Threeqa / Guides / Your first technical file

Your first technical file, in the right order.

One device, a small team, no regulatory department. The technical file looks like a mountain of documents — but most of it is records you'll produce anyway, if you produce them in the right order. Here's the sequence that works, what must start on day one, and what can wait.

Written by the Threeqa founding team Last reviewed: June 2026 11 min read
The one mental shift

The file is a side effect of working correctly.

First-time manufacturers picture the technical file as a writing project that happens near the end. That picture is what costs teams their launch quarter. Nearly everything Annex II asks for — requirements, risk analysis, design information, verification results — is a record of decisions you make during development. Make the records as you decide, and the file assembles itself; decide first and document later, and you're paying twice for everything.

Teams that treat the file as a continuous output measure final assembly in weeks. Teams that start at the end measure it in quarters.
The eight steps

The sequence that works.

STEP 1
WEEK ONE

Write the intended purpose. Then classify.

One paragraph: what the device does, for whom, in what context. Every word becomes something to evidence — the claims, the clinical evaluation, the risk file all hang off it. Then classify against MDR Annex VIII with a documented rationale. Software teams: under Rule 11, software informing diagnostic or therapeutic decisions is at least Class IIa — Class I software is the exception. The class decides whether a notified body reviews your file, your timeline and your budget; settle it before you build.

STEP 2
WEEK ONE

Stand up document control before documents.

IDs, versions, an approval rule, a place where the current version of anything is unambiguous. It feels bureaucratic with five documents; it's survival with five hundred. Every later artifact — requirements, risk entries, test reports — cites these IDs for a decade, so this is the one piece of infrastructure that cannot be retrofitted painlessly.

STEP 3
EARLY

Baseline the requirements, in levels.

User needs in user language; system requirements as their measurable restatement; software/hardware requirements below. The levels are what make validation and verification provable later. Resist writing implementation notes as requirements — the 800-row flat list is the classic first-timer trap.

STEP 4
EARLY, THEN ALWAYS

Open the risk file with the design, not after it.

Hazard → hazardous situation → harm, per ISO 14971, starting from your earliest architecture sketches. Risk controls become requirements with a second parent, and the risk file keeps evolving with every design decision. A risk analysis written after the design is finished reads exactly like what it is — and reviewers have seen thousands of them.

STEP 5
CONTINUOUS

Develop under a lifecycle you can show.

For software, that's IEC 62304: a plan, a safety class with rationale, traced requirements, controlled SOUP, verification at every level. Most healthy engineering teams already behave this way — the gap is the controlled record, and it's much cheaper to keep as you go than to reconstruct from git history.

STEP 6
CONTINUOUS

Run the GSPR matrix as a living gap analysis.

Open the GSPR checklist early and fill it as evidence appears. Used this way it's a to-do list that tells you which testing and documentation you still owe while you can still plan for it. Used at the end, it can only report the gaps you no longer have time to close.

STEP 7
MID-PROJECT

Plan the clinical evaluation and PMS early.

The clinical evaluation (Article 61, Annex XIV) takes calendar time — literature work, possibly data collection — so its plan belongs in the middle of the project, not the end. The PMS plan (Annex III) is mandatory for every class and is mostly process description: cheap to write early, painful to fake later.

STEP 8
ASSEMBLY

Assemble the Annex II views, sign the DoC.

If steps 1–7 produced controlled records, assembly is exactly that: the device description chapter, the labeling set, the V&V summaries, the GSPR matrix export, each citing records at named versions. Then the Declaration of Conformity — the document where you, not your notified body, assert that everything above is true.

What can wait

Records can't wait. Prose can.

The useful triage rule: anything that is a record of a decision or a result — intended purpose, requirement rows, risk entries, test results, SOUP inventory — must be captured when it happens, under control. Anything that is a narrative view over records — the formatted device description, the executive summaries, the final matrix exports — can be produced late and cheaply, provided the records exist.

This is also the honest answer to "do we need a QMS tool from day one?" You need the discipline (IDs, versions, links) from day one. Whether a spreadsheet carries that discipline for your first year is a question of change volume — see the traceability guide for the symptoms that tell you it no longer does.

Costly mistakes

The five that cost first-timers the most.

  • Classifying by hope. Assuming Class I because it's cheaper, then discovering Rule 11 at the notified-body conversation. Months lost, sometimes an architecture rework.
  • An intended purpose that drifts. Marketing says more than the file supports; every added claim is unfunded evidence debt. One person owns the wording; everything cites it.
  • Retrofitted risk management. A risk file written in the last month satisfies the letter of nothing and the spirit of less. Reviewers spot it instantly.
  • Uncontrolled evidence. Test results in Slack threads, requirements in someone's head, three "final" versions of the IFU. If a record can't be cited by ID and version, it isn't evidence yet.
  • Treating CE marking as the finish line. Annex III makes the file a living obligation — PMS data flows back in for the device's lifetime. Budget for maintenance, not just for assembly.
FAQ

Common questions.

When should we actually start the file?
The day you commit to building a medical device. Not for the regulator's sake — for yours: the file's contents are records of decisions you're already making, and reconstructing them later is slower, costlier and visibly retrofitted.
Is our software really Class I?
Probably not. MDR Rule 11 puts software that informs diagnostic or therapeutic decisions at Class IIa or above — Class I software is the exception, not the rule. Settle classification early, in writing, against the Annex VIII rules.
How long does a first technical file take?
The writing is weeks; the evidence accumulates over the whole development. Run the file continuously and final assembly stays measured in weeks. Start at the end and you'll measure it in quarters.
Do we need consultants?
Two places outside help reliably pays: classification and regulatory strategy at the start, and clinical evaluation methodology. The structural discipline — requirements, risks, traceability, document control — your team should own, because you'll maintain it for the device's lifetime.
What's safe to leave for later?
Narrative views over records: the formatted chapters, summaries and matrix exports. What can't wait are the records themselves — requirements with IDs, the risk file, verification evidence at named versions. Records first, prose later.
Sources & further reading

Regulation (EU) 2017/745 (MDR), consolidated text — Annex VIII (classification), Annexes II & III (technical documentation), Article 61 (clinical evaluation).

MDCG guidance documents — in particular MDCG 2019-11 on the qualification and classification of software.

Get started

Start the file on day one.

Threeqa gives a one-product team the structure from step one: controlled requirements, a living risk file, traced evidence — so the technical file is assembled continuously, not excavated at the end. Book a 30-minute walkthrough.

Book a demo Talk to a regulatory engineer