An equivalent device within the meaning of the In Vitro Diagnostic Device Regulation (IVDR 2017/746) is considered equivalent when the device in question is either almost identical or completely identical to the comparator device. In order to demonstrate equivalent performance, a systematic methodological comparison is required, where performance should correspond to the performance of a comparator device within the pre-defined limits.
Some of the elements according to which equivalence can be made are presented below (regarding the product composition, design, features, or intended purpose). Please keep in mind that this is not the whole list; it is the manufacturer's responsibility to define an appropriate concept, considering the type of the IVD device:
- Technology (for example is it ELISA, PCR, spectroscopy...)
- Device design (for example what is the sample volume, what are the processing and incubation times, critical reaction component(s))
- Is it automated or manual system
- What are analytical performance characteristics
- Which Specimen type(s) are used (blood, urine, saliva, plasma)
- Biological controls
- Are antibodies used polyclonal or monoclonal
- What is intended purpose
- What is the target population
- Who is the intended user (professional use, near patient test, self-testing)
- Are there any test limitations
- Scientific validity
- Clinical performance
- Clinical benefit
According to customer specs and technical drawings, control criteria should be defined both in PFMEA and in the Control Plan for both the product and the production process. These controls vary from product to product.
For example, dimensional measurements, visual checks, material checks, strength tests, etc. can be given for product control.
Controls such as pressure, temperature, time, speed, voltage, ampere, etc. can be followed for the production process.
ISO 13485:2016 is applicable to distributors as well, according to section 1 of the standard. So it is expected that distributors will have implemented ISO 13485:2016. Their quality management system will cover their distribution scope: how they receive medical devices, which documents they must check when receiving them from the manufacturer, how to store them, how to deliver them to the customer/client. Distributors must have in place a customer complaint process, have a proper place where returned products will be placed, and must have in place the process of communicating with the competent authority when needed.
Distributors must have in place QA agreements with manufacturers where mutual responsibilities will be stated.
For more information on the distributor's obligations, please see:
ISO 27001 is pretty flexible when it comes to documenting your security objectives - you can write them in your Information Security Policy, in the Statement of Applicability, or in some separate document.
When using our ISO 27001 Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.
Including the information security objectives within the risk treatment plan, or in the asset list would not be efficient, because a single information security objective can be linked to many actions in the plan or assets in the assets list, which would make them very difficult to understand and maintain.
This article will also help you:
In this free online training you'll find detailed guidance on setting the objectives:
First, it is important to note that unless you have specific requirements demanding the implementation of ISO 27017 and ISO 27018 (e.g., laws, regulations, or contracts), ISO 27001 is fully capable of providing the required information security for cloud environments.
Considering that, to implement an ISMS compliant with ISO 27001, ISO 27017, and ISO 27018, the best approach would be to use the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit, and not use Conformio. Currently, Conformio does not cover ISO 27017 and ISO 27018 requirements.
In case you decide to use the toolkit you’d need to buy it, and since you are our existing customer, we can offer you a discount.
These articles will provide you with further explanation about ISO 27017 and ISO 27018:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
Hello, I want to make an inquiry. If the Risk Treatment Plan is considered an "Action Plan", can the information security objectives be included in the plan?
ISO 27001 is pretty flexible when it comes to documenting your security objectives - you can write them in your Information Security Policy, in the Statement of Applicability, or in some separate document.
When using our ISO 27001 Documentation Toolkit, you can document the general ISMS objectives in the Information Security Policy, and specific objectives for controls (or groups of controls) in the Statement of Applicability.
Including the information security objectives within the risk treatment plan, which can be considered an “Action plan”, or in the asset list would not be efficient, because a single information security objective can be linked to many actions in the plan or assets in the assets list, which would make them very difficult to understand and maintain.
This article will also help you:
In this free online training, you'll find detailed guidance on setting the objectives:
We estimate that for companies with up to 10 employees, up to 3 months are necessary to implement the quality management system according to ISO 13485:2016.
From your question and the article forwarded to me (https://advisera.com/27001academy/pt-br/blog/2015/05/20/certificacao-iso-27001-o-que-fazer-apos-receber-o-relatorio-de-auditoria/), I presume you are referring to a certification audit report.
Considering that, in summary, the actions arising from the audit report are:
The certification audit report will be used as a reference to consult for any questions regarding the actions to be taken.
Article 94 GDPR states that “References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.” There is continuity between Directive 95/46/EC and the GDPR. The adoption of BCRs is a long process involving different stages of examination and approval from Data Protection Authorities and the Working Party (under Directive 95/46/EC), which became the European Data Protection Board (under the GDPR). So, BCRs adopted are still valid. However, you need to check in the BCR which is the Leading Authority, because in July 2020 the European Data Protection Board stated that BCRs having the UK Data Protection Authority (ICO, or Information Commissioner’s Office) as the Leading Authority need to be amended because of Brexit.
Here you can find the statement: https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-fifth-plenary-session-information-note-binding_en
If you need to know more about how to transfer data to third countries under the EU GDPR, here you can find more information:
As long as you are able to meet, sustain and maintain the requirements of ISO 17025, accreditation can be achieved. But as you have mentioned having no equipment of your own and using rented equipment, it would be very challenging to ensure that the related requirements of ISO 17025 are met, as rightly mentioned by Tracy Evans. It will help greatly if the other party which is renting out the equipment has accreditation, so that most of the requirements get covered at their end and the other related ones at your end.
I am afraid that only a broad answer can be given to your question.