Surprise! More on unannounced audits, this time on software

Further to my recent posts on unannounced audits I have been thinking about how unannounced audits could play out in an area that becomes more and more important: standalone software.

Software medical devices

The majority of standalone software under the medical devices directive falls in the scope of rule 12 of Annex IX of the MDD and is therefore subject to self-certification (so no notified body oversight and no unannounced audits).

However, there is also a growing group of higher risk software that is certified by notified bodies. This group is mainly comprised of software controlling or influencing the use of higher risk devices (implementing rule 2.3 of Annex IX of the MDD) or monitoring / providing direct diagnosis of vital physiological parameters (rule 10 of Annex IX of the MDD).

eHealth Law & Policy article

I wrote an article on the subject in the August 2014 issue of the journal eHealth Law & Policy, which I am happy to be able to provide to you now through my blog with the kind permission of the publisher. You can download the article as pdf here. If you like it, there is more similar quality content in that journal well worth your while.

Manage your crucials and criticals, also in software

As you will see in the article, managing your relations with external software developers is critical because they will almost always qualify as crucial suppliers or critical subcontractors, which your notified body may also audit unannounced. For more detail on how you should manage this relation and what should be in your contract with them, see here and here.

Especially in software development it is usually not top of mind to agree with your external developer that they should be able to accommodate an unannounced audit. Yet, you should really have that taken care of as manufacturer if you do not want to put the certificate for the software concerned at risk.

Any experience with unannounced software audits?

If you have any experience with unannounced audits of software I would be very interested to hear about it. The notified bodies I spoke to recently all said they had not concluded audits on software medical devices yet, but were planning them and were thinking about how to implement them.

Current and mostly future UDI developments in the EU

I gave a presentation on current and future developments in UDI at the RAPS 2014 conference in Austin last week, sitting on a panel on global developments in UDI with presentations on developments also in the US and China.

This will be a short post on the subject of UDI, because most of the information will be in my presentation, which you can view right here:

As you can see in the presentation and by way of summary, the EU is not doing a lot presently pending the medical devices regulations revision process (which will feature UDI) except undertaking efforts to make sure that the individual member states do not go out on a limb and impose their own national and divergent UDI systems.

The EU will also be vigilant not to put anything in place that is very different from what the US is putting in place because that would really drive a nasty compliance wedge in the international medical devices market.

When the regulations finally complete, UDI will be phased in for groups of devices based on their risk profile and a lot is still to be implemented by so-called delegated acts. And, of course, if and when UDI will actually work in the EU will also depend on the completion of the Eudamed cathedral.

Surprise! More about unannounced audits

If you’ve missed the 2014 RAPS conference you’ve missed out on the opportunity to learn a lot about unannounced audits by notified bodies. Not only were the notified bodies themselves out and about at the conference and very approachable to discuss all kinds of technicalities, there were also several very practical sessions with a lot of good information on the subject; notably, the enforcement / unannounced audits session and the product sampling during unannounced audits session were very informative.

If there is one thing that I took away from these sessions it’s the absolute need to take a good look at your relations with critical suppliers and crucial subcontractors. Sounds like a broken record, but it keeps being confirmed.

Here are my main takeaways from the conference sessions on unannounced audits:


Don’t forget to inform your notified body about critical supplier’s production windows, otherwise the notified body shows up there and can’t complete the audit if production is not ongoing that day – result: suspension of your certificate. Also make sure your critical supplier tells you so you can inform the notified body, otherwise: same result.

And how about production locations? Make sure that your critical supplier does not change production locations for a raw material or component without telling you because the notified body will show up in the wrong place and will not be able to complete the audit, resulting in suspension of your device certificate and it’s likely a non-conformity in your QMS if your supplier can do this without telling you. This is an actual example from one of the notified bodies I spoke with at the conference, by the way. In that case you can only hope that the critical supplier did not move the production too far away and the notified body can quickly get there and complete the audit after all.


Not only do you have to have a procedure for unannounced audits (otherwise it’s a QMS non-conformity for which you will be written up by your notified body), also your critical supplier has to have one. You may be written up for a non-conformity if they don’t.

Your own procedure and that of your critical supplier should typically cover these three main subjects:

  • Notification of notified body of production windows and changes
  • Coordination with supplier / manufacturer
  • Training of staff regarding responsibilities and requirements during unannounced audits


Unannounced audits can happen at night if the device is (also) produced in night shifts. Sounds obvious but it means that your management has to be available at night too and your unannounced audits process has to accommodate this. They may not like it, but you have to make provision for management to be on call 24/7 if you or your critical suppliers also produce at night and in the weekend.


Since the unannounced audits are product sampling audits that involve testing, it is actually possible to agree testing methods with your notified body beforehand. Even though you cannot define the sampling criteria, you can define the test methods used, e.g. by reference to the ones you are using already in your production. If those are good already, why subject your devices to something else that may produce unexpected results, right? This may be well worth your while as it takes a degree of unpredictability and risk out of the equation. If the testing method is unclear or not agreed, the notified body will need to haul off the samples and test elsewhere. The same applies for the critical supplier test methods for their production process.

Authorised reps

An authorised representative can also be a crucial subcontractor, depending on what they take on in terms of roles and responsibilities, especially where they do vigilance cases reporting for the manufacturer (as this impacts performance and safety of the device).

Supply agreements

How to deal with suppliers that refuse unannounced audits? As I have blogged here and here, you should have changed your supply contracts with critical suppliers by now to accommodate unannounced audits.

But what if the supplier doesn’t want to cooperate because they just see it as hassle (for example because you are just a small customer compared to the rest of their customers)? That happens even to the biggest of devices companies, we learned at the RAPS conference. The only thing you can do then is work with the critical supplier to find a value proposition that triggers the supplier, and this can differ from one supplier to the other. The problem is that suppliers may know that you have to agree with them or source from elsewhere, so be prepared for some arm-twisting in the negotiations.

Change management regarding the supplied material is vital: make sure that you know when the critical supplier changes material specs or production methods, even if you are too small a customer to influence this choice, because this may have to be reflected in the tech file.

Since the notified body will audit the critical supplier, the supplier had better have their documentation in order, and you have to make sure they do, so cover this in the supply / quality agreement.

Conference bonanza: let’s meet at RAPS or Advamed

This is not a substantive post, just a note to say that I am visiting the RAPS Regulatory Convergence conference in Austin next week and then the Advamed MedTech conference in Chicago in the week after that.

RAPS conference

I will speak about the emerging EU UDI policy at the RAPS Regulatory Convergence conference on Monday next week 3:30 to 5:00 pm in the session about UDI, Update & Lessons Learned. This will however be only one of the many interesting EU medical devices related presentations and sessions planned. There are many really good ones, with high profile speakers from notified bodies, the European Commission and industry, for example on:

  • EU Enforcement of Existing Regulation: Unannounced Audits and Increased Oversight of Notified Bodies
  • EU IVD Regulatory Evolutions
  • Potential Impact of the EU Medical Device Regulation
  • Impact of the New Proposed Regulations on Clinical Data Requirements in Europe
  • Product Sampling During Unannounced Audits

Indeed, the RAPS conference is really a very good opportunity to catch up on EU medical devices developments.

Advamed conference

The Advamed MedTech conference on 6-8 October will feature a panel moderated by me on the EU medical devices regulations revision process on Monday 6 October 2:30 pm in the International track, which should be very interesting with currently confirmed panelists:

  • André-Michel Ballester, Chief Executive Officer, Sorin Group
  • John Brennan, Director Regulations and Industrial Policy, Eucomed
  • John Wilkinson, Director of Devices, Medicines and Healthcare Regulatory Agency (MHRA)

Since these panelists are as close to the EU process as you can possibly get, this should be a very interesting panel that you shouldn’t miss if you are interested in EU developments and are attending that conference. Last year’s EU panel was rated very well, and this year’s looks to be at least just as good.

Around the Advamed conference I will also be involved in the Dutch trade mission of companies supplying medical devices companies to Chicago – interesting too because the Dutch really know their materials science and are excellent at component design and production of complex components!

Meet up?

If you happen to attend these conferences and want to meet to catch up with me on whatever EU pharma, medical devices or ATMP issue that you want to discuss, please let me know in the comments to this blog or send me an email directly (erik.vollebregt[at] I’ll be around at the conference venues for the full program at both conferences and am looking forward to meeting many readers of this blog in person!

