Search results

Critical non-conformities

Nonconformance is not necessarily a bad thing because each non-conformance is an opportunity for improvement. ISO 13485 in sections 8.3 Control of non-conforming products and 8.5.2 Corrective action include clear and in-depth guidance on how to respond to any nonconformity discovered through your processes, connected with customer complaints, or conducted audits (both external and internal). 

The potential impact of non-conformity on your organization depends on the size and type of the nonconformance. When critical issues are discovered in the production process this may lead to the product of an unsafe medical device. Un-safe medical devices present both risks for the patient/end-user, but also for your company because your company’s rating can be compromised. 

If Top management needs to be involved in solving critical non-conformities by ensuring certain resources (financial, infrastructure, or human), they must be aware of the consequences that may have not solving non-conformities.

So, prepare a full explanation of what the consequences are if you do not resolve the nonconformity and provide that evidence Top management. If Top management has no ear for this, you can always contact the Board of Directors, the owner, or some other entity that is above your boss.

MDR classification

Rule 9 is considering active therapeutic devices s intended to administer or exchange energy, while lung ventilators are monitoring devices. According to the MDR, active monitoring devices of vital physiological processes are covered in Rule 10.

È necessario il DPO?

Dipende dal tipo di dati che tratti. Se il tuo software tratta le particolari categorie di dati (i cosiddetti dati sensibili, come quelli sulla salute, l’orientamento sessuale, le opinioni politiche, ecc.) potresti aver bisogno di un DPO, altrimenti non rientri nelle ipotesi indicate nell’Art. 37 GDPR.

Qui puoi approfondire la figura del DPO:

• Il ruolo del Responsabile della Protezione dei Dati alla luce del Regolamento Generale sulla Protezione dei Dati https://advisera.com/eugdpracademy/it/knowledgebase/il-ruolo-del-responsabile-della-protezione-dei-dati-alla-luce-del-regolamento-generale-sulla-protezione-dei-dati/
• How to hire the right DPO? https://advisera.com/eugdpracademy/blog/2018/08/27/how-to-hire-the-right-dpo/

Se vuoi approfondire l’applicazione del GDPR puoi iscriverti al nostro corso online gratuito EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//,

Per conoscere i requisiti per il DPO, puoi iscriverti al nostro corso online gratuito EU GDPR Data Protection Officer Course https://advisera.com/training/eu-gdpr-data-protection-officer-course/

Information security policy

ISO 27001 mentions the following policies: 

- Information Security Policy
- Mobile device policy
- Access control policy
- Policy on the use of cryptographic controls
- Clear desk and clear screen policy
- Secure development policy
- Information security policy for supplier relationships

According to ISO 27001, only the Information Security Policy must be approved by the top management (clause 5.2) - all the other mentioned policies are operational policies that are almost never approved by the top management.

You might try to change the names of operational policies to "procedures", however then you risk having problems at the certification audit. The name of the Information Security Policy should not be changed to procedure because the auditor would certainly raise a nonconformity for that.

Corrective Action Form

The reference to be used in the column “Reference to the Corrective Action Form” is the number of the Corrective Action form. There is no need to list “actions points” because this information will be recorded in the Corrective Action form.

This article will provide you a further explanation about records management:

• Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

These materials will also help you with records management:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 9001 Questions

1/Example of determining the requirements for products and services, meaning what features the product or service will have in the organization;

Answer:

I do not know if I understand the question correctly. Product or service requirements are included in its specifications. They are a design output (see ISO 9001:2015 clause 8.3.5 d))

2/Example of scope of QMS and its evidences in any organization;

Answer:

I invite you to check this free webinar on-demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - – where I develop the topic.

For example, a hotel may have several services and several kinds of clients:

While implementing a quality management system, top management decided that its scope would be only the hospitality service for groups. The scope statement should be written in a document. Normally, organizations keep a system’s manual, not mandatory, and include the scope statement there.

3/ Example of process design/service in any organization

Answer:

In this picture

you find a generic example of a design process.

4/ Example of establishment and documenting the criteria for supplier’s selection in any organization;
5/Example of establishment and documenting the criteria Production and service provision in any organization 

Answer:

Unfortunately, I cannot present here those examples because we sell that kind of template in our ISO 9001:2015 Documentation Toolkit. Please check the free previews available.

About supplier’s selection criteria – think about what an organization needs from its suppliers: no defects, no delivery delays, price level, innovation, service.

About establishing the criteria for product and service provision – please check this free webinar on-demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/  - and see how the risk-based approach can be used to develop a process control plan.

New requirements for technical files

You have a template for technical documentation in the folder Technical file. The name of the document is the Technical file template.  

Coding records

You do not need to code records if it is not suitable for you. The point of the code is that you can differentiate your records. So any system that will allow you how to differentiate records is good. This way of coding in our documentation toolkit was just a suggestion, the way that we considered to be the best. But, do it as it is logical for you.

Your documentation must suit your company, organizational, and process needs

Considering the example from your question: 

If you decide to you codes on the record, then one code will be for one type of the record. It means, that if you have a record PR-001-F, each time when your employee will use this form it will be written on it. It does not depend on the date of issue of that record or the content of the record. The code always stays the same. Some clients put that code in the header or footer.

Considering the records that run automatically like backup logs - yes you can add that code to the file name of the backup

More information about document management you can find on the following link:

• Common mistakes with ISO 13485:2016 documentation control and how to avoid them https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/
• How to structure Quality Management System documentation according to ISO 13485 https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

• Working Instructions for testers under accreditation

  You asked

  Working Instructions for testers under accreditation – is there recommended form and will we receive it?

  Within ISO 17025 there are certain mandatory procedures, documented processes and records required. Work Instructions (WI) can be used when detailed information is needed about how to do a task. There is no prescribed way a WI must be presented. An instruction could be in the form of a written text in a document, workflow of steps, a graphic illustration, series of photographs and or a video.  Either way WIs should be sequential, logical and to the point, menaing clear to follow. The design will depend on your needs. Within the ISO 17025 Academy toolkit, there are a number of procedures and forms, including checklists that contain the information to complete a process. These can be used to write a step by step work instruction. To preview the toolkit see https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  You also asked

  Is it possible to receive support for the structure of the Lab and it place in our organization chart – to be acceptable for accreditation body?

  Simply answered any structure is acceptable where there is overall management, clearly defined roles and there is no conflict of interest. Responsibilities and authorities must be defined, and the structure must safeguard impartiality, confidentiality and drive the objectives of the laboratory.

  Please have a look at my reply to a question Key positions in ISO 17025, at https://community.advisera.com/topic/key-positions-in-iso-17025/ where this is answered. You can also view a preview of the Quality Manual that covers this, available from https://advisera.com/17025academy/iso-17025-documentation-toolkit/ Also feel free to download a complimentary white paper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/, where Structural requirements are explained in section 5.

• Measuring success of Information Security

  Thank you. Your explanations are clear and understandable.