Purpose: Provide a clear, audit-ready standard operating procedure (SOP) for refurbishing IT assets, assigning consistent cosmetic and functional grades, verifying data sanitization, and authorizing units for resale or redeployment. Applies to: Laptops, desktops, all-in-ones, servers, monitors, mobile devices, and small peripherals in an ITAD/e-waste recycling context aligned with R2v3 and common enterprise expectations.
1) Roles and responsibilities
Refurb Lead: Owns this SOP, updates test matrices, approves deviations.
Technician: Executes functional testing, cleaning, minor repairs, grading, and labeling.
Data Technician: Performs data wipe and verification; isolates failures.
Parts stock: RAM, SSDs/HDDs, power bricks, CMOS batteries, fans, hinges, cables.
Safety: PPE for cleaning chemicals; lockout/tagout for high-voltage monitors; fire-rated containers for suspect batteries.
Records: Asset ID labels tied to a device record (make, model, serial, customer lot, intake date, and data classification if provided).
3) Process overview (high level)
Intake & Triage: Verify asset ID, external condition, power-on eligibility, data classification, and customer instructions.
Data Sanitization: Wipe or destroy per policy. Verify and log results.
Functional Testing: Apply model-specific test matrix. Record pass/fail and repairs performed.
Cosmetic Grading: Assign grade using the rubrics below; capture supporting photos.
Final QC Gate: QA sample-checks function, cosmetics, labeling, and documentation.
Release to Sale: Generate spec label and listing attributes; move to pick-ready location.
4) Data sanitization & verification (must be completed before functional testing that accesses user data)
Isolation: Devices with storage media are quarantined in a limited-access area until wiped or storage removed. Method selection: Based on storage type and customer policy (e.g., overwrite for HDD, cryptographic erase or overwrite for SSD; physical destruction when required). Execution:
Confirm the asset ID and media serial match the record.
Apply the approved sanitization method with verification enabled.
For multi-drive systems (RAID, dual storage), sanitize each device individually. Verification:
Save a report (or log) with asset ID, storage serial(s), method, date/time, technician ID, and result (success/fail).
Random sample audit: QA re-runs verification on at least 5% of wiped units per lot. Failures:
If wipe fails or verification is incomplete, reattempt once. If still failing, escalate to physical destruction or specialized handling per policy. Recordkeeping:
Attach the wipe report to the device record.
Apply a โData Clearedโ label with date, technician initials, and method.
5) Functional testing matrices
Create model-agnostic matrices with minimum pass levels and optional enhancements. Below is a baseline you can adapt.
5.1 Laptops
Power & POST: Boots without error beeps; BIOS accessible; correct CPU and RAM detected.
Battery health: Reported design vs. full charge capacity; Grade A โฅ 80%, B 60โ79%, C < 60% (or include new battery).
Keyboard & input: All keys register; trackpad click and movement consistent.
Display: No cracks; brightness uniform; no pressure marks; pixel test (allowable defects per grading rubric).
Storage & RAM: SMART check; surface scan or short DST; memory test pass.
Ports & wireless: USB, video out, audio, Wi-Fi, Bluetooth verified.
Thermals: 15-minute stress test; fans functional; temps within spec.
Camera & speakers: Basic mic and speaker test; camera detection.
Cosmetic: Apply grading rubric (below); hinge stiffness acceptable.
5.2 Desktops/All-in-Ones/Servers
POST stability: No hardware errors; time/date set; RAID healthy.
Storage: SMART/DST pass; SSD life check; confirm bays populated as listed.
Thermals & noise: 20-minute stress test; no abnormal bearing noise.
Monitors: Stand fully functional; no discolorations; backlight uniform.
Grade B (Good)
Housings: Minor scuffs/scratches visible at 30 cm; 1 small ding (< 3 mm) acceptable; no cracks affecting structure.
Displays: Up to 1 minor pressure mark or hairline scratch not visible on white screen at 30 cm; Pixels: โค 3 total defects; no clusters.
Keyboards/trackpads: Moderate cosmetic wear; all legends legible; function normal.
Batteries: Laptops 60โ79% design capacity.
Monitors: Minor bezel wear; โค 2 small dust spots not visible in normal use.
Grade C (Fair/Functional)
Housings: Noticeable wear, multiple scuffs, or up to 2 small dings; no sharp edges or exposed internals.
Displays: Noticeable scratch or pressure mark visible in bright screens but not obstructing primary content; Pixels: โค 5 defects; minor image retention allowed.
Keyboards/trackpads: Heavy wear but functional; replacement caps allowed if consistent.
Batteries: < 60% capacity or holding charge but below B threshold.
Monitors: Noticeable wear; limited uniformity issues; stand may have 1 function missing if VESA mount provided.
Grade D (Parts/Repair)
Cracks, missing plastics, dead pixels in clusters, severe pressure marks, faulty ports, failed thermal tests, activation lock present, or battery unsafe. Not for resale until repaired and re-graded; else route to parts or recycling per policy.
Photo evidence:
3 angles minimum (front, back, side/hinge).
Close-ups for any B/C-defining blemishes with a scale reference (coin or ruler).
Non-approved repairs: Board-level rework unless by certified tech in ESD area; cosmetic filling/painting that may hide damage; unsafe battery manipulation.
Parts traceability: Record part number, condition (new/pulled/refurb), supplier, and technician.
Re-test: After any repair, repeat affected functional tests before grading.
8) Labeling & documentation
Each asset must carry:
Front label: Make/Model, CPU, RAM, Storage, Screen size/resolution, GPU (if any), Wi-Fi, OS license indicator (if applicable), Battery health (laptops/mobiles), Grade, and Asset ID (barcode).
Media label: โData Clearedโ with method, date, initials; or โNo Storage.โ
Device record must include: Intake details, customer lot, serial(s), wipe report, functional test results, repairs, cosmetic grade with photos, QA result, and final disposition.
9) Final QA gate and release to sale
Sampling: QA reviews at least 10% of ready units per lot (increase to 100% for new technicians or high defect rates). Checks:
Data wipe documentation present and matches asset.
Review KPIs weekly; if FPY drops or QA disagreements rise, retrain on the most-missed steps.
Update the grading photo gallery with examples so new techs calibrate faster.
Refresh test matrices quarterly to reflect new common models, firmware changes, and failure patterns.
Invite feedback from sales and returns teams to tune grading thresholds and descriptions.
Summary
This SOP gives technicians and auditors the same thing they want: repeatable processes, objective grades, and verifiable records. By sequencing sanitization โ testing โ cosmetic grading โ QA โ release, and documenting each step with reports, photos, and labels, you reduce nonconformities, returns, and disputesโwhile speeding time to sale and protecting data at every stage.
Purpose: Provide a clear, repeatable system to capture incidents and nonconformities, analyze root causes, implement corrective and preventive actions (CAPA), and prove effectiveness to auditors. Applies to: All personnel, contractors, and visitors on site. Outcomes: Faster containment, fewer repeat issues, stronger audit evidence, safer operations.
1) Definitions (plain-English)
Incident: Any unplanned event that affects safety, environment, security, or operations (e.g., battery smoke, chemical spill, near-miss, injury, data-wipe station outage).
Nonconformity (NC): A failure to meet a requirementโinternal SOP, customer requirement, certification clause, legal requirement, or contract. Includes documentation gaps (e.g., missing signature on log).
Containment: Immediate actions to control or mitigate the impact (e.g., isolate affected pallets, stop shipment, place hold tags).
Corrective Action (CA): Action to eliminate the root cause of a detected nonconformity to prevent recurrence.
Preventive Action (PA): Action to eliminate the cause of a potential nonconformity to prevent occurrence (proactive).
Verification of Effectiveness (VoE): Evidence that the action worked over time (e.g., trend data shows reduction, sample audits pass for 90 days).
2) Roles & Responsibilities
All Employees: Stop unsafe work, report incidents/NCs immediately, assist with containment, record facts.
Area Supervisor: Open the report, classify severity, lead containment, assign temporary controls, notify the CAPA Owner.
CAPA Owner (often QA/EHS/Operations Lead): Drive root-cause analysis, set actions, deadlines, and metrics; track completion; verify effectiveness.
EHS Lead (if safety/environmental): Oversee legal reporting, medical response, spill kits, waste handling, and training.
When to report: Immediately for incidents; by end of shift for minor NCs. How to report: Use a single Incident/NC Report Form (paper or digital). Keep reporting simple and non-punitive.
Description (facts only; what was observed, not opinions).
Assets/materials involved (IDs, batch, serials).
Immediate actions taken (containment/first aid/shutdown).
Photos or attachments (if applicable).
Initial severity (S1โS4; see below).
Supervisor notified (name/time).
Temporary hold/isolation tag numbers.
Severity classification (for prioritization)
S4 Critical: Injury requiring hospitalization, fire, major spill, data breach, illegal shipment, repeated failure affecting customers/regulators.
S3 Major: Medical treatment beyond first aid, equipment damage, batch scrap, shipment recall risk, repeated log gaps.
S2 Moderate: First aid case, isolated process deviation, small contained spill, single log defect without impact.
S1 Minor: Cosmetic/documentation detail, readily corrected on the spot, no safety/quality impact.
Escalation timing
S4: Notify CAPA Owner and senior management immediately.
S3: Notify CAPA Owner within 2 hours, management by end of day.
S2/S1: Log within shift; supervisor review within 24 hours.
4) Containment (stop the bleeding)
Perform before analysis to prevent spread/recurrence while you investigate.
Standard containment toolkit
Quarantine/hold: Red โHOLDโ tags; move items to a designated hold area.
Stop & check: Halt affected line; initiate 100% check on last good lot.
Administrative controls: Temporary sign-offs, additional checks each hour.
PPE/safety: Spill kit deployment, ventilation, isolation of power, fire watch if battery thermal risk occurred.
Communication: Post a brief shift note and toolbox talk next day for awareness.
Record: what was contained, by whom, when, and scope (lot numbers, quantities).
5) Root Cause Analysis (RCA) that actually works
Use structured, quick-to-execute methods. Pick one:
A) 5-Whys (fast)
Why did the event happen?
Why was that possible?
Why did the enabling condition exist?
Why wasnโt it detected/prevented?
Why is the system designed that way? Stop when you land on a controllable system cause (not โhuman errorโ).
B) Fishbone (Ishikawa) for complex issues Consider People, Process, Equipment, Materials, Environment, Measurement. Brainstorm causes in each branch, then test the most plausible with data.
C) Evidence checklist
Interviews with operators/supervisors (use neutral, non-blaming questions).
Review recent changes (new staff, new supplier, revised SOP).
Check records (training logs, maintenance, calibration, DDQ approvals).
Sampling/inspection of affected stock.
Time series or control charts if you track process metrics.
Avoid blame. โOperator forgotโ is rarely the root cause; look for missing visual controls, unclear SOP steps, insufficient training, or poor workstation design.
6) Corrective & Preventive Actions (how to fix and future-proof)
Convert root causes into specific, testable actions. Use the Action Definition Rule: One action = one owner = one due date = one measurable outcome.
Common corrective actions
SOP update with clearer steps, photos, and acceptance criteria.
Retraining + competency check (quiz or observed demo).
Tooling or fixture change; poka-yoke/physical guide to prevent mis-assembly.
Additional inspection step with sampling plan for the next 30โ90 days.
Supplier corrective action (when vendor cause is confirmed).
Software/label template change to remove ambiguous fields or enforce required ones.
Maintenance/calibration schedule update.
Preventive actions (proactive)
Risk assessment (FMEA-lite) on similar lines or product families.
Addons to checklists (e.g., battery intake checklist adds state-of-charge check).
Closure: after VoE evidence meets success criteria.
10) Integration with Training & Change Control
Training: Any SOP change triggers a targeted training event; record attendance and competency (short quiz or observed task).
Change Control: Major corrective actions that alter equipment, software, or layout require a documented change request and, where applicable, risk review prior to implementation.
Communication: Post concise โWhat changed & whyโ notes on the work area board; include photos of new steps/labels.
11) KPIs & Dashboard (what to track monthly)
# of Incidents / Near-misses / NCs (by area and severity).
Average days to containment and to closure.
% CAPAs on time (by severity).
Top 5 root causes (trend quarter over quarter).
Repeat rate for the same NC category.
Training effectiveness (post-change audit pass rate).
Supplier-related NCs (by vendor, action status).
Use a simple stacked bar for counts and a line for closure time. Highlight overdue S3/S4 items in red on the management review.
12) Example, End-to-End (makes it real)
Event: Drive-wipe station produced 7 drives without verification logs for 2 hours (S3 Major). Containment: Quarantine all 42 drives from that period; stop station; assign temporary manual verification step. RCA:
5-Whys reveals a new label template removed the โVerified byโ required field; operator proceeded without prompt.
Measurement branch shows the verification script didnโt block completion on missing signature. Corrective actions:
Reinstate required field with a hard stop in software (Owner: IT; Due: 3 days).
Update SOP with screenshot of correct label; add โverify & signโ checklist step (Owner: QA; Due: 5 days).
100% audit of quarantined drives; re-wipe and relabel where needed (Owner: Ops; Due: 2 days). Preventive actions:
Add change-control checklist for any template/software change impacting required fields (Owner: Quality; Due: 10 days). VoE plan: 8-week samplingโdaily random check of 20 drives; target 0 missing verification signatures. Closure: After 8 weeks of zero misses and a passed internal audit, CAPA closed with management sign-off.
13) Audit Readiness Tips (make your file audit-proof)
Use consistent IDs on reports, hold tags, action items, and training events to show linkage.
Put a summary sheet on top of each case file: timeline + key decisions + VoE results.
Redline SOPs to show exactly what changed; keep both before/after.
Keep meeting minutes for management reviews where CAPAs were discussed (bullet decisions and owner/dates).
Ensure frontline staff can explain what changed and where to find the checklist.
14) SOPโCondensed Procedure (copy into your document)
Report & Log: Employee reports; supervisor logs Incident/NC within shift.
Classify & Escalate: Assign severity; notify per matrix.
CAPA ID, RCA summary, actions (owner, due date, status), resources needed, training required, affected documents.
C) Verification of Effectiveness Log
CAPA ID, metric, target, data source, sampling frequency, results, pass/fail, date closed, approver.
Final Notes
Keep the process simple, fast, and non-punitive so people report issues early. Tie every action to a measurable result and verify over time. When auditors arrive, a clean log, clear files, and confident operators are the best proof your CAPA system works.
Purpose: This Standard Operating Procedure (SOP) defines how an e-waste or ITAD facility safely receives, triages, stores, and ships hazardous fractionsโespecially lithium-ion batteries, CRT glass, and mercury-containing lampsโto minimize fire, exposure, and environmental risk while maintaining audit-ready records.
Scope: Applies to all staff handling inbound equipment and parts, including receiving, triage, refurbishment, demanufacturing, storage, and shipping. Covers small and large format batteries, lead-acid, NiCd/NiMH, CRT devices and cullet, fluorescent/CFL/UV lamps, and incidental spill/breakage response.
1) Roles, Training, and Competency
EHS Lead: owns this SOP, conducts hazard assessments, approves PPE, and reviews incidents/CAPAs.
Fire safety and thermal runaway basics; extinguisher selection and locations.
Spill/breakage response and notification tree.
Proper use of PPE and inspection of gloves/respirators/eye protection.
Recordkeeping: what to log, how, and where.
2) PPE & Work Area Controls (Quick Matrix)
Li-ion battery handling: cut-resistant gloves, safety glasses/face shield for damaged units, antistatic sleeve/bag, non-conductive tools, fire-resistant container with inert fill for quarantine.
Lead-acid/NiCd/NiMH: chemical-resistant gloves (nitrile), safety glasses, apron for wet batteries; neutralizer and absorbent within 10 m.
CRT removal/cullet: cut-resistant gloves, long sleeves, safety glasses + face shield, HEPA vac available.
Mercury lamps: cut-resistant gloves, safety glasses; if breakage cleanup, add disposable coveralls and P100 respirator per exposure assessment.
Area controls
No smoking or open flames.
Charging only at designated, supervised stations (never in storage areas).
Keep Class ABC extinguishers readily available; keep water or water-mist for cooling Li-ion incidents; maintain sand/inert absorbent for containment.
Post โNo Pallet Jacksโ signs where glass/lamps are stored if floor vibration risks tipping.
3) Receiving & Triage (All Streams)
Visual screen at dock
Look for swollen, hot, hissing, or leaking batteries; wet lead-acid; crushed CRTs; broken lamps.
Use an IR thermometer for suspicious packs; if > 60ยฐC (140ยฐF), treat as thermal risk and move to outdoor or isolated quarantine immediately.
Immediate isolation
Damaged/defective/dangerous (DDD) batteries โ Battery Quarantine Bin with inert material (vermiculite or sand), lid on, labeled โDamaged Li-ionโDo Not Charge.โ
Broken CRT or lamp โ secure area, prevent tracking, begin breakage procedure.
Identification & labeling
Apply hazard label, date, stream (Li-ion, L/A, NiCd, CRT, Mercury), condition (Intact / Damaged), and weight or count.
Record in Hazardous Fractions Intake Log before moving to storage.
Segregation
Separate by chemistry (Li-ion vs L/A vs NiCd/NiMH).
Keep intact away from damaged.
CRT devices separate from lamps and batteries.
Maintain minimum 1 m clearance between battery stacks and any ignition sources.
4) Lithium-Ion Batteries (Primary Fire Risk)
Key risks: internal short leading to thermal runaway; re-triggering after initial cooling; electrical short from terminals contacting metal.
Do / Donโt basics
Do tape or cap terminals; use non-conductive containers; keep SoC low; cool overheated packs.
Donโt crush, puncture, or charge unknown packs; donโt mix damaged with intact; donโt use metal bins.
Removal & Preparation
Depower devices; wait 5 minutes before removal.
Use non-conductive tools; remove batteries gently.
Tape all exposed terminals; for multi-cell packs, insulate harness connectors.
Storage
Intact Li-ion: rigid, non-conductive containers with lids; layers separated by cardboard; terminal-taped.
Damaged/Swollen: place individually in fire-resistant container with inert fill; lid closed.
Limits: set conservative max per zone (e.g., โค 300 kg intact per bay; โค 30 kg damaged in quarantine). Document your facilityโs limits and keep a tally.
Charging policy
Charging is prohibited unless you run a controlled test area with fire detection, 24/7 monitoring, non-combustible surrounds, and immediate access to suppression and evacuation routes. Never charge suspect packs.
Thermal incident response (small device battery)
Alert nearby staff; pull alarm if escalating.
Do not smother with Class D agent for Li-ion; cool generously with water or water-mist to stop propagation and cool adjacent packs.
Keep cooling until steam/smoke stops and temperature normalizes; monitor 60 minutes for re-ignition.
Move debris to metal tray, soak-cool outside if possible, then bag as incident waste once cold.
Documentation
Log incident time, location, product type, suspected cause (crush, puncture, charging, unknown), actions taken, cooling duration, and CAPA.
5) Lead-Acid, NiCd, and NiMH Batteries
Lead-acid (flooded/AGM/gel)
Keep upright on acid-resistant trays; neutralizer and absorbent within reach.
If leaking, neutralize and contain; move to leaker bin with absorbent; label โHazardโBattery Acid.โ
No mixing with Li-ion; different pallets and zones.
NiCd/NiMH
Tape terminals; store in closed, non-conductive tubs.
Treat leaking cells as chemical exposure; bag and stage as hazardous waste.
Outbound prep (general)
Use sturdy, tested packaging appropriate for battery type; cushion and segregate layers; verify labels and orientation markings; ensure counts/weights match shipment docs.
Don PPE: cut-resistant gloves, eye protection; for close cleanup, add P100 respirator if your assessment requires.
Gently collect large pieces; use sticky tape for small shards/powder; apply sulfur or zinc-based powder per kit instructions to bind residual mercury.
Place all debris, wipes, and PPE into a sealable bag or container; label as broken mercury lamp waste.
Ventilate area for โฅ15 minutes before resuming normal work.
Storage
Keep intact and broken streams separate.
Containers closed, upright, labeled with start accumulation date and contents.
