Skip to main content

EN

Join us at Kista Entré Konferens in Stockholm, Sweden, on May 12th for the morning seminar "Your Medical Device Development - death by documentation?" 

“Writing documents and putting them into binders does not sound like rocket science.”

Nevertheless, many of us have experienced how documentation and traceability according to ISO 13485 and FDA QSR 820 turns into both a complex and cumbersome activity. Surprisingly enough, as long as regulatory demands are met, the documentation process itself is seldom scrutinized for efficiency improvements.

This seminar highlights how great savings can be made in this area. We uncover bad documentation practices, their consequences, and potential remedies with the intent to make the medical device documentation process more efficient.

This event is a cooperation with Qadvis. Event details can be found here.

Looking forward to seeing you there!

There was standing room only when Mr. Robert Ginsberg, CEO of Qadvis and co-author of IEC 62304, and his team presented best practices and lessons learned at Marriott Courtyard Hotel in Zürich on March 31st.

Ginsberg's session addressed common questions arising from medical device manufacturers' attempt to implement the harmonized standard IEC 62304 "Medical Device Software".

"Even though many IEC 62304 issues are context dependent, there are a few persistent problems that I come across time and again.", says Mr. Ginsberg.

Not enough focus on Software Quality - manufacturers tend to stare themselves blind on the documentation required for IEC 62304 and subsequently lose focus on the intended goal of the standard, namely to increase software quality."

Lost traceability - we keep detecting gaps in the traceability during the audits we perform, particularly regarding how risk control measures are implemented as software requirements and how they are subsequently verified. Traceability is an immensely complex task to manage as the project evolves and I highly recommend using software support tools available to handle this activity."

No connection from the field to R&D - I can't stress this enough: post-market surveillance is one of the main focuses of the regulation. It is an incredibly important indicator on how the software is actually performing. Still, it is also one of the most neglected aspects of the software life cycle. Post-market data contains a virtual goldmine of opportunities for increased software quality and should be properly addressed."

Non-value added activities to fulfill IEC 62304 - The standard is not about producing alibi-documentation, it is about increasing software quality. In one "agile" firm I worked with, the detailed design was extracted from the existing code base after the coding was complete, using a software UML extractor. But documenting the detail design in such a matter provides no added value to the software quality whatsoever."

Too shallow risk management - Risk management is not an administrative activity to make Notified Bodies happy. It is the driver of improved software safety and quality. Therefore, to be able to improve safety, the depth of the analyses needs to increase. 

Mixup of concepts - the terms 'SW validation' (as defined e.g. by AAMI:TIR 36), 'product validation', and 'product verification' do not denote the same thing and these terms can therefore not be used interchangeably. IEC 62304 is not concerned with any types of validation activities. Do be clear vis-a-vis the auditors, formally define the terms as you intend to use them, and apply them consistently within the company and in your documentation.

Too strict interpretation of segregation - There is this note in IEC 62304 that indicates that the only possible segregation of items is to execute them on separate hardware. This is not entirely true. Soft segregation on a functional and/or logical level can be entirely appropriate depending on the risk the segregated items expose. The main point is that your segregation must be well-argued, proven to be effective, and documented.

Using system-level testing as a risk control measure - testing is by most notified bodies no longer accepted as a risk control measure. An RCM should result in a new SW requirement which in turn is verified.

No metrics supporting the process - having no metrics showing how well your software performs, might lead to unconstructive arguments with your auditor about the true level of safety your software retains. It is my advice to define and use performance metrics to support your case of having developed a high-quality software and in particular, make use of the available field data."

"This is by no means an exhaustive list but, as I mentioned, I see these issues a lot and I think the effort needed to address them is relatively cost-effective. Should you have any further questions, I'd be happy to address them afterward.", Mr. Ginsberg concludes.

The Aligned team presentation, with a focus on the documentation tasks required by IEC 62304, addressed the issue of conceptually connecting the software architecture and the risk management in the development documentation.

By using a concrete example, Aligned demonstrated how a Preliminary Hazard Analysis as a risk assessment could be used in their medical device ALM software "Aligned Elements" to not only fulfill the traceability requirements of IEC 62304 but also successfully connect the software architecture with existing risk assessments.

The seminar was concluded with a host of interesting and constructive discussions among the participants at the subsequent lunch buffet supplied by Marriott.

Medyria is a Swiss Medtech startup that engineers technologies for endovascular catheter navigation and sensing.

Medyria’s core technology is a sensor-based system, called Flowcath, to measure blood flow and revolutionary technology for processing flow data and tracking catheters called Trackcath. The combination of these two technologies creates a set of tools that will redefine how physicians navigate and track catheters during minimally invasive surgical procedures. The technology in its first application provides contrast-dye-free precise catheter guidance for stent placement.

Medyria

Medyria has won a number of awards for its scientific development work. Medyria is using Aligned Elements for managing their medical device-related development documentation management.

Find out more about Medyria here.

Having questions on how to apply and implement IEC 62304 in your company?

Join us as Robert Ginsberg, one of the co-authors of "IEC 62304 Medical Device Software - Software Life Cycle Processes" reveals the initial intent, best practices and lessons learned of this software standard.

In this half-day seminar, we will address the practical challenges of implementing IEC 62304 in medical device software development.

Key Learning Objectives:

  • IEC 62304: best practices and lessons learned
  • IEC 82304: how will it fit in next to other standards
  • IEC 62304 Amendment 1: key changes and their consequences
  • Software risk management, architecture, and software safety classification: bringing it together

Take the opportunity to confront a co-author of IEC 62304 with your own thoughts and questions.

A 30% Earlybird discount applies to all registrations made before March 1st!

When: Tuesday, March 31st, 08:30 - 13:00

Where: Hotel Marriott Courtyard Oerlikon, Zurich (directions)

Price: 250 CHF  (Note! 30% Earlybird discount for registrations before March 1st)

Register here!

Hosted by: Qadvis / Aligned AG

Presented by: Robert Ginsberg CEO, Qadvis, co-author of IEC 62304 and Anders Emmerich, CEO, Aligned AG

ESCATEC is a provider of electronic and mechatronic design and manufacturing services with facilities in Switzerland and Asia.

The company provides local R&D and support throughout Europe backed up by low-cost volume manufacturing in Asia. ESCATEC is one of the few companies in the world providing an integrated contract design and manufacturing service with a certification to Class I, Class IIa, Class IIb, and Class III medical devices.

Excatec

ESCATEC has recently added EMC testing capabilities to its portfolio to better serve their customers' needs throughout the entire R&D process.

ESCATEC is using Aligned Elements for managing their medical device-related development documentation management.

Find out more about Escatec here.

70Percent

Meet us at Medtec Europe on Thursday, June 5th this summer.

Our co-worker Karl Larsson speaks about "Test and V&V Plan Execution and documentation of test reports" at Track B between 15:00 and 15:45 in the context of "Risk, Quality, and Validation".

More information under this link.

Join us as we reveal some of the hard-learned best practices of medical device development on Tuesday, March 4th.

Together with Emenda, Aligned AG presents this half-day seminar at Marriott Courtyard Oerlikon on how improvements in testing and development documentation will make a significant positive impact on your medical device development process.

The presentations for the seminar are available for download below:

 > Emenda - FDA Software Development: bottlenecks and challenges

 > Aligned - Design History File Bad Practices

 > Aligned - Automated Design History File Management

Biocartis, a medical device manufacturer and developer of the PCR platform Idylla, has chosen Aligned Elements to manage the Design History File.

Idylla is a compact and scalable molecular diagnostics platform that allows assays to be performed anywhere, anytime without the need for a specialist laboratory environment and trained technicians.

IdyllaTM rapidly detects biomarkers in cancer samples, amongst other clinical patient samples, with much higher sensitivity as compared to standard diagnostic assays and standard sequencing.

Find more information about Biocartis here.

  • Written by

  • on

  • . Posted in

If you're a medical device manufacturer preparing for MDR compliance or FDA approval, chances are you've already wrestled with the beast known as the Technical File. Whether you're aiming for a CE Mark, submitting for FDA Approval, or maintaining your Design History File, the stakes are high, and the pitfalls are real.

