ISO 13485 Certificate Location / Scope

#1
Hello,

A little background: I am a QM for a small software company with ISO 13485:2016 certification. We do not manufacture a medical device; we have a customer that uses our software to support their medical device and, in order to be an approved supplier, we became certified.

My question is regarding the scope of our certification. Our current certificate lists three locations. Our HQ and two manufacturing facilities - one in the US and one in EU.

We have no physical manufacturing. Everything is digital and the majority of our employees are remote.

Can anyone provide background or information on the requirements for listing "locations" on a ISO 13485 cert?

All of our processes are the same, regardless of location. I would prefer to be certified by business unit rather than a brick-and-mortar location.

I hope this makes sense. Thank you for your time and input!

Beth
 
Elsmar Forum Sponsor
#3
Yes, all locations follow the QMS (including training, doc control, supplier management, internal audit, CAPA, etc.)

The location's registered activities are design, development, distribution and support of the software. Each location follows identical sets of policies, procedures. Everything is harmonized and well documented.

When we are audited, it is completely redundant. Each requirement is essentially audited in duplicate.
 

yodon

Leader
Super Moderator
#4
The manufacturing work is outside the scope of your QMS? I don't understand when you say you do not manufacture medical devices but you have 2 manufacturing facilities (but no physical manufacturing).

If you limit the scope to just the software development work, can you limit the locations to wherever your server is? (AOs are going to have to come to grips with remote working!)
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
#5
Let me ask this differently, does each location have its own local storage for testing and other documents? If you let your NB know everything is centralized here and if you ask for records there they will all point to "Here." If that is the case it should be ok to have an HQ where all outputs are collected, analyzed, and approved.


For example, we have SW engineers doing work hundreds of miles away but that isnt relevant to an audit.

Auditing bodies are business units themselves so revenue matters. We were recently contacted by our NB to tell us we can start our remote MDR audit this month. Me - "But you said last year that's only when we are 95% done with the technical review?!" NB_ "Our policies have changed" What I suspect has happened is all that planned billing revenue for 2023 has moved out 5 years because of the MDR delay to 2028. Their "policy" changed so they can bill for this fiscal year. It's a business, not regulatory-driven, decision.
 
Last edited:
#6
My apologies, I should have stated our cert scope is "Design, development, sales, distribution, and support of software." We list HQ and two other locations on the certificate. HQ registered activities are "Administrative Support, HR & Sales," all of which are remote. The other two locations registered activities are "Design, development, sales, distribution, and support of software".

We have on-prem servers in only one of the two locations. Our quality output data are primarily stored in cloud storage.
 

yodon

Leader
Super Moderator
#7
I would think that trying to get the AO to visit just one site, despite centralized storage, would be difficult. They're doing different things at each site, both sites contributing to the QMS. And if you have both 'manufacturing' sites doing D/D work, it would be difficult to exclude them.

You might see if they could organize the surveillance audits around what each site does and so alternate visits during the surveillance audits. I expect they'd still want to visit both sites for a recert.

Another option might be to see if they would consider on-site audits at one location and remote for the other (maybe alternating years). Historically, I haven't seen a lot of flexibility from AOs but I guess it wouldn't hurt to ask.
 
#8
The two sites dedicated to design / development are performing the same work, following the same processes. Currently, we are audited remotely for all three locations listed on our certificate.

I am attempting to get a better way of managing the certificate because the two design/development sites are duplication of efforts (and costs). I was hoping to list all of the registered activities under the HQ location.
 
#9
The two sites dedicated to design / development are performing the same work, following the same processes. Currently, we are audited remotely for all three locations listed on our certificate.

I am attempting to get a better way of managing the certificate because the two design/development sites are duplication of efforts (and costs). I was hoping to list all of the registered activities under the HQ location.
1. If your business accepts listing the HQ only on the certificate, it is better to then not have the site/s mentiond on the certificate. Your resources can be operating from anywhere on the globe.
2. If the sites have to be listed, then the audit will sample projects being executed from each site, along with the support activities at these locations. These site scope of activity can be the same as these are your locations and your way of execution. The certificate will also carry the site location and the scope of activity there, along with the main scope of the certificate.
At certain annual / half yearly cycle of the 3 year certification agreement, these sites have to be visited by the CB.
(I have audited sites from the site location, while the organization auditee were remotely connected. This was when the organization wanted to add a new site. There are guidelines that CB follow and one of them is sampling sites in audits in a multi-site certification. Remote audit as of present is not normal and will require due justification and special permission.)
 