More movement – new rapporteur for MDR, same for IVDR

Finally things start moving again in the EU medical devices regulation dossier: the new rapporteur for the Medical Devices Regulation was appointed, replacing Dagmar Roth-Behrendt.

It’s Glenis Willmott

The new rapporteur is UK MEP Glenis Willmott, of the S&D group in the European Parliament, who is certainly familiar with health issues as she has served for example as rapporteur for the recently revised Clinical Trials Regulation.

Her mandate, with the EU Parliament’s first reading having been fixed on 2 April, is to guide the new rules through the Parliament as well as negotiating with the Commission and national governments joined in the Council.

How will she do?

So, how will Ms. Willmott do differently from Ms. Roth-Behrendt, who polarized the political debate like no other and was always good for some spectacle and not always evidence-based drama? In other words: are the wings on fire or not?

In the announcement of her appointment she said:

“I am delighted to have been appointed as rapporteur for this vital legislation. After the scandals involving PIP breast implants and ‘metal on metal’ hip replacements, the public are rightly concerned about the regulation of medical devices. Patients deserve better and so action at EU level is needed.”


“We must ensure the industry is transparent and works in the interest of patients. This legislation will go a long way to achieving that and I look forward to taking it further in the coming months.”

“I am concerned, however, with the proposals that medical devices should fall under the responsibility of the industry commissioner. Our first priority with these products must be health, and they should be overseen by the health commissioner. I will be doing everything I can to ensure that this is the case.”

For one, Ms. Willmott was an ardent supporter of the transparency initiatives in the new clinical trials regulation. Since the European Parliament’s proposal also contains such provisions for devices, we can expect that this agenda will be pushed. Given her experience with clinical trials, expect more focus on clinical evidence requirements for devices, which may mean that the discussion about RCTs for devices as gold standard will persist. In her acceptance press message she has further announced that she will put patient safety above everything else – not surprising, what else are you going to say? And I think nobody in industry would say that this is also not what industry wants, even if Ms. Roth-Behrendt thought that was not the case. So are the wings (still) on fire? It’s – again – too early to tell at this point in time. Sorry.

Move to Enterprise

From what I know about Ms. Willmott she is certainly a different person than Ms. Roth-Behrendt. But – and that is to be expected for a labour parliamentarian – she is not pro-industry at all and she has announced that she will strive to bring devices oversight back to the Health Commissioner after it was decided only recently to bring it back to DG Enterprise after it was with DG SANCO during the last Commission’s term. How she intends that this will be achieved is not clear for the moment.

Eucomed, for its part,

“welcomes Ms. Willmott to the file, who brings a wealth of experience and insight on health issues to the MDD file, and a clear desire, which we share, for driving legislation that puts patients first.”

Eucomed also says it looks

“forward to engaging with her to ensure a Regulation for medical devices that is able to efficiently address patient and user safety requirements, patient access to safe and effective medical devices, effective and non-bureaucratic support systems to authorities and continued medtech innovation in Europe.”

Again, and with all due respect: what else are you going to say, right?

Out of the window

As I have blogged in the past, “effective and non-bureaucratic support systems to authorities and continued medtech innovation in Europe” were out of the window with the Parliament’s text as it was fixed in the first reading on 2 April 2014.

To achieve this we will need a very rational compromise between the Council and the Parliament, brokered by the Commission. So far the efforts of the Council have been aimed at keeping things mostly the way they are (less than effective, fragmented and bureaucratic due to lack of harmonization and different views by national competent authorities).

The efforts of the Parliament, on the other hand, were aimed at maximum disruption of existing structures into a system of market access that has been proven to be hostile to innovation while failing to cause a marginal increase in safety of products. Where will we end up? It’s still too early to say but given the expectation

I have heard from my sources that it may take until the Dutch presidency (first half 2016) before this dossier finally closes, which means that a lot of proverbial water will need to pass through the political Nile before we have a new medical devices regulation in the EU that everybody can agree with.

