Search results

Implementation questions

1. Do I need to perform mechanical tests on the liner? If so, which organization can do this?

You are the ones who determine the tests that need to be performed on your product. If this test is crucial to show that your product meets the specifications, then a test is needed.

As for the laboratories where the test needs to be conducted, MDR requires it to be some accredited institution.

However, we are not authorized to refer you to the appropriate institutions because we do not know your product and its specifications.

2. How long do I need to do clinical trials on the liner? How many months and how many patients need to wear the liner as part of the clinical trials?

Clinical trials for medical devices must be prepared in accordance with the standard ISO 14155:2020 Clinical investigation of medical devices for human subjects — Good clinical practice. How long the research will take depends on many factors, which are listed in this standard.

However, please be aware that clinical trials are necessary for those medical devices that are completely new and that there is no other source for clinical data. So, usually, it is for completely new types of medical devices, with new technologies or materials.

For all other medical devices, it is possible to perform the clinical evaluation with the available clinical and scientific data for the literature (Article 61 in the MDR 2017/745). If I understand what silicone prosthetic liner is, it is not a new device, therefore you can find a lot of clinical data on the internet. When you use literature data for your medical device, you need to find an equivalent device with which you will compare your medical device. Equivalence must be demonstrated at the clinical, technological, and biological levels.

For more information, see:

• EU MDR Article 61 – Clinical evaluation https://advisera.com/13485academy/mdr/clinical-evaluation/

• EU MDR Annex 14 Clinical evaluation and post-market-clinical-follow-up https://advisera.com/13485academy/mdr/clinical-evaluation-and-post-market-clinical-follow-up/

On the following links you can find how we have prepared in the ISO 13485&MDR Documentation toolkit documents and reports for clinical evaluation:

• Procedure for Clinical Evaluation https://advisera.com/13485academy/documentation/procedure-for-clinical-evaluation/
• Clinical Evaluation Plan https://advisera.com/13485academy/documentation/clinical-evaluation-plan/
• Clinical Evaluation Report https://advisera.com/13485academy/documentation/clinical-evaluation-report/
• Literature Research Protocol https://advisera.com/13485academy/documentation/literature-research-protocol/

• Transfer of pesonal data under GDPR

  Yes, it would be a data controller even before entering into a contract, because the third-party service provider will be free to decide the purposes and means of the processing of personal data belonging to the potential customer.

  Here you can find more information on the role of processor and controller:

  • EU GDPR controller vs. processor – What are the differences?: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

  If you want to learn how to process data under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/

• GDPR Checkpoints in ISO 27001 Audit Checklist

  Controls from ISO 27001 Annex A that can help verification of GDPR compliance are:

  • Controls from section A.8 (Asset Management), especially control A.8.2.1 (Classification of information)
  • Controls from section A.14 (System acquisitions, development, and maintenance)
  • Controls from section control A.15.1 (Information security in supplier relationships)
  • A.16.1 (Management of information security incidents and improvements)
  • A.18.1.1 (Identification of applicable legislation and contractual requirements)
  • A.18.1.4 (Privacy and protection of personally identifiable information)  

  This article will provide you a further explanation about ISO 27001 and GDPR:

  • Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

• Statement of Applicability

  Please note that this control refers not only to laws but also to agreements (e.g., contracts) and regulations, so you need to also verify these elements. For example, you may have a contract with a customer or a supplier defining requirements for cryptography, or some regulation applicable to your industry may define requirements for cryptography.

  In case there are no agreements or regulations applicable to your organization, then you can record these controls as an exclusion in your SoA.

  This article will provide you a further explanation about SoA:

  • The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

  These materials will also help you regarding SoA:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• ISO Certified Auditor

  Depending upon the training provider, there are two options:

  1. attend an ISO 22301: 2019 transition course, if you are already a certified ISO 22301: 2012 lead auditor, where you will learn about the changes in the standard and how to perform audit considering these changes
  2. attend an ISO 22301: 2019 lead auditor course, where you will perform all the steps to requalify yourself as a lead auditor (i.e., attend the course, execute course activities, and take the final exam).

