Thank you for the answer. How should I approach the BIA when some processes, e.g. those related to IT or sales, are maintained as part of services shared by a related company? The critical processes in my organization require them to function. In your opinion, should they do the BIA on their own or fill in my questionnaire?
In situations like these, to comply with ISO 22301 you should fill out your BIA questionnaires only stating which third parties you depend on and for which activities.
You do not need to know the details on how to ensure they can properly support your processes, because with the information you identify in the BIA you can define business continuity capabilities as continuity clauses in the contracts or service agreements you have with them.
By the way, included in your toolkit you have access to a video tutorial that can help you fill in the BIA.
I have two questions: Are there GDPR awareness training videos available? I am looking for a 30-1hr video for our employees which explains the guiding principles and responsibilities of organizations and their personnel.
You can enrol in our free online training EU GDPR Foundations Course - the course has couple of hours of videos, but you can watch only the ones you consider appropriate: https://advisera.com/training/eu-gdpr-foundations-course//
Further, you can watch the security awareness training videos which are much shorter and have also some videos on privacy: https://advisera.com/training/awareness-session/security-awareness-training/
In the paragraph below, taken from the GDPR regulations, it refers to "commercial organisations". Could you elaborate on the intended definition of commercial organisation?
"The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection."
It refers to all organizations which are bound by GDPR (companies, sole traders, freelancers, non-profits, associations, political parties, etc.). GDPR does not apply to data transfer among individuals in their private life/domestic activities.
Here you can find more information about GDPR applicability:
For Class I medical devices it is not strictly defined how often updates need to be done. This is not about some time limit, but about the fact that these documents change depending on the situation.
The most common reason for changing the Clinical Evaluation is some risk that has arisen, or something that has happened to the competition, since this is an input for you as well. It is expected that the clinical evaluation for Class I medical devices generally changes every 3-5 years.
In risk management, the situation is a little different. Every complaint you receive must be analyzed to see if it is already covered by your risk analysis. Any change of supplier, change of machine, change of production conditions, and even organizational changes must be analyzed to assess how these situations affect the risks. This means that there will be a period in which you will not change the risk analysis for a year, and then again there may be a period in which you will change the risk analysis several times within 6 months, for example.
Records are types of documents that provide "proof of existence", i.e. they prove that a certain process has been done. You need to keep all the mandatory records which are directly required by the standard. You can see the List of mandatory documents and records required by ISO 13485:2016 in the following article:
Of course, if some requirements are not applicable to you, then you do not need to generate these records. For example, if your product is not sterile, then you do not need to have records of sterilization and sterilization validation in your quality management system.
The purpose of the List of records is to have all your records in one place and to know which record version is currently valid. On that list, there should be all records that you produce within your quality management system: both the mandatory records required by the standard and any other record that you generate during the execution of your processes which is proof that some process has been done. This list guarantees the exactness of entered data and prevents unauthorized entry, changes, and destruction of such records.
If by CAPA you mean the record Corrective/preventive action request from our toolkit, then this record needs to be on the List of records.
You can find more information on document management at the following links:
Please note that ISO 27001 main clauses (from 4 to 10) do not prescribe the development of procedures. Regarding ISO 27001 Annex A controls, the following controls, when identified as applicable, require the development of procedures:
To see how documents compliant with these controls look, please see:
These articles will provide you with further explanation about document management:
These materials will also help you regarding document management:
Please note that when you perform a risk assessment on a group of assets it means that they share the same risk characteristics, like threats, vulnerabilities, likelihood, etc.
For example, a category called “computer” can have as individual assets servers, desktops, and laptops. In case you assess risk for the category computer, it means that all individual assets have the same risk, so you do not need to assess each individual asset.
Assessing an individual asset would be needed only if you have a risk specific (i.e., different threats, vulnerabilities, likelihood, etc.) for an individual asset in the category. For example, the risk of laptop theft could be different from the risk of server theft, so it may be interesting for the organization to perform risk assessments specifically for laptops.
Considering that, to perform the risk assessment in Conformio for specific assets, you only need to go a step further in the identification of the assets (i.e., you can add a new asset choosing one of the assets included in the “computer” category).
In case you want to assess two kinds of laptops separately, because they have different risks (e.g., financial laptop and development laptop), you would need to add two assets, and name them e.g., "financial laptop" and “development laptop”, and do the risk assessment.
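The answer above describes a simple inheritance rule: an asset assessed as part of a category shares the category's threats, vulnerabilities, likelihood and impact, while an asset with its own risk profile (the "financial laptop" vs. "development laptop" case) is assessed separately. The following is an added illustration of that rule in Python; it is not code from Conformio or from the expert's answer, and all names, scores and the 1-5 likelihood/impact scale are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    """One risk scenario: a threat exploiting a vulnerability, scored on a 1-5 scale (assumed)."""
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Asset:
    """An asset belongs to a category; specific_risks=None means 'inherit the category's risks'."""
    name: str
    category: str
    specific_risks: Optional[list[Risk]] = None


class RiskRegister:
    """Hypothetical register: category-level risks plus optional per-asset overrides."""

    def __init__(self) -> None:
        self.category_risks: dict[str, list[Risk]] = {}
        self.assets: dict[str, Asset] = {}

    def add_category_risk(self, category: str, risk: Risk) -> None:
        self.category_risks.setdefault(category, []).append(risk)

    def add_asset(self, asset: Asset) -> None:
        self.assets[asset.name] = asset

    def effective_risks(self, asset_name: str) -> list[Risk]:
        # An asset with its own assessment uses it; otherwise it shares the category assessment.
        asset = self.assets[asset_name]
        if asset.specific_risks is not None:
            return asset.specific_risks
        return self.category_risks.get(asset.category, [])

    def highest_score(self, asset_name: str) -> int:
        return max((r.score for r in self.effective_risks(asset_name)), default=0)

    def needing_treatment(self, threshold: int) -> dict[str, list[str]]:
        # Assets whose effective risks reach the acceptance threshold, with the offending threats.
        result: dict[str, list[str]] = {}
        for name in self.assets:
            threats = [r.threat for r in self.effective_risks(name) if r.score >= threshold]
            if threats:
                result[name] = threats
        return result


def build_example_register() -> RiskRegister:
    """Constructed sample data mirroring the 'computer' category from the answer."""
    reg = RiskRegister()
    reg.add_category_risk("computer", Risk("theft", "weak physical control", 2, 4))
    reg.add_category_risk("computer", Risk("malware", "missing patches", 3, 4))
    # Servers and desktops share the category assessment.
    reg.add_asset(Asset("server", "computer"))
    reg.add_asset(Asset("desktop", "computer"))
    # Laptops leave the building, so theft is assessed separately for them.
    reg.add_asset(Asset("laptop", "computer", specific_risks=[
        Risk("theft", "carried off-site", 4, 4),
        Risk("malware", "missing patches", 3, 4),
    ]))
    return reg


if __name__ == "__main__":
    register = build_example_register()
    for asset_name in register.assets:
        print(asset_name, register.highest_score(asset_name))
    print(register.needing_treatment(threshold=10))
```

With a constructed acceptance threshold of 10, the server and desktop inherit only the "malware" risk above the line, while the laptop's separate assessment also flags "theft"; the data model stays the same, the assessment is just done one level deeper for that asset.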
It would be more effective to use the automotive process approach for quality management system process audits; the use of a checklist is not recommended.
For this, it may be necessary to receive training for internal auditors and in the automotive process approach. During the audit, each process should be asked about goals, risks and opportunities, responsibility, authority, training, etc. Apart from that, as an example, if the purchasing process is to be audited, clause 8.4 of the IATF 16949:2016 standard should be audited as the main subject.
I have never seen the term "quality income" used together with ISO 9001.
About the term "cost of quality", you can see it being used in this article - How to measure the cost of quality in line with ISO 9001 principles - https://advisera.com/9001academy/blog/2019/10/28/cost-of-quality-how-to-measure-it-in-line-with-iso-9001/ Before ISO 9001, I used the term "cost of quality" as a designation for the sum of the cost of quality prevention (like training), quality control (like controllers' wages) and quality failure (like the cost of defects and rework).
Cost of quality can be a quality objective.
Below, you can find more information about quality objectives:
A device is considered equivalent in the meaning of the In Vitro Diagnostic Device Regulation (IVDR 2017/746) when the device in question is either almost identical or completely identical to the comparator device. In order to demonstrate equivalent performance, a systematic methodological comparison is required, where performance should correspond to the performance of the comparator device within the pre-defined limits.
Some of the elements according to which equivalence can be established are presented below (regarding the product composition, design, features, or intended purpose). Please keep in mind that this is not the whole list; it is the manufacturer's responsibility to define an appropriate concept, considering the type of the IVD device:
- Technology (for example, is it ELISA, PCR, spectroscopy...)
- Device design (for example, sample volume, processing and incubation time, critical reaction component(s))
- Whether it is an automated or manual system
- Analytical performance characteristics
- Specimen type(s) used (blood, urine, saliva, plasma)
- Biological controls
- Whether the antibodies used are polyclonal or monoclonal
- Intended purpose
- Target population
- Intended user (professional use, near-patient test, self-testing)
- Test limitations
- Scientific validity
- Clinical performance
- Clinical benefit
According to customer specs and technical drawings, control criteria should be defined both in PFMEA and in the Control Plan for both the product and the production process. These controls vary from product to product.
For example, dimensional measurements, visual checks, material checks, strength tests, etc. can be used for product control.
Controls such as pressure, temperature, time, speed, voltage, current, etc. can be monitored for the production process.