Unannounced notified body visits recommendation imminent – amend your contracts and procedures now!

RecommendationWhile everybody is running around about the MDR and IVD regulations proposals another storm is brewing in the wings: unannounced audits, which I announced earlier. Currently notified bodies “may” do unannounced audits under the EU medical devices rules. Now they will be required to do a minimum amount of unannounced audits. Required? Yes, EU member states may require this as condition for accreditation of the notified bodies. Will they? Most certainly. Some have already started to require notified bodies to do unannounced audits already now, as a straight consequence of member state action requested by the Commission pursuant to the Commission’s Dalli market surveillance action plan. With all the political turmoil about EU medical devices regulation underperforming in the safety department, it is not an option for a member states to refrain from increasing market surveillance. If they can actually afford to – but that’s another discussion, because what has two thumbs and will be picking up the bill for unannounced audits? Correct: the manufacturer. As you will see below, member states are already planning to use notified bodies to indirectly inspect manufacturers for them.

I have puzzled together some information that gives you a look under the hood of the impending Commission Recommendation that we already had on the horizon. I also benefited a great deal from the insights of Gert Bos of BSi, one of the persons that really knows what is going on in devices regulation in Europe, that he presented at the MD Project event on 25 March in the Netherlands.

Timing and status

We know that the Commission Recommendation is almost finished, with an anticipated release date somewhere in May 2013. The release will concur with the anticipated Commission decision on the designation of notified bodies. The document is in version 18 now and has reportedly been approved by the service juridique (legal service) of the European Commission, so it is more or less in final form. It will be immediately applicable when published, which will trigger applicability of the unannounced audits section in the notified bodies code version 3.0 (more about that below). The instrument of a “recommendation” is a first in medical devices world, because none of the current guidance documents has this status. A recommendation is more ‘law’ than MEDDEV and carries far more political weight, because a MEDDEV is a consensus statement of the member states of the European member states’ authorities and a recommendation is issued by the Commission itself aimed at harmonising member state practice.


The recommendation has two goals:

  • consistent application of conformity assessment
  • laying down general principles for unannounced audits and inspections

The document has three annexes. Annex I applies to audits where the manufacturer applied for design dossier examination or type examination. Annex II applies to audits where the manufacturer applied for quality system assessment. Annex III concerns unannounced audit methods and methodology.

Annex I: design dossier / product assessment

This annex contains 7 points, of which some are new:

  • Notably new: the notified body should review if there is an up to date and complete tech file for all variants and trade names of device (compared to the current usual question: does the documentation produced by the manufacturer check out?). The notified body should do verification of products, e.g. by means of taking and testing products on manufacturer’s costs. It will be big fun when a notified body schlepps off an entire MRI unit and bills you for it, and this is not a hypothetical possibility -said Gert.

Annex II: Quality system

18 points, points 15-18 new:

This annex reflects a strong suspicion towards outsourced elements in supply chain. More specifically notified bodies are to refrain from working with manufacturers unless they receive access to all critical subcontractors and crucial suppliers (and, consequently, to all sites where the devices or its crucial components are produced) regardless of length of contractual chain between manufacturer and subcontractor or supplier. Manufacturers are to integrate their subcontractors’ QMS in their own as much as possible. You can imagine how nice this will be for subcontractors that produce for several manufacturers. The Commission wants Own Brand Labeling to end (piggybacking on other parties’ certificates). OBL is not acceptable in the eyes of the Commission if the OBL does not have full access to all documentation relating to the reference device. In my experience the supply chain contracts that regularly cross my desk are completely unprepared for this.

Annex III: principles of unannounced audits of manufacturers and subcontractors

5 points:

  • al least every 3 year unannounced audit
  • critical subcontractors or suppliers can be visited (make sure you amend contracts – inability to visit subcontractor or critical supplier is ground for immediate revocation of certificate)
  • production sample checking (file review and witness test – or take sample and outsource test on manufacturer if on site test not possible)
  • high risk devices – sampling logical for spot tests
  • activity on-going at time of audit will be audited

The manufacturer must always be ready to accommodate a notified body unannounced audit, also at third parties such as subcontractors and critical suppliers. As a notified body already commented at the RAPS conference last year: as soon as you start your production you must be ready for unannounced audit; if you are not, don’t start production. Supply chain parties must make this possible and account for it in their contracts. If they do not, there is no excuse and the notified body will issue a major nonconformity. In case of limited production runs, the notified body must know when the runs are to be able to show up unexpectedly. The manufacturer pays for notified body for local security measures required, for example body guards.

Member states are free to require application of the recommendation of their notified bodies – and they will in practice because of the pressure put on them in the Dalli action plan.

The recommendation requires that a notified body must establish secret audit plan for manufacturers. Notifed bodies are presently meeting regularly to compare notes on best practice and what works and does not between themselves in unannounced audits.

Notified body code v. 3.0; entry into force of recommendation and code

The new notified body code v 3.0 announced part enters into force immediately upon entry into force of the recommendation, which we already saw coming. The recommendation will enter into force upon publication, as far as I know – NO transitional period. The code has important language on risk management for audit frequency, and I have discussed that before here. It also contains a heading for devices that are often non-compliant – more visits. Gert informed us that authorities are now starting to use notified bodies as extension more and more: they tell notified bodies where to do an unannounced visit if they see spikes in trending of complaints.


Better start preparing pronto by writing procedures and amending those agreements in your supply chain, because as Gwen Stefani sings: “this sh*t is bananas”. And it will hit the fan this May – less than two months! – with no transition period. That just goes to show the political pressure behind all of this. Questions? I’m here.

Navigate through our knowledgebase

Related articles


The German angle

After having contributed to the improvement of medical devices legislation in many ways over the years (most recently by helping the European Parliament to come up with an initiative for targeted amendments…

Read more


Happy 26 May 2024!

The MDR and IVDR are now in force for seven (7) years, and they are not in good shape. I think it is safe to say that they did not deliver on…

Read more


A case of so-called fiscal neutrality

Sometimes you come across cases that violate Mandalorian Creed: “One does not speak unless one knows.”. This happened to me last week when I read the Dutch Supreme Court’s judgment in a…

Read more