8) Storage Design, Limits, and Fire Prevention
Segregation map: post a color-coded floor plan showing each streamโs zone, quarantine area, exits, extinguishers, and spill kits.
Aisle spacing: โฅ 1 m clear aisles; no dead-end corridors; keep exits unobstructed.
Stacking: do not exceed manufacturer ratings for gaylords/totes; no overhang; lids on.
Environmental controls: cool, dry storage; avoid direct sunlight; keep batteries away from heaters and chargers.
Detection: smoke/heat detection in battery areas; if feasible, use thermal cameras or spot checks with IR thermometer for quarantined packs.
Housekeeping: daily sweep of paperwork/combustibles from battery areas; no cardboard in damaged-battery quarantine bay except as necessary for packaging.
9) Spill, Leak, and Breakage Procedures (Quick Cards)
Battery electrolyte (lead-acid)
Don chemical gloves, eye protection, apron.
Contain with absorbent; neutralize per kit instructions until fizzing stops.
Scoop into labeled container; wipe area with neutralizer solution; dispose as hazardous waste.
Complete Spill/Leak Log with volume estimate and corrective actions.
Damaged Li-ion (leaking/venting)
Isolate, cool if hot, do not seal in airtight container until cool.
Double-bag debris once cold; label as incident waste; move to outside storage pending disposal.
CRT glass
HEPA vac only; no brooms; collect and containerize promptly; check footwear for shards before leaving area.
Mercury lamp
Follow breakage steps above; ventilate; package all cleanup materials as hazardous waste.
Weekly: verify storage tallies vs limits; IR spot-check of quarantine bins; check extinguisher gauges and kit supplies.
Monthly: review incident log, close CAPAs, and update risk assessments; refresh staff toolbox talk on a recent near miss.
Quarterly: drill a battery thermal incident; time your response, cooling duration, and area clearance.
Document findings and assign owners with target dates. Update this SOP when equipment, layout, or regulations change.
12) Practical Tips That Reduce Risk Immediately
Terminal tape at the dock: a 5-second habit that eliminates most shorts.
Small, frequent shipments of damaged batteries instead of stockpiling.
Dedicated carts and tools for battery workโno metal bins, no mixed-use tools.
Photo evidence: take quick photos of damaged items and final packaged state; attach to the log entry.
Signage and floor markings: clear visual management beats long lectures.
Donโt over-engineer: simple closed containers, separation, and discipline around logs win audits.
13) One-Page Checklists (print and post)
Receiving/Triageโ60-Second Checklist
Visual check for heat, swelling, leaks, or glass/mercury breakage
Isolate damaged items (battery quarantine or breakage protocol)
Apply label (stream, condition, date)
Tape/cap battery terminals
Log entry completed before moving to storage
Daily Area Walkโ5 Points
Containers closed, labeled, and not overfilled
Aisles and exits clear; no cardboard clutter near batteries
Storage tallies updated; limits respected
Extinguishers and kits present, inspected, unobstructed
Quarantine bin checked; temperature spot-check if needed
Closing Note
This SOP gives you practical, audit-ready controls for the hazardous fractions that cause the most issues in e-waste facilities: Li-ion batteries, CRT glass, and mercury lamps. Keep it simple: identify early, segregate smartly, store conservatively, document consistently, and practice your response. Thatโs how you reduce fires, injuries, and nonconformitiesโwhile passing audits with confidence.
Purpose: Define a practical, audit-ready Chain of Custody (CoC) process for electronics recycling and ITAD operations. This SOP ensures every asset and data-bearing device is tracked from intake to final disposition, with complete records, signatures, and tamper-evident controls.
Scope: Applies to all incoming assets (loose or palletized), especially data-bearing media (HDD/SSD/NVMe, mobile devices, tapes, removable media). Covers in-house handling and transfers to downstream vendors.
Outcomes:
Verifiable custody history for each asset or package.
Clear accountability at each handoff.
Evidence of data protection and compliance suitable for audits.
Custodian (Operations Lead or Cage Custodian): Controls access to secure areas, verifies seal integrity at each movement, signs custody transfers, approves exceptions.
Transporter (Internal Driver or Courier Liaison): Verifies counts, seal numbers, and documentation before transport; obtains signatures at pickup and delivery.
Data Team (Sanitization/Destruction Technicians): Updates CoC Log with wipe/destroy results, serials, QA verification, and exceptions.
Compliance (Quality/Compliance Manager): Performs periodic reconciliation, spot audits, and record retention; maintains approved downstream list.
Tip: Maintain a simple RACI matrix in your SOP binder to avoid confusion during audits.
2) Definitions (keep them simple)
Chain of Custody (CoC): Continuous documented control of assets/media from receipt to final disposition.
Lot ID: Unique identifier for a group of items received together (e.g., shipment or pallet).
Asset ID: Unique identifier for a single device/unit.
Tamper-evident seal: Numbered seal that, once broken, cannot be reapplied without evidence of tampering.
Exception: Any deviation from expected condition, count, or procedure (e.g., broken seal, mismatch, unknown device).
Final Disposition: Reuse/resale, material recovery, or certified destruction.
3) Required Records & Tools
CoC Log: Central record tracking lot/asset IDs, locations, handlers, timestamps, seal numbers, and signatures.
Prepare IDs & Materials: Pre-print Lot IDs, confirm seal inventory, stage Intake Forms, and ensure secure storage capacity.
Assign Staff: Receiver, Custodian, and Transporter designated for the job.
Step B โ Intake (Receiving & Lot Creation)
Receive Shipment: Verify shipper identity and Bill of Lading against schedule.
Initial Inspection: Check pallets/containers for damage; photograph overall shipment.
Create Lot: Assign a Lot ID; affix Lot label to pallet(s)/container(s).
Count & Weigh: Record total counts and/or weight per pallet/container; note discrepancies.
Seal Status:
If shipment arrived sealed: record seal numbers & condition; photograph seals.
If unsealed or mixed: apply new seals to each container holding data-bearing devices.
Intake Form: Document shipper, Lot ID, arrival time, receiver name and signature, condition notes, photos taken (reference numbers if you use a photo log).
CoC Log Entry (Start): Create the initial CoC Log record for the Lot ID with date/time, receiver, location, and (if applicable) seal numbers.
Tip: If you receive loose items, group data-bearing devices into bins and immediately seal those bins; record the seal numbers in the CoC Log.
Step C โ Secure Storage (Access Control)
Move to Secure Area: Transport the sealed pallets/bins to the secure cage/room.
Sign Handoff: Receiver โ Custodian handoff recorded in the CoC Log with both signatures, date/time, and location change.
Access Control: Only authorized staff may access; each entry/exit is logged (badge or manual) and tied to Lot/Asset activities.
Step D โ Internal Transfers (Within Facility)
Request Move: When assets move (e.g., cage โ data wipe room), generate a Transfer Form including Lot ID, destination, purpose, planned start/end times.
Verify Seals: Custodian checks seal numbers and integrity before release; record in CoC Log.
Signatures: Custodian (releasing) and receiving technician sign the transfer with timestamps.
Upon Arrival: Receiving technician confirms counts, seal integrity, and updates the CoC Log.
Step E โ Processing (Data Protection at the Core)
De-sealing & Open: Only at the point of processing. Record seal break with number, date/time, and technician signature.
Identify & Label Assets:
Assign Asset IDs to each device/media.
Capture serial numbers (scan when possible).
Sanitization or Destruction:
Record method (e.g., software wipe, degauss, shred), tool/version, settings, result (pass/fail).
For wipes: record verification step/results; for destruction: record particle size or cut class if applicable.
QA Check: A second person (QA) verifies a sample or 100% as required; signs off with date/time.
Update CoC Log: Link each Asset ID to the Lot ID, record processing details and outcomes.
Important: If a device cannot be wiped (SMART errors, unsupported interface), quarantine it in sealed container โ document exception โ route for physical destruction โ update records.
Step F โ Consolidation & Outbound (Downstream Transfers)
Package for Outbound: Group processed assets by disposition (e.g., resale, material recovery). Assign Outbound Package IDs and apply tamper seals.
Prepare Documentation: Outbound Transfer Form includes Lot IDs, Asset/Package IDs, counts/weights, seal numbers, destination, carrier, pickup time.
Custody Transfer at Dispatch: Custodian verifies counts and seals; Transporter signs to accept custody. CoC Log updated with date/time, names, and destination.
Proof of Delivery: On receipt, downstream or warehouse signs Delivery section with date/time, condition notes, and seal verification. Obtain copy (scan/photo) for records.
Step G โ Final Disposition & Closeout
Record Final Disposition: For each Asset/Package ID, record resale ticket, destruction certificate reference, or material recovery ticket.
Reconciliation: Compliance reviews the CoC Log against intake counts and outbound records; resolve any deltas.
Close Lot: Mark Lot as โClosedโ with date, reviewer name, and any CAPA references for exceptions.
5) Exception Handling (What Auditors Look For)
Common Exceptions & Actions:
Broken or Missing Seal: Immediately quarantine; photograph; assign new seal; record as exception with time, person, and location. Initiate CAPA (root cause, corrective & preventive actions).
Count Mismatch: Recount; reconcile against intake/outbound docs; note root cause (mis-sort, mis-scan). Update CoC Log and issue CAPA if systemic.
Unknown Devices/Media: Tag โUnknown,โ quarantine; investigate origin (Lot linkage). If unresolved, treat as highest risk (data-bearing) and process accordingly.
Process Fail (Wipe Fail): Record failure reason; transfer to destruction with new sealed container; update records.
Nonconformity Triggers: Missing signatures, absent seal numbers, handoffs without timestamps, or incomplete serial tracking for data-bearing devices. Your SOP should require immediate correction and documented CAPA.
6) Recordkeeping & Retention
CoC Logs, Intake Forms, Transfer Forms, Exception/CAPA, Sanitization/Destruction Records, Proof of Delivery: Retain for the period your certification or contracts require (often 3โ7 years).
Format: Electronic system preferred (exportable CSV/PDF). If paper, scan to PDF and index by Lot ID.
Indexing Rules: File by Year โ Client โ Lot ID, with cross-references to Asset IDs and Outbound Package IDs.
7) Physical Controls & Security Notes
Segregation: Separate data-bearing from non-data-bearing at intake; different color labels help.
