In regulatory affairs, technical documentation is the cornerstone for demonstrating product compliance, safety and performance. Yet even meticulously prepared documents can attract non-conformities during review.
This article is published in partnership with Cyber Alchemy. Mantra Systems specialises in medical device regulatory strategy and technical documentation for UK and EU MDR/IVDR pathways. Cyber Alchemy focuses on cybersecurity, helping teams develop and evidence security for software-enabled and connected medical devices. Together, we’re producing a practical series for MedTech teams: what to build, what to defer, and how to avoid avoidable rework when moving between UK, NHS procurement, and EU routes.
What is a non-conformity and why does it happen?
In the context of the EU Medical Device Regulation (EU MDR), a non-conformity is a situation where a medical device, process or quality management system does not meet an applicable requirement: the regulation itself, a harmonised standard such as ISO 13485, or the organisation's own procedures that implement them. Non-conformities can arise at any stage of the device lifecycle, including design, manufacturing, post-market surveillance and quality management, and may include:
- Clinical data gaps
- Inappropriate equivalence claims
- Incomplete or inaccurate document content
- Use of outdated or superseded regulations or standards
Non-conformities can significantly disrupt the conformity assessment, leading to extended review timelines, increased costs and further revision cycles. A Notified Body cannot issue a certificate while non-conformities remain open, so resolving them is critical for market access.
In my experience many non-conformities, particularly those relating to clinical evaluation or risk management, arise because the technical file is disjointed and does not tell a coherent story. The technical file is not simply a library of information about a device. It should guide a reviewer through the life of the device, from conceptualisation through pre-clinical and clinical testing, while clearly demonstrating safety, performance and an acceptable benefit-risk profile.
Common non-conformities for SaMDs
Quality Management
- Lack of evidence that existing procedures have been followed
- Lack of design controls for software changes
- Poor documentation of suppliers and Software of Unknown Provenance (SOUP)
- Ineffective Corrective and Preventive Action (CAPA) system
Clinical evaluation and evidence gaps
- Lack of state-of-the-art safety and performance benchmarks
- Appraisal of literature has not been conducted properly
- Weak justification of equivalence
- No links between clinical data and clinical claims made by the manufacturer
- Lack of clinical data supporting safety and performance of the device
Software lifecycle documentation that falls short of IEC 62304
- Missing or incomplete software development plan
- Poor traceability between user requirements, design, verification and validation
- Lack of detail in the documentation of software architecture
- Insufficient verification & validation evidence
- Poor SOUP version control
Risk Management
- Risk files not updated throughout device lifecycle
- Poor linkage between hazards, risks, controls, and verification
- Missing software-specific risks (e.g., cybersecurity, data corruption, incorrect outputs)
- Lack of a quantitative benefit-risk analysis
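Several of the findings above (traceability between requirements, design and verification; linkage between hazards, controls and verification; missing cybersecurity risks) are gaps that can be found mechanically before the Notified Body finds them. The following is an added example and is not code from the article, Mantra Systems or Cyber Alchemy: it walks a flattened set of technical-file records and reports every item that does not trace to where the lifecycle process says it must. The record schema (`id`, `kind`, `links`, `status`), the identifiers and the sample data are all constructed for illustration.

```python
"""Traceability gap check over technical-file records (constructed example).

Assumed convention, not taken from any standard's text: each record has an
``id``, a ``kind`` and a list of ``links`` to downstream ids; verification
records carry a ``status``.  A hazard must trace to a risk control, a control
and a design item to a passing verification, and a requirement to a design
item.  A verification record nothing traces to is also reported, because
unlinked test evidence cannot support any claim in the file.
"""
from collections import defaultdict

# Required downstream kind for each record kind (verification records are leaves).
REQUIRED_DOWNSTREAM = {
    "hazard": "control",
    "control": "verification",
    "requirement": "design",
    "design": "verification",
}


def find_gaps(records):
    """Return a sorted list of (record_id, problem) tuples; empty means fully traced."""
    by_id = {r["id"]: r for r in records}
    traced_to = defaultdict(set)  # target id -> ids of records that link to it
    gaps = []

    # Pass 1: resolve every link and flag dangling references.
    for r in records:
        for target in r.get("links", ()):
            if target in by_id:
                traced_to[target].add(r["id"])
            else:
                gaps.append((r["id"], f"links to unknown item {target}"))

    # Pass 2: check that each record reaches the downstream kind it needs.
    for r in records:
        kind = r["kind"]
        needed = REQUIRED_DOWNSTREAM.get(kind)
        if needed is not None:
            downstream = [by_id[t] for t in r.get("links", ())
                          if t in by_id and by_id[t]["kind"] == needed]
            if not downstream:
                gaps.append((r["id"], f"{kind} has no linked {needed}"))
            elif needed == "verification" and not any(
                    d.get("status") == "pass" for d in downstream):
                # Linked, but the evidence does not show the control/design works.
                gaps.append((r["id"], f"{kind} has no passing verification"))
        if kind == "verification" and not traced_to[r["id"]]:
            gaps.append((r["id"], "verification is not traced from any requirement, "
                                  "design item or control"))
    return sorted(gaps)


# Constructed sample file: two deliberate linkage gaps, one failed test, one orphan test.
TECH_FILE = [
    {"id": "HAZ-01", "kind": "hazard", "links": ["CTRL-01"]},   # data corruption on upload
    {"id": "HAZ-02", "kind": "hazard", "links": ["CTRL-02"]},   # unauthenticated API access
    {"id": "HAZ-03", "kind": "hazard", "links": []},            # incorrect output, no control
    {"id": "CTRL-01", "kind": "control", "links": ["VER-01"]},
    {"id": "CTRL-02", "kind": "control", "links": ["VER-02"]},
    {"id": "REQ-01", "kind": "requirement", "links": ["DES-01"]},
    {"id": "REQ-02", "kind": "requirement", "links": []},       # never designed in
    {"id": "DES-01", "kind": "design", "links": ["VER-01"]},
    {"id": "VER-01", "kind": "verification", "status": "pass"},
    {"id": "VER-02", "kind": "verification", "status": "fail"},
    {"id": "VER-03", "kind": "verification", "status": "pass"},  # evidence nobody cites
]


def gap_ids(records):
    """Convenience wrapper: just the ids with at least one gap, in order."""
    return [rid for rid, _ in find_gaps(records)]


if __name__ == "__main__":
    for rid, problem in find_gaps(TECH_FILE):
        print(f"{rid}: {problem}")
```

In practice the records would be exported from the requirements or risk-management tool rather than typed in, and the check would run in CI on every change to the file, so that a new cybersecurity hazard added to the risk file without a control, or a control whose verification test has started failing, shows up as a build failure rather than as a Notified Body finding.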
Issues with Annex II/III documentation
- Unclear or vague intended purpose statement
- Unclear post-market surveillance plan or procedure
How to address non-conformities
The first step in addressing non-conformities is to have a clear discussion with your Notified Body about the findings they have raised. Notified Bodies are obliged to communicate non-conformities to you, but there is no legislative requirement for them to offer a video call or any structured dialogue, so it is worth knowing whether your Notified Body provides this before the assessment starts.
During such a discussion your Notified Body can only clarify the finding; it cannot recommend or consult on how to fix it, as that would compromise its independence. It can explain in more detail why an issue was flagged, but not exactly how to resolve it.
Once you have the non-conformity report from the Notified Body, I always recommend creating your own summary list of the non-conformities to be addressed. Report formats vary between Notified Bodies and can be confusing.
With your summary list, you can group non-conformities together and identify solutions which may address multiple issues. You can also clearly assign each non-conformity a solution and a team member to action it.
Notified Bodies will give you a timeline for response and resubmission of your documents. Where you feel that you require more time to adequately address deficiencies, you should ask for an extension to the timeline early on.
Free 30-minute review call
If you are still unclear about how to address non-conformities, engaging expert support can be the most effective way to navigate the review process and achieve your UKCA or CE mark. When deficiencies span both the regulatory and cybersecurity domains, no single perspective is enough.
That’s why Mantra Systems and Cyber Alchemy are offering a free 30-minute joint review, so you get a complete picture of your technical file and cybersecurity gaps, and a clear, actionable recovery plan in one conversation.