IVD’s, the regulatory stepchild

In IVDs, which everybody seems to just ignore in the legislative discussion, persistence is the virtue with Peter Liese staying on as rapporteur. Whether that is a good thing or not remains to be seen, as he will defend his unconstitutional genetic testing amendment. If this passes, we can expect an attack on the validity of the IVD regulation that may well succeed, which will set IVD regulation reform back a year or so at the very least.

Mr. Liese, you are still welcome by the way to consider our counter opinion on the competence of the EU to legislate in this area and reconsider this amendment. It would save a lot of hassle.

Otherwise, the only controversial point under the IVD regulation seems to be the transitional period (3 or 5 years) which will make it nearly impossible or just difficult for the IVD industry to re-certify the large majority of self-certified IVDs on the market by notified bodies. I have started to refer to this situation as the regulatory cliff for IVDs – too many IVDs to rectify, too little regulatory expertise in the market and too little capacity at the notified bodies. Brace for impact if you’re in IVDs and better plan ahead for this transition because if you don’t you will run out of road at some point during the transitional period and drive right off the regulatory cliff.


Is there any impact on timing of the legislative procedure with these developments?

The pessimist view is that it still may take until early 2016 for the regulations to be agreed, with the possibility of the IVD regulation being even more because of an attack by one or more of the member states at the European Court of Justice immediately when it is adopted. This will make the work on improving market surveillance under the Joint Action Plan and the unannounced audits in the meantime more and more important as these will be the major moving targets.

The optimist view is that of the Italian presidency put forward after the Greek presidency terminated: the announced pre-pack first reading and then a speedy close of the dossier.

Next week the Parliament will have hearings of the new Commissioners, and no doubt the Enterprise Commissioner will receive a thorough quizzing on the plans with the move of pharma and devices oversight to DG Enterprise. These hearings will produce additional clarity on what the Commission intends, and whether Ms. Willmott’s statement that she will strive to bring devices oversight back to the Health Commissioner may have any chance of succeeding.

So, watch this space heat up as things have started moving again!

Movement in the Commission – medical devices policy back to DG Enterprise

Last week we finally had some new interesting developments (sorry for the boring silence on this blog but there was really nothing to report): the new Commission has been completed and we are getting some first glances into how the new Commission sees EU medical devices policy going forward. With the unveiling of the new #teamjuncker of Commissioners, it transpired that as part of the inevitable reshuffling that is part of a political process, the unit responsible for medical devices policy (together with medicinal products policy and the whole EMA organization) moves (back) to DG Enterprise.

It started with internal market legislation

I think this is significant news because the regulatory system for medical devices, CE marking, is originally an internal market oriented system that started out in DG Enterprise as part of the New Approach that created the CE marking legislative technique that helped complete the EU internal market in time for the political deadlines on the table in the early nineties of the last century. It was only moved to DG SANCO in 2010 when the last Commission started its term.

EU rules on market authorization for medicinal products are historically intended to primarily reduce regulatory burden of having to go to each member state separately, while ensuring safety and performance by means of the essential requirements, medical device specific conformity assessment procedures. And no, this does not mean that medical devices are regulated as toasters. If the people that said that would only take a look at how the medical devices directives work in the flowcharts of the unfortunately abandoned annex 8 of the old Blue Guide

In the mean time the Lisbon Treaty entered into force which contains quite clear restrictions on the EU to legislate in healthcare (article 168 (4) TFEU)

“[The EU] shall contribute to the achievement of the objectives referred to in this Article through adopting in order to meet common safety concerns:


(c) measures setting high standards of quality and safety for medicinal products and devices for medical use.”

provided that (article 168 (7) TFEU)

“7. Union action shall respect the responsibilities of the Member States for the definition of their health policy and for the organisation and delivery of health services and medical care. The responsibilities of the Member States shall include the management of health services and medical care and the allocation of the resources assigned to them. [...]”

Practical problems

These restrictions cause practical problems in situations where the EU does more than take common action with a view to meeting safety concerns in the medical devices field (yes indeed, for example the Joint Immediate Action Plan) or arrange for a common market access and post market surveillance mechanism (that sounds a lot like the three medical devices directives and their implementing measures).

Sometimes this level of involvement works (when member states are defending their national healthcare reimbursement systems) and sometimes it doesn’t (for example when the European Parliament tries to outstep for the In Vitro Diagnostics Regulation proposal with its genetic testing devices proposal, see for background here).