Signage: Post access rules at secure areas; include โNo unauthorized entry,โ โNo personal devices,โ and camera policies.
CCTV Coverage: Entrances to secure areas, processing stations, and shipping bays. Store footage per policy.
Tool Control: Only approved wiping tools; versions and hashes recorded in the Sanitization Record.
Training: Annual training on CoC, seals, exceptions, and documentation; keep rosters and quizzes.
8) Audit-Ready Tips (Make Your Records Self-Explanatory)
Consistent Timestamps: Use 24-hour format with timezone; devices should be time-synced.
Readable Signatures: Pair signatures with printed names and employee IDs.
Photo Evidence: Photograph seals at intake and outbound; include the seal number visible in frame.
Unique IDs Everywhere: Lot ID, Asset ID, Package ID are never reused; barcode/QR reduce errors.
Spot-Checks: Weekly mini-audits: pick a Lot, walk from intake photo โ CoC Log โ sanitization record โ outbound proof. Fix gaps immediately.
9) Templates (Copy & paste into your forms system)
A) Chain of Custody Log (Core Fields)
Lot ID
Asset ID (or โPackage IDโ for bulk)
Item description (device/media type, model)
Serial number (for data-bearing items)
Seal number(s) applied/verified
Location (from โ to)
Handler name & signature (releasing)
Handler name & signature (receiving)
Date & time (handoff)
Purpose of transfer (intake, storage, processing, outbound)
Notes/Exceptions (reference Exception ID if applicable)
B) Intake Form (Shipment)
Client/shipper name
Arrival date/time
Bill of Lading / reference
Lot ID(s) assigned
Counts & weights by pallet/container
Visual condition notes + photo references
Seal numbers observed (if any)
Receiver name & signature
C) Transfer Form (Internal/Outbound)
From location โ To location
Lot/Package/Asset IDs included
Count/weight
Seal numbers verified/applied
Releasing person (name, signature, timestamp)
Receiving person (name, signature, timestamp)
Carrier details (for outbound)
Delivery confirmation section (signature, timestamp, seal status, condition notes)
10) Daily/Weekly Controls (Simple Routine That Works)
Daily:
Reconcile previous dayโs handoffs (are signatures and timestamps complete?).
Verify seal stock and log usage; investigate any gaps in seal number sequences.
Check cage access log vs. CoC activity.
Weekly:
Perform a start-to-finish trace on one closed Lot and one active Lot.
Calibrate scales if used for billing/weights.
Review exceptionsโclose open items or escalate CAPA.
Monthly:
Audit 10% sample of sanitization records against the CoC Log and device serials.
Review training needs and update roster.
Validate that record retention and indexing are current.
11) What Makes Auditors Confident (and Where They Fail Findings)
Confidence Builders:
Every handoff has two signatures and a clear location change.
Seal numbers are always present, legible, and match photos.
Serial numbers for all data-bearing media are captured and tied to outcomes.
Exceptions are documented quickly with CAPA showing real preventive steps.
Common Findings:
Missing timestamps or illegible signatures.
Seals recorded at application but not verified at receipt.
Wipe logs without tool version or verification step.
Transfer forms used inconsistently between departments.
12) Version Control & Training
SOP Version: Include version number, effective date, and next review date on the first page.
Change Log: Brief table of revisions (what changed, who approved, date).
Training: New hires trained before handling assets; refresher annually; keep sign-in sheets and quiz results.
Final Notes
An auditor-trusted chain of custody is mostly about clarity and consistency. If a third party can understand your records without asking you questions, youโve done it right. Keep the process simple, seal what matters, sign every handoff, record every step, and reconcile often. Your CoC will hold upโduring audits and when it matters most.
This guide shows real-world R2v3 nonconformities that recyclers and ITAD providers run into, why they happen, and exactly how to correct and prevent them. Use the checklists, templates, and acceptance criteria to close findings quickly and keep them from coming back.
How to read this playbook
Scope: Focuses on operational pain points that commonly trigger minor and major nonconformities during Stage 1, Stage 2, and surveillance audits.
Format: Each section lists (1) what auditors usually find, (2) the root causes, and (3) corrective and preventive actions with evidence examples and acceptance criteria.
Use it: Copy the bullet points into your CAPA form and attach the evidence listed.
1) Data security & sanitization: method not matching media, or records incomplete
What auditors find
Drives or devices labeled โwipedโ without a verifiable record of method, tool, settings, pass/fail, and unique identifier.
Mixed media types treated with a single method that isnโt appropriate (e.g., SSDs processed with an HDD-only overwrite method).
Sampling performed, but the sampling plan isnโt defined or justified.
Software version or wipe profile changed mid-period without a change control entry.
Likely root causes
SOPs are vague or not role-specific.
Technicians rely on tribal knowledge; training records do not reflect method specifics.
Wipe tool exports not mapped to your log fields; serial capturing inconsistent.
Corrective actions (fix now)
Align each media type to an approved method in a one-page Media โ Method Matrix and post it at the station.
Update the Data Sanitization Log to include: asset ID, media type, tool & version, profile, date/time, operator, pass/fail report reference, and reviewer sign-off.
Re-run sanitization for a sample of affected items; quarantine and reprocess any uncertain units.
Record a change control entry for the tool/version/profile currently in use.
Preventive actions (stop it recurring)
Technician training module that covers the matrix and log completion; require practical sign-off.
Weekly sanitization spot-check: supervisor reviews 10 random records against exported tool reports.
Lock the wipe tool configuration; changes require manager approval with a version snapshot.
Evidence to attach
Updated SOP and the Media โ Method Matrix.
Completed logs with matching software reports.
Training sign-in and competency checklists.
Spot-check checklist with pass rate.
Acceptance criteria
For a sample of 30 wiped devices across media types, 100% have full, traceable records and correct method per matrix; 0 unlabeled or unverified devices on the floor.
2) Chain of custody: gaps between intake, storage, and outbound transfer
What auditors find
Intake receipts exist, but location status and container IDs arenโt tracked end-to-end.
Outbound shipments lack a complete reconciliation from intake quantities/IDs to final disposition.
โQuarantineโ or โsecure cageโ exists, but no log shows time-in/time-out and who had access.
Likely root causes
Process maps stop at departmental boundaries.
Labels or barcodes not applied at the first practical touchpoint.
Paper forms that donโt sync with the digital ledger.
Corrective actions
Introduce a Chain-of-Custody Ledger (physical or digital) with five mandatory states: Received โ In Secure Storage โ In Process โ Post-Process Hold โ Outbound.
Require unique container IDs; affix labels immediately on intake.
Perform a backward reconciliation on last quarterโs shipments: choose 3 representative POs and tie every unit/container to the outbound record; correct discrepancies.
Preventive actions
Gate control: outbound cannot be scheduled unless reconciliation status = โcomplete.โ
Weekly walk-through with a location audit checklist (random containers).
Integrate barcode scanning at intake and outbound to cut manual errors.
Evidence
Completed ledger examples and reconciliations.
Photos of container labels and secure storage signage.
Walk-through checklists and corrective notes.
Acceptance criteria
For 3 sample POs, 100% of items/containers are traceable from receipt to outbound with timestamps and handler IDs.
3) Downstream due diligence: approval packets incomplete or not refreshed
What auditors find
Vendor approval forms on file, but missing waste codes, permit numbers, or final processing descriptions.
Annual reviews overdue; risk ratings not updated after incidents or regulation changes.
EHS/CSR claims (e.g., โno child labor,โ โno prison laborโ) not backed by documented checks.
Likely root causes
DDQ template doesnโt reflect your actual outbound streams.
Calendar reminders lapse; ownership for annual review unclear.
Overreliance on marketing brochures rather than documented evidence.
Corrective actions
Rework the DDQ to include: legal entity info, permits/licenses per stream, final process description, material flow map, facility photos, insurance, and contacts.
Perform desk audits for top 5 highest-volume downstreams: gather missing docs, verify permit validity dates, and document risk scores.
Temporarily suspend routing to any downstream lacking mandatory artifacts; identify alternates.
Preventive actions
Annual review schedule with assigned owner; automated reminders 60/30/7 days before due.
Post-incident re-evaluation trigger: any shipment complaint, nonconformity, or spill requires a DDQ refresh and risk rescore.
Supplier scorecard with thresholds that auto-flag high risk.
Evidence
Updated DDQ forms with attachments list.
Annual review log and upcoming reminder plan.
Risk scoring sheet with criteria and weighting.
Acceptance criteria
100% of active downstreams have current approval packets (dated within 12 months) that match your outbound streams and demonstrate legal authorization.
4) EHS controls: hazard assessments exist, but controls and training arenโt aligned
What auditors find
Generic risk assessments written years ago; they donโt mention lithium batteries, toner dust, or noise exposure specific to your lines.
PPE signage posted, yet training records donโt show task-specific PPE fit and use.
Spill kits present, inspection logs missing or outdated.
Likely root causes
Copy-paste assessments that never got localized.
Training tracked by job title, not by task.
No calendar for kit inspections or eyewash testing.
Corrective actions
Update the Hazard Identification & Risk Assessment by process step (intake, demanufacturing, battery handling, shredding, packing). Add specific hazards and controls.
Map each task to required PPE and training; issue task cards at workstations.
Inspect and replenish spill kits; start a monthly inspection log.
Conduct a drill (spill or fire) and document lessons learned.
Preventive actions
Quarterly floor audit with an EHS checklist tied to the risk assessment.
New-hire and job-change competency checks (not just attendance).
Purchasing control: PPE or kit changes trigger SOP and training updates.
Evidence
Revised risk assessment with sign-off date.
Task cards, training matrix, and signed competency forms.
Completed kit inspection logs and drill report.
Acceptance criteria
Zero missing or expired EHS controls in a random walk-through; training matrix shows 100% of active operators with current task-specific training.
5) Testing, evaluation, and repair (reuse claims not evidenced)
What auditors find
Units sold as โtested working,โ but no test protocol or proof of test steps/criteria per device category.
Repairs performed, but parts traceability and final quality check missing.
Cosmetic grading inconsistent across technicians.
Likely root causes
Test procedures live in peopleโs heads.
