Search results

ISO 13485 requirements for virtual IVD manufacturer

A company can have implemented ISO 13485 only for the Desing and development. In that case, some requirements will be stated as „non-applicable“, like: 7.5.3 Installation activities, 7.5.4. Service activities, 7.5.5 Particular requirements for sterile medical devices, 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems. The main procedure, in that case, will be Desing and development, which will replace the procedure for production and service provision. 

For more information, please see the following article:

• How to manage design and development of medical devices according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/

You can see how we have prepared the Design and development procedure in our ISO 13485:2016 Documentation toolkit:

• Design and Development File https://advisera.com/13485academy/documentation/design-and-development-file-iso-13485-2016/
• ISO 13485:2016 Documentation Toolkit https://advisera.com/13485academy/iso-13485-documentation-toolkit/

• Mobile app GDPR compliance

  "Firstly, I want to thank you so much for providing such help. It is really valuable.I would like to ask you about the following.Current situation:

  I have a mobile application (Notes & todo lists) running on Android that stores & processes data.- This data could be personal or personally identifiable.- The app stores the data on the user's device in the app folder that is accessible by the user only.- We do not collect or store any data in the cloud.- The app also has google ads. Users are informed and have to give consent before using the app- There is no requirement for sign up or requests for email, name, passwords, financial information etc.- Data stored (because it is a notes app) can be personal interests, schedules, names, numbers etc.

  What I would like to know:

  Considering the app above:If I do not encrypt the data stored in the device am I in breach of GDPR?

  The GDPR lets the controller decide if security measures as appropriate to the data processing or not, so encryption can be a good security measure and it is recommended but it is non-mandatory. Article 32 GDPR states that the controller needs to consider the risks for freedom and rights of users, the state of art, the costs of implementation, the nature, scope, and purpose of processing and to balance it in order to verify the appropriate security measure (i.e., the app may not encrypt data because are stored on user device but request two-factor authentication or access with fingerprint).

  Do I need to appoint an EU Data Protection representative?

  If you are not located in the EU yes you need to appoint an EU representative, as required by Article 27 GDPR.

  Does the GDPR really apply to this application since there is no collection of data and only the user has access to it?Thank you so much for your help."

  GDPR applies to data processing which is defined by Article 4 GDPR “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”

  Your app records and makes available personal data to the user so it processes personal data, then your company probably acquires data of users who downloaded the app, their device numbers or email or Google Play account, in fact, you ask consent for processing data, the GDPR will apply even if your app does not transmit personal data of your user you still process other personal data (device number, email, google accounts, etc.).

  Here you can find more information on GDPR implementation:

  • Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/
  • What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
  • A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
  • List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/

  If you need to understand how to process personal data under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

   

• ISO 9001 suppliers' requirements

  Your organization as the client has the authority to determine qualification requirements for suppliers. If they want to serve your organization, they have to comply.

  However, there is nothing in ISO 9001:2015 requiring that suppliers must be ISO 9001 and IATF-16949 certified.

  The following material will provide you more information:

  • Purchasing in QMS – The Process & the Information Needed to Make it Work - https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/
  • ISO 9001 document template: Procedure for Purchasing and Evaluation of Suppliers - https://advisera.com/9001academy/documentation/procedure-purchasing-evaluation-suppliers/
  • Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• 9001 Auditor's competency

  Has any requirements for the auditor for conducting an internal audit and how to ensure the auditor conduction audit is competent? 

  Answer:

  Each organization has the authority to determine the competence requirements of its internal auditors. Normally, organizations consider that internal auditors should have knowledge of the audit criteria (ISO 9001:2015 in this case) and should have training in internal audits. You can even decide that an auditor has to study a book on audits or attend an online course and do an in-house exam. Internal auditor competence requirements can be established in a job description, for example. Audit competence or audit effectiveness can be measured, for example by comparing internal audit results with external audit results.

  Is it any requirements for attending internal audit training and getting certificates? 
  If have please give a reference on İSO 19011. 

  Answer:

  No, there is no formal requirements for choosing people to attend internal audit training. Anyone can be internal auditor, unless psychologically they do not want to do it.