The Cross-Border Patient Rights Directive and the eHealth measures based on it are a good example of some of the tightrope exercises the EU is doing when trying to regulate things it perhaps is not completely allowed to regulate in healthcare.

Re-orientation on internal market

So to me the move looks like a re-orientation on the internal market aspects of medical products.

The consequences – I think – will be an EU policy that is more about integration and harmonization with a view to a more efficient and innovative market than careful but active intervention in the delivery and development as such of healthcare as a matter of EU policy, which is exactly what the EU is supposed to do.

This will likely have consequences for the developing mobile health market, which is all about how healthcare is delivered to individuals. It will be more about bottom up harmonization than the Commission proposing top-down interoperability standards and patient rights in relation to cross-border mHealth.

Also, SANCO has not been able to get the EMA to make regulation and market access of ATMPs a success, which has deprived innovative biotech SMEs of opportunities in the European market. In my professional activities I see SMEs run into the ground at the EMA with innovative ATMPs all the time. The consequence is that many SMEs have given up seeing their products through to market access and instead hope to be acquired on a proof of concept before their money runs out.

More in general SANCO has been less than innovation friendly in its regulatory policy so far putting NOs in innovation with a perhaps overly cautious approach, for example with the eLabeling regulation that requires paper labeling of apps.

Maybe this will also be fixed under the new Commission. A lot of ifs and buts remain of course while the political dust settles, but from where we are now, this is how it looks to me. Those who claim the moral high ground in health policy will say this is bad and innovative industry will say this is good.

So what will this mean

for the MDR and IVDR in the legislative process? The Commission is still an important voice in the process and takes an important role in the trialogue to bring the Council and Parliament closer together. With this reshuffling the Parliament could perceive the Commission as more biased towards the internal market and on the side of the member states that are no fans of the Parliament’s proposal – even if they have formally not even looked at that yet. The ENVI committee has not formally appointed a new rapporteur for the MDR with Dagmar Roth-Behrendt, famous for polarizing this dossier, on the way out. And it’s unclear still if the rapporteur for the mostly ignored IVDR (Peter Liese) will change as he is still member of ENVI.

It is safe to say that DG Enterprise will stick strongly to the internal market aspects in the MDR and IVDR proposals that come from Regulation 765/2008 and Decision 768/2008, which basically shape CE regulation and market surveillance on the markets thus regulated that comes after the Goods Package in 2008 (e.g. the supply chain rules in them).

Conclusion: no definitive answers yet unfortunately, as there are too many things that still have to become clear. But, with the new Commission’s plans we have a first idea of where things might be going.

Updates, patches, add-ons, plugins & the Blue Guide

Here is some follow up on the previous Blue Guide post: the new version of the Blue Guide is the first to address software updates to CE marked products, including software. For the purpose of this blog this would typically be standalone software that constitutes a medical device in the meaning of MEDDEV 2.1/6.

Harmonised standards

When standalone software that constitutes a medical device is updated, patched or has its functionality expanded with a plug-in or add-on, the same rules apply as to a normal medical device that is serviced during its lifetime, except that the EU harmonized standard for medical devices software EN 62304 has a few processes to add that are relevant to updates, patches, plug-ins and add-ons. These processes are explained up to a point in the helpful EN 62304 FAQ.

New requirements in MDR and IVDR

The proposed new medical devices and IVD regulations have some new additional clauses with respect to repairs and replacement parts that would also apply to standalone software as medical device, even though they are written for widgets, which is one of the flaws of the proposals. They are supposed to modernize EU medical devices law for decades to come, but fail to account adequately for the development of standalone software medical devices.


Why such a brief post – you are used to a lot more detail from me normally, right?

Well, that’s because this post is a summary of the article I wrote in the legal and regulatory journal eHealth Law & Policy, which the publisher kindly permits me to put on my blog and you can download it here. I warmly recommend the journal if you want to stay in touch with legal and regulatory developments in eHealth and mHealth.

I have just written an article on unannounced audits by notified bodies specifically with manufacturers of standalone software medical devices in mind, so if you’re curious, take a look.

