“Will a software audit take place?” is a question that reached me via our micro-consulting. “And can I avoid a software audit by choosing the appropriate software safety class?”
At first, I didn’t realize exactly what ‘software audit’ meant or what the exact concern was. But then I understood and found the question to be very important for all medical device manufacturers.
1. Software audit: What it could be
The term “software audit” is not clearly defined. It is usually associated with one of the following activities:
- As part of a QM audit (e.g., ISO 13485 or FDA 21 CFR part 820), an auditor or inspector also checks the code of either the medical device, process software, or software for the QM system. ISO 80002-2 provides guidance for the validation of the latter software.
- As part of a CB review (e.g., an “IEC 62304 certification”), an expert inspects the software and associated development documentation, such as software requirements, architecture, and tests.
- The manufacturer itself tests its software, for example, in the context of code reviews or design reviews.
In this specific case, the request related to the first, i.e., code inspections during the audit.

2. Software in the QM audit
2.1. Manufacturers’ concerns
In this particular case, the manufacturer had two concerns:
- The auditor sees our code and thus learns company secrets.
- The auditor finds errors in our code.
I want to put both concerns into perspective a little.
2.2. Why these fears are usually unfounded
- Non-disclosure agreement
On the one hand, your auditor has signed a non-disclosure agreement with you. If this is missing, you know what you have to do. Apart from that, I also think it is hardly possible for an auditor to learn anything significant by reading a few code snippets.
- Competence of the auditors
On the other hand, it is unlikely that the auditor will find errors in your code. Most auditors are not computer scientists, so they will only understand the code to a limited extent.
- The objective of the audits
The reviews relate less to the correctness of the product or code and more to the correctness of the process. IEC 62304 is a process standard: it sets out requirements for the process, not the code’s quality. You can find more information on the regulatory requirements below.
- Available time
It is almost impossible to find errors in software with a reasonable amount of effort. That is why the focus is not on analytical quality assurance but (also) on constructive quality assurance. This is exactly how the notified bodies have formulated it in a MEDDEV. For this reason, they do not want to have type examinations for software either, and that is precisely why IEC 62304 also requires a QM system and a development plan that designates the processes, methods, and tools. Whether you have adhered to these processes and methods and used the tools as planned is the subject of the audit.
2.3. What is really audited with regard to software
Therefore, when we, as auditors, look at the code, we want to check whether
- You adhere to your requirements, such as those formulated in coding guidelines.
- Alternatively, we can check whether artifacts such as the detailed design or the unit tests required for class C are available for this class.
- One of the classic reviews is traceability: for example, have all software requirements been verified?
- Do the date stamps on the code (check-in) and documents (requirements, architecture) indicate that the process is being adhered to—and in the correct order?
- You can very quickly put a company on the spot by asking them to reproduce an old test. This requires that the configuration management really works.
- You may also want to see a piece of code to check whether a risk-minimizing measure has actually been implemented and whether the manufacturer can prove this traceability.
But we don’t check the quality of either the architecture or the code.
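The traceability and date-order checks listed above are the kind an auditor performs by hand. As an added example (not code from the original article), the following script runs those checks over constructed sample data: requirement IDs, tests with the requirement IDs they claim to verify, and artifact check-in dates compared against a planned order. The IDs, dates and stage names are assumptions.

```python
# Added example (not from the original article): minimal traceability and
# process-order checks of the kind an auditor runs by hand.
from datetime import date

# Constructed sample data. Requirement IDs and texts are made up.
REQUIREMENTS = {
    "SRS-001": "The pump shall stop on an occlusion alarm",
    "SRS-002": "A bolus dose shall not exceed the configured limit",
    "SRS-003": "The display shall show the battery state",
}
# Each test lists the requirement IDs it claims to verify.
TESTS = [
    {"id": "T-01", "verifies": ["SRS-001"]},
    {"id": "T-02", "verifies": ["SRS-001", "SRS-002"]},
    {"id": "T-03", "verifies": ["SRS-009"]},  # cites a requirement that does not exist
]
# Constructed check-in dates; the development plan says the stages are
# produced in this order: requirements -> architecture -> code -> tests.
PLANNED_ORDER = ["requirements", "architecture", "code", "tests"]
ARTIFACT_DATES = {
    "requirements": date(2024, 1, 10),
    "architecture": date(2024, 1, 20),
    "code": date(2024, 1, 15),  # checked in before the architecture: out of order
    "tests": date(2024, 2, 1),
}


def unverified_requirements(requirements, tests):
    """Return requirement IDs that no test claims to verify (broken forward traceability)."""
    covered = {rid for t in tests for rid in t["verifies"]}
    return sorted(set(requirements) - covered)


def dangling_references(requirements, tests):
    """Return (test_id, req_id) pairs where a test cites an unknown requirement."""
    return [(t["id"], rid) for t in tests for rid in t["verifies"] if rid not in requirements]


def order_violations(dates, planned_order):
    """Return (earlier_stage, later_stage) pairs whose dates contradict the planned order."""
    return [(a, b) for a, b in zip(planned_order, planned_order[1:]) if dates[a] > dates[b]]


if __name__ == "__main__":
    print("unverified requirements:", unverified_requirements(REQUIREMENTS, TESTS))
    print("dangling references:", dangling_references(REQUIREMENTS, TESTS))
    print("order violations:", order_violations(ARTIFACT_DATES, PLANNED_ORDER))
```

Each finding maps to one of the audit questions above: an unverified requirement, a test citing a non-existent requirement, or a date stamp that contradicts the planned process order.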
3. Software audits: Regulatory requirements
First, the good news: Neither European nor US authorities require a software audit. This means that, in most cases, the software itself is not reviewed, and IEC 62304 certification is also not required.
However, auditors, notified bodies, and FDA inspectors do review the quality of the software development process based on the software development documentation. These reviews occur as part of ISO 13485 audits or when the technical documentation is submitted. However, neither of these is a software audit.
4. “Software audit”: Where to get support
We support medical device manufacturers in developing and documenting their software according to standards and legal requirements. After all, what is in the standards is one thing, but what is checked in the (QM) audit or during submission is sometimes another. My team and I (who are auditors ourselves) constantly take part in audits and document reviews—on different sides of the table.
1. Offer: Free Starter-Kit
Get the free starter kit (e-book, tutorial, FAQ) to help you pass your “software audit” in safety.
Request your free starter kit.
2. Offer: Micro-Consulting
Have you experienced problems with your software (documentation) during an audit? Are you concerned about these problems? Or do you have a quick question about how to get your software documentation in shape for the audit?
Then simply contact us and take advantage of our micro-consulting. Yes, it’s true 🙂 (Auditors also regularly ask about this).
3. Offer: Audit checklist
We have drawn up the audit checklist for notified bodies (“TÜVs”), which is used to plan and carry out software audits (you know by now that they are QM audits).
With this checklist, you
- can review your software documentation’s standards and legal compliance,
- find out where there is room for improvement (before your auditor does and it becomes embarrassing and expensive),
- and be sure that you have thought of everything. This way, you avoid too much documentation and, thus, QM bureaucracy.
4. Offer: Medical Device University
The Medical Device University is a series of video training courses that show you step by step not only how to document the software for your medical device in compliance with FDA and IEC 62304 but also how to create audit