ISO 13485 Certificate Location / Scope

[bethg]

Hello,

A little background: I am a QM for a small software company with ISO 13485:2016 certification. We do not manufacture a medical device; we have a customer that uses our software to support their medical device and, in order to be an approved supplier, we became certified.

My question is regarding the scope of our certification. Our current certificate lists three locations. Our HQ and two manufacturing facilities - one in the US and one in EU.

We have no physical manufacturing. Everything is digital and the majority of our employees are remote.

Can anyone provide background or information on the requirements for listing "locations" on a ISO 13485 cert?

All of our processes are the same, regardless of location. I would prefer to be certified by business unit rather than a brick-and-mortar location.

I hope this makes sense. Thank you for your time and input!

Beth

 

[Ed Panek]

What do the locations do in terms of outputs for the SBoM? Do they follow your QMS?

 

[bethg]

Yes, all locations follow the QMS (including training, doc control, supplier management, internal audit, CAPA, etc.)

The location's registered activities are design, development, distribution and support of the software. Each location follows identical sets of policies, procedures. Everything is harmonized and well documented.

When we are audited, it is completely redundant. Each requirement is essentially audited in duplicate.

 

[yodon]

The manufacturing work is outside the scope of your QMS? I don't understand when you say you do not manufacture medical devices but you have 2 manufacturing facilities (but no physical manufacturing).

If you limit the scope to just the software development work, can you limit the locations to wherever your server is? (AOs are going to have to come to grips with remote working!)

 

[Ed Panek]

Let me ask this differently, does each location have its own local storage for testing and other documents? If you let your NB know everything is centralized here and if you ask for records there they will all point to "Here." If that is the case it should be ok to have an HQ where all outputs are collected, analyzed, and approved.


For example, we have SW engineers doing work hundreds of miles away but that isnt relevant to an audit.

Auditing bodies are business units themselves so revenue matters. We were recently contacted by our NB to tell us we can start our remote MDR audit this month. Me - "But you said last year that's only when we are 95% done with the technical review?!" NB_ "Our policies have changed" What I suspect has happened is all that planned billing revenue for 2023 has moved out 5 years because of the MDR delay to 2028. Their "policy" changed so they can bill for this fiscal year. It's a business, not regulatory-driven, decision.

 

[bethg]

My apologies, I should have stated our cert scope is "Design, development, sales, distribution, and support of software." We list HQ and two other locations on the certificate. HQ registered activities are "Administrative Support, HR & Sales," all of which are remote. The other two locations registered activities are "Design, development, sales, distribution, and support of software".

We have on-prem servers in only one of the two locations. Our quality output data are primarily stored in cloud storage.

 

[yodon]

I would think that trying to get the AO to visit just one site, despite centralized storage, would be difficult. They're doing different things at each site, both sites contributing to the QMS. And if you have both 'manufacturing' sites doing D/D work, it would be difficult to exclude them.

You might see if they could organize the surveillance audits around what each site does and so alternate visits during the surveillance audits. I expect they'd still want to visit both sites for a recert.

Another option might be to see if they would consider on-site audits at one location and remote for the other (maybe alternating years). Historically, I haven't seen a lot of flexibility from AOs but I guess it wouldn't hurt to ask.

 

[bethg]

The two sites dedicated to design / development are performing the same work, following the same processes. Currently, we are audited remotely for all three locations listed on our certificate.

I am attempting to get a better way of managing the certificate because the two design/development sites are duplication of efforts (and costs). I was hoping to list all of the registered activities under the HQ location.

 

[somashekar]

The two sites dedicated to design / development are performing the same work, following the same processes. Currently, we are audited remotely for all three locations listed on our certificate.

I am attempting to get a better way of managing the certificate because the two design/development sites are duplication of efforts (and costs). I was hoping to list all of the registered activities under the HQ location.

1. If your business accepts listing the HQ only on the certificate, it is better to then not have the site/s mentiond on the certificate. Your resources can be operating from anywhere on the globe.
2. If the sites have to be listed, then the audit will sample projects being executed from each site, along with the support activities at these locations. These site scope of activity can be the same as these are your locations and your way of execution. The certificate will also carry the site location and the scope of activity there, along with the main scope of the certificate.
At certain annual / half yearly cycle of the 3 year certification agreement, these sites have to be visited by the CB.
(I have audited sites from the site location, while the organization auditee were remotely connected. This was when the organization wanted to add a new site. There are guidelines that CB follow and one of them is sampling sites in audits in a multi-site certification. Remote audit as of present is not normal and will require due justification and special permission.)

 

[bethg]

Thank you to everyone for the information, feedback and experience shared!