Work orders donโt require attachment of test results or photos.
No final QA gate before sale.
Corrective actions
Create category-specific test sheets (e.g., laptops, desktops, monitors) with pass criteria, firmware/BIOS checks, and battery/cycle thresholds.
Require a final QA sign-off on each work order before listing or shipment.
Introduce a grading guide with photos and definitions for A/B/C; train staff.
Preventive actions
Monthly QA sampling: pull 10 sold items, verify test sheets and grade accuracy.
Calibration or version control for diagnostic tools.
Separate โretestโ lane for returned units.
Evidence
Completed test sheets and work orders with QA sign-offs.
Grading guide and training records.
QA sampling log with results and actions.
Acceptance criteria
For a sample of 20 sold units, 100% have complete test evidence; grading disputes under 2% over a quarter.
6) Document control & change management: people use the old version
What auditors find
Multiple SOP versions on the floor; technicians follow an outdated instruction.
Recent process change (e.g., new wipe profile) not documented or reviewed.
Forms without revision numbers; difficult to verify theyโre current.
Likely root causes
Shared folders without permissions or archival rules.
No โcontrolled copyโ process for printed SOPs.
Changes implemented informally and announced verbally.
Corrective actions
Assign document owner per SOP. Add revision, effective date, and approval fields to the header.
Implement controlled copies: stamped printouts with an expiry; remove/replace old prints during change rollout.
Create a Change Control Log capturing reason, impacted docs, training required, and validation.
Preventive actions
Quarterly document review calendar.
Floor audit that checks version numbers against the master list.
CAPA: template forces root cause and effectiveness; no overdue high-risk CAPAs.
Final notes
Auditors donโt expect perfection; they expect control. That means traceable records, clear ownership, and proof that your fixes work. If you use this playbook to structure your logs, training, DDQ packets, and CAPA forms, youโll not only close todayโs findingsโyouโll reduce tomorrowโs risk.
Plain-English objective: R2v3 requires you to protect data at every stageโintake, handling, transport, processing, and final dispositionโusing documented controls that actually work. This guide gives you a practical, audit-ready workflow with sample SOP steps you can adapt immediately.
Scope & key definitions (keep these in your SOP)
Data-bearing asset (DBA): Any device or component that can store data (HDD, SSD, NVMe, mobile, tablet, server, printer/MFP with storage, network gear with flash, DVR, point-of-sale, USB/SD, embedded controllers).
Sanitization outcomes:
Clear: Overwrite data so it cannot be recovered using standard system functions and tools.
Purge: Render data unrecoverable using more rigorous techniques (e.g., cryptographic erase, firmware-assisted purge).
Destroy: Physically damage media so data is irretrievable (e.g., shredding, crushing, disintegration).
Verification: Evidence that sanitization achieved the intended outcome (software report, hash check, sample QC, physical fragment size checks).
Chain of custody (CoC): Continuous control and documented custody from pickup to final disposition.
Add these terms to your Definitions section so employees and auditors share the same language.
Data Security Lead (DSL): Owns the SOP, approves methods, maintains approved tool list, reviews exceptions.
Sanitization Operator: Executes wipe/purge/destroy steps and records serials, method, outcome, and verification.
QC Auditor: Independently verifies a defined sample or 100% where required; documents pass/fail.
Logistics/Dispatch: Ensures secure transport, seals, custody logs, and storage area integrity.
Compliance Manager: Performs internal audits, trend analysis, and CAPA for nonconformities.
Document this RACI in your procedure so itโs unambiguous who does what.
Intake-to-Disposition: the required control flow
Why this matters: Most nonconformities happen before or after the wipeโat intake (items missed) and after sanitization (mix-ups, incomplete records). A clean flow prevents both.
Pre-intake screening
Customer declares if assets are data-bearing; requests desired outcome (reuse with wipe, purge, or destroy).
Capture special handling requirements (e.g., encrypted assets, defective drives).
Secure intake
At receipt, visually and systematically identify DBAs. Use a laminated checklist by asset type.
Affix DATA-BEARING label and a unique asset ID. Photograph pallet/serial plates where feasible.
Record: customer, pickup manifest, seal numbers, time/date, handler signatures.
Controlled storage
Move DBAs to a restricted, CCTV-covered area with logged access.
Separate unsanitized from sanitized inventory with physical barriers and distinct tags.
High risk, encryption unknown, or device defective:Purge or destroy.
Customer-mandated destruction:Destroy regardless of device state.
Log the chosen method and rationale.
Sanitization execution
Use only approved tools/machines listed in your SOP (version-controlled).
Capture serial numbers, method, operator, start/end time, result code.
For cryptographic erase, record proof that the key was destroyed or reset performed.
Verification & QC
100% verification for software-based wipe/purge (attach reports per device).
Statistical QC only where justified and documented (e.g., repeated identical media batches).
For physical destruction, verify fragment size against your acceptance criteria.
Exception handling
If a device fails wipe or tool aborts, quarantine and escalate to DSL.
Decide re-attempt with alternate method or destroy.
Record the exception, corrective action, and final outcome.
Final disposition
Mark assets as SANITIZED or DESTROYED with visible tagging.
Update inventory status; separate storage for post-sanitization goods.
Prepare Certificates of Sanitization/Destruction with traceability fields (see template below).
Outbound control & records retention
For remarketing: ensure no unsanitized DBAs are mixed into outgoing lots.
For scrap: ensure destroyed media stays in secure custody until it enters the shredder and is ground to spec.
Retain records for your defined retention period (commonly 3โ7 years).
Sample SOP: Data Security & Sanitization (copy-adapt this)
Purpose Ensure all data on received DBAs is secured and sanitized in compliance with R2v3 and customer requirements.
Scope All DBAs handled at [Facility Name], including HDD, SSD/NVMe, mobile devices, printers/MFPs with storage, network devices, USB/SD, DVRs, and embedded flash.
Responsibilities As listed in Roles & responsibilities above.
Procedure
Identification at Intake
Use the DBA Identification Checklist for each pallet/skid.
Tag suspected DBAs with red DATA-BEARING labels and assign Asset ID.
Photograph pallet and serial plates if accessible.
Log customer, time/date, receiver signature, and truck seal number.
Secure Storage (Pre-Sanitization)
Move DBAs to Cage A (restricted access). Log entry/exit in Cage Access Log.
Place into bins labeled UNSANITIZED ONLY.
Method Selection
Review customer instructions and device condition.
Select Clear, Purge, or Destroy per the Sanitization Decision Tree.
Record decision and operator initials in the Sanitization Work Order.
Execution โ Clear/Purge
Connect device; verify serial in software UI.
Start approved wipe or crypto-erase profile.
On completion, export verification report; ensure it contains device ID, model, capacity, serial, method, date/time, and result.
If failed/aborted, quarantine and notify DSL.
Execution โ Destroy
For HDD: remove from chassis; process through crusher/shredder.
For SSD/flash: process via fine shredder or pulverizer meeting your fragment size limit.
Record batch ID, input count/weight, start/end time, and operator.
Collect fragment samples periodically to verify size.
Verification
100% report capture for software methods; store reports against Asset ID.
For destruction: perform hourly fragment checks; document results against acceptance criteria.
QC Auditor signs Verification Log daily.
Exception Handling
For any failure: complete Nonconformance Report (NCR) with cause, action, and outcome.
DSL approves rework or destruction.
Labeling & Segregation (Post-Sanitization)
Apply green SANITIZED labels to cleared/purged devices.
Move to Cage B (sanitized only). Update inventory status.
Certificates & Reporting
Generate Certificate of Sanitization/Destruction with customer name, PO/WO, asset list with serials, method, date, operator, and authorization signature.
Provide to customer; retain digital copy internally.
Records Retention
Keep all logs, reports, certificates, and photos for [X years] in the Data Security Repository with controlled access.
Acceptance Criteria
Software wipes: report states PASS and matches serial exactly.
Crypto-erase: record of successful key destruction/reset.
HDD destruction: fragments meet or are less than [your mm/in threshold].
SSD/flash destruction: fragments meet [smaller threshold]; no intact memory packages.
No unsanitized DBAs in sanitized/outbound areas.
Training & Competence
New Sanitization Operators require two shadowed shifts and a competency check before solo work.
Annual refresher covering tool updates and incident lessons learned.
Change Control
DSL maintains Approved Tool List with version numbers. Any tool/profile change requires a controlled update and staff briefing.
Records you must be able to produce on demand (audit-ready)
Intake Manifest & Seal Log
Cage Access Logs (pre/post-sanitization)
Sanitization Work Orders with method and operator
Verification Reports (one per device for software methods)
Destruction Batch Records with fragment checks
Certificates of Sanitization/Destruction tied to asset serials
Exception/NCR forms with CAPA evidence
Training records and Approved Tool List (with versions)
Inventory status reports showing transitions UNSANITIZED โ SANITIZED/DESTROYED
Keep these organized by customer โ work order โ asset ID. Consistent filenames and index sheets save you during audits.
Verification strategies that pass scrutiny
100% device-level verification for software methods is the cleanest approach.
Where statistical sampling is justified (e.g., homogeneous batches of identical media processed by a validated, unaltered workflow), document:
Sampling plan (e.g., AQL, lot size, sample size).
Rationale (history of zero defects, controlled inputs).
Escalation rule (any failure โ 100% verification and process review).
For destruction, define objective fragment size limits and measure on a routine cadence (e.g., each batch or every 30 minutes of operation).
Common nonconformitiesโand fast fixes
Missed DBAs at intake
Fix: Implement a DBA Identification Checklist by device type; retrain intake staff; spot-audit pallets.
Serial mismatches between report and label
Fix: Require barcode scanning at connect AND at report save; block save if mismatch.
Tool version drift (reports donโt match SOP)
Fix: Create an Approved Tool List with exact versions; IT locks updates; DSL signs off changes.
Cage integrity (finds of mis-segregation per month)
On-time certificate issuance (%)
Review KPIs monthly; create CAPA for trends exceeding your thresholds.
Practical setup tips (low cost, high impact)
Mount a visual workflow board at the cage: UNSANITIZED โ METHOD โ VERIFIED โ SANITIZED/DESTROYED.
