A notified body review of your biological evaluation documentation is not a pass/fail exam with a single correct answer. It is a structured assessment of whether your documentation demonstrates, with adequate specificity and traceability, that the biological risks of your device have been identified, evaluated, and reduced to an acceptable level within your risk management framework.
This article covers what notified body reviewers typically focus on, what preparation looks like in practice, and how to identify and address weaknesses in your package before submission.
Understand what the reviewer is evaluating
The notified body reviewer is not primarily checking whether you performed the correct tests. They are assessing whether your biological evaluation tells a coherent story: from hazard identification through risk assessment to risk control, with each conclusion supported by referenced evidence.
Under the EU Medical Device Regulation (EU 2017/745), the biological evaluation is part of the broader technical documentation assessed during conformity assessment.1 Medical Device Coordination Group (MDCG) guidance documents, while not legally binding, are treated as authoritative by notified bodies, and failure to address MDCG recommendations can result in findings.2
The reviewer will typically evaluate your documentation across several dimensions: whether required sections are present and complete, whether the rationale within each section is specific and supported, whether conclusions reference the data they rely on, and whether the biological evaluation is traceable to the risk management file.
Start with internal consistency
The single most productive pre-submission exercise is checking your documentation for internal consistency. This means verifying that statements made in one document do not contradict statements in another, and that conclusions in the BER are supported by data referenced in the same document.
Common consistency failures include a BEP that identifies endpoints for evaluation that are not addressed in the BER, a chemical characterization section that identifies extractable constituents that do not appear in the toxicological risk assessment, and a risk management file that lists biological hazards not referenced in the biological evaluation report.
These cross-document inconsistencies are among the most common deficiency findings and are often the easiest to fix, yet they persist because each document is frequently written or updated at a different time, sometimes by different authors.
Practical step: Create a simple cross-reference table that maps each biological hazard identified in your risk management file to the corresponding section of your BER where it is addressed, and to the specific data (test report, literature reference, or risk assessment) that supports the conclusion. If any cell in the table is empty, you have a traceability gap.
Verify your BEP is current
The biological evaluation plan is the first document many reviewers examine because it establishes the framework for everything that follows. A BEP that references outdated categorization schemes, omits required evaluation areas, or does not align with the BER that was actually written is an immediate signal that the documentation may not have been systematically planned.
For teams that have not yet updated to the 2025 revision, this is a critical area. ISO 10993-1:2025 restructures device categorization significantly, replacing the single Table A.1 with four separate tables organized by contact type.3 A BEP that still references the 2018 categorization scheme may be flagged, particularly as notified bodies begin applying 2025 expectations.
The BEP should also address foreseeable misuse, which is a new requirement in the 2025 standard. If your BEP does not include a section on foreseeable misuse and its biological safety implications, reviewers applying the 2025 framework will note the omission.
Strengthen your toxicological risk assessment
The TRA under ISO 10993-17 is where reviewers spend the most time, because it is where the scientific argument for safety is made. A strong TRA identifies each chemical constituent of concern from the extractable and leachable data, cites tolerable exposure or tolerable intake values from recognized toxicological sources, calculates margins of safety, and reaches a conclusion that is specific to the substances and exposure conditions relevant to the device.
A weak TRA makes general statements about material biocompatibility without substance-specific analysis. It may reference "generally recognized as safe" materials without identifying which specific constituents were evaluated, or it may calculate margins of safety for some identified substances but not others. The FDA has specifically noted that risk assessments should include documented health-based endpoints such as NOAEL, TI, TE, and MOS calculations.4
If your TRA was written before ISO 10993-17:2023 was published, review it against the current edition. The 2023 revision introduced updated methodological expectations that reviewers are now applying.5
Check your risk management integration
ISO 10993-1:2025 explicitly frames the biological evaluation as part of the ISO 14971 risk management process. The standard adopts the terminology of "biological hazard," "biologically hazardous situation," and "biological harm," establishing a direct parallel with the risk management vocabulary.3
In practice, this means your biological evaluation documentation should not exist as an isolated set of documents. The BER should reference specific entries in your risk management file. Biological hazards identified in the evaluation should appear as line items in the risk analysis. Risk control measures documented in the risk management file should be traceable back to the biological evaluation that identified the hazard.
