Search results

Home / Search

Category:
Select
Select

11271 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Procedure on personnel

    The ISO 17025:2017 clause on personnel is one of the most stringent in terms of mandatory requirements for a procedure and retaining records. The procedure must explain firstly how the personnel needs of the laboratory are determined (6.2.5a). Then the recruitment, training, supervision and authorisation process must be explained (6.2.5 b to e).  You need evidence (records) for each step, including evidence of competence. Only once personnel have the required competence level, can they work on their own.

    For further assistance, have  a look at the Advisera Expert Advice Community answers on personnel training (https://community.advisera.com/topic/personnel-training/) and deeming someone competent for more information (https://community.advisera.com/topic/how-training-should-someone-have-before-they-are-deemed-competent-for-a-specific-task/)

    The whitepaper Clause-by-clause explanation of ISO 17025:2017 will assist you with overall ISO 17025 awareness for Personnel requirements. It is available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/

    For more information on competence, have a look at the article How to manage competence in a laboratory according to ISO 17025, available at https://advisera.com/17025academy/blog/2021/05/20/how-to-manage-competence-in-a-laboratory-according-to-iso-17025/.

    The Advisera ISO 17025 toolkit includes the mandatory personnel procedure as ISO 17025 document template: Competence, Training and Awareness Procedure along with 4 appendices: Training Program, Training Record and Performance Monitoring, Record of Attendance and Competence. You can preview the template at https://advisera.com/17025academy/documentation/competence-training-and-awareness-procedure/

  • Article 1÷

    Thank you very much.  Your advice and your service here is priceless.  I will check with the UK Commissioner.  I guess as it is not a Data Breach I will not be entitled to any compensation.

    I think the Data Processor should also have told me that they were processing my sensitive data or at least checked that the Data Controller had informed me.

  • Text source about obligation to have IT Security Structure in place on premises

    The GDPR only states that the data controller must ensure that data are “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality).” (Article 5 paragraph 1, f) GDPR)Article 32 GDPR, among the obligation of the data controller, states that:“Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

    A) the pseudonymization and encryption of personal data;

    B) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

    C) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

    D) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

    Setting access policies and determining roles and responsibilities is considered an organizational security measure and of course there is no indication of what technical security measures must be applied, the aim of GDPR is to be technological neutral but ISO27001 standard on the security of information can be a good guide.

    Here you can find some information on security aspects and GDPR:

    If you want to know more about the EU GDPR compliance, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Email marketing

    It depends on the country you are located in. I would choose a consultant from where I'm based in order to have an idea of the privacy legislation which applies to my current situation.

  • MDR - difference between configurable device and device with accessories

    If I understand it correctly, your device will be a system. According to the Definitions in the MDR system (point 10) is a combination of products, either packaged together or not, which are intended to be interconnected or combined to achieve a specific medical purpose.

    The question here is: are parts separately certified as medical devices?

    For systems that consist of parts that are medical devices, according to Article 22, you need to prepare the statement that will have the following information:

    • verified the mutual compatibility of the devices and, if applicable other products, in accordance with the manu­ lecturer's instructions and have carried out their activities in accordance with those instructions
    • packaged the system or procedure pack and supplied relevant information to users incorporating the information to be supplied by the manufacturers of the devices or other products which have been put together
    • the activity of combining devices and, if applicable, other products as a system or procedure pack was subject to appropriate methods of internal monitoring, verification, and validation.

    However, if your parts are not a medical device, that it needs to be certified as a system separately. In that case, you need the involvement of the Notify body, you need to prepare applicable technical documentation according to Annex 2 and 3 of the MDR, and in that case, you will put a CE mark on that system.

    For more information, see:

    • EU MDR Article 2 – Definitions https://advisera.com/13485academy/mdr/definitions/
    • EU MDR Article 22 – Systems and procedure packs https://advisera.com/13485academy/mdr/systems-and-procedure-packs/
    • EU MDR Annex 2 – Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
    • EU MDR Annex 3 – Technical documentation on post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/

    • BIA or RA

      Actually, there is no definitive order to perform Risk Assessment (RA) and Business Impact Analysis (BIA), and the choice for one or another will depend on your expectations:

      • By doing BIA first you will have a prioritized list of processes and services that can impact the most of your business in case of disruptive incidents, then you can go to assess the most relevant risks for the most critical processes and services.
      • By doing risk assessment first you will have a prioritized list of risks your organization is most exposed to, i.e., the most potential disruptive incidents, then you can go to assess the impact on business regarding the processes and services affected by those risks.

      Particularly, we prefer to do a risk assessment first, because this way you will have a better impression of which incidents can happen (which risks you’re exposed to), and therefore be better prepared for doing the business impact analysis (which focuses on consequences of those incidents).

      For rating critical services considering the results of a risk assessment, you can consider the value of the risks, or the number of risks, associated with a specific service. For example, you can have a service with two high risks associated with it and other with ten medium risks associated with it. Considering your context, in terms of risks maybe the second service is more critical.

      These articles will provide you a further explanation about risk assessment and BIA:

      These materials will also help you regarding risk assessment and BIA:

    • ISO 9001 Strategic risk assessment

      In this free webinar on-demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/ - I show some examples of determining risks and then acting on them. ISO 9001:2015 mentions risk about:

      • Context interacting with interested parties (clause 6.1)
      • Products and services (clause 5.1.2 b))
      • Processes (clause 4.4.1) 

      Your organization is a set of interrelated processes. Each process is a set of activities that transform inputs into desired outputs.

      ISO 9000:2015 defines risk as to the effect of uncertainty. Because there is uncertainty, sometimes we don’t have the expected:

      • Inputs
      • Activities
      • Outputs 

      What is a non-conformity? We don’t design processes to deliver non-conformities. So, when a non-conformity happens, we have the manifestation of risk. Non-conformities are potential risks that have materialized. Same for complaints.

      Seen in this way, the risk-based approach is a very effective methodology for developing a plan to control a process and its results. The control will materialize, for example, in operations of control, verification, improvements in the process, in work instructions, in improvements in monitoring, in increasing the competence of the participants.

      You can find more information below about risks.

    • Declaration of Conformity according to MDR

      thank you so much.

    • Questions about the implementation

      1. When the ISO needs to be finished / audited? (e.g. when company is founded, when first device is sold or…? – E.g. Section 7: Product Realization is with planning etc. is running right now while the company is not yet founded.

      ISO 13485 must be implemented and certified before manufacturing starts and before you put a medical device on the market. You have to prepare your quality management system like you can start the production right now. Of course, you can have some pilots production conducted, due to perform validations of certain processes, like cleaning and sterilization.

      2. Is English as language enough or is the country language additionally necessary?

      Given that notifying bodies reviewing the quality system according to ISO 13485 are internationally recognized, that they have offices in different countries, English is sufficient.

      3. Is the IVD guideline 98/79/EG (IVDD) and/or German “In-vitro-Diagnostika-Verordnung (IVDR)“ additionally necessary and incorporated in your toolkit? If not, can you recommend a toolkit for this? Background: In simple terms, the product is a special microscope with which a view of a tissue sample can be created and viewed. The interpretation of this image is done by a pathologist (unlike, for example, a blood pressure monitor, where the device interprets something). Staining of the tissue sample is done outside the device using standard procedures/products from appropriate manufacturers (e.g. H&E staining).

      Our ISO 13485:2016 documentation toolkit is prepared for all small manufacturers of medical devices. Since In vitro diagnostic products are also medical devices, our ISO 13485:2016 toolkit is applicable for in vitro diagnostic product manufacturers.

Page 170-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +