Post-Market Surveillance in India: Why Most Medical Device Companies Are Doing It Wrong and What CDSCO Is About to Do About It
By Ankur Khare — Biomedical Engineer | Regulatory Affairs Specialist | Founder, MedReg Intel
Ask most Indian medical device companies whether they have a Post-Market Surveillance plan and they will say yes.
Ask them when they last updated their Periodic Safety Update Report and the conversation gets uncomfortable.
Ask them how many adverse events they reported to India's Materiovigilance Programme last year and the number is almost always zero — not because their devices had zero adverse events, but because their post-market surveillance system exists on paper and not in practice.
This gap between documented obligation and actual implementation is one of the most significant compliance vulnerabilities in India's medical device industry in 2026. And it is a gap that CDSCO is actively working to close.
This article explains what post-market surveillance under MDR 2017 actually requires, how far most companies are from genuine compliance, what CDSCO's enforcement trajectory looks like, and what you need to do now to get ahead of what is coming.
Why Post-Market Surveillance Is the Ignored Obligation of MDR 2017
When MDR 2017 was implemented, most industry attention focused on the registration requirements — device classification, application processes, clinical data requirements, and licensing pathways. These were the immediate, visible obligations that companies needed to address to continue operating legally.
Post-market surveillance was the obligation that came after registration. It was future-facing, less immediately enforced, and — critically — it generated no revenue. Quality budgets in most medical device companies are spent on achieving registration, not on maintaining the surveillance systems that registration requires.
The result is predictable. Across the Indian medical device industry, post-market surveillance plans are often filed with CDSCO as part of a Class C or Class D registration application and then effectively forgotten. Periodic Safety Update Reports are not filed on schedule. Adverse event reports are not submitted to MvPI. Post-market clinical follow-up studies are not conducted.
This is not a small compliance gap. It is a fundamental failure to implement one of MDR 2017's most important patient safety provisions. And CDSCO is increasingly aware of how widespread it is.
What MDR 2017 Actually Requires — The Complete Obligation
Let us be specific about what the regulation requires, because vagueness about the requirements is itself part of the problem.
Post-Market Surveillance Plan
Every manufacturer of Class C and Class D devices must have a documented post-market surveillance plan that is device-specific. The plan must describe the methods and procedures for collecting, recording, and analysing data on device performance in the field. It must identify the data sources — complaint files, adverse event reports, literature reviews, registries, and post-market clinical follow-up — and specify how each will be systematically monitored.
The plan must be reviewed and updated whenever significant changes occur — design changes, new clinical findings, changes in the patient population using the device, or signals from the complaint or adverse event data.
Periodic Safety Update Report — PSUR
For Class C devices, a PSUR must be prepared and submitted to CDSCO at minimum every two years. For Class D devices, the requirement is annual. The PSUR summarises all post-market surveillance data collected during the reporting period, evaluates the risk-benefit profile of the device in light of new information, and reports on the implementation and effectiveness of the post-market surveillance plan.
The PSUR is not a formality. It is a substantive document that requires analysis of real data from real device use in the field. Submitting a PSUR that contains no actual field data — or that simply restates the original risk analysis without incorporating post-market experience — will not survive CDSCO scrutiny as the regulator's PSUR review capability develops.
Vigilance Reporting — Adverse Event Reporting to MvPI
This is the most immediately patient-safety-critical component of post-market surveillance and the one where Indian industry compliance is weakest.
MDR 2017 requires manufacturers and importers to report serious adverse events to CDSCO's Materiovigilance Programme of India — MvPI — within specific timeframes. Device-related deaths must be reported within 10 days. Serious injuries must be reported within 30 days. For events that require immediate safety action, reporting is required even earlier.
Healthcare facilities — hospitals and clinics — are also required to report adverse events to MvPI. The infrastructure for facility-level reporting is being developed, but awareness and compliance among healthcare providers remain low.
Post-Market Clinical Follow-Up
For devices where clinical questions remain after initial registration — or where new clinical evidence suggests the need for additional investigation — CDSCO may require or manufacturers may initiate post-market clinical follow-up studies. These are formal clinical investigations conducted with marketed devices specifically to gather additional performance or safety data.
The Materiovigilance Gap — India's Biggest Unreported Safety Problem
The gap between actual adverse events involving medical devices in India and reported adverse events in the MvPI system is one of the most significant patient safety challenges in Indian healthcare.
Consider the scale. India has hundreds of millions of patients using regulated medical devices — from simple wound care products and surgical instruments to complex cardiac implants and in-vitro diagnostic equipment. Even with generous assumptions about device safety, the statistical expectation of serious adverse events across this patient population is substantial.
MvPI's reported adverse event numbers do not reflect this reality. The gap exists for several reasons.
Healthcare providers — the front-line observers of adverse events — are largely unaware of their MvPI reporting obligations. Medical education in India does not systematically cover Materiovigilance. Hospital biomedical engineering departments — the teams most likely to identify device-related incidents — often lack clear protocols for adverse event reporting.
Manufacturers and importers know about the reporting obligation but face a cultural and commercial barrier. Reporting an adverse event creates a regulatory record. It may trigger a CDSCO inquiry. It may affect the device's commercial reputation. The short-term incentive is to not report, and the enforcement pressure to report has historically been insufficient to overcome that incentive.
This is exactly the kind of systemic underreporting that eventually produces catastrophic outcomes — devices causing harm at scale that is invisible to the regulatory system until enough incidents accumulate to create an undeniable signal.
