CB/Auditor Requiring a change in scope

[Ralba]

Last year, we finished a AS9100 audit and a ISO13485 Audit, and a maintenance audit on our ISO9001. We just were notified that the auditor for the ISO13485 audit put in a change for our scope without telling us to add "of medical devices" to the end of the scope, thus limiting our entire scope of ISO9001 to ONLY medical devices.

We wholeheartedly believe that compliance can be applied from the perspective of best business practices, so we apply each of our compliances across our entire QMS, and do not have any separation aside from Medical Device Files, which we currently have none of (we mostly do prototypes in medical devices). During the audit, the auditor did mention the scope change as an Opportunity for Improvement, but we just ignored it as we did not want to limit our scope. The audit was not solely over the medical projects, so it did not make sense to us to do from the start.

I asked the CB what prompted the change, and found out that he had put it in his audit report that our scope needed to change. I wanted to ask if anyone here has experience with this issue before I respond further to our CB.

 

[somashekar]

Last year, we finished a AS9100 audit and a ISO13485 Audit, and a maintenance audit on our ISO9001. We just were notified that the auditor for the ISO13485 audit put in a change for our scope without telling us to add "of medical devices" to the end of the scope, thus limiting our entire scope of ISO9001 to ONLY medical devices.

We wholeheartedly believe that compliance can be applied from the perspective of best business practices, so we apply each of our compliances across our entire QMS, and do not have any separation aside from Medical Device Files, which we currently have none of (we mostly do prototypes in medical devices). During the audit, the auditor did mention the scope change as an Opportunity for Improvement, but we just ignored it as we did not want to limit our scope. The audit was not solely over the medical projects, so it did not make sense to us to do from the start.

I asked the CB what prompted the change, and found out that he had put it in his audit report that our scope needed to change. I wanted to ask if anyone here has experience with this issue before I respond further to our CB.

Seems like your CB missed out on the basic scope clarification in line with the standard ISO 13485 with you at the outset....
This cannot be done to the ISO 9001 certificate. You will have to get a new ISO 13485 certificate and the scope in this has to be clear in respect to medical devices.
Scope change as an opportunity for improvement ... ?? Sorry, your CB is confused.

 

[yodon]

We're registered to both 9001 and 13485 and we are issued 2 certifications. The scope in each is slightly different. Are they saying they'll issue 1 cert to you against all 3 standards? That doesn't seem right.

I have seen an increase in "pickiness" about the scope. Don't know if it's a battle you can win outright.

 

[Tagin]

It is outrageous for an auditor to submit a change to your scope without your knowledge or approval. The scope is something your company defines - it speaks to what your company is and does. If the auditor had a problem with the wording, he should have created an audit NC.

The CB should undo that unauthorized change at their expense. If they still feel the scope language is a problem they can issue you an NC. You can then choose to reword the scope, or to fight the NC.

 

[mpfizer]

We're registered to both 9001 and 13485 and we are issued 2 certifications. The scope in each is slightly different. Are they saying they'll issue 1 cert to you against all 3 standards? That doesn't seem right.

I have seen an increase in "pickiness" about the scope. Don't know if it's a battle you can win outright.

We're registered to both 9001 and 13485 and we are issued 2 certifications. The scope in each is slightly different. Are they saying they'll issue 1 cert to you against all 3 standards? That doesn't seem right.

I have seen an increase in "pickiness" about the scope. Don't know if it's a battle you can win outright.

Just a question
Do the scopes of ISO 9001 and 13485 be exactly similar ?
michelle

 

[somashekar]

Just a question
Do the scopes of ISO 9001 and 13485 be exactly similar ?
michelle

It can be exactly similar., provided it meets the scope for the 13485...

 

[Ralba]

It is outrageous for an auditor to submit a change to your scope without your knowledge or approval. The scope is something your company defines - it speaks to what your company is and does. If the auditor had a problem with the wording, he should have created an audit NC.

The CB should undo that unauthorized change at their expense. If they still feel the scope language is a problem they can issue you an NC. You can then choose to reword the scope, or to fight the NC.

The auditor they used was also the auditor who did our initial cert, but he did not do the first surveillance audit. From my conversations on here and with him, I am thinking he made a mistake when he first issued the 13485 certification and was supposed to ask for the medical designation then. This is NOT the kind of auditor to admit he made a mistake, or even hint at it. I believe he wanted us to say we made a mistake and request the change when he gave it as an OFI during the audit. When we didn't, he just tried to sneak it into the audit report. I have to say the 7:00PM email I received on Friday about this had me saying worse things than "outrageous" .

Changing the ISO13485 to medical is not a big deal for us, but trying to change our ISO9001 is a huge deal for us, especially with our AS9100 needing the same scope unless we want two separate audit schedules.

 

[Ralba]

We're registered to both 9001 and 13485 and we are issued 2 certifications. The scope in each is slightly different. Are they saying they'll issue 1 cert to you against all 3 standards? That doesn't seem right.

I have seen an increase in "pickiness" about the scope. Don't know if it's a battle you can win outright.

We have three certifications, one that is ISO13485, one that is ISO9001, and one that is AS9100. They had all the same scope (everything that we do) until this issue. They sent me a revised ISO9001 certificate, so I am beginning to think they just got their wires crossed and meant to revise the ISO13485 certification only.

Still not okay to do without our approval or a formal explanation on how we fail to meet our stated scope, but much more understandable.

 

[Ralba]

UPDATE-in case anyone was following this and would benefit from knowing how this went down:

I emailed the CB and informed them that changing the ISO13485 would make sense, but changing the ISO9001 would be problematic. I asked if maybe there was some miscommunication on their end and asked them to check. The auditor was CC'd into the email chain.
The administrator that sent me the revised ISO9001 certification then sent me two more certifications, a medically only ISO13485 and a reverted ISO9001. They apologized for the mixup.

Alls well that ends well.