Search results

ISO 13485 documentation question

If you are a distributor of medical devices and may have to register products in the future, you have to have implemented ISO 13485:2016.

For more information about ISO 13485, please see following articles:

• What is ISO 13485? https://advisera.com/13485academy/what-is-iso-13485/
• Six key benefits of ISO 13485 implementation https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/

• Calculating Duration of each Service or Critical Service

  This choice will depend on the business objectives and complexity of measurement, but in most cases, organizations consider only critical services for such KPI (measuring noncritical services only adds effort without bigger benefits).

  Regarding calculation, in general, it is considered the total sum of interruption times in a given period (e.g., day, week, month, etc.), where the downtime periods are monitored either by monitoring systems or by reports sent by users. Both approaches have their advantages and disadvantages, which should be evaluated considering the business context.

  This article will provide you a further explanation about monitoring:

  • How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

  These materials will also help you regarding monitoring:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Defining calibration criteria

  

  When we perform a measurement of a variable to be measured, we are sure that there is a true value for the result. However, we recognize that we humans will never know what this true value is.

  So, when we use monitoring and measuring resource to determine the value, we get a measured value of v1.

  Can we trust on v1?

  To obviate the problem of not knowing the true value, instead of crossing our arms, we adopt an engineering approach, we will find a measurement standard traceable to international or national measurement standards, something that serves as a reference and that can be used as an approach of the true value. For example, if we are working with a scale that gives results to the second decimal place, if we use a measurement standard weigh with five decimal places, we can admit that that measurement standard is the true value, for our practical situation.

  So, when we perform a measurement we have:

  

  How do you read this in a calibration report?

  First, let’s find the deviation. The calibration laboratory performs a set of measurements with the monitoring and measuring resource within the measuring range. Something like:

  

  We calculate the deviation, or systematic error, by calculating the absolute value of the difference between the true value and the measured value.

  What is the worst-case within the measuring range? Find the highest value for the calculated deviations. For example, d5. So, for any measurement done within the measuring range, there is an associated maximum error, max-error, equal to   |d5 + uncertainty|

  Now consider an example: We have a product that we put on the market. This product has a characteristic X (the mass, for example) that is promised to customers to be within the range of a specification.

  They claim:

  "Buy our product, we guarantee that it has a mass of 20g with a tolerance of plus or minus 2g"

  Something like:

  

  We will create a grid to assess the effect of the dimension of the measurement error on our assessment of product quality in terms of compliance with the specification. Something like:

  

  As we approach the limits of the specification, there is an increased risk of making errors of appreciation, the so-called alpha and beta errors, accepting a bad product as being good, and rejecting a good product as being bad.

  If the measurement error (max-error) increases in size, the likelihood of making these alpha and beta errors increases, as shown in the following figure:

  

  The greater the measurement error, the greater the risk of making error alpha or error beta.

  Reject a good product as bad, or accept a bad product as good.

  The bigger the percentage of the tolerance interval “eaten” by the measurement error (max-error), the higher the probability of committing an alpha error or a beta error, that is, the risk of making a wrong decision.

  By calling the tolerance range “2 x T” (because of ± T) and the measurement error (max-error) as ME, we can calculate the following ratio:

  

  If R = 1; 2 x T = ME, the degree of risk in decision making, following the measurement is 100%.

  If R = 2; 2 x T = 2 x ME, the degree of risk is 50%

  If R = 10; 2 x T = 10 x ME, the degree of risk is 10%.

  In other words: Only when the measured value falls within the blue areas of the figure below, is there a risk of making the alpha or beta error of appreciation, that is, a 25% risk.

  So, we can say:

  

  The decision criteria for establishing the maximum-error (ME) to accept a measurement instrument, following a calibration, is not metrological, it is a management criteria (we are not talking about legal metrology). What risk do we accept in our measurement assessment?

  The risk will always exist, always! We have to assess its dimension, and which is the dimension from which we find it too uncomfortable.

  From the above example, does our scale measure the mass of a pharmaceutically active ingredient for a recipe? Or measure the amount of flour to put in a pastry cake? What is the risk associated with each situation?

  ISO 10012-1, in the Application Guide, advised (I say advised because I do not have the latest version at hand) that the R-value should be as high as possible, and that the range should be between a minimum of 3 and a maximum of 10 (more than 10 means having a measuring device that is too good, maybe too expensive).

  Consider your monitoring and measurement resource and check what is the lowest tolerance allowed in a measurement made with it, and then determine your R.

  You can find more information below:

  • Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• Statement of Applicability

  If there are changes in the SOA after certifying the company you have to:

  • review the risk assessment and treatment and the list of legal requirements, and update those so you can provide the basis you need to justify the changes in the SoA
  • update the SoA to reflect the new status (i.e., update the status of controls and their justifications), and have it approved by top management
  • update the risk treatment plan considering these new SoA
  • implement the new controls, and gather evidence that the new applicable controls are working and achieving defined objectives.

  Basically, you have to perform the risk assessment and treatment again.

  For further information, see:

  • ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

  Regarding the external audit, when the SoA is changed you need to inform the certification body about the changes made, so it can verify if the surveillance audit needs adjustment, either in duration or in the number of required auditors, due to the change in the number of applicable controls. You need to communicate this as soon as possible.

• Has my employer and union broken GDPR?

  I am sorry but your case does not involve the GDPR aspect, but it involves how the Union fulfilled the obligation of providing legal assistance. You should verify with a lawyer if the Union abused somehow of powers of representation you provided to handle the case. From your question I understand that you asked for legal aid, not for legal representation, you provided your personal data, so the Union has the right to process your data. If they misrepresented you, in front of your employer it is an aspect that does not involve data processing. You should contact a lawyer to verify if the Union acted correctly.

  Here you can find more information on the legal basis to process personal data according to the GDPR:

  • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

  If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations: https://advisera.com/training/eu-gdpr-foundations-course//

• Does acceptance by exception by the customer must always be formalised by the supplier?

  Let us use ISO 9001:2015 as our guide. After a non-conformity being detected, a supplier may decide to ask for a derogation by the customer. According to ISO 9001:2015, clause 8.7 the supplier must keep records evidencing that the customer authorized the derogation. There is no requirement about what kind of record is to be used. The supplier may use its own internal NC and ask the customer to use it for evidence approval, or the supplier may annex an e-mail from the customer to evidence that approval.

  You can find more information about improvement in the following links:

  • How to use quality control tools to improve your QMS - https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• IT Managed Service Providers

  1. Is there an ISO certification we should look at?

  Please note that ISO certifications are not mandatory by themselves, although some countries have established laws and regulations that are easier to be fulfilled by adopting them, and an increased number of customers are preferring ISO-certified organizations as suppliers because they consider such organizations are more capable to help them.

  Considering that, you need to evaluate your legal environment and customers’ profile to see if an ISO certification is interesting to you.

  Broadly speaking, IT Managed Service Providers, should consider the following certifications:

  • ISO 20000: related to the management of IT services
  • ISO 27001: related to the management of information security
  • ISO 9001: related to quality management

  These standards share many common requirements, so you can implement them in an integrated way.

  These articles will provide you a further explanation about ISO standards:

  • What is ISO 27000? https://advisera.com/20000academy/what-is-iso-20000/
  • What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
  • What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/

  This article can provide you a customer point of view (the same general concept applies to all ISO management standards):

  • Why is it important for your hosting partner to be certified against ISO 27001? https://advisera.com/27001academy/blog/2019/07/02/iso-27001-for-hosting-companies-what-are-the-main-benefits/

  2. What would be involved to get certified and what sort of costs would we expect?

  After the implementation of documents and controls required by the specific standard, you need to make sure that everyone in the company is complying with documents, i.e., performing all the activities prescribed there. After that, you can work on selecting your certification body.

  Our toolkit can help you with the implementation: 

  • ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/

  These articles will provide you a further explanation about the ISO 27001 implementation process:

  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/2011/how-to-prepare-for-an-iso-27001-internal-audit/
  • Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

  Regarding costs, without detailed information about the certification scope it is not possible to give you a precise answer, but broadly speaking, what I can tell you is that these are some cost issues you should consider:

  • Training and literature
  • External assistance
  • Technologies to be updated/implemented
  • Employee's effort and time
  • The certification process

  These materials can provide you more information:

  • How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
  • 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/2019/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
  • How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/
  • Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

  For the duration of the implementation:

  • How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/  - Please note that this is the timing that is needed for companies that use our toolkits.

  These materials will also help you regarding ISO 27001 project:

  • ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• ISO 27001 implementation

  Besides our webinars, to support your ISO 27001 implementation in Advisera you can find:

  • blog posts: https://advisera.com/27001academy/blog/
  • free to download templates and whitepapers: https://advisera.com/27001academy/free-downloads/
  • ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  • free to enroll online training courses: https://advisera.com/training/

  Regarding specialists, you may consider a specialist in the ISO 27001 standard (with our toolkit this need is reduced to a minimum) and specialists in your core processes and technologies.

  These articles will provide you a further explanation about ISO 27001:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
  • Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

  These materials will also help you regarding ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Annex A controls

  Besides information about specific controls in our blog (https://advisera.com/iso-27001/), and how to apply them, these materials may also help you:

  • Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Annex A controls

  Além de informações sobre controles específicos em nosso blog (https://advisera.com/iso-27001/) e como aplicá-los, esses materiais também podem ajudá-lo:

  • Visão geral do Anexo A da ISO 27001:2013 https://advisera.com/27001academy/pt-br/knowledgebase/visao-geral-do-anexo-a-da-iso-270012013/

  • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/