance obligations as physical devices — a regulatory reality that some organizations may not yet have fully appreciated.

Industry data covering 2024 found that device failure and software issues were the leading causes of medical device recalls globally, with US recall events reaching a four-year high — underscoring the reality that the post-market risks of software-driven products are not theoretical.^[8] The safety stakes of a connected insulin dosing application are immediately apparent; less obvious is that the same analytical rigor expected of a Class III implant now increasingly applies to software products too.

Distinct complexities affecting combination products

For pharmaceutical companies that supply combination products, from connected medicine delivery systems and GLP-1 auto-injectors, to ocular implants, the challenge takes on an additional dimension. Here, the safety environment is interdependent: a safety issue may originate in the medicinal product, in a device component, in the interaction between the two, or in the instructions for use. In an additional level of complexity, the regulatory responsibility of each component often depends on whether products are sold as full combined, co-packaged or cross-labelled for use.

All of this points to a need to unify data in one shared location — drug safety and device complaints have typically been managed by separate teams using separate systems, an approach that is increasingly difficult to sustain. Where drug and device data are managed in parallel but unconnected systems, signals that exist in the relationship between the two may not surface at all. Granularity is important, then. Component-level tracking — using identifiers such as the GMDN code or the UDI — enable safety concerns to be anchored to specific elements and tracked across a portfolio where the same component appears in multiple products.

Getting ahead

Whether organizations are approaching this from the perspective of a pure device company or a pharma organization with a combination product portfolio, the practical requirements are similar. These include documented review processes at defined intervals; statistical methods appropriate to the data volumes and product types involved; a governance framework that creates an auditable trail of signal detection and management activity; and, for combination product companies, a means of assessing drug and device data in relationship to each other.

Companies with mature PV infrastructure will generally be best placed to extend that capability to encompass device surveillance, drawing on established signal management workflows and governance frameworks. Those coming to structured surveillance for the first time will need to build that capability, whether internally or through specialist partners who can bring both the analytical expertise and the understanding of evolving regulatory expectations that this still-maturing field requires.

The companies best positioned for the scrutiny to come will be those that already know what their data shows – because they have not waited for a regulatory query to begin the analytical work. Regulatory findings in safety surveillance carry material consequences beyond reputational damage, and the window for remedial action (once an issue has been identified externally) soon closes.

[1] EUDAMED, European Commission: https://ec.europa.eu/tools/eudamed/#/screen/home

[2] US FDA, FDA Activities Related to Essure. Bayer discontinued US sales of Essure at end of 2018 following a black box warning (2016), sales restrictions (April 2018), and more than 73,000 medical device reports filed with the FDA between 2002 and 2024. https://www.fda.gov/medical-devices/essure-permanent-birth-control/fda-activities-related-essure

[3] DePuy Orthopaedics voluntarily recalled its ASR Hip Resurfacing System and ASR XL Acetabular System in August 2010 after National Joint Registry (England and Wales) data showed 5-year revision rates of 12–13%, far exceeding the expected device lifespan of approximately 15 years. The recall notice stated explicitly that the risk of revision was highest “among female patients” — a finding linked to the device having been tested predominantly in male patients, whose hip anatomy differs significantly from that of women. Johnson & Johnson subsequently settled claims globally for $2.5 billion. See: Health Sciences Authority (Singapore), Recall of Medical Devices — DePuy ASR Hip Resurfacing System and DePuy ASR XL Acetabular System, citing MHRA Medical Device Alert MDA/2010/033 and NJR data. https://www.hsa.gov.sg/announcements/safety-alert/recall-of-medical-devices—depuy-asr-hip-resurfacing-system-and-depuy-asr-xl-acetabular-system; also Hutchison, K., “Gender Bias in Medical Implant Design and Use,” Hypatia (2019); ICIJ Implant Files, https://www.icij.org/investigations/implant-files/are-women-more-likely-to-be-harmed-by-medical-device-failures/ (noting women experienced a 29% higher rate of hip implant failure than men).

[4] European Commission Medical Device Coordination Group, MDCG 2025-10: Guidance on post-market surveillance of medical devices and in vitro diagnostic medical devices, December 2025. https://health.ec.europa.eu/latest-updates/mdcg-2025-10-guidance-post-market-surveillance-medical-devices-and-vitro-diagnostic-medical-devices-2025-12-19_en

[5] UK Government / MHRA, “MHRA guidance on new Medical Devices Post-Market Surveillance requirements.” The Medical Devices (Post-market Surveillance Requirements) (Amendment) (Great Britain) Regulations 2024 came into force 16 June 2025. https://www.gov.uk/government/news/mhra-guidance-on-new-medical-devices-post-market-surveillance-requirements; Medical devices: post-market surveillance requirements: https://www.gov.uk/government/publications/medical-devices-post-market-surveillance-requirements

[6] US FDA, Quality Management System Regulation (QMSR) Final Rule, aligning 21 CFR Part 820 with ISO 13485:2016. https://www.fda.gov/medical-devices/quality-system-qs-regulationmedical-device-good-manufacturing-practices/quality-management-system-regulation-qmsr-final-rule

[7] Mesh implants: Women launch claims against NHS trusts and surgeons for failing to warn of risks, British Medical Journal, June 2020: https://www.bmj.com/content/369/bmj.m2605

[8] Sedgwick/AdvaMed, State of the Nation 2025: Global Medical Device Recall Index Report, March 2025. (Device failure and software were identified as leading causes of medical device recalls in 2024, with US medical device recall events reaching a four-year high.) https://www.advamed.org/wp-content/uploads/2025/03/Sedgwick-Brand-Protection-Recall-Index-Report-Global-Medical-Device-Edition.pdf