If your biological evaluation and risk management file were developed independently, or if they reference each other only in general terms, this is an area to strengthen before submission. The gap between "we have a risk management file and we have a biological evaluation" and "our risk management file and biological evaluation are explicitly integrated" is exactly what reviewers are looking for.
Address the 2025 transition explicitly
If your documentation was originally written against ISO 10993-1:2018 and has not been updated for the 2025 revision, consider addressing this proactively rather than waiting for the reviewer to raise it.
The transition from 2018 to 2025 involves more than editorial changes. New requirements include foreseeable misuse documentation, restructured device categorization tables, stronger risk management integration, and a revised framework for biological equivalence. A package that was fully compliant under 2018 may have significant gaps under 2025.
Running your existing documentation through a structured gap analysis against the 2025 standard provides a clear picture of what needs to change. This can be done using an internal checklist, an external consultant, or a structured evaluation tool. The important thing is to identify and address the gaps systematically rather than discovering them during the notified body review.
Review your supporting evidence
Every conclusion in your BER should be traceable to a specific piece of supporting evidence: a test report, a published study, a chemical analysis, or a documented risk assessment. Reviewers will follow these references, and missing or incorrect references undermine the credibility of the entire document.
Common issues include references to test reports that are not included in the submission package, citations to outdated literature that has been superseded by more current data, and conclusions that reference "internal data" or "company records" without sufficient documentation to allow the reviewer to evaluate the underlying evidence.
Before submission, verify that every referenced document is included in the package, that test reports are complete (including raw data where required), and that literature references are current and directly relevant to the claims they support.
Prepare for questions, not just review
A well-prepared submission is not one that avoids all questions. It is one where the answers to foreseeable questions are already documented in the package. Reviewers will always have questions about judgment calls: why certain endpoints were excluded, why a particular comparator device was selected for equivalence, why a specific extraction condition was chosen over an alternative.
The most effective way to prepare for these questions is to ensure your documentation includes the rationale for your decisions, not just the decisions themselves. A BEP that states "cytotoxicity testing was not performed" will generate a question. A BEP that states "cytotoxicity testing was not performed because existing test data from [referenced report] conducted under [specified conditions] adequately addresses this endpoint for the device's intended contact duration and tissue type" may not.
The audit preparation principle: Reviewers do not penalize judgment calls. They penalize undocumented judgment calls. If you made a decision, write down why you made it.
Pre-submission review options
Before your documentation reaches the notified body, running it through a structured review process significantly reduces deficiency risk. This can take several forms: an internal peer review by someone who did not write the documentation, an external consultant engagement, or a structured evaluation tool that checks for completeness, unsupported claims, and cross-document consistency.
For a detailed comparison of these approaches, see 3 ways to review your ISO 10993 package before submission.
The most effective approach combines at least two of these methods. A structured evaluation tool catches the consistency and completeness issues systematically, while an expert review addresses the scientific judgment questions that require human evaluation. Together, the documentation that reaches the reviewer is stronger than either approach alone. request a gap analysis to try BioEvalPro on your next package, or get in touch if you have questions about what the tool covers.
1 Regulation (EU) 2017/745 of the European Parliament and of the Council (Medical Device Regulation), Annex II: Technical Documentation, and Annex XIV: Clinical Evaluation and Post-Market Clinical Follow-Up.
2 EU MDCG Guidance Documents, available at health.ec.europa.eu
3 NAMSA, "ISO 10993-1:2025 Updates: Top 10 Biological Evaluation Essentials in the Revision," October 2025. namsa.com
4 FDA Guidance, "Use of International Standard ISO 10993-1: Biological evaluation of medical devices, Part 1: Evaluation and testing within a risk management process," updated 2023. fda.gov
5 ISO 10993-17:2023, "Biological evaluation of medical devices, Part 17: Toxicological risk assessment of medical device constituents."
You just read what notified bodies look for. Now check whether your package holds up.
BioEvalPro evaluates your documentation against the same patterns reviewers scrutinize: missing rationale, unsupported conclusions, and traceability gaps between your BEP, BER, and risk management file.