CDSCO is aware of this dynamic. The regulatory response — expanded MvPI infrastructure, increased enforcement of reporting obligations, and growing integration of adverse event data into surveillance inspection triggers — is coming.
What Genuine Post-Market Surveillance Looks Like
Let me describe what a functional post-market surveillance system actually looks like for a mid-size Indian medical device manufacturer, because the gap between the paper obligation and the operational reality is where most companies are lost.
A Functioning Complaint Management System
Every complaint received — from a healthcare facility, a distributor, an end user, or any other source — is documented, classified by severity, investigated, and closed with documented findings. The complaint database is reviewed periodically for trends and patterns. Complaints that meet adverse event reporting criteria are automatically escalated to the MvPI reporting process.
This requires a designated complaint handling function, a defined complaint intake process, trained personnel who can classify complaints correctly, and a database system — even a well-structured spreadsheet works for smaller companies — that enables trend analysis.
Regular Literature and Field Data Review
Post-market surveillance is not just about complaints. It includes systematic monitoring of published literature for new safety or performance data about your device type, monitoring of competitor device recalls and safety alerts for signals relevant to your device, and where applicable, monitoring of clinical registries or epidemiological data that may affect your risk-benefit assessment.
This review should be documented — not a general awareness that the literature is being watched, but a recorded, periodic review with specific findings documented.
Annual Internal PMS Review
Before your PSUR is due, conduct an internal review of all post-market surveillance data collected since your last PSUR. This review should feed directly into your PSUR preparation and should also trigger updates to your risk management file if new data has changed your understanding of any device risk.
MvPI Reporting Readiness
Every company with a Class C or Class D device registration should have a designated MvPI reporting contact, a defined internal process for identifying reportable events, template adverse event reports prepared and ready to submit, and awareness of MvPI's submission portal and procedures.
This readiness should be tested periodically. Do not wait until an actual event occurs to discover that nobody knows how to file a report.
CDSCO's Enforcement Trajectory — What Is Coming
The current gap between MDR 2017's post-market surveillance requirements and industry compliance is not sustainable from a regulatory credibility perspective. CDSCO's enforcement of post-market surveillance obligations is increasing and will continue to increase.
Several specific developments signal where this is heading.
PSUR review is becoming more substantive. CDSCO is developing the capacity to review PSUR content rather than just checking that a PSUR was submitted. Companies that have been submitting template PSURs with minimal real-world data will face increasing scrutiny.
Surveillance inspections are incorporating post-market surveillance verification. Inspectors are specifically checking complaint files, MvPI reporting records, and PSUR documentation as part of standard surveillance inspection protocols.
MvPI is expanding its outreach to healthcare facilities, which will increase the volume of facility-level adverse event reports reaching CDSCO — reports that will be cross-referenced against manufacturer reporting records and create accountability pressure for manufacturers who have not been reporting.
The direction is clear. Companies that establish genuine post-market surveillance systems now — before enforcement pressure forces them to — will be in a significantly better compliance position than those who wait.
Building Your Post-Market Surveillance System — A Practical Roadmap
If your current post-market surveillance system is primarily a plan document filed with your CDSCO application and not much else, here is a practical sequence for building a functioning system.
Start with your complaint management process. Define how complaints enter your system, who classifies them, what the investigation protocol is, and how they are closed. Document this process formally as a Standard Operating Procedure.
Designate your MvPI reporting contact and ensure they are registered on MvPI's reporting portal and trained on the reporting criteria and process.
Review your existing complaint file and identify any complaints that should have been reported to MvPI but were not. Consider a voluntary retrospective report — CDSCO generally responds more favourably to voluntary disclosure than to discovered non-compliance.
Prepare your first genuine PSUR. Even if it covers a period when your surveillance system was not fully functional, a PSUR that honestly addresses the limitations of your data and describes your improvement plan is more credible than one that pretends perfect compliance.
Update your risk management file to incorporate whatever you have learned from field experience since registration.
Then build the ongoing processes — quarterly complaint trend reviews, annual literature reviews, annual internal PMS reviews — that will keep your system genuinely current.
The Patient Safety Argument
Behind the compliance requirements is a patient safety reality that sometimes gets lost in the regulatory discussion.
Medical devices fail. Not always catastrophically, but they fail in ways that affect patients — performance degradation, unexpected interactions with patient physiology, software errors, use errors that a better designed device could prevent, and in some cases genuine safety failures that cause serious harm.
Post-market surveillance is how manufacturers learn about these failures and how the regulatory system prevents them from becoming larger problems. It is how a device that is performing below expectations in real-world use gets identified before it harms more patients. It is how a rare but serious adverse event that was not predicted in pre-market testing gets identified and addressed.
When post-market surveillance systems do not function — when complaints are not systematically collected, adverse events are not reported, and PSUR analysis is not genuinely performed — patients are harmed by problems that could have been identified and corrected.
This is not a theoretical risk. It is a documented reality in regulatory systems globally where post-market surveillance has been inadequate, and it is a risk that India's rapidly growing medical device market cannot afford to ignore.
Resources for Post-Market Surveillance Compliance
MedReg Intel provides detailed guidance on MDR 2017 post-market surveillance requirements, PSUR preparation, and MvPI reporting at medregintel.com
For specific PMS compliance support or consultation, reach out at ankur@medregintel.com
Ankur Khare is a Biomedical Engineer and Regulatory Affairs Specialist and the founder of MedReg Intel. This article is for educational purposes and does not constitute formal regulatory or legal advice.