This article breaks down the five most common problems manufacturers face when compiling their Technical Documentation, and offers practical, actionable advice to help you avoid them. Based on insights from top regulatory consultants and notified bodies, this guide is designed to be more helpful than the usual checklist, style posts. 

Let’s dive in.

1. Inadequate or disorganized Documentation

One of the biggest traps manufacturers fall into is assuming that “having the documents” is the same as being compliant. In reality, regulators don’t just care that you have the information, they care that it is complete, consistent, and logically structured. You might have all the right content, but if it’s buried in a maze of folders or inconsistently formatted, it becomes a problem.

Imagine an FDA reviewer trying to confirm your device’s intended use only to find three slightly different versions across three separate documents, or a notified body assessor giving up after scrolling through 1400 pages of an unindexed PDF.

Notified bodies and FDA reviewers expect clear, organized, and searchable documentation. For MDR, Annex II and III explicitly require this, and reviewers won’t dig through your files to find what they need.

Common symptoms:

  • Missing or inconsistent device descriptions
  • Poor document version control
  • Scattered or duplicated information / documents

Fix it:

  • Use a structured STED, check with your Notified Body if they recommend a particular one
  • Implement document control systems with traceability
  • Use a Design Control tool to manage reoccurring texts, such as Intended use and other parts of the Device Description

Remember: Your Technical Documentation isn’t just a formality, it’s your regulatory proof of safety and effectiveness. If reviewers can’t follow the story, they won’t sign off on the ending.

2. Weak Risk Management Integration

Risk management shall not be treated as a “binder exercise” created once during design and then filed away. Regulators expect risk management to be a living process permeating the design, fully aligning design, verification, usability, cyber security and clinical evidence.

Avoid submitting risk files that read like theoretical paperwork with little connection to how the device is actually used in the real world. As a bad example, a catheter manufacturer may list “tip breakage” as a hazard, but the clinical evaluation and V&V testing make no reference to how breakage risks were verified or mitigated. Or software documentation may claim cybersecurity risks being mitigated but provide no verification evidence of penetration testing or post-market surveillance updates.

ISO 14971 requires continuous risk evaluation, yet in practice, risks are rarely updated when design changes occur or when new field data emerges. When notified bodies or FDA reviewers see risks that don’t align with usability data, labeling, or design outputs, they quickly conclude that the risk management process is superficial.

Risk management is not a standalone FMEA document, it must be woven into the fabric of the entire Technical File. 

Common issues:

  • Risk analysis not reflecting real, world use
  • No traceability between risks and design changes
  • Incomplete hazard identification

Fix it:

  • Align risk management with ISO 14971 and clinical evaluation
  • Use one or more structured Hazard identification methods and update risk files with post, market surveillance (PMS) data
  • Use traceability tools to link risks to mitigation

3. Poor Traceability

Traceability is the regulator’s map to understand how your device moved from concept to clinical reality. Without it, the coherence to the story of your carefully laid-out design work is broken.  Are you familiar with situations like incomplete connections between risk mitigations and verification evidence: the file may list “risk of overheating mitigated by thermal cutoff,” but there’s no test showing the cutoff works across all device variants?

For FDA, these traceability gaps are red flags that the design process is not under control. For MDR, they can trigger a major finding under Annex II requirements. In one real case, a Class II manufacturer was delayed by nine months because their verification reports couldn’t be traced to the correct device configuration, making it impossible to prove the tested version matched the one in the submission.

For FDA submissions, traceability is critical. It must show a logical flow from user needs to design inputs, outputs, verification, and validation. Without it, regulators will assume the worst: that your design is uncontrolled, your risk mitigations are paper product, and your device may not be safe. 

    Common pitfalls:

    • Missing traces between design inputs and outputs
    • Missing traces between design input / output and tests
    • Missing traces between design inputs and risks as well as mitigations and design inputs

    Fix it:

    • Establish the expected traceability matrices early
    • Use traceability tools with automatic trace checking
    • Audit your traceability for completeness before submission

    Remember: Traceability isn’t optional, it’s the backbone of your design integrity, driving the design forward.

