Annex IX QMS Audit: What Notified Bodies Actually Review

Annex IX is not just a QMS audit

Teams preparing for an Annex IX assessment sometimes frame it as "a QMS audit" — which is accurate but incomplete. Annex IX covers two things: a QMS audit (Section 2.2) and a review of the technical documentation for at least one representative device (Section 2.3 and Section 2.4). Both happen. The QMS audit gets you a quality system certificate; the technical documentation review is what actually connects your certificate to specific devices. Preparing only for the QMS side leaves teams surprised when the NB asks for the full technical file at the initial audit.

For Class III devices and implantables, the NB must also consult the relevant expert panels on clinical evaluation before issuing a certificate. This adds time that teams should plan for explicitly — it is not a step that can be accelerated once the process is underway.

What the NB is looking at in the QMS

The quality management system under Annex IX must cover the design and development of the device, not just manufacturing. This catches teams that run an ISO 13485-certified QMS focused on manufacturing only. MDR requires coverage of: design controls, risk management integrated throughout the lifecycle, clinical evaluation processes, post-market surveillance and vigilance, and CAPA. The NB will want to see that these processes exist, are documented, are actually followed, and produce the right outputs.

Specifically, auditors look for:

• Design history: is there a documented process connecting user needs to design inputs, verification, validation, and final design output?
• Risk management: does the risk management file reference the device's actual risks, or is it a generic template? Is it linked to usability, clinical evaluation, and post-market data?
• Clinical evaluation integration: is the clinical evaluation process embedded in the QMS, or does it exist as a standalone document with no procedural home?
• Post-market surveillance: is there a functioning PMS system with actual data inputs, not just a plan?
• CAPA effectiveness: when CAPAs are raised, is there evidence they were implemented and that effectiveness was checked?

Auditors are experienced at identifying systems that look complete on paper but have not actually been executed. The things most likely to generate nonconformities are gaps between documented procedures and records that show the procedure was followed.

The technical documentation review

The NB will select at least one device (and sometimes more, for a family of devices) for technical documentation review during the initial assessment. For a device family, they will typically select the highest-risk device. The technical documentation must be substantially complete — not in draft. This means the CER, risk management file, technical specifications, performance testing, labelling, and clinical investigation data (if applicable) must all be available for review.

One thing that catches teams off guard: the NB's technical documentation reviewer may be a different expert from the QMS auditor, and they may have different questions. The QMS audit can proceed in parallel with technical documentation review, but gaps in the technical file can block certificate issuance even if the QMS audit result is positive.

The most common gaps in technical documentation at initial Annex IX review are:

• CER that does not demonstrate sufficient clinical evidence for the device's intended purpose
• Risk management file that references standards but does not demonstrate how GSPR compliance was actually achieved
• Labelling that does not reflect the UDI format or is missing required MDR elements
• Incomplete or missing post-market surveillance plan

Common preparation gaps — what the NB finds most often

Beyond the technical documentation gaps above, the QMS-side findings that appear most regularly include:

Management review: Records are present but show no actual discussion of clinical data, PMS outputs, or regulatory intelligence. The management review should be a working session, not a compliance exercise — auditors can tell the difference.

Supplier controls: Suppliers of critical components or services (sterilisation, software development, clinical studies) are often not adequately qualified or monitored. Check whether your approved supplier list is current and whether periodic re-evaluation is documented.

Change control: Changes to the device or manufacturing process that post-date the last regulatory submission are often not captured in a formal change assessment. The NB will ask whether any changes occurred and what the regulatory impact assessment concluded.

Training records: Procedures require that personnel performing critical tasks are trained and assessed as competent. Gaps in training records for design engineers, clinical evaluators, or risk management personnel are routine findings.

How to use the time before your audit

Request a pre-submission meeting with your NB. Most NBs offer this, and it gives you a structured opportunity to confirm the audit scope, the list of documentation they will want to review, and any areas of particular focus for your device type. Use this meeting to surface assumptions — it is much cheaper to discover a misalignment before the audit starts.

Conduct an internal readiness audit using Annex IX itself as the checklist. Walk through Section 2.2 clause by clause and map each requirement to a documented procedure and a record that shows the procedure was followed. Any clause where you cannot produce both the procedure and the evidence is a preparation gap. Fix it before the NB arrives.

One practical point: NBs do not expect perfection. They expect a system that is operating and improving. A CAPA system with open items and documented progress is better than a system with no open items but no evidence of ever having found anything wrong.