CAPA stands for Corrective Action and Preventive Action. It is usually a set of actions that an organization requires in manufacturing, documentation, procedures, or systems to correct and eliminate recurring non-conformities. Non-conformity is determined after a systematic evaluation and analysis of the root cause of the non-compliance.
Corrective actions include identifying, documenting, and removing the root cause of the nonconformity or problem to prevent the problem from recurring.
Preventive measures are taken to prevent the occurrence of such non-compliances, generally as a result of a risk analysis.
The best way to start with the CAPA system is to go through the following articles:
After you study these articles, if you have any other questions, do not hesitate to contact us.
1. I would like to know why in ISO 27001 there is a "Supplier Management" and there is no "Customer Management"?
Please note that ISO 27001's main objective is to protect the information that belongs to the organization or is under its responsibility (e.g., customer information, partners' information, etc.).
Considering that, the information to be protected may be accessed by suppliers (e.g., a SaaS provider, contractors, etc.), and the organization needs to ensure that information is also properly protected by suppliers (by means of contractual clauses, periodic service review, etc.), thus the need for “Supplier management”.
Now, customer management involves much more than information protection, so to include it in ISO 27001 would mean an unnecessary overhead for the information security management system.
2. How should I align or assure my clients within my implementation of ISO 27001?
For alignment of customers' interests and requirements with your ISO 27001 implementation, you must consider them when working on clause 4.2 Understanding the needs and expectations of interested parties. Fulfilling this clause is enough for the standard to consider customers in your implementation.
For more information, see:
In case your organization considers it needs a more robust customer management approach, you may consider adopting concepts from ISO 9001, the standard for quality management.
For more information, see:
These articles will provide you a further explanation about ISO 27001:
These materials will also help you regarding ISO 27001:
Please note that ISO 27001 does not prescribe data retention requirements (for any type of information), only that these must be defined, based on results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).
Considering that, you should consider hiring legal expert advice, to help you identify relevant legal requirements applicable to your organization.
This article may provide you a starting point:
The starting point is to understand the purpose of the ISO 17025 Standard, the requirements and identify the benefit for your laboratory.
To assist, begin with the article What is ISO 17025?, available at https://advisera.com/17025academy/what-is-iso-17025/
Then have a look at the free Whitepapers available at https://advisera.com/17025academy/free-downloads/, particularly
Then there are some useful articles at https://advisera.com/17025academy/blog/, particularly
The ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ has previews, including an Internal Audit Process Checklist you would use to populate all the requirements in (as from above) to determine the gaps and level of compliance for implementation and accreditation. You could also obtain the assessment checklist from the ISO 17025 accreditation body you would deal with.
Thanks for the information. Most appreciated.
According to the definitions in the ISO 13485:2016, a medical device family is a group of medical devices manufactured by or for the same organization and have the same basic design and performance characteristics related to safety, intended use, and function. You can have one Technical documentation for the group of the medical devices with a complete list of the various configurations/variants.
To see how to structure the Technical file according to MDR, see this Technical file template: https://advisera.com/13485academy/documentation/technical-file-template/
Regarding the retention of records, the legal regulations and the periods specified by the customer-specific requirements are important. The first issue to be examined is these 2 places.
In addition, clause 7.5.3.2.1 of the IATF 16949:2016 standard states the following:
"Production part approvals, tooling records (including maintenance and ownership), product and process design records, purchase orders (if applicable), or contracts and amendments shall be retained for the length of time that the product is active for production and service requirements, plus one calendar year unless otherwise specified by the customer or regulatory agency."
Yes, you can outsource a person as a management representative. A management representative should be someone who is knowledgeable, trained, and has experience in dealing with the Quality Management System according to ISO 13485 of the company as well as familiar. Also, it would be preferable that that person has experience with your type of medical devices and technologies. This person must be available upon your request.
With an outsourced management representative, you need to have a contract where mutual obligations will be defined.
For more information, please see the following articles:
During the certification audit, auditors confirmed that your quality management system was designed according to ISO 9001 requirements.
During surveillance audits, auditors' main concern is to verify that your organization complies with the rules (internal and from the standard) and improves the system. So, I recommend that you check if your quality management system records are being filled in correctly, performance is being analyzed and evaluated, and improvement actions are being implemented.
You can find more information below: