How to Create a Compliant Periodic Safety Update Report (PSUR) Under EU MDR and EU IVDR

The requirement for a periodic safety update report (PSUR) or post-market surveillance report (PMSR) is new under EU MDR and EU IVDR. MDD and IVDD had post-market requirements, but the MDR and IVDR requirements are more formal, and for most classes, these reports must be updated and submitted to notified bodies (NBs) on an annual or biennial basis. 

Because medical device and IVD companies weren’t required to provide this report in the past and official guidance hasn’t yet been released, there is a certain amount of guesswork that goes into creating a compliant document. Fortunately, RQM+ has industry insights into what notified bodies will be looking for because we have people on staff who contributed to creating the guidance.

What is a PSUR?

PSURs have been required for pharmaceutical products for some time, but they are a new requirement for medical devices. The goal of periodic safety reporting is to improve medical devices and the benefits they offer to patients. All devices require either a PMSR or PSUR. The risk level of the device class determines which type of report, whether it must be reviewed by a notified body, and the frequency of review.

Manufacturers of low-risk devices aren’t required to submit a PSUR, but they must maintain a PMSR and make it available to competent authorities. The PMSR must summarize the results and conclusions of post-market surveillance (PMS) data and include a rationale and description of any corrective actions taken. Moderate- and high-risk devices and IVDs require a PSUR that is more comprehensive and rigorous than a PMSR. 

What are the requirements for PSURs?

PSURs must be updated at a certain frequency that depends on the device class as outlined in the table above. For high-risk devices and IVDs, PSURs must be updated annually. This is true even when certification is for a two-year period. Additionally, PSURs for Class III devices and Class C and D IVDs must be submitted to NBs via an electronic system. For all other classes, the PSUR must be made available to NBs and by request to competent authorities.

According to MDR and IVDR, PSURs must include:

• Post-market surveillance data
• A rationale and description of any corrective actions taken for product on the markets
• A summary of post-market information
• Vigilance reporting
• The current status of the device on the market in the EU
• A comprehensive risk-benefit analysis and conclusions of risk-benefit determination
• Main findings of your post-market clinical or performance follow-up (PMCF/PMPF)
• Sales volume of the device
• Estimates of the size of other characteristics of the audience using the device (plus usage frequency if known)

Although this is a comprehensive list of elements that must be included, it isn’t reflective of the level of analysis that is required in a PSUR. It’s not enough to just include these sections—the data presented in them must be connected in the narrative you present. For example, sales volume is connected to product usage for complaint rate calculations to understand how often complaints occur. Without this connection, sales data or complaint data on its own isn’t very meaningful. 

How do you create a compliant PSUR?

When they review PSURs, notified bodies are looking for you to do more than checkboxes. They want to see that you are not only collecting data but are also using it to make improvements. Follow these tips to create a compliant PSUR that will stand up to notified body review.

Remember the goal. 

The intent of PSURs isn’t to create paperwork, it’s to improve products and to have an accurate (full picture) understanding of a product’s post-market performance. View your report through this lens and you will find that your business will actually benefit from the effort. Look across all departments to get the big picture of safety as it relates to your device and tell that story consistently in your technical documentation. Track data through the process outlined in the quality management system. Complaints, usage, and other data go into the PSUR and also get added to the CER/PER. All of this information together allows you to make more informed PMCF/PMPF planning decisions.  

Gather all your data. 

Although this might seem like a simple process, it’s actually one of the most challenging for manufacturers, so it pays to plan. Some of the data sources that should be referenced in periodic safety update reports include:

Analyze data.

This is the biggest gap in PSURs, and the level of detail in data analysis is the main holdup for manufacturers. Notified bodies want to see more than a data dump—they want to know what the data means for your device or IVD. One of the advantages of compiling and analyzing PMS data from multiple sources is the ability to identify trends. NBs will look for this level of analysis, so take the time to do it with your first submission to reduce the number of reviewer questions you get. 

Write the report.

We recommend following all line items in the regulation. With no official guidance yet, this is the primary reference point for NBs. Refer to other guidance on SSCP and PMCF to learn more about how the MDR is being interpreted. Similarly, refer to the guidance on SSP and PMPF to learn more about how the IVDR is being interpreted, which is very close in line with MDR, including the application of MDCG 2020-7 and 2020-8 guidance.

Coordinate multiple groups to write and approve the report so that PSUR data is integrated into risk management and any other affected documents to create a continuous feedback loop of information that flows between PSURs, CER/PER, SSCP/SSP, and PMCF/PMPF plans. If there are product issues, the risk file may need to be updated after the PSUR as well. The bottom line is that organizational alignment is key to creating a compliant PSUR. 

Include the most common or severe device problems in the report along with a record of all complaint reasons in the appendix. More data is better, but it’s also important to connect the dots for notified bodies. 

Finally, use consistent administrative data throughout your documentation. Notified bodies don’t have time to decipher inconsistencies and will reject reports if the administrative data doesn’t align with your other technical documents.

What are some practical tips for creating a compliant PSUR?

One of the first steps is to get your organization in alignment about how data will be gathered. This can actually be quite challenging because each system is different. Follow these steps:

• Identify data sources: risk management, CERs/PERs, PMCF/PMPF, PMS/complaints, various business units, external databases, and so on
• Use common terminology among all systems that capture data to avoid recoding
• Know how to access all of your data sources
• Identify the experts you can tap for questions
• Ensure part numbers align between systems
• Understand the data exporting limits of each system: how long data is stored, formats, and so on

Once you have determined how data will be gathered, create a schedule for doing it. Ideally, monitor data every month so you can identify issues when they arise. At a minimum, gather and evaluate data on a quarterly basis. Include analysis reports at management reviews so data is being viewed frequently and there are no surprises when annual reports are compiled. 

Set up systems so it’s easy to extract the data you need on the schedule you have determined. This might include:

• Instructions for accessing databases
• Login credentials
• Search terms to use
• Similar devices to include in search
• Identifying the people responsible
• File naming conventions
• A document management system

Create report templates so data is presented consistently. This is especially important when multiple departments are involved in gathering, analyzing, and presenting data. When everybody works from the same templates, it helps ensure that all of your documentation aligns. 

Create a checklist to use at the end of the PSUR process that lists any follow-up activities, which may include PMCF/PMPF activity and risk management file updates. Remember that the PSUR doesn’t stand alone, but is an integral part of a feedback loop between multiple systems. 

How can RQM+ help?

We know how challenging it can be to maintain regulatory and quality compliance, especially with new regulations in place. The PSUR is a new requirement for most manufacturers, but RQM+ is here to help with deep experience and a dedicated team who knows what notified bodies to want to see. 

RQM+ has extensive thought leadership and experience creating post-market surveillance, PMCF/PMPF, and PSUR documentation along with the development and execution of user surveys. Head of Clinical Regulatory Affairs Dr. Amie Smirthwaite contributed to the development of the soon-to-released guidance on PSUR. 

Our team knows what standards the notified bodies will be using. Integrated services ensure that data from PMCF/PMPF inputs (IFUs, PMS data, CER/PER, and RMF) gets fed into PSUR, CER/PER, and PMCF/PMPF reports.

Schedule a consultation today to get started.