Search results

Importer and Distributor obligations under MDR

Considering Article 120, Paragraph 3 from the MDR, requirements that will be applied to MDD CE marked medical devices after May 2021 are: post-market surveillance, market surveillance, vigilance, registration of economic operators. Therefore, verification obligations apply to devices that are marked under MDR, and not to ones under the MDD certificate.

For more information, see:

EU MDR Article 120 – Transitional provision - https://advisera.com/13485academy/mdr/transitional-provisions/

Implementación de ISO 9001-2015

Para iniciar la implementación de un sistema de gestión de calidad debe de contar con el apoyo de la alta dirección de su organización, que va a ser crucial durante la implementación de ISO 9001:2015, porque que proporciona los recursos tanto económicos como de personal.

Luego puede llevar a cabo un análisis GAP o de brecha, que le va a ayudar a identificar aquellos requisitos con los que ya cumple y aquellos con los que aún debe aún cumplir. Aquí puede llevar a cabo el análisis de forma gratuita: https://advisera.com/9001academy/iso-9001-gap-analysis-tool/ Esta herramienta también le va a facilitar la posibilidad de saber si tiene la información necesaria para lllevar a cabo la implementación del sistema de gestión de calidad, o por el contrario debe de recabar más información sobre sus procesos. 

Es importante que antes de la implementación de la norma conozca cada una de las cláusulas con las que tiene que cumplir para poder llevar a cabo el proyecto de implementación de ISO 9001. En este white paper puede encontrar información resumida sobre cada una de ellas - Clause by clause explanation of ISO 9001: https://info.advisera.com/9001academy/free-download/clause-by-clause-explanation-of-iso-90012015

Posteriormente puede escribir un plan de proyecto en el que determine responsabilidades, defina la documentación que va a escribirse, los plazos de implementación, etc. En este enlace puede descargarse una plantilla - Plan de Proyecto para la implementación de ISO 9001:https://info.advisera.com/9001academy/es/descarga-gratuita/plan-de-proyecto-para-la-implementacion-de-iso-9001-ms-word

Luego ya podría empezar con la implementación de la norma: la definición de la política de calidad, los objetivos de calidad y planes para llevarlos a cabo, el contexto de la organización y sus partes interesadas, el alcance del SGC, etc...hasta llegar a la auditoría interna y la revisión por la dirección, que sería el paso previo para certificarse. En este enlace puede descargarse un checklist para la implementación de la norma - Porject checklist for ISO 9001:2015: https://info.advisera.com/9001academy/free-download/project-checklist-for-iso-9001-2015-implementation

Estos materiales pueden ayudarle con la implementación de ISO 9001:2015:
- Libro – Discover ISO 9001:2015 through practical examples: https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
- Formación gratuita en línea – Fundamentos de ISO 9001:2015 : https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

Understanding requirements for company providing technical services

A company that provides only technical service has to prepare the ISO 13485 quality management system as follows:

First of all, your „medical device“ is technical services and technical writing. So, everywhere in the standard where it is written medical device, this is your service.

Second, requirement 7.5 Production and service provision, for you is only Service provision. Accordingly, the following requirements probably are not applicable for you: 7.5.5 Particular requirements for sterile medical devices, 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier system. If you are not providing installation of equipment, then requirement 7.5.3 Installation activities are also not applicable for you. If your technical service does not require specific cleanliness conditions, then requirement 6.4.2 Contamination control and 7.5.2 Cleanliness of product, are also not applicable for you.

For more information on ISO 13485, please see the following articles:

• ISO 13485 structure and requirements - https://advisera.com/13485academy/what-is-iso-13485/
• How to structure Quality Management System documentation according to ISO 13485- https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/
• What is ISO 13485? - https://advisera.com/13485academy/what-is-iso-13485/
• List of mandatory documents required by ISO 13485:2016 - https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/

• Which clause should I refer for supplier qualification?

  Supplier qualification is mostly covered in the requirement 7.4.1 Purchasing process where is required that criteria for evaluation and selection of supplier must be defined and determined. 

  For more information on purchasing process please see the following articles:

  • How can ISO 13485 clause 7.4, Purchasing, enhance procurement?  - https://advisera.com/13485academy/blog/2018/04/18/how-can-iso-13485-clause-7-4-purchasing-enhance-procurement/
  • How to evaluate supplier performance according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/10/27/how-to-evaluate-supplier-performance-according-to-iso-90012015/
  • Purchasing in QMS – The Process & the Information Needed to Make it Work https://advisera.com/9001academy/blog/2014/03/18/purchasing-qms-process-information-needed-make-work/

  • Incorrect use of product keys

    The situation you reported would configure a control failure, leading to a nonconformity, that if not properly handled can