  The following material will provide you information about internal auditors:

  • 13 Steps for ISO 9001 Internal Auditing using ISO 19011 - https://advisera.com/9001academy/knowledgebase/13-steps-for-iso-9001-internal-auditing-using-iso-19011/
  • How to perform an internal audit using ISO 19011 - https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011
  • ISO 9001 – ISO 9001 internal auditor training: Is it for me? - https://advisera.com/9001academy/blog/2015/06/02/iso-9001-internal-auditor-training-is-it-for-me/
  • Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
     

• Evidence of competence

  1. Should evidence of competence be related to Information Security, or IT, or something else? Which competence do we have to justify? Should we have the evidence for everybody, or only just for IT Manager or Admins e.g.?

  The evidence of competence must be related to issues and activities that can impact the ISMS (e.g., secure development for the development and maintenance of information systems included in the ISMS scope, audit techniques for internal auditors, etc.).

  You need to evidence competency of anyone who has an impact on the performance of the ISMS, i.e., those who put together and manage the ISMS (e.g., managers and technical staff), and also of those who have to follow the policies and procedures (e.g., all employees included in the ISMS scope).

  These articles will provide you a further explanation about competence evidence for ISO 27001:

  • 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
  • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

  These materials will also help you regarding competence evidence for ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  2. What if we have an online learning platform with Data Privacy Training, but only half of the employees completed that training? I don't think it is enough, can it raise a non-confirmity?

  The answer to this question will depend on your defined ISMS scope. In case your ISMS scope is all the organization, and data privacy protection is a requirement for the ISMS, then this situation can rise a non-conformity.

  These articles will provide you a further explanation about ISMS scope and readiness for certification:

  • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

  These materials will also help you regarding ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Environmental objectives when working from home

  When thinking about environmental objectives I recommend two elements to frame them:

  • The environmental policy (that sets priorities)
  • The updated and classified list of environmental aspects and impacts

  So, during COVID times, was the list of environmental aspects and impacts updated? And the classification also? Perhaps some significant aspects from the past are not so significant for the time being, and vice versa. Do any significant environmental aspects relate to supporting the work from home? I will not consider what happens inside each employee’s house to avoid intrusion or harassment charges. For example, considering the life cycle, is an environmental aspect emerging as relevant? How environmentally friendly are your internet suppliers, or your web storage suppliers?

   

  First, chose the environmental aspects. Without that, it is artificial trying to come up with relevant environmental objectives.

   

  Please check this information below with more detailed answers:

  • Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
  • Catalogue of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
  • Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
  • ISO 14001 document template: Procedure for Identification and Evaluation of Environmental Aspects and Risks - https://advisera.com/14001academy/documentation/procedure-for-identification-and-evaluation-of-environmental-aspects/
  • Enroll for free in this course – ISO 14001:2015 Lead Auditor Course - https://advisera.com/training/iso-14001-lead-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
     

• Risk Assessment Method

  Generally speaking, a risk assessment methodology compliant with ISO 27001 has these 5 elements:

  • risk identification
  • risk owner
  • likelihood
  • impact
  • risk level.

  Provided CIS CRAM can fulfill these requirements, it can be used in an ISO 27001 context.

  We are not experts in CIS RAM, but based on the material provided in the Center for Internet Security (https://www.cisecurity.org/white-papers/cis-ram-risk-assessment-method/), this methodology seems too complex for beginners (please note that risk assessment is more useful when everyone in an organization can use it by themselves in a quick way, not depending upon few persons).

  To see a risk assessment methodology compliant with ISO 27001 that we consider simple to learn and use, please access this free demo template: https://advisera.com/27001academy/documentation/Risk-Assessment-and-Risk-Treatment-Methodology/

  These articles will provide information about risk management in ISO 27001:

  • How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
  • ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

  This material will also help you regarding risk management:

  • The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

• Issues from MDD to MDR in terms of mainly clinical evaluation and investigation

  If you have already marked medical device according to the MDD, your certificate is valid until the expiry date on the certificate, but not longer than May 2024. 

  Transition steps from MDD to MDR are as follows:

  1) First, you need to check if the classification of your medical device changed. Go to Annex VIII – Classification rules - and check-in which rule your medical device falls now.
  2) Take Annex I – General safety and performance requirements – and go through each requirement to check how is that requirement fulfilled for your medical device. Of course, not all requirements from this Annex I are applicable to all manufacturers. For example, if your medical device is not sterile, then requirements in section 11. Infection and microbiological cleanliness – are not applicable to you.
  3) Then review your technical file and compare it with the documentation requirements from the Annex II Technical documentation and Annex III – Technical documentation on post-market surveillance. If you see that some documentation/information is missing, prepare those documents.
  4) Review your QMS because there are some additional requirements regarding the QMS – MDR Article 10, paragraph 9, and Annex I.  For example, there is a requirement that within QMS there should be a strategy for regulatory compliance. Also, there is a necessity to put as part of the QMS Clinical evaluation process (Chapter 6) and Post-market surveillance system (Chapter 7).
  5) Assign for the UDI number - The UDI, in general, is provided by an official designated entity. On the MDCG 2019-1 guiding principle of issuing entities rules on Basic UDI-DI, there are some requirements to follow.

  For periodic audit that will be conducted after May 2021, you need to have prepared a Post-market surveillance system, vigilance system, and defined economic operators according to the MDR (for more details see Article 120).

  Here you can find all the information:

  EU MDR Article 10 – General obligations of manufacturers https://advisera.com/13485academy/mdr/general-obligations-of-manufacturers/
  EU MDR Article 120 – Transitional provisions https://advisera.com/13485academy/mdr/transitional-provisions/
  EU MDR Annex I - General safety and performance requirements https://advisera.com/13485academy/mdr/general-requirements/
  EU MDR Annex II – Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
  EU MDR Annex III – Technical documentation on post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/
  EU MDR Annex VIII – Classification rules https://advisera.com/13485academy/mdr/classification-rules/

• How to effectively use CAPA to improve Quality Management Systems?

  CAPA stands for Corrective Action and Preventive Action. It is usually a set of actions that an organization requires in manufacturing, documentation, procedures, or systems to correct and eliminate recurring non-conformities. Non-conformity is determined after a systematic evaluation and analysis of the root cause of the non-compliance.

  Corrective actions include identifying, documenting, and removing the root cause of the nonconformity or problem to prevent the problem from recurring.

  Preventive measures are taken to prevent the occurrence of such non-compliances, generally as a result of a risk analysis.

  The best way to start with the CAPA system is to go through the following articles:

  • ISO 13485 continual improvement: Seven-step process for corrective and preventive actions https://advisera.com/13485academy/knowledgebase/iso-13485-continual-improvement-seven-step-process-for-corrective-and-preventive-actions/
  • >What are the consequences of non-compliance with ISO 13485 for manufacturers of medical devices? https://advisera.com/13485academy/blog/2017/11/02/what-are-the-consequences-of-noncompliance-with-iso-13485-for-manufacturers-of-medical-devices/
  • Complete guide to corrective action vs. preventive action https://advisera.com/9001academy/blog/2020/06/22/complete-guide-to-corrective-action-vs-preventive-action/
  • Seven Steps for Corrective and Preventive Actions to support Continual Improvement https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/

  After you will study these articles, if you will have any other questions, do not hesitate to contact us.

• Customer management

  1. I would like to know why in ISO 27001 there is a "Supplier Management" and there is no "Customer Management"?

  Please note that ISO 27001 main objective is to protect the information, that belongs to the organization or is under its responsibility (e.g., customer information, partners information, etc.).

  Considering that, the information to be protected may be accessed by suppliers (e.g., a SaaS provider, contractors, etc.), and the organization needs to ensure that information is also properly protected by suppliers (by means of contractual clauses, periodic service review, etc.), thus the need for “Supplier management”.

  Now, customer management involves much more than information protection, so to include it in ISO 27001 would mean an unnecessary overhead for the information security management system.

  2. How should I align or assure my clients within my implementation of ISO 27001?

  For alignment of customers' interests and requirements with your ISO 27001 implementation, you must consider them when working clause 4.2 Understanding the needs and expectations of interested parties. Fulfilling this clause is enough for the standard to consider customers in your implementation.

  For more information, see:

  • How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

  In case your organization considers it needs a more robust customer management approach, you may consider adopting concepts from ISO 9001, the standard for quality management.

  For more information, see:

  • Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
  • How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

  These articles will provide you a further explanation about ISO 27001:

  • What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
  • Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

  These materials will also help you regarding ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/