Search results

Symbol MD in the label of Medical Devices Class I (no sterile)

Thank you, Kristina for the detailed response. 

End of life and ISO 27001

Using third parties with a physical presence in remote locations to manage corporate equipment is an acceptable solution for ISO 27001. In this situation, you also need to consider signing contracts or service level agreements including information security clauses to increase information protection (specifically how to dispose or re-use equipment).

In case hiring third parties to collect or receive the equipment is not a viable solution, an alternative you can consider is the use of BYOD, where employees use their own devices to work, implementing software that either forbids the storage of corporate information locally in the device (e.g., employees can only access corporate resources through a virtual machine) or that allows a remote full reset of the device.

Normally, these rules are implemented through a BYOD policy, which you can see how it looks like at this link: https://advisera.com/27001academy/documentation/bring-your-own-device-byod-policy/

This article will provide you a further explanation about the supplier relationship:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

This article will provide you a further explanation about BYOD policy:

• How to write an easy-to-use BYOD policy compliant with ISO 27001 https://advisera.com/27001academy/blog/2015/09/07/how-to-write-an-easy-to-use-byod-policy-compliant-with-iso-27001/

These materials will also help you regarding supplier management and BYOD:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Standard for chlorine dioxide sterilization of medical devices

To my knowledge, there is no ISO standard for performing chlorine dioxide sterilization. However, besides that kind of standard, each sterilization process and sterile medical device must correspond to the following harmonized and state-fo.the-art standards:

ISO 18472:2018 Sterilization of health care products — Biological and chemical indicators — Test equipment
EN ISO 11737-2:2020 Sterilization of health care products - Microbiological methods - Part 2: Tests of sterility performed in the definition, validation, and maintenance of a sterilization process (ISO 11737-2:2019)’
EN 556-1:2001 Sterilization of medical devices - Requirements for medical devices to be designated "STERILE" - Part 1: Requirements for terminally sterilized medical devices
EN ISO 11140-1: 2014 Sterilization of health care products - Chemical indicators - Part 1: General requirements
EN ISO 11140-3:2009 Sterilization of health care products - Chemical indicators - Part 3: Class 2 indicator systems for use in the Bowie and ****-type steam penetration test
EN ISO 11737-1: 2018 Sterilization of medical devices - Microbiological methods - Part 1: Determination of a population of microorganisms on products
EN ISO 11737-2:2019 Sterilization of medical devices - Microbiological methods - Part 2: Tests of sterility performed in the definition, validation, and maintenance of a sterilization process
EN ISO 14937:2009 Sterilization of health care products - General requirements for characterization of a sterilizing agent and the development, validation, and routine control of a sterilization process for medical devices

BIA and Risk Assessement

1 - Thanks for the reply. I will highly appreciate if you can give me one example of risk which has been done for a BIA process.

Answer: First is important to note that risks are not identified as part of a BIA process. Risk assessment and BIA are different processes. From risk assessment you can identify risks that can help you prioritize on which business process to perform BIA first. For BIA it is irrelevant which risks might materialize - the only relevant thing is the duration of the outage (irrespective of the incident).

Examples of risks that can be identified and used to prioritize business processes to apply on BIA are fire, earthquake, bomb threat, and interruption of power supply.

To see how such risks can help understand which business processes a BIA should cover first, I suggest you take a look at the demo of this template: https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/

For further information, see:
- Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

2 - Also as per you answer, should I perform RA only for the process which I have in BIA? If that’s the case, should I consider RA w.r.t People , process and technologies boundaries? or should I consider operational and business risks as well?

Thanks

Answer: In case your purpose is to ensure business continuity, considering the ISO 22301 standard, which provides requirements for business continuity management, then you should apply RA only for the process which you have in BIA (which are all the processes included in the Business Continuity Management System scope).

Regarding risk categories, ISO 22301 does not prescribe which ones to apply, so you can define the ones that better fit your needs.