    4. Insufficient Clinical Evaluation and PMCF Planning

    Under the MDR, clinical evaluation has shifted from being a one-time hurdle to being an ongoing, evidence-driven process. Unfortunately, many manufacturers still treat it as a formality, dusting off old literature reviews or relying on shaky equivalence claims.

    A classic mistake is submitting a Clinical Evaluation Report (CER) with outdated studies on a comparator device that is no longer on the market, or with no access to the full data sets behind published literature. Notified bodies are increasingly rejecting these “paper exercises,” especially when the technical, biological, and clinical equivalence is not solid.

    Even worse, many companies overlook Post-Market Clinical Follow-up (PMCF) planning, assuming that general PMS activities will suffice. But MDR Article 61 requires PMCF to actively confirm safety and performance in the real world.

    For instance, a company marketing an orthopedic implant with only pre-market data and no plan for long-term follow-up studies, risks having their CE certificate pulled at the first surveillance audit. Regulators want to see a continuous loop of data collection, analysis, and risk reassessment. If your clinical evaluation looks static or generic, you are signaling that your device may not withstand real-world scrutiny.

    Common mistakes:

    • Outdated or generic Clinical Evaluation Reports (CERs)
    • No Post Market Clinical Follow-up (PMCF) plan available
    • Reliance on literature without access to full comparator data

    Fix it:

    • Conduct systematic literature reviews and clinical studies
    • Develop robust PMCF plans with measurable objectives
    • Justify equivalence with technical, biological, and clinical data

    5. Verification and Validation Gaps

      Verification and validation are supposed to be the cornerstone of your Technical File: the hard evidence that proves your device is safe and effective. Yet, time and again, submissions are undermined by V&V documentation that is fragmented, incomplete, or outdated.

      Common scenarios include test reports that summarize results in a few bullet points with no raw data, missing details about which device version was tested, or reports from third-party labs with no accreditation information.

      For example, a notified body once rejected a submission for a surgical instrument because the sterilization validation was performed on an earlier prototype, not the final production version. Another manufacturer faced FDA scrutiny because their biocompatibility reports didn’t specify which device configuration was actually tested, leaving reviewers unsure whether the evidence applied to the marketed product.

      If your reports don’t clearly show test conditions, acceptance criteria, and results, they will not just delay your submission; they can cast doubt on whether your device is truly ready for patients. 

      Common issues:

      • Abbreviated or partial test reports, not stating who did the test, when it was made or which version of the test case that was executed
      • No linkage to device configurations, leaving unclear which version and/or variant of the device was actually tested
      • Lack of accreditation details for external labs

      Fix it:

      • Include full test reports clearly stating which version of the device was tested, who tested in and time of test execution
      • Conduct early research on which external labs to engage, evaluate their accreditation and book your slot early

      Your Technical Documentation isn’t just a formality, it’s your regulatory proof of safety and effectiveness.

      Quick Checklist to Avoid These Pitfalls

      Here’s a quick reference to help you stay on track:

      • Structure your Technical File
      • Align risk management with ISO 14971 appropriately
      • Maintain traceability across all Design Controls 
      • Back clinical evaluations with real data and PMCF plans
      • Provide complete, accredited V&V documentation

      Final Thoughts

      Creating a compliant Technical File isn’t just about ticking boxes, it’s about telling a coherent, evidence, based story that proves your device is safe, effective, and ready for market. Whether you're pursuing CE Marking under MDR or FDA Approval, avoiding these five common problems will save you time, money, and headaches.

      Need help managing your Technical Documentation? Reach out to the experts at Aligned who specialize in software to bring your technical documentation to the next level.  Because in this industry, getting it right the first time isn’t just ideal, it’s essential.

      About the Author
      [rocket]

      Accelerate your journey to CE Mark and FDA approval

      Try aligned elements 30 days for free!

      Start Today

      Continue reading

      {fastsocialshare}


      After not releasing the 2019 edition, the 2021 release was also officially cancelled in May this year.

