Surprise! More on unannounced audits, this time on software

Further to my recent posts on unannounced audits, I have been thinking about how unannounced audits could play out in an area that is becoming more and more important: standalone software.

Software medical devices

The majority of standalone software under the medical devices directive falls in the scope of rule 12 of Annex IX of the MDD and is therefore subject to self-certification (so no notified body oversight and no unannounced audits).

However, there is also a growing group of higher risk software that is certified by notified bodies. This group is mainly comprised of software controlling or influencing the use of higher risk devices (implementing rule 2.3 of Annex IX of the MDD) or monitoring / providing direct diagnosis of vital physiological parameters (rule 10 of Annex IX of the MDD).

eHealth Law & Policy article

I wrote an article on the subject in the August 2014 issue of the journal eHealth Law & Policy, which I am happy to be able to provide to you now through my blog with the kind permission of the publisher. You can download the article as pdf here. If you like it, there is more similar quality content in that journal well worth your while.

Manage your crucials and criticals, also in software

As you will see in the article, managing your relations with external software developers is critical because they will almost always qualify as crucial suppliers or critical subcontractors, which your notified body may also audit unannounced. For more detail on how you should manage this relation and what should be in your contract with them, see here and here.

Especially in software development, it is usually not top of mind to agree with your external developer that they should be able to accommodate an unannounced audit. Yet you should really have that taken care of as manufacturer if you do not want to put the certificate for the software concerned at risk.

Any experience with unannounced software audits?

If you have any experience with unannounced audits of software I would be very interested to hear about it. The notified bodies I spoke to recently all said they had not concluded audits on software medical devices yet, but were planning them and were thinking about how to implement them.
