Search results


  • Implementing verification and validation of method in microbiology lab

    In order to implement ISO 17025 in a microbiology laboratory, all mandatory requirements must be met. In addition, for each method that you wish to be accredited for, the laboratory must perform verification of all standardized methods and full validation for in-house methods.

    Have a look at a similar topic Properly implementing section 7.2 and 7.6 for a microbiological lab at https://community.advisera.com/topic/properly-implementing-section-7-2-and-7-6-for-a-microbiological-lab/ and look at the provided links to the Toolkit documents.

    For more detail on what is required for ISO 17025, read the whitepaper Clause-by-clause explanation of ISO 17025:2017 available for download from https://advisera.com/17025academy/free-downloads/ and preview the ISO 17025 Academy toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ 

  • Different references for manufacturer and distributor

    The best way is to use the code that is on the product because that code will be one day in the EUDAMED database. This will make it easier for you to monitor if something is happening with the product on the market, eg if there will have to be a product recall. 

  • Leader Auditor 27001

    Since the possibility for tricky situations is endless, the best way to find out how to handle them is to participate in lead auditor forums, or specific related groups in social networks, and place your questions (it is unfeasible to bring all situations in training).

    As for your example, the best approach is to state that it was not possible to evidence the proper management of intellectual property rights of software *** (you should NEVER state that software is illegal, remember that your findings are based on the evidence you have or have not found).

    Regarding abandoning an audit, this should be your last resort, only in cases in which the auditor perceives that proceeding with the audit will lead to risks of physically harming or risk of life. In such cases, he needs first to communicate with his manager, explain the situation and decide how to proceed. When there is no time for such communication, the auditor must contact his manager as soon as possible.  

  • ISO 27001 package question

    1 - Is an "Inventar der Werte" obligatory? As I understand this it's just a list of all values that appear in the risk analysis. Why is an ID needed?

    Please note that ISO 27001 does not prescribe the inventory of assets, but it needs to be written if you mark the control A.8.1.1 as applicable in the Statement of Applicability.

    Regarding the need for an ID, this is so because assets need to be identified in a unique manner to make them manageable.

    For further information, see:

    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    - ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    2 - Could you tell me the correct order of internal audit, management review and implementation of measurements? I understood it like this that first all measures have to be implemented, then there is an internal audit by someone of us or a consultant, then we need to do the management review and implement the recommendations from the internal audit and then we can ask for an external audit - is that correct?

    Please note that for the implementation and audit of the ISO 27001 Information Security Management System, you need to follow the implementation steps as defined in the toolkit (basically following the documents in the exact order displayed in the toolkit folders).

  • One question about ISO 27001

    The main documents in the toolkit that define how communication needs to be done are:

    • the Information Security Policy, located in folder 4 General Policies
    • the Training and Awareness plan, located in folder 9 Training and Awareness
    • the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
    • the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity
  • Consulting clients who must be GDPR compliant.

    You can advise your customers on how to implement a GDPR-compliance project within their respective organizations. We have a lot of resources that you can use, including a full GDPR Toolkit (link below) and some free GDPR courses (you can also purchase an Advisera certification proving that you passed a GDPR exam). Appointing a DPO is only required in some specific cases, or when you feel you need to have better control over how personal data is processed within your organization, or if you process large quantities of special categories of personal data.

    Some helpful links:

  • How to handle Software/Firmware to be MDR compliant?

    Yes, you are right that Biocompatibility does not apply to the software. But other documents are applicable with some adjustments.

    First, what you need is to go to Annex I - General safety and performance requirements and to see which of those requirements are applicable for you.

    Then, I suggest going to the following MDCG guidance that are specific for software as a medical device:

    Also, be aware that medical device software must be in compliance with the following standard: IEC 62304:2006 - MEDICAL DEVICE SOFTWARE — SOFTWARE LIFE CYCLE PROCESSES

  • Information on Certificates such as CoC / CoA or 3.1 certifications

  • Economic operator definition

    If I understand correctly, they are distributors. Obligations of distributors are described in Article 14.

    Please, go through the article and if you will have some more questions, do not hesitate to contact us.
  • Policies specific to HR & Admin

    The "Statement of acceptance of ISMS documents" is the way used to enforce employees to observe all the documents prescribed by the organization in its information security management system.

    In Conformio there is no such document because the information about which user read which document is tracked automatically by the platform and can be accessed when needed (i.e., instead of a static document which needs to be signed every time a new document is released, in Conformio this information is provided automatically as soon as the user reads the document).

    You can see the details about which document was read, or not, by which user in the Responsibility Matrix, using the filter “One-time tasks” and searching for the title “Please read the document…”.

    Additionally, this information can be tracked also within each step in the wizard by checking the Version history for this document.