  Please note that, due to the number of changes in the new ISO 22301:2019, this qualification is not very important if you want to work as a consultant, but this is very important if you want to work as an auditor. 

  These articles will provide you a further explanation about ISO 22301:2019:

  • Infographic: ISO 22301:2012 vs. ISO 22301:2019 revision – What has changed? https://advisera.com/27001academy/blog/2019/12/02/iso-22301-2019-vs-iso-22301-2012-key-changes-infographic/
  • Mandatory documents required by ISO 22301 revision 2019 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
  • Do we need to make the transition from ISO 22301:2012 to the 2019 revision? https://advisera.com/27001academy/blog/2019/11/05/iso-22301-transition-from-2012-to-2019-revision-is-it-needed/

• Is consent obligatory for our products?

  You should use a contract as a legal basis to provide your service. The processing of data through sensors seems essential to make the device working and so it is necessary to provide the service. If you use a contract as a legal basis, and the user denies agreeing with data processing you can deny the use of service since the processing of personal data is necessary.

  Here you can find more information on GDPR extraterritorial effect and on consent:

  • What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
  • Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
  • Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
  • Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/

  If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

• Transfer mechanisms

  You should use Standard Contractual Clauses (SCCs) as an annex to the contract with the US data importer. SCCs should be implemented by adequate safeguards, like encryption or pseudonymization, and contractual measures.

  If you need to know more about how to transfer data in third countries under the EU GDPR here you can find more information:

  • 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
  • Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/

  You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

• Regarding intended purpose or intended use

  Both terms are used in MDR. The term intended purpose should be inserted in the technical documentation, ie in the product description, instructions for use. Intended use can also be used in clinical evaluation and other documents.

• Conformio number of documents

  Please note that some documents from the toolkit are now embedded in some Conformio Module (e.g., Risk Assessment and Treatment Table are embedded in the Risk Register Modules, and Audit program, audit checklist, and audit report are embedded in the Audit module). In case of need, you can export this information to documents.

  Regarding templates for policies and procedures related to ISO 27001 Annex A, all templates available in the toolkit are also available in Conformio. They will be displayed according to the results displayed in the Statement of Applicability (i.e., related to the results of risk treatment and applicable legal requirements). In case all controls are identified as applicable in the SoA you will have access to the same template available in the documentation toolkit.

• Scope question

  1 - Our owner/parent company (***) is also our supplier for several IT services (e.g., network). They define rules and settings that automatically apply to us (in their role as owner). However, in their role as supplier they would have to adhere to the standards, we (subsidiary = ***) set for them, correct? How should we formulate this in our ISMS Scope and how should we treat it in the SOA?

  Answer: Please note that this question about rules, settings, and standards does not apply to the definition of the ISMS scope.

  In the definition of the scope, you only need to mention that your IT services are outsourced (you do not even need to identify the provider in the scope). The detailed information about the outsourcing situation is used when performing a risk assessment.

  For further information about scope, see:
  - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

  - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

  Regarding your scenario, as the owner/parent company, your “supplier” will have the last word in any setting you define regarding the provided services, so you need to agree with them if these settings are needed (based on the results of risk assessment and applicable legal requirements) and feasible. In this situation you have two possible scenarios:
  - they agree with your settings and create specific rules for your organization.
  - they do not agree with your settings, and you will need to evaluate the related risks to decide on another way to treat them.

  
  2 - And are there any recommendations regarding how such a relationship should be clearly formulated in an SLA?

  Answer: The fact that your owner/parent company is also your IT supplier does not affect the regular content a SLA should cover, so you need to define in your SLA items like service description, scope, performance supported, contacts, etc.

  This article will provide you a further explanation about SLA:
  - What’s the content of an ITIL/ISO 20000 SLA? https://advisera.com/20000academy/blog/2016/06/14/whats-the-content-of-an-itiliso-20000-sla/