Standardize label colors: red = DATA-BEARING (unsanitized), green = SANITIZED, black/white = inventory only.
Use barcodes/QRs for asset IDs; scan into the wipe tool to avoid typos.
Keep a hot-swap cart of adapters (SATA, NVMe, 2.5/3.5, USB docks) to reduce handling delays.
For SSDs headed to destruction, seal containers immediately post-pull; donโt accumulate loose media on benches.
Final checklist (print for the station)
DBA identified and labeled?
Asset ID and serial captured?
Method chosen and recorded (clear/purge/destroy)?
Wipe/destruction executed using an approved profile/machine?
Verification report or fragment check completed?
Exception handled and documented (if any)?
Status updated to SANITIZED/DESTROYED and assets moved to correct cage?
Certificate generated and stored?
Logs filed under the correct customer/WO?
Bottom line: If you can prove what happened to every single data-bearing assetโthrough clear procedures, objective verification, and tidy recordsโyouโll satisfy R2v3 expectations and build customer trust. Start by adopting the SOP above, tighten your intake controls, require 100% verification for software wipes, and make certificates and logs the natural by-product of doing the work right.
Purpose of this guide: give you a practical, copy-and-use framework to evaluate, approve, and monitor downstream vendors under R2v3โso you can defend decisions to auditors and reduce real-world risk.
1) What โdownstream due diligenceโ actually means in practice
In R2v3, โdownstreamโ covers every organization that receives your material, components, or data-bearing devices after they leave your controlโrefurbishers, brokers, repairers, recyclers, data sanitizers, smelters, and final disposers. Due diligence is the repeatable process you use to:
Assess risks before using a vendor
Decide whether to approve them (and for which materials)
Define controls in writing (contracts, specifications, reporting)
Monitor performance and re-assess on a schedule or when conditions change
Think of it as a living file per vendor: risk score โ approval scope โ controls โ evidence of monitoring โ periodic re-approval.
2) Map your material flows first (scope drives effort)
Before scoring anyone, write a one-page map of what goes where:
Material types: data-bearing devices, batteries, displays, PCBs, plastics, precious-metal fractions, whole units for reuse, non-hazardous residuals.
Path: Your facility โ Vendor A โ Vendor B (if any) โ final process (reuse, recycle, energy recovery, landfill).
Jurisdictions touched: your location, vendorโs location, any transit countries.
Disposition intent: reuse/resale vs. material recovery vs. disposal.
This map determines the risk profile and the depth of checks required. High-risk examples: data-bearing devices; export to unfamiliar jurisdictions; hazardous fractions (e.g., batteries); multi-hop chains.
3) A pragmatic risk model you can implement tomorrow
Use a 100-point scoring model so decisions are explainable. Score each vendor on the factors below, then classify: 0โ24 Low, 25โ49 Moderate, 50โ74 High, 75โ100 Critical. Calibrate thresholds to your risk appetite.
Factor
Guiding questions
Score (0=best, 20=worst)
Regulatory exposure
Hazardous materials? Export? Permits clearly in place?
High: quarterly KPI review + annual on-site or remote audit
Triggered review: any incident, regulatory change, ownership change, change in downstream path, or material type
KPIs that matter:
Reporting timeliness: % shipments with complete documentation within X days
Data sanitization validation: % lots with verification logs, % failures detected and resolved
Material accountability: variance between shipped mass and processed/received mass within agreed tolerance
Nonconformities: count and severity; closure time for CAPA
Safety/environment: reported incidents related to your lots; trend over time
Evidence to keep in the vendor file:
KPI summaries and your review notes
Updated permits/licenses (or screenshots of public registry entries)
Training matrix snapshot (roles related to your material)
Any incident reports and CAPA closure evidence
Re-approval memo with updated risk score and next review date
8) How to run a remote or on-site audit without wasting a day
Pre-audit (1โ2 weeks before):
Send scope: which processes and materials you will review
Request a single recent lot involving your material for document tracing
Share a 10โ12 point agenda and timebox to 3โ4 hours
During the audit:
Walk the material flow in order: receiving โ storage โ processing โ staging โ outbound
Trace one lot: BOL โ receiving log โ processing log โ output documentation โ downstream shipment proof
Interview process owner(s) for data wiping, hazardous handling, and packing
Sample PPE, labeling, segregation, and spill kits in the areas used for your material
Common findings to watch for:
Mismatch between SOP and actual practice
Incomplete wipe verification fields (e.g., missing operator ID or date/time)
Containers missing labels or date
Mass/serial reconciliation gaps
Expired permits on the wall vs. current in the file
Close-out:
Classify findings (minor/major)
Agree on CAPA owners and due dates
Record updated risk score if warranted
9) Handling multi-hop downstreams (beyond your first vendor)
If your vendor sends material to a further processor, you still need adequate assurance that the final path is legitimate. Practical approach:
Require your vendor to disclose the named downstream for your material and keep an internal list.
For low-risk streams, review the downstreamโs public credentials and a sample invoice/BOL showing the path.
For higher-risk streams (data-bearing, hazardous, export), perform at least a desktop review of the downstream, or obtain your vendorโs documented vetting results and sample permits.
If the downstream changes, treat as a triggered review and pause shipments until reassessed.
10) Red flags and what to do immediately
Immediate holds on new shipments if you see any of the following:
Claim of capacity far above the facilityโs apparent scale
Refusal to provide even basic evidence (permits, sample logs)
Frequent name changes, shell companies, or mismatched addresses
Export offers that seem too cheap relative to market recovery value
Repeated delays in providing data wipe logs or mass balances
Action: escalate, notify management, log a potential nonconformity, and require corrective actions before resuming shipments.
11) Recordkeeping: how long and how to organize
Keep at least:
Risk score sheets and approval memos for each vendor
Shipment-level traceability records (serials or mass balances)
Organization tip: one folder per vendor with subfolders: 01_Approval, 02_Contract, 03_Monitoring, 04_Audits, 05_Traceability. Keep a master index spreadsheet with vendor name, scope, risk tier, next review date, downstreams, and notes.
12) Typical nonconformitiesโand how to prevent them
Approval too generic: Fix by issuing material-specific approval scopes and updating shipping instructions.
Evidence not reviewed: Fix by adding a short checklist to every review (what you checked, date, initials).
No trigger reviews: Fix with a one-page SOP listing triggers and responsible person; add a simple email template: โTriggered review opened because X.โ
Great policy, weak practice: Fix by training process owners on the exact documents auditors will ask for and doing quarterly internal spot checks.
13) Step-by-step SOP you can adopt
Initiate: business owner requests a new vendor; due-diligence lead opens a file and assigns provisional risk 30.
Collect: send DDQ and document pack list; receive samples.
Assess: score the five risk factors; write 1โ2 lines rationale per factor.
Decide: draft approval memo with scope, controls, KPIs, cadence.
Contract: include control clauses; communicate packaging/labeling and reporting requirements.
Onboard: run a trial shipment (if applicable); validate documentation flow.
Monitor: review KPIs per cadence; log outcomes; adjust controls if needed.
Audit: schedule remote/on-site per risk or when triggered.
Re-approve: update risk score annually or after major changes; re-issue approval memo.
Retire: if terminated, record final status, reason, and where remaining material will go.
Data protection: No data handling for our scopeโscore 0.
Process maturity: ISO-like system, training records sampledโscore 8.
Traceability: Mass balance reports monthly, variances <2%โscore 6.
Reputation/history: Stable ownership since 2017; no adverse mediaโscore 4. Total: 30 โ Moderate. Decision: approve for Li-ion consolidation; quarterly KPI review.
Triggered review email: Subject: Triggered Review โ [Vendor], [Reason] Body: A change was reported: [permit expired/ownership change/downstream change/incident]. Shipments paused for this stream. We will reassess documents and confirm approval scope within [X] business days.
15) Final checklist (use before you ship)
Material flow map updated; jurisdictions understood
DDQ and sample evidence reviewed; risk score documented
Approval memo with specific scope and expiry date issued
KPI set and monitoring cadence scheduled on calendar
Shipping/warehouse teams briefed on scope and packaging/labeling requirements
Vendor file complete and indexed
Bottom line
Downstream due diligence under R2v3 is not about collecting the biggest binderโitโs about clear scope, justified risk decisions, and fresh evidence that shows your controls work in the real world. If you maintain a living vendor file with a logical risk score, material-specific approval, and consistent monitoring, youโll satisfy auditors and, more importantly, keep your supply chain trustworthy.
Goal of this guide: give you a practical, copy-ready blueprint for the documents, logs, and evidence that an R2v3 auditor will expect to seeโand how to organize them so theyโre complete, consistent, and easy to verify.
1) What โaudit-readyโ means in practice
Audit-ready documentation is not a pile of forms. Itโs a controlled system where:
Every policy and SOP has a current version, an owner, and a last-review date.
Every process produces objective records (logs, photos, serials, manifests) that prove you followed the SOP.
You can trace any unit or batch from intake to final disposition and show who did what, when, and based on which instruction.
Gaps trigger corrective actions (CAPA) that are documented and closed out.
Think in layers:
Top level: Policies (intent, scope, responsibilities).
Keep a Document Index spreadsheet: columns for ID, title, process, version, effectivity, owner, reviewer, next review date, status (draft/active/obsolete).
Stamp or watermark OBSOLETE on retired versions; keep them read-only in an โArchive/Obsoleteโ folder.
Use the same naming convention everywhere: PROC-ITAD-INTAKE-001_v3.1_2025-02-10.
3) Core logs your facility should maintain (and the fields that matter)
Below are copy-ready field sets you can implement in spreadsheets or your system of record. If you already track these data points digitally, export sample reports and keep them with your audit pack.
A) Receiving & Chain-of-Custody Log
Intake Date/Time
Customer/Source
Shipment/PO/Work Order
Transporter/Driver ID
Seal Number(s) and Condition
Pallet/Container Count
Unit Count by Category (e.g., laptops, drives, batteries)
Unique Intake Batch ID
Initial Condition/Exceptions (photos if applicable)
Receiver Name/Signature
Evidence add-ons: dock photos, scale tickets, exception tags, discrepancy reports.
