How to Handle Notified Body Non-conformities and get Back on Track
Written by: Will Brambley, Lead Medical Writer
Cyber Alchemy × Mantra Systems — Episode 2
This article is published in partnership with Cyber Alchemy. Mantra Systems specialises in medical device regulatory strategy and technical documentation for UK and EU MDR/IVDR pathways. Cyber Alchemy focuses on cybersecurity, helping teams develop and evidence security for software-enabled and connected medical devices. Together, we’re producing a practical series for MedTech teams: what to build, what to defer, and how to avoid avoidable rework when moving between UK, NHS procurement, and EU routes.
In medical device regulatory affairs, the technical documentation is the cornerstone of the case for compliance, safety and performance. Yet even a meticulously prepared file can attract non-conformities during Notified Body review.
- What is a non-conformity and why do they happen?
In the context of the EU Medical Device Regulation (EU MDR), a non-conformity is a situation where a medical device, a process or the quality management system does not meet the requirements of the regulation, of the applicable standards (for example ISO 13485), or of the organisation's own procedures that implement them. Non-conformities can arise at any stage of the device lifecycle, including design, manufacturing, post-market surveillance and quality management, and commonly include:
- Clinical data gaps
- Inappropriate equivalence claims
- Incomplete or inaccurate document content
- Use of outdated or superseded regulations or standards
Non-conformities can significantly disrupt the approval process, leading to extended review timelines, increased costs, and further revision cycles. Since Notified Bodies cannot accept a technical file with unresolved non-conformities, correcting them is critical for market access.
In my experience many non-conformities, particularly those relating to clinical evaluation or risk management, arise because the technical file is disjointed and does not tell a coherent story. The technical file is not simply a library of information about the device. It should guide a reviewer through the life of the device, from conceptualisation through pre-clinical and clinical testing, while clearly demonstrating safety, performance and an acceptable benefit-risk profile.
- Companion perspective (Cyber Alchemy)
This article examines common regulatory non‑conformities in medical device submissions. A companion article from Cyber Alchemy addresses cybersecurity‑specific non‑conformities. Together, these articles provide a comprehensive approach to aligning your strategy for managing non‑conformities.
Read Cyber Alchemy’s expert perspective
- Common non-conformities for SaMDs
Quality Management
- Lack of evidence that existing procedures have been followed
- A lack of design controls for software changes
- Poor documentation of suppliers and Software of Unknown Provenance (SOUP)
- Ineffective Corrective and Preventive Action (CAPA) system
Clinical evaluation and evidence gaps
- A weak justification of equivalence
- No links between clinical data and clinical claims made by the manufacturer
- Lack of clinical data supporting safety and performance of the device
Software lifecycle documentation that falls short of IEC 62304
- A missing or incomplete software development plan
- Poor traceability between user requirements, design, verification and validation
- Lack of detail in the documentation of software architecture
- Insufficient verification & validation evidence
- Poor SOUP version control
Risk Management
- Risk files not updated throughout device lifecycle
- Poor linkage between hazards, risks, controls, and verification
- Missing software-specific risks (e.g., cybersecurity, data corruption, incorrect outputs)
- Lack of a quantitative benefit-risk analysis
Issues with Annex II/III documentation
- An unclear or vague intended purpose statement
- No clear post-market surveillance plan or procedure
- How to address non-conformities
The first step in addressing non-conformities is a clear discussion with your Notified Body about the findings they have raised. Notified Bodies are obliged to communicate non-conformities to you, but there is no legislative requirement for them to offer a structured dialogue such as a video call, so it is worth establishing whether yours does before the assessment starts.
In that discussion the Notified Body can only clarify, not advise: they may explain in more detail why an issue was flagged, but because they must remain independent of the manufacturer and cannot act as consultants, they will not tell you how to fix it.
Once you have the non-conformity report, I always recommend building your own summary list of the findings to be addressed. Report formats vary between Notified Bodies and can be confusing, so restate each finding in your own words alongside the Notified Body's reference so that nothing is lost in translation.
With the summary list in hand you can group related non-conformities and identify single solutions that close several of them at once. It also lets you assign each non-conformity a planned solution and a named team member to action it, and track progress against the resubmission deadline.
Notified Bodies will give you a timeline for response and resubmission of your documents. Where you feel that you require more time to adequately address deficiencies, you should ask for an extension to the timeline early on.
If you’re still unclear about how to address non‑conformities, engaging expert support can be the most effective way to navigate the review process and achieve your UKCA or CE mark. Where issues are concentrated in a specialist area, a focused consultant may be appropriate (think Cyber Alchemy for cybersecurity deficiencies!). However, if non‑conformities reflect broader weaknesses across your technical file, Mantra Systems can rapidly assess deficiencies and establish an actionable recovery plan through a no-obligation call.