Search results


  • Using certified contract manufacturer impact

    If you are a legal manufacturer and want to put a medical device under your name, then you are also obliged to be certified according to ISO 13485. The contract manufacturer is your outsourced process and you need to have a proper quality agreement with them in accordance with requirement 4.1.5 of ISO 13485:2016. This quality agreement is supposed to cover mutual responsibilities, but also what kind of control you will have over them. Usually, the following are control measures:

    • Supplier's audit – you will perform a supplier audit over them with a risk-based periodicity
    • the need for the outsourced company to notify you if it receives any complaint about similar products
    • mutual communication in resolving complaints and inconsistencies
    • defined time required to respond to inquiries and clarifications

    Considering the MDR / CE mark, again if you are a legal manufacturer and want to put a medical device under your name, then it is your responsibility to prepare the technical file in accordance with Annex II and Annex III of the MDR. Be prepared that when the notified body comes for your MDR audit, they will also audit the outsourced certified company.

    For more information, see: 

    • EU MDR Annex II – Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
    • EU MDR Annex III – Technical documentation on post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/

    • Data protection: IT service provider

      You need consent to process a special category of personal data (the so-called sensitive data) and when your data processing goes beyond the fulfillment of a contractual obligation. In your case, when making a contract with a client for your software, the client agrees to data processing for the purposes of the contract: receiving the software, issuing invoices, storing the IP, Wi-Fi password, location, etc. This set of data you are collecting must be contained in the privacy notice and have as its legal basis the performance of a contractual obligation.

      However, if you want to process your client’s data for marketing purposes you need to ask for specific consent, because the client, when downloading the software, reasonably expected that personal data would be processed to fulfill the obligation. The consent must be specific and given freely, so you need to ask your client something like “Do you agree to receive information and promotions from us?” or “Do you want your data to be shared with our partners for promotional advertising?” The client must be aware of the reasons you are asking for their consent.

      Here you can find more information on the legal basis to process personal data according to the GDPR and what to consider about the GDPR privacy notice:

      If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course//

    • ISO 9001 and 14001 certification and integration

      How to integrate ISO 9K with ISO 14K

      Answer:

      Organizations exist to serve clients. So, I recommend starting with modeling how the organizations serve clients based on the process approach and ISO 9001.

      https://www.screencast.com/users/ccruz5284/folders/Default/media/6cda8c8b-252d-411d-a716-61e78f632784

      Then, I consider other interested parties:

      https://www.screencast.com/users/ccruz5284/folders/Default/media/b098e50a-df24-41b2-ae71-70db2aa73af9

      Based on ISO 14001 and interested parties' requirements I recommend organizations to determine environmental aspects and impacts, compliance obligations, and risks.

      From here, it is possible to determine what needs to be done to improve the interaction with the environment while serving clients. And what needs to be done can be translated to things like:

      • Add work instructions specifically about environmental practices
      • Update work instructions from quality with tips and requirements to be followed because of improvement needs relevant to the environment
      • Make changes in layouts and visual management in order to help people comply with environmental requirements while doing their work
      • Develop action plans to meet quality and environmental objectives

      Of course, you will have several activities that can be immediately integrated like training, management review, internal audits, document control, monitoring, and measurement.

      You can find more information below:

      What are the basic requirements for certification?

      Answer:

      I don’t know if I’m understanding correctly your question. To be certified an organization has to comply with management system standards (both at the design of the system level and at the conformity of practices level) and has to comply with compliance obligations.

      What are the best practices followed by organisations seeking ISO 14k certification?

      Answer:

      Set up a project sponsor, a project manager, and a project team. Determine the scope of the EMS. Ensure top management support and get training. Designing and implementing an environmental management system (EMS) implies being knowledgeable about ISO 14001:2015.

      As a first step perform a gap analysis to determine the amount of work to be done, comparing what your organization already has in place versus ISO 14001:2015 requirements. From that gap analysis you can develop your project plan, listing what needs to be done, by whom, and until when.

      From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

      Perhaps the following links can be useful:

    • Can a Lead Auditor certify that organisation is ISO 27001 compliant?

      Only auditors working for certification bodies (certification auditors) can certify a business as ISO 27001 compliant.

      The choice of the certification body is an organization's decision, based on its strategies and business objectives and alignment with certification body practices.

      These articles can provide you further information:

    • Contractor's obligation to provide the client with BIA/BCRA

      Please note that the provision of Business Impact Analysis / Business Continuity Risk Assessment needs to be considered in the contract or service agreement you have with this supplier because this way in case they do not provide the documents you can have legal means to enforce compliance. Anything out of the contract or service agreement must be negotiated with the supplier.

      Considering that, to see a material with examples of applicable legal clauses to contracts that you can use as a basis to make your questionnaire for performance review, please access this template demo (although it is about ISO 27001, it also can be applied to business continuity): https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/

      These articles will provide you a further explanation about supplier management:

      These materials will also help you regarding supplier management:

    • Question on ISMS scope definition

      1 - The scope cannot be a server or a product, because it is a management standard right? Does this then mean that it can’t be an environment, like a cloud environment? Would you set the scope as the software engineering department for example instead?

      Your assumption is correct. The ISMS scope cannot be defined in terms of products, assets, or technologies. It needs to be defined in terms of information, locations or processes to be protected, so the definition of the scope as the software engineering department is more appropriate.

      This article will provide you a further explanation about scope definition:

      These materials will also help you regarding scope definition:

      2 - And you mentioned the scope cannot be drawn between people who share the same office? Does this mean they would also need to be segregated in terms of network or email environment?
      I’d really appreciate your opinion as I think the delivery time will be quite different if we chose the smaller scope rather than the whole company, although maybe more detailed in segregating them.

      Please note that, for small environments, it is better to define all their elements as the ISMS scope, because the effort and costs to segregate them may not be worthwhile compared to managing all elements as part of the ISMS scope.

      This article will provide you a further explanation about scope definition:

    • ISO 13485 documentation question

      If you are a distributor of medical devices and may have to register products in the future, you have to have implemented ISO 13485:2016.

      For more information about ISO 13485, please see following articles:

      • What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
      • Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/

      • Calculating Duration of each Service or Critical Service

        This choice will depend on the business objectives and complexity of measurement, but in most cases, organizations consider only critical services for such KPI (measuring noncritical services only adds effort without bigger benefits).

        Regarding calculation, in general the total sum of interruption times in a given period (e.g., day, week, month, etc.) is considered, where the downtime periods are monitored either by monitoring systems or by reports sent by users. Both approaches have their advantages and disadvantages, which should be evaluated considering the business context.

        This article will provide you a further explanation about monitoring:

        These materials will also help you regarding monitoring:

      • Defining calibration criteria

        https://www.screencast.com/users/ccruz5284/folders/Default/media/68a03e21-a2dc-471b-acdb-a53c843899ba

        When we perform a measurement of a variable to be measured, we are sure that there is a true value for the result. However, we recognize that we humans will never know what this true value is.

        So, when we use a monitoring and measuring resource to determine the value, we get a measured value v1.

        Can we trust v1?

        To obviate the problem of not knowing the true value, instead of crossing our arms, we adopt an engineering approach: we find a measurement standard traceable to international or national measurement standards, something that serves as a reference and that can be used as an approximation of the true value. For example, if we are working with a scale that gives results to the second decimal place and we use a measurement standard weight with five decimal places, we can admit that that measurement standard is the true value for our practical situation.

        So, when we perform a measurement we have:

        https://www.screencast.com/users/ccruz5284/folders/Default/media/71fd6451-3061-4105-8dc5-25c459cbc771

        How do you read this in a calibration report?

        First, let’s find the deviation. The calibration laboratory performs a set of measurements with the monitoring and measuring resource within the measuring range. Something like:

        https://www.screencast.com/users/ccruz5284/folders/Default/media/e92646f6-1567-4ea4-9df3-64e0655bf4d2

        We calculate the deviation, or systematic error, by calculating the absolute value of the difference between the true value and the measured value.

        What is the worst case within the measuring range? Find the highest value for the calculated deviations. For example, d5. So, for any measurement done within the measuring range, there is an associated maximum error, max-error, equal to |d5 + uncertainty|

        Now consider an example: We have a product that we put on the market. This product has a characteristic X (the mass, for example) that is promised to customers to be within the range of a specification.

        They claim:

        "Buy our product, we guarantee that it has a mass of 20g with a tolerance of plus or minus 2g"

        Something like:

        https://www.screencast.com/users/ccruz5284/folders/Default/media/e997ec75-c301-4219-9989-dba022e817f2

        We will create a grid to assess the effect of the dimension of the measurement error on our assessment of product quality in terms of compliance with the specification. Something like:

        https://www.screencast.com/users/ccruz5284/folders/Default/media/1c011c96-b951-4d67-9180-cc8d1242528b

        As we approach the limits of the specification, there is an increased risk of making errors of appreciation, the so-called alpha and beta errors, accepting a bad product as being good, and rejecting a good product as being bad.

        If the measurement error (max-error) increases in size, the likelihood of making these alpha and beta errors increases, as shown in the following figure:

        https://www.screencast.com/users/ccruz5284/folders/Default/media/c2cfdff0-8b08-4c81-8453-73e20bb10280

        The greater the measurement error, the greater the risk of making error alpha or error beta.

        Reject a good product as bad, or accept a bad product as good.

        The bigger the percentage of the tolerance interval “eaten” by the measurement error (max-error), the higher the probability of committing an alpha error or a beta error, that is, the risk of making a wrong decision.

        By calling the tolerance range “2 x T” (because of ± T) and the measurement error (max-error) as ME, we can calculate the following ratio:

        https://www.screencast.com/users/ccruz5284/folders/Default/media/d6f12537-62d7-47cd-a144-8605ae606fab

        If R = 1; 2 x T = ME, the degree of risk in decision making, following the measurement is 100%.

        If R = 2; 2 x T = 2 x ME, the degree of risk is 50%

        If R = 10; 2 x T = 10 x ME, the degree of risk is 10%.

        In other words: Only when the measured value falls within the blue areas of the figure below, is there a risk of making the alpha or beta error of appreciation, that is, a 25% risk.

        So, we can say:

        https://www.screencast.com/users/ccruz5284/folders/Default/media/47d6c16d-8470-40f0-88fd-66c493fc5a6a

        The decision criterion for establishing the maximum error (ME) to accept a measurement instrument, following a calibration, is not metrological; it is a management criterion (we are not talking about legal metrology). What risk do we accept in our measurement assessment?

        The risk will always exist, always! We have to assess its dimension, and which is the dimension from which we find it too uncomfortable.

        From the above example, does our scale measure the mass of a pharmaceutically active ingredient for a recipe? Or measure the amount of flour to put in a pastry cake? What is the risk associated with each situation?

        ISO 10012-1, in the Application Guide, advised (I say advised because I do not have the latest version at hand) that the R-value should be as high as possible, and that the range should be between a minimum of 3 and a maximum of 10 (more than 10 means having a measuring device that is too good, maybe too expensive).

        Consider your monitoring and measurement resource and check what is the lowest tolerance allowed in a measurement made with it, and then determine your R.

        You can find more information below:
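The calculation described in the answer above (deviation per calibration point, worst-case max-error, the ratio R = 2 x T / ME and the advised band of 3 to 10), carried through in code. This is an added example, not code from the answerer or from Advisera; the calibration report values and the laboratory uncertainty are constructed for the illustration, and the "risk percent" figure implements the answer's own rule of thumb (R = 1 gives 100 %, R = 2 gives 50 %, R = 10 gives 10 %), which is an assumption rather than a formula from ISO 10012.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CalibrationPoint:
    """One line of a calibration report: reference standard value vs. instrument reading."""
    reference: float   # value of the traceable measurement standard, taken as the "true" value
    measured: float    # reading of the monitoring and measuring resource under calibration


def deviations(points):
    """Systematic error per calibration point: |true value - measured value|."""
    return [abs(p.reference - p.measured) for p in points]


def max_error(points, uncertainty):
    """Worst case over the measuring range: largest deviation plus the lab's stated uncertainty."""
    return max(deviations(points)) + uncertainty


def capability_ratio(half_tolerance, me):
    """R = (2 x T) / ME, where the specification is nominal +/- T and ME is the max-error."""
    if me <= 0:
        raise ValueError("max-error must be positive")
    return (2.0 * half_tolerance) / me


def decision_risk_percent(r):
    """Rule of thumb from the answer (assumption): R = 1 -> 100 %, R = 2 -> 50 %, R = 10 -> 10 %."""
    return 100.0 / r


def assess_instrument(points, uncertainty, half_tolerance, r_min=3.0, r_max=10.0):
    """Apply the management criterion: accept the instrument only if R lies in [r_min, r_max]."""
    me = max_error(points, uncertainty)
    r = capability_ratio(half_tolerance, me)
    if r < r_min:
        verdict = "reject: measurement error eats too much of the tolerance interval"
    elif r > r_max:
        verdict = "over-specified: instrument better (and likely costlier) than needed"
    else:
        verdict = "accept"
    return {"max_error": me, "R": r, "risk_percent": decision_risk_percent(r), "verdict": verdict}


# Constructed calibration report for a scale reading to two decimals, checked against
# five-decimal reference weights (all values invented for this example, in grams).
REPORT = [
    CalibrationPoint(5.00000, 5.02),
    CalibrationPoint(10.00000, 9.97),
    CalibrationPoint(15.00000, 15.03),
    CalibrationPoint(20.00000, 20.05),
    CalibrationPoint(25.00000, 24.94),
]
LAB_UNCERTAINTY = 0.01  # g, as stated on the constructed calibration certificate

if __name__ == "__main__":
    # The answer's example: mass promised as 20 g +/- 2 g, so T = 2 g and 2 x T = 4 g.
    print(assess_instrument(REPORT, LAB_UNCERTAINTY, half_tolerance=2.0))
    # The same scale used against a much tighter specification of +/- 0.2 g.
    print(assess_instrument(REPORT, LAB_UNCERTAINTY, half_tolerance=0.2))
```

Running it shows the point the answer makes about the criterion being a management one: with the +/- 2 g tolerance the scale is far "too good" (R well above 10), while for a +/- 0.2 g tolerance the same scale lands inside the advised band and is accepted. The lowest tolerance you will ever measure with the instrument is the one to feed into `half_tolerance`.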