To see how documents compliant with ISO 22301 BIA and RA looks like, please take a look at the free demos of these toolkits:
- ISO 22301 Business Impact Analysis Toolkit https://advisera.com/27001academy/iso22301-business-impact-analysis-documentation-toolkit/
- ISO 27001/ISO 22301 Risk Assessment Toolkit https://advisera.com/27001academy/iso-27001-22301-risk-assessment-toolkit/

Question about requirements

No, everything is covered there. So for the periodic audits after 26th May 2021, you need to have in place the following elements for the MDR (point 17.-4 in the document that you referred to):

a) Registration of economic operators and of devices (see Art. 31 MDR and Art. 29 MDR)
b) Post market surveillance (PMS) (see Art. 83-86, 92 MDR including Annex III but without the PMS having to be an integral part of the QMS)
c) Market surveillance (see Art. 93 – 100 MDR, but device standards to be met = Directives)
d) Vigilance (see Art- 87-92 MDR)

Storing data on Google Suite/Drive

We wondered if you could help us regarding the following. We would like to know:

When collating our list of client emails when sending out a seasonal greeting (our annual Christmas email) we store the list on Google Suite/Drive, and also CETA - our facilities managing database. Is this permitted?

Yes, the data controller can choose the means and purpose of data processing and Google is a third-party processor which claims to be compliant with EU GDPR.

I update an online excel sheet which tracks which clients attend for which jobs. This is also stored on G Suite and CETA. Is this permitted?"

Yes, you need to verify if any particular category of data is stored and if it is protected (maybe you can add a password to access the sheet in order to increase security).Remember to verify the Google G Suite privacy notice because the personal profile gives fewer security options compared to the business account.

Here you can find some information on cybersecurity:

• Privacy, cyber security, and ISO 27001 – How are they related?: https://info.advisera.com/27001academy/free-download/privacy-cyber-security-and-iso-27001

Rework procedure

Rework procedure is just needed if the rework is possbile. As you know, it is mandatory to have a procedure to handle non conformities, and rework is one of the possibilities of treating a non conformity. That is why in our toolkit, we covered rework in documented procedure:  15_Procedure_for_Control_of_Non_Conforming_Products. 

Test method validation

Validation must be performed in the cases when you are not able to verify the product by subsequent monitoring or measurements. Of course, validation of the product should be on the final product, not on the sample from the design. Therefore, as soon as you perform the transfer from the design to the real production, a process in which the final product will be produced must be validated. For more information on the validation, please provide a more specific question.

In the following link you can find some more details for the validation process:

• Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/

• Auditing process

  First of all, you can start with checking the procedure, is there a procedure in place, who is responsible to carry out the procedure, to whom non-compliances products should be reported. Then you can check when the last time was reported non-conforming product and how it was resolved. Have any corrective actions been taken, what records are there about that? Review the evidence that the corrective action taken is effective.

  For more detail on this topic, you can see the following articles:

  • ISO 13485:2016 nonconforming product – How to approach the post-delivery actions https://advisera.com/13485academy/blog/2017/04/11/iso-134852016-nonconforming-product-how-to-approach-the-post-delivery-actions/
  • What are the consequences of noncompliance with ISO 13485 for manufacturers of medical devices? https://advisera.com/13485academy/blog/2017/11/02/what-are-the-consequences-of-noncompliance-with-iso-13485-for-manufacturers-of-medical-devices/
  • Five steps for ISO 9001 non-conforming products https://advisera.com/9001academy/blog/2014/01/13/five-steps-iso-9001-nonconforming-products/

  You can see how we prepared the form for the non-conforming product so, maybe it will give you an idea about the additional questions:

  • Non-Conforming Product Record https://advisera.com/13485academy/documentation/non-conforming-product-record-iso-13485-2016/
  • Registry of Non-Conformities https://advisera.com/13485academy/documentation/registry-of-non-conformities-iso-13485-2016/

  • Clinical Evaluation for Class A Medical Software

    In Iso 13485:2016 there is a requirement 4.2.3 Medical device file. It is stated that for each medical device, the organization must establish and maintain files containing documents to demonstrate conformity to the requirement of this ISO standard, but also of applicable regulatory requirements. On the EU market, medical devices must be in compliance with MDR, and there is a requirement that within technical documentation there must be a clinical evaluation.

    For more information regarding the clinical evaluation for medical software please see the following guidance: https://ec.europa.eu/docsroom/documents/40323