Surprise! More on unannounced audits, this time on software

Further to my recent posts on unannounced audits, I have been thinking about how unannounced audits could play out in an area that becomes more and more important: standalone software.

Software medical devices

The majority of standalone software under the medical devices directive falls in the scope of rule 12 of Annex IX of the MDD and is therefore subject to self-certification (so no notified body oversight and no unannounced audits).

However, there is also a growing group of higher risk software that is certified by notified bodies. This group is mainly comprised of software controlling or influencing the use of higher risk devices (implementing rule 2.3 of Annex IX of the MDD) or monitoring / providing direct diagnosis of vital physiological parameters (rule 10 of Annex IX of the MDD).

eHealth Law & Policy article

I wrote an article on the subject in the August 2014 issue of the journal eHealth Law & Policy, which I am happy to be able to provide to you now through my blog with the kind permission of the publisher. You can download the article as pdf here. If you like it, there is more similar quality content in that journal well worth your while.

Manage your crucials and criticals, also in software

As you will see in the article, managing your relations with external software developers is critical because they will almost always qualify as crucial suppliers or critical subcontractors, which your notified body may also audit unannounced. For more detail on how you should manage this relation and what should be in your contract with them, see here and here.

Especially in software development it is usually not top of mind to agree with your external developer that they should be able to accommodate an unannounced audit. Yet, you should really have that taken care of as manufacturer if you do not want to put the certificate for the software concerned at risk.

Any experience with unannounced software audits?

If you have any experience with unannounced audits of software I would be very interested to hear about it. The notified bodies I spoke to recently all said they had not concluded audits on software medical devices yet, but were planning them and were thinking about how to implement them.

