RESOURCES FOR DETERMINING WHICH APPENDICES APPLY TO YOUR FACILITY:

• APPENDIX APPLICABILITY GUIDANCE
• APPENDIX DETERMINATION TOOL  (Questionnaire to help facilities determine Appendices)

PROCESS Requirements apply only to facilities that engage in those specific processes.  Activities or processes taking place at a facility cannot be excluded.  If a Facility wipes a single hard drive, then it must certify to Appendix B-Data Sanitization.   Or if a facility buys material that is drop-shipped directly to another vendor, then Appendix F – Brokering applies.

But keep in mind that processes need to occur with enough frequency to generate a good sampling of records.  For each process or activity, an auditor will need to see sufficient records to demonstrate implementation and conformance with the R2 Standard.  Processes that lack sufficient records will result in a nonconformance.  For items or materials streams that are outside of a facility’s core competency or business model it would be wise to send those items to a qualified downstream vendor for processing.

Working within your core competencies and limiting the PROCESSES (Appendices) that need to be certified can be a way of containing audit costs.  A cost analysis may show that infrequent materials streams may not justify the cost of auditing and certifying a particular PROCESS that is rarely performed – especially when those items could be sent to a qualified downstream vendor for processing.

The Bottom Line:  If a process or activity is performed by a Facility, it must be audited and certified.  Using downstream vendors to process items outside the Facility’s core operations can be a way to reduce the number of Appendices that must be certified, which reduces audit time and cost.