Thread starter Similar threads Forum Replies Date
Q ISO 13485 certificate needed if I go for MDSAP certification? ISO 13485:2016 - Medical Device Quality Management Systems 3
A Scope of ISO 13485 certificate ISO 13485:2016 - Medical Device Quality Management Systems 1
A What if Contract Manufacturers does not have an ISO 13485 certificate? Where will the NB audit take place, at legal mfg. site or contract mfg. site? Other Medical Device Regulations World-Wide 3
H Transferring an ISO 13485 certificate to a new CB - Do I have to start from scratch? ISO 13485:2016 - Medical Device Quality Management Systems 2
GStough Informational SN EN ISO 9001:2015 and SN EN ISO 13485:2016 on Same Certificate? Registrars and Notified Bodies 7
T Software Validation Certificate (ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 19
R ISO 13485 Certificate Scope modified by Notified Body EU Medical Device Regulations 9
B Reapplying for ISO 13485 certification after certificate revocation ISO 13485:2016 - Medical Device Quality Management Systems 3
N "Sterile" missing on the CE Certificate - ISO 13485 Certified Contract Manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 5
Y Which version of ISO 13485 would be considered for MDSAP certificate? Canada Medical Device Regulations 8
S BSI's ISO 13485 certificate does not mention AC 2009 corrigendum Registrars and Notified Bodies 5
5 Transfer of an ISO 13485 Certificate to another Company ISO 13485:2016 - Medical Device Quality Management Systems 4
D Using a different Notified Body for ISO 13485 Certification & Device Certificate CE Marking (Conformité Européene) / CB Scheme 6
C Validity of a 5 year ISO 13485 Certificate ISO 13485:2016 - Medical Device Quality Management Systems 3
N Scope of ISO 13485 Certificate for Multiple Devices EU Medical Device Regulations 4
N New Certificate for ISO 13485 & CMDCAS has no product listed nor explicit CMDCAS refs ISO 13485:2016 - Medical Device Quality Management Systems 5
C Lapse between ISO 13485 certificate expiring and new audit ISO 13485:2016 - Medical Device Quality Management Systems 9
K ISO 13485 Registration Certificate Life-Time (Validity Period) ISO 13485:2016 - Medical Device Quality Management Systems 21
Q ISO 13485 Certification - Single ISO certificate for two different business entities? ISO 13485:2016 - Medical Device Quality Management Systems 4
B Reference to EN550 or ISO11135 - on an ISO 13485 Certificate ISO 13485:2016 - Medical Device Quality Management Systems 2
LostLouie DHF linked to ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 4
M ISO 13485 Supplier Question ISO 13485:2016 - Medical Device Quality Management Systems 13
M ISO 13485:2016 Identification & Traceability ISO 13485:2016 - Medical Device Quality Management Systems 4
K Clause 7.5.2 of ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 5
J ISO 13485 and new warehousing ISO 13485:2016 - Medical Device Quality Management Systems 2
A Applying for ISO 13485 certification ISO 13485:2016 - Medical Device Quality Management Systems 8
Ed Panek Auditor Feedback ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 12
S ISO 13485 certification training Training - Internal, External, Online and Distance Learning 1
Ed Panek ISO 13485 Reporting Requirements ISO 13485:2016 - Medical Device Quality Management Systems 4
B ISO 13485 Qualification of R&D Equipment Qualification and Validation (including 21 CFR Part 11) 1
J Recognised/reputable courses for ISO 13485 Section 7.3 (Design & Development)? ISO 13485:2016 - Medical Device Quality Management Systems 1
K ISO 13485 Design Requirement with respect to "component" manufacturers ISO 13485:2016 - Medical Device Quality Management Systems 11
P Registrar Cancelled ISO 13485 Auditors multiple times? Registrars and Notified Bodies 1
rob3027 ISO 13485 justification for design and development exclusion for medical packaging ISO 13485:2016 - Medical Device Quality Management Systems 18
A Help understanding what it takes to implement a QMS that is ISO 13485 compliant ISO 13485:2016 - Medical Device Quality Management Systems 4
FuzzyD ISO 13485:2016 Customer Assessment OFI ISO 13485:2016 - Medical Device Quality Management Systems 2
M ISO 13485 consultants and auditors with design oriented focus ISO 13485:2016 - Medical Device Quality Management Systems 7
S Brexit ISO 13485:2016 + Corrigendum - What does a UKCA DoC require? EU Medical Device Regulations 2
Aliken Recommendation for the ISO 13485 certification company ISO 13485:2016 - Medical Device Quality Management Systems 7
ISO-tired ISO 13485: file structure overview ISO 13485:2016 - Medical Device Quality Management Systems 11
M PROBLEM IN SCOPE OF ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 6
S ISO 13485 signing of Procedures etc. ISO 13485:2016 - Medical Device Quality Management Systems 10
N ISO 13485 Scope Reduction Other ISO and International Standards and European Regulations 2
M Can veterinary implants be ISO 13485 certified? ISO 13485:2016 - Medical Device Quality Management Systems 23
D Audit Report details when ISO 13485:2016 and cGMP 21 CFR 820 are applicable ISO 13485:2016 - Medical Device Quality Management Systems 6
R Looking for ISO 13485 Internal Audit Checklist ISO 13485:2016 - Medical Device Quality Management Systems 8
FuzzyD ISO 13485 change in process ISO 13485:2016 - Medical Device Quality Management Systems 3
R Interesting Discussion Chapter 7.5 of ISO 13485 for manufacturers of mobile medical applications ISO 13485:2016 - Medical Device Quality Management Systems 4
V ADDING NEW MEDICAL DEVICE / Product, WHEATHER THIS AFFECTS EXISTING ISO 13485 CERTIFICATION? ISO 13485:2016 - Medical Device Quality Management Systems 4
K Subcontractors Providing Services Under MDD or MDR need ISO 13485 from EU Notified Body? CE Marking (Conformité Européene) / CB Scheme 8

Similar threads

Top Bottom