      This implies that IEC 62304:2006 + Amd1:2015 is still the most current and official version of the standard. Even if the last two attempts failed, this doesn’t mean that we cannot learn for the future. Sooner or later there will be a new edition of IEC 62304, just wait and see! Let's take a look at the proposed changes in the Version 2 that we will not be able to enjoy, given the cancellation.

      New extended Scope

      The older (IEC 62304:2006 + Amd1:2015) version was, as the title already implies, “Medical Device software – Software life-cycle processes, targeted for Software for Medical devices. The Version 2.0 title implied an enlarged scope to include any Health software, thus the proposed new name, ‘Health Software - Software life cycle processes’.

      The scope boundaries are clarified by Figure 1:

      pic1Figure 1 – HEALTH SOFTWARE field of application


      Any software-only medical device, is still regulated by IEC 82304-1:2016, but the whole sector of health devices would then have been covered by IEC 62304 Version 2.
      Some examples to these categories:

      1. Software as a part of a medical device: software that is an integral part of a device, such as an infusion pump or dialysis machine.
      2. Software as part of specific health hardware: patient wristband software, healthcare software, health app on specific wearable hardware (i.e. watch, wristband, chest band).
      3. Software as a medical device (SaMD): software that is itself a medical device, such as a software application that performs diagnostic image analysis for making treatment decisions.
      4. Software-only product for other health use: hospital information systems, electronic health records, electronic medical records, mobile applications running on devices without physiologic sensors or detectors, software as a service, i.e. software executed in an external environment, providing calculation-results that fulfil the definition of a medical device.

      Software Safety Class is now Software Process Rigor Level

      IEC 62304 has taught us to work with a Safety Classification for the Software system or parts of the Software system. In the proposed draft of Version 2, this would in the future change towards classifying the process needed to develop the Software system. The 2021 edition calls this Software process rigor level. This is intended to be the first activity in any software project. To perform a risk analysis on the software’s intended use worst-case scenarios to upfront detect and determine what process rigor to use.

      The purpose of the software process rigour level is to determine the required rigour of the software processes prior to their start.

      The classifications would still be:

      A - Any software system failure cannot contribute to a hazardous situation leading to injury or death and considering external risk control measures, no risk controls are needed within the software system to reduce the risk of the hazardous situation.

      B - A software system failure can contribute to a hazardous situation which results in non-serious injury.

      C - When A or B does not apply. I.e. For serious injuries or death.

      The proposed decision flow is described in Figure 2:

      pic2

      Figure 2 - Assigning software process rigour level


      Now, the new approach has actually a big resemblance to how many companies have tried to tackle the challenge of finding a suitable Safety class. The most common approach that we have seen is that the complete system is labelled as A, B or C. Only rarely do we see different classifications used within the same development project. The classification system should in theory give us the possibility to gauge the documentation effort according to the risk posed by a particular part of the software, i.e. it is a system that should save us time and effort on the documentation level. So why not using it? The excuses we have comes across often lands in one of the following three categories:

      1. the effort of disentangling a software architecture that works great technically into an architecture that would isolate risky parts for "the sake of IEC 62304" is "not worthwhile"
      2. the effort of documenting the argumentation of why some parts are less risk is not worth the effort   
      3. all parts of the software genuinely belongs to the same risk class 

      The possibility of using different rigour levels for different parts of the software system is still part of the proposed V2 draft, as are all the well-known decomposition levels ‘SW Item, SOUP, SW Unit and Detailed Design’. As we have got used to it from the 2006 + Amd1:2015 edition, you need to argue with some means of segregation between SW Item to assign different levels of rigour in the development process.

      So why did IEC 62304:2021 fail?

      How is it possible to work for so long on an update only to finally cancel its publishing? It is, honestly, the first time I ever hear of such a cancellation. How bad must the result have been to end up in the dustbin? For an in depth explanation, one of the committee members presents his view on the events that led to the cancellation in this article.

      Mr. Kaestner later also published a poll on whether the software safety classifications should be deleted from the standard as a whole. A whopping 66% of the voters were happy to keep the Software Safety Classifications as they exist today, which is on the whole a proof that the community values a risk-based approach to medical device software development.