B) Inventory Tracking & Work-in-Process (WIP)
Batch ID / Serial Number
Asset Tag(s)
Location (rack/room/area) with time stamps for moves
Process Stage (intake โ triage โ data wipe โ test โ grade โ disposition)
4) Evidence mapping: prove each step happened as written
Create a one-page โEvidence Mapโ that links each SOP to its evidence sources. Auditors love this because it shortens the path from โpolicy says Xโ to โshow me X happened yesterday.โ
Example (excerpt):
SOP / Control
Primary Record
Secondary Evidence
Owner
Intake & Chain-of-Custody
Receiving Log + photos
Seal logs, exception forms
Warehouse Lead
Data Wipe
Wipe Log + tool report
Sample verification sheet
ITAD Supervisor
Batteries Handling
Hazardous storage log
Spill kit inspection checklist
EHS Coordinator
Downstream Shipment
Bill of Lading, manifest
Scale ticket, export paperwork
Logistics Lead
CAPA Management
CAPA register
Root cause analysis worksheet
Compliance Manager
Keep the map printed in your Audit Binder and mirrored in your quality folder.
5) How to design records that survive scrutiny
Make it tamper-evident:
Use unique IDs and date/time stamps.
Limit edit rights; capture who changed what and when.
For paper forms, pre-number pages, and require initials on corrections.
Data sanitization/destruction: multi-year minimum (often aligned to customer contracts)
Downstream approvals, permits, monitoring: through relationship + several years
EHS incidents and training: per regulatory and insurer guidance
Whatever period you choose, write it down and apply it consistently. Ensure rapid retrieval: if an auditor asks for โwipe logs for batch INT-2025-0912,โ you should fetch them in minutes.
12) Common pitfalls (and how to avoid them)
Beautiful SOPs, empty logs. Fix: align every SOP with a mandatory record and a check.
Different numbers in different systems. Fix: daily reconciliation between intake, WIP, and outbound; investigate variances.
Expired downstream certs. Fix: a vendor calendar with 30-day reminders; no shipments if expired.
Training says โgeneral safety.โ Fix: specify process authorization by role (e.g., โauthorized for HDD destroyโ).
CAPAs that never close. Fix: weekly CAPA stand-up; escalate overdue items.
13) Your 30-day implementation plan
Week 1
Build your Document Index and assign owners.
Approve a Document Control SOP.
Draft the Evidence Map.
Week 2
Stand up 5 core logs: Receiving/CoC, Inventory/WIP, Data Wipe, Downstream DDQ, EHS Incidents.
Train owners and start using the forms immediately.
Week 3
Populate the Vendor Folders and risk ratings; set monitoring dates.
Run a mini internal audit on one process; open CAPAs.
Week 4
Reconcile one full batch trace end-to-end and fix gaps.
Hold a Management Review to set KPIs and resourcing.
Lock versions, archive drafts, and set next review dates.
14) Final sanity check before the auditor arrives
Can you trace one unit from intake to final disposition with matching counts, signatures, and dates?
Can you show who performed and verified each critical step and that they were authorized and trained?
Can you prove your downstream was approved and monitored at the time of shipment?
Do your CAPAs show root cause and effectiveness checks?
Are your policies/SOPs current, controlled, and consistent with how work is actually done?
If the answer is yes to all five, your documentation system is not just compliantโitโs operationally useful. Thatโs what makes evidence stand up in an R2v3 audit.
Purpose. This standard operating procedure (SOP) defines how electronics and IT assets move from arrival at your facility to final disposition, with complete traceability, consistent quality, and audit-ready records.
Who should use this. Warehouse leads, receiving techs, triage technicians, data-wipe teams, inventory controllers, and compliance managers.
Outcomes. Every asset is (1) received against paperwork, (2) uniquely identified, (3) evaluated and routed, (4) tracked through each status change, and (5) closed with final disposition evidence.
1) Scope, Roles, and Definitions
Scope. Applies to all incoming lots: business ITAD pickups, consumer drop-offs, OEM returns, municipal programs, and internal transfers. Includes loose devices, palletized mixed e-waste, and serialized IT equipment (laptops, desktops, servers, networking, storage, mobile).
Roles.
Receiving Lead: controls dock schedule, verifies documentation, signs chain-of-custody, opens lots in the inventory system.
6) Data Sanitization Routing (if storage media present)
Default rule. Any device with internal or attached storage goes to Media In location with a pending wipe status before any other work (unless client policy is destroy-on-arrival).
Wipe SOP essentials.
Confirm Asset ID matches label and system before starting.
Use approved sanitization methods per media type (e.g., clear/purge/destroy equivalents) with automated verification logs.
For failed wipes, open an Exception and route to Physical Destruction if required.
Attach wipe certificate/log ID to the Asset ID record.
Final check. No asset leaves Media area without a pass/fail record; status cannot advance to QC or Final without this field populated.
7) Asset Tracking & Inventory Controls (no black holes)
Location model (simple and effective).
ZONE > AISLE > RACK > BIN (e.g., RCV-A2-R3-B07).
Every status change requires a bin move in the system, enforced by barcode scan.
Mandatory statuses.
Received โ Tagged โ Triage โ Media In โ Media Pass/Fail โ Refurb โ QC โ Ready for Sale โ Shipped
Recycling: Received โ Triage D โ Harvest โ Weighed โ Commodity Out
Cycle counts & audits.
Daily: spot-check 10 random Asset IDs per active zone.
Weekly: cycle count of one full zone.
Monthly: reconcile โReady for Saleโ vs. physical bins; investigate variances.
Discrepancy handling.
Open a Discrepancy Ticket when quantity, serial, or location doesnโt match.
Media pass rate on first attempt: โฅ 97% (by device type)
Exception closure within SLA: โฅ 95%
Dock-to-triage lead time: median โค 2 business days
Review KPIs weekly; if thresholds are missed, log a corrective action with root cause and owner.
12) Templates You Can Recreate (no downloads needed)
Receiving Checklist (printable).
Lot ID / Client / Date / Carrier / Seal #
Pallets expected / received / variance
Visible damage? Y/N (describe)
Photos taken? Y/N
BOL & CoC signed? Y/N
Discrepancies logged? Y/N
Receiver name & signature
Triage Worksheet (bench view).
Asset ID / Category / Brand / Model / SN
Power Y/N, POST Y/N, Display OK, Keyboard/Ports OK
Battery condition (N/A/OK/Swollen)
Cosmetic grade A/B/C/D (notes)
Decision: Resale / Refurb / Harvest / Recycle
Tech name & time
Asset Tag Format.
Code 128 barcode: ASSET-YYYY-#######
Human readable under barcode; include Lot ID in small print.
Location Labeling Standard.
Zone sticker color by process (Receiving = grey, Media = blue, QC = green, Ready for Sale = purple).
Large bin IDs legible from 2 meters.
13) Training & Competency (keep it simple but real)
Onboarding: shadow for two full shifts; demonstrate correct tagging and two bin moves with zero errors.
Quarterly refreshers: 30-minute micro-training on top exceptions (e.g., locks, swollen batteries).
Authorization matrix: who can change statuses, who can close exceptions, who can sign CoC.
Maintain a training log: person, topic, trainer, date, quiz score (if used).
14) Change Control (so the SOP stays true to reality)
When tools or client requirements change, update this SOP within 10 business days.
Version control: increment minor versions for text edits, major for flow changes.
Communicate changes via daily standup and post at benches; require acknowledgment in the training log.
Final Notes
A good intake-to-disposition SOP is about discipline and visibility. If you can answer, at any moment, โWhere is this asset? What happened to it? Who touched it? Whatโs next?โโyouโre running a controlled operation. The steps above give you that control without bloat: clear tags, short tests, mandatory scans, tight exception loops, and records that stand up to scrutiny.
Use this as a practical, printable playbook. It translates R2v3 into dayโtoโday actions, owners, and evidence to show an auditor. Always defer to the official R2 Standard, the R2 Equipment Categorization (REC), the Code of Practices (COP), and SERI guidance when in doubt.
QuickโStart & Table of Contents
How to use this guide
Confirm your Scope and which Appendices apply. 2) Assign Owners. 3) Print the checklists for only the clauses that apply. 4) Build your Evidence Binder using the clauseโtoโevidence map. 5) Run the SelfโAssessment Scorecard and close gaps. 6) Rehearse with the Auditor Interview Playbook. 7) Keep it current monthly.
Core Requirements (CR 1โ10) โ apply to every certified facility.
Process Requirements (Appendices AโG) โ apply only if you perform those operations (e.g., Data Sanitization, Test & Repair, Brokering, PV Modules).
Managerโs first job: publish a clear Scope (CRโ1), determine which Appendices apply, then build procedures, training, records, and metrics around both.
Roles & RACI (suggested)
Top Management (TM): policy, resources, objectives, management review.
Periodic sample of routing decisions with evidence (e.g., evaluation forms, photos, test results).
Show the auditor: policy, routing SOPs, sampled job tickets, nonconforming material log.
CRโ3 EH&S Management System (EHSMS)
PlainโEnglish: Run a real EHS management system (ISO 14001 + ISO 45001 or RIOS). Know your hazards and control them.
You need:
Certification to an approved EHSMS (or documented conformance if allowed by COP) and effective risk assessments for your processes (e.g., batteries, CRTs, PV, shredding, manual disassembly).
Show the auditor: certificates, risk register, SOPs, drills, inspection logs, training/competency records, internal audit + CAPA, management review.
CRโ4 Legal & Other Requirements
PlainโEnglish: Know the laws that apply (environmental, health & safety, waste, import/export, data, privacy) and prove you follow them.
You need:
A legal register covering all jurisdictions (site + shipping). Include permits/consents, waste codes, transporter and destination authorizations, and data/security rules.
A compliance plan with monitoring, documented checks, and corrective actions. Include proof of lawful imports/exports when applicable.
Consider customer and other contractual requirements.
Checklist (Owner: EHS + LOG + DSV)
Legal register current (incl. crossโborder flows, Basel/equivalents, customs/classifications).
Permits/licenses displayed and valid; conditions tracked.
Import/export dossier template (evidence of legality) defined; shipping files include it.
Controls to prevent mixing of incompatible or hazardous streams; defect/hold process.
Checklist (Owner: OPS + QTL)
Evaluation forms/templates live and used.
REC mapping published at workstations.
Nonconforming/hold procedure + quarantine area.
Calibration/maintenance for test equipment.
Show the auditor: traveler packets, evaluation records, REC labels, calibration logs.
CRโ7 Data Security
PlainโEnglish: Prevent data breaches. Sanitize or physically destroy data storage devices under controlled conditions โ and prove it.
You need:
Data security policy (roles, access control, authorization levels, disciplinary consequences).
Physical/logical security of data areas (restricted access, CCTV or equivalent controls, chain of custody, tamperโevident packaging, device tracking).
Sanitization SOPs aligned to device type and data sensitivity; incident response.
Checklist (Owner: DSL)
Access control list + authorization records for data handlers.
Secure areas defined; security controls tested.
Incident response plan + drills.
If you sanitize: Appendix B is applicable (see below).
Show the auditor: policy, access logs, chainโofโcustody, incident drills, sample sanitization packets.
CRโ8 Focus Materials (FM)
PlainโEnglish: Identify Focus Materials (e.g., mercury devices, CRT glass, some batteries and lamps, certain PV components). Manage them to prevent uncontrolled releases and ensure legal downstream recovery.
You need:
FM identification by device/component, safe handling & storage, containment, spill kits, emergency response.
Qualified downstream vendors with appropriate permits/capabilities; additional controls for export.
Evidence that nonโFM streams are still managed per the hierarchy and law.
Checklist (Owner: EHS + DSV + OPS)
FM inventory & handling SOPs.
FM storage specs (closed, labeled, compatible, inspected).
FM downstream qualifications complete and current; contracts reference FM controls.
Export screens and records (where applicable).
Show the auditor: FM list by SKU/bill of materials, inspections, training, downstream approvals, shipment files.
CRโ9 Facility Requirements
PlainโEnglish: Your building, equipment, and housekeeping protect workers, the public, the environment, and product integrity.
You need:
Good housekeeping; weather/containment controls; ventilation and dust/noise controls where needed; fire prevention & protection; battery and lithium handling precautions; security.
A โ Downstream Recycling Chain: If you transfer control to any downstream (reuse, repair, recovery, disposal) โ almost everyone.
B โ Data Sanitization: If you wipe or destroy data storage devices, or manage dataโbearing devices for reuse.
C โ Test & Repair: If you functionally test and/or repair devices/components for reuse.
D โ Specialty Electronics Reuse: If you refurbish, test, or resell specialized equipment (e.g., medical, lab, industrial) requiring special competencies/compliance.
E โ Materials Recovery: If you mechanically or chemically process to recover materials (e.g., shred, smelt partners, deโmanufacture to commodity streams).
F โ Brokering: If you control equipment to a downstream without physically receiving/processing it at your site.
G โ PV Modules: If you handle, process, store, transport, or broker photovoltaic (solar) modules/cells.
If an activity is outsourced, Appendix A controls still apply to managing that downstream.
Appendix Applicability Decision Tree (quick)
Start โ Do you transfer control to any downstream? โ Yes โ Appendix A applies
โ No โ (rare; recheck)
Do you handle dataโbearing devices or sanitize/destroy storage? โ Yes โ Appendix B
Do you test/repair for reuse? โ Yes โ Appendix C (and D if specialized equipment)
Do you mechanically/chemically recover materials? โ Yes โ Appendix E
Do you arrange downstreams without physical possession? โ Yes โ Appendix F
Do you handle/broker PV modules? โ Yes โ Appendix G
If an activity is outsourced, Appendix A controls still apply to managing that downstream.
Process Requirements (Appendices AโG)
Appendix A โ Downstream Recycling Chain (DSV)
PlainโEnglish: Know your downstreams, qualify them, contract them, and keep verifying.
You need:
A downstream map from your dock to final disposition for each stream.
Qualification criteria (permits, capabilities, certifications, FM handling, legality), initial due diligence, and ongoing monitoring.
Contract terms requiring conformance and allowing oversight.
Records that shipments matched the plan (no leakage to uncontrolled destinations).
Checklist (Owner: DSV)
Streamโbyโstream downstream map maintained.
Qualification pack per downstream (permit/licensing, capabilities, references, audit/assessment).
Contract language covering R2 duties, FM, confidentiality, subโtier control.
Annual monitoring (desktop or onโsite); reโqual triggers defined.
Shipment exception process (mismatches, rejections) with CAPA.
Show the auditor: current downstream matrix, sample qualifications, contracts, monitoring reports, exception/CAPA log.
Appendix B โ Data Sanitization
PlainโEnglish: Sanitize (logical erase) and/or physically destroy per device type, verify the result, and trace each device.
You need:
Deviceโspecific methods (aligned to NIST 800โ88 or stricter where required). When using physical destruction, follow method tables and controls.
Parts provenance/traceability (no counterfeit); ESD program.
Outgoing quality checks; RMA/warranty feedback loop into CAPA.
Show the auditor: traveler with test results, grading snapshots, calibration certificates, training, outgoing QC records.
Appendix D โ Specialty Electronics Reuse
PlainโEnglish: Extra controls for specialized equipment (e.g., medical, lab, avionics, networking/carrierโgrade) where laws, safety, or calibration apply.
You need:
Proof of competency, specialized tools, and access to service info.
Calibration and functional verification to appropriate standards before resale.
Checklist (Owner: QTL + EHS)
Specialty device inventory and risk screen.
Regulatory/standards map per device type; prohibitions documented when reuse is unsafe/illegal.
Calibration records & labels; warnings/instructions included with sales.
Show the auditor: deviceโtype cheat sheets, competence records, calibration, outgoing documentation.
Appendix E โ Materials Recovery
PlainโEnglish: Control your depollution and recovery processes so there are no uncontrolled releases and FMs get proper downstreams.
You need:
Depollution steps before shredding; emission/effluent controls where applicable.
Process parameters, maintenance, and monitoring records.
Contracts/downstream verification for each commodity, especially FM fractions.
Checklist (Owner: OPS + EHS + DSV)
Preโtreatment/depollution work instructions (batteries, mercury, toner, PV laminate, etc.).
Shredder or dismantling controls (guards, ventilation, fire suppression, feed limits).
Sampling/analytics for output quality if claimed.
Downstream verifications current; shipments match declared outlets.
Show the auditor: SOPs, maintenance logs, monitoring data, shipment files, downstream approvals.
Appendix F โ Brokering
PlainโEnglish: Even if you never touch the goods, you still control them. Prove they went to qualified downstreams with correct categorizations and documents.
You need:
Control and visibility from seller โ downstream; accurate descriptions and REC categories.
Contracts binding downstreams; qualification & monitoring like Appendix A.
Records: chain of custody, shipping docs, exceptions & CAPA.
Repair Traveler (Appendix C/D) โ diagnostics performed; parts used; locks/firmware status; cosmetic grade; final test results; traceability to sanitization record.
Facility Inspection (CRโ9) โ aisles/egress; density limits; battery stations; fire systems; PM checks; photo log.
Create these as singleโpage PDFs, laminate, and post at the relevant workstations.
1) Hierarchy of Responsible Management Strategies
Order of preference (always legal & safe): 1) Reuse โ 2) Materials Recovery โ 3) Disposal (last resort). Never reuse: stolen, counterfeit, recalled, illegally imported/exported, or unsafe items. Operator cues: If reusable per SOP โ route to Test/Repair; if not โ depollute FMs โ materials recovery; document your decision on the traveler.
2) REC QuickโGuide (per product family) โ fill in your siteโs mappings
Product Family
Example Acceptance for Reuse
Required Tests/Proof
Data Status
Cosmetic Grade
Your REC Category
Laptops
Boots to OS; battery health โฅ threshold
Keyboard, display, ports, battery, WiโFi
Wiped/verified
B/C
[select]
Desktops
POST OK; no missing major parts
CPU/RAM/storage checks; ports
Wiped/verified
B/C
[select]
Smartphones
Unlockable; no activation lock
Screen, camera, battery, radios
Wiped/verified
B/C
[select]
Servers/Networking
Powers; passes vendor diag
Fans, ports, firmware, PSU
Wiped/verified
N/A
[select]
Displays
No cracks; acceptable pixel defects
Burnโin, color, controls
N/A
B/C
[select]
PV Modules
Safe connectors; passes test plan
Visual + electrical checks
N/A
N/A
[select]
Replace [select] with your approved REC code per the official R2 Equipment Categorization. Keep a printed copy of the full REC table nearby.
3) Battery & PV Handling โ Doโs / Donโts
Batteries (esp. lithium):
Do: tape/cap terminals; segregate by chemistry and state (intact vs. damaged); use approved containers; maintain spacing; inspect daily; keep spill/thermal event kit ready; train staff.
Donโt: crush, puncture, overโstack, mix damaged with intact, charge in staging, or store near heat sources.
PV modules:
Do: assume energized; cover connectors; use glassโsafe lifting; store flat/secured; cleanโup broken glass per SOP; identify FM components before processing.
Donโt: cut live wires; lean stacks unsecured; ignore microโcracks or delamination.
4) โCall Before You Shipโ โ Export/Transfer Checklist
Receiving site authorized (permits/licences) and qualified in your downstream matrix.
Correct classifications/codes and documentation prepared (include evidence of legality where required).
Contract includes R2 obligations, FM handling, and subโtier controls.
Packaging/segregation per SOP; no dataโbearing devices shipped without required status/proofs.
Records pack assembled (shipping docs, permits/consents, contacts). If anything uncertain โ call the DSV/LOG lead before dispatch.
5) Data Area โ Golden Rules
Accessโcontrolled: authorized, trained staff only; visitors escorted and logged.
Chain of custody: every device has a unique ID; status visible (e.g., ToโWipe/InโProcess/Verified/Failed).
Approved methods/tools only; verification recorded for every device per SOP.
No personal devices, photography, or unsecured notes in the data area.
Incident? Stop, secure, report to DSL; complete incident log and follow response plan.
Final Reminders
Keep it simple, visible, and provable. If you canโt show it, it didnโt happen.
When you add a new process or product family, revisit Scope, REC mapping, hazards, downstreams, and training.
Use internal audits as practice โ the best time to find a gap is before the auditor does.
