You do not have to have safety courses, CPR or first aid to meet accreditation requirements. ISO 17025 accreditation does not specifically include Health and safety requirements. As a laboratory you should of course, comply with all Health, Safety and Environmental protection regulations of your country; and personnel need suitable training and knowledge. Typically these requirements are covered under a separate programme and documentation, usually via a policy and manual. This means that the accreditation body will not directly assess the laboratory on these issues, unless linked to an ISO 17025 requirement that could jeopardise the consistent, impartial operation to produce valid results – for example cross contamination. What ISO 17025 does require, stipulated in clause 5.4, is that Laboratory activities must be carried out in such a way as to meet the requirements of regulatory authorities, organizations providing recognition and customers. These requirements could be integrated into one management system or could be separate.
For more information on 17025 requirements, have a look at the Whitepaper Clause-by-clause explanation of ISO 17025:2017, which will assist you with ISO 17025 awareness, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
This means that in 58 places the standard ISO 13485:2016 states that the manufacturer needs to be in compliance with applicable regulatory requirements. Regulatory requirements are any other standard, law, rule, or regulation that is applicable to certain medical devices or to manufacturers of medical devices. These requirements can be international or national. The point is that manufacturers of medical devices understand that it is not only ISO 13485 that is applicable to them, and that there are a number of other rules with which they must comply.
For example, in point 4.1 General each manufacturer of medical devices must be in compliance with requirements from this standard, but also with any other applicable regulatory requirements. This means that any technical standard must be taken into account when designing and manufacturing a medical device, but also any national law, rule, or ordinance must be considered.
If manufacturers have any outsourced process, this also must be organized according to the requirements of ISO 13485, but also according to any other applicable regulatory requirements. If there are national laws and rules on how contracts between two companies must look, then they also must be taken into account.
Considering the retention period of obsolete documents, the standard stipulates that mandatory storage is a minimum of two years. However, if there is a national rule on how long a particular type of documentation must be kept, then the manufacturer must comply with that as well.
I hope that these examples have illustrated what it means to be in compliance with regulatory requirements. Throughout the standard, this term extends to and is found at almost every point. A detailed list of this is essentially the whole standard.
For more details on this topic, please see the following articles:
Automotive customer satisfaction shall be tracked by metrics such as quality performance, shipping performance, premium freight, number of complaints, etc. and this is mandatory for IATF 16949: 2016. For this subject, you can refer to Article 9.1.2.1 of the IATF 16949:2016 standard.
It is covered in MDR 2017/745, Annex 9, section point 2.2 c): the procedures and techniques for monitoring, verifying, validating, and controlling the design of the devices and the corresponding documentation as well as the data and records arising from those procedures and techniques.
Those procedures and techniques shall specifically cover:
So yes, you need to inform the customers that you will not produce your medical device anymore, but that you will provide the spare parts or service for a lifetime. If you are unable to do so, then you must inform them whom they can contact for spare parts or for service.
First of all, consent needs to be clearly expressed by the user. The Supervisory Authorities consider that consent with an opt-out mechanism is not given correctly.
You should add an opt-in checkbox.
Here you can find more information on consent and e-mail marketing.
If you need to understand how to process consent under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Please note that ISO 27002 is a support standard that provides guidelines and recommendations for implementation of ISO 27001 Annex A controls, so it is not mandatory, and you can adapt its contents to your context, provided you fulfill the security objectives and security controls statement provided in the ISO 27001 Annex A.
Regarding the word “shall”, please note that ISO 27002, as a guideline, does not use the word “shall” but “should”, and in the ISO world that means its content can be implemented or not, according to your needs.
This article will provide you a further explanation about ISO 27002:
These materials will also help you regarding controls from Annex A:
1) I understand that the CISO performs internal audits in a company, but who should audit the CISO?
Answer: First, it is important to note that the CISO is a very bad choice for the internal auditor because of the obvious conflict of interest (this role is in general responsible for the whole ISMS, and auditors cannot audit their own work).
Considering that, you must consider another person to be the internal auditor (e.g., train another employee as internal auditor, or hire an external auditor).
For further information about CISO, see:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
- Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
2) Our company is dedicated to selling ERP in SaaS mode (software as a service); how should control A.14.3.1 (Protection of test data) be implemented? ... Is it necessary to obfuscate the information of customers who are in the database?
Answer: The way to implement control A.14.3.1 will depend on the results of the risk assessment and the identified legal requirements. For example, the risk assessment may identify that strict control of the test database alone is enough, or that the creation of randomized dummy customer data may be needed. Additionally, contractual clauses may require the use of specific techniques, or forbid others, and some regulations like GDPR may require anonymization of test data.
This article will provide you a further explanation about the software development life cycle:
- How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) https://advisera.com/27001academy/how-to-integrate-iso-27001-controls-into-the-system-software-development-life-cycle-sdlc/
This material will also help you regarding ISO 27001 controls:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Thank you very much!
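One way to produce the "randomized dummy customer data" the answer mentions, as an added example that is not code from the answer or from Advisera: direct identifiers are replaced by keyed pseudonyms and non-deliverable placeholders while business fields stay usable, and a guard check refuses the export if any identifier survives. The sample rows, field names and the key value are all constructed.

```python
import copy
import hashlib
import hmac

# Constructed sample of production-like customer records (not real data).
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "iban": "DE00000000000000000000", "plan": "enterprise", "seats": 25},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.com",
     "iban": "GB00000000000000000000", "plan": "starter", "seats": 3},
]

# Fields that identify a person and must not reach the test environment as-is.
DIRECT_IDENTIFIERS = ("name", "email", "iban")
# Hypothetical secret held only by whoever runs the export, never stored with the data.
PSEUDONYM_KEY = b"test-data-export-key-CHANGE-ME"


def pseudonym(value, key=PSEUDONYM_KEY):
    """Keyed hash: the same customer maps to the same token in every table,
    so foreign keys still join, but the token reveals nothing without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def anonymize_row(row, key=PSEUDONYM_KEY):
    out = copy.deepcopy(row)
    token = pseudonym(str(row["customer_id"]), key)
    out["customer_id"] = int(token[:8], 16)   # stable surrogate id derived from the token
    out["name"] = f"Customer {token[:6]}"
    out["email"] = f"{token}@test.invalid"    # reserved TLD: mail can never be delivered
    out["iban"] = None                        # no test case needs a real bank account
    return out


def build_test_dataset(rows, key=PSEUDONYM_KEY):
    return [anonymize_row(r, key) for r in rows]


def leaks_identifier(test_rows, prod_rows):
    """Guard check: True if any direct identifier survives verbatim in the test set."""
    originals = {str(r[f]) for r in prod_rows for f in DIRECT_IDENTIFIERS if r.get(f)}
    return any(str(v) in originals
               for r in test_rows for v in r.values() if v is not None)
```

Note that a keyed hash is pseudonymization, not anonymization, under GDPR: as long as the key exists the data is still personal data, so the key must be destroyed after the export (or the mapping otherwise made irrecoverable) before the result can be treated as anonymous.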
With ISO 9001:2015 there is no longer a mandatory requirement for a quality management representative (QMR). ISO 9001:2015 makes no mention of a QMR.
You can find more information below:
"1. If the assessment of customer satisfaction (according to ISO 9001:2015) by the auditee is still mandatory, even if the related procedure and records are no longer mandatory?
Answer:
It is mandatory that an organization determines how to get, monitor and review information about what is commonly called “customer satisfaction”.
2. Are auditors and certification bodies simply allowed to decide to not take into account as NEEDED the customers' satisfaction assessment by the auditees?"
Answer:
If clause 9.1.2 is included in the scope of the audit, auditors should audit the customers' satisfaction assessment by the auditees. They can ask: how do you get and monitor customers’ satisfaction feedback? Did you receive that feedback? Did you analyze that feedback? What were your conclusions and decisions?
You can find more information below: