Search results


  • Most difficult issue and challenge during initial implementation

    The most challenging part is that you have to be sure that you have designed your medical device according to all applicable requirements stated in Annex 1 – General safety and performance requirements. Following the requirements on that list will give you information on whether your product is well designed, manufactured and packaged, and whether you have proven the safety and effectiveness of your product with appropriate tests.

    The next thing concerns the technical documentation. Technical documentation covered in Annex 2 is extensive but durable. Preparing the necessary applicable documentation takes time.

    The third thing that is challenging is preparing the documentation for the quality management system. In Article 10 General obligations of the manufacturer, point 9, it is stated which elements must be covered by the quality management system. This quality management system is based on ISO 13485:2016, but there are some more requirements in the MDR that also need to be part of the quality management system.

    On the following link, you can see how we prepared the documentation toolkit for ISO 13485 to be in compliance with MDR requirements:

    For more information, please see:

    The following articles can be helpful:

    On the following link, you can even find the webinar where you can find out the steps of the implementation of the MDR:

    • Understanding the new European Medical Device Regulation and how ISO 13485 supports it https://advisera.com/13485academy/webinar/understanding-the-new-eu-mdr-and-how-iso-13485-supports-it-free-webinar-on-demand/

    • PMS process

      This document, Post-Market Surveillance Report, is a report that you need to have for class I medical devices and that you will submit for the audit.

      You can use any form for presenting data that you find useful, both figures and graphical form with appendices.

    • GDPR and DPA Genome/Sensitive data

      Who collected the genetic data? A hospital? A research lab? The data subject should contact the data controller who collected the data and exercise the right of erasure according to the privacy notice.

      The data controller will verify if the request can be fulfilled or not. Member States may introduce specific limitations to data subjects' rights (even to the sensitive data under Article 9 GDPR) in order to protect scientific research programs, for example. So maybe there is a legitimate basis to keep the genetic data in the database without the consent of the data subject.

      A controller processing genetic data should have a Data Protection Officer (DPO), so the data subject may contact the DPO in order to have clarification.

      Here you can find more information about consent:

      If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

    • Quality audit in manufacturing company

      We can have vertical and horizontal audits. A horizontal audit is when you audit one process across many departments in the organization. A vertical audit is when you audit all the processes used by a department. Process audits are another name for horizontal audits. You can find more information in this article - ISO 9001 Horizontal audit vs. vertical audit - https://advisera.com/9001academy/blog/2015/03/03/iso-9001-horizontal-audit-vs-vertical-audit/

      We can also have product audits.

      The following material will provide you with information about audits:

    • Scope as a data controller

      Yes, it is correct, you listed the cases in which your company will act as a data controller. In these cases, in fact, you decide the purpose and means of data processing: the management of the employment relationship, your website, the relationship with your clients, and your suppliers. On the contrary, your app provides a service that other companies (your clients) will use, so all data that you will collect and process through your SaaS will be processed on behalf of your clients, which is the definition of a data processor.

      As a data controller, you are responsible for fair, transparent, and correct data processing, you need to provide information about your processing, collect consent and guarantee that data subjects can exercise their rights. You need to comply with all obligations that the GDPR requires the controller to comply with as stated in Article 24 GDPR.

      Here you can find more information about the distinction between the data controller and data processor:

      If you want to learn how to comply with EU GDPR requirements you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

    • Concern points 4 and 5 of document procedure for document and record

      Regarding section 4, please note that in clause 7.5.3, ISO 27001:2013 explicitly requires you to control documents of external origin that are important for your ISMS, and this section defines how you fulfill this requirement. External documents are any documents not owned or controlled by an organization that are required for its operation, either mandatory or voluntarily adopted. Examples of external documents to be controlled are laws (e.g., SOX and EU GDPR), standards and regulations (e.g., the ISO 27001 itself), and documents and records from customers, suppliers, and partners (e.g., contracts, service agreements, product/service specifications, operation manuals, etc.).

      Regarding section 5, it defines how the incoming mail register is stored and protected. The incoming mail register is not a mandatory document, so you can simply have a table where you register who received some important external document, or where such a document is stored.

      This article can provide you with additional information:

      This material will also help you regarding control of documents:

      • Free video tutorial that you received as part of your toolkit: How to Write ISO 27001/ISO 22301 Document Control Procedure

      This material will also help you regarding document management:

    • Trends in OH & S Performance

      Thank you very much for the explanation. This is really helpful.

    • Best practice approaches related to the Asset Inventory

      In case these SaaS accounts are used to access or handle information that is part of the ISMS scope you are working on, the best approach would be for you to include them as outsourced services in your inventory. In case all these accounts refer to the same service, you only need to add a single register in your inventory (e.g., SaaS solutions for data storage, e-mail, collaborative software, etc.).

      This article will provide you with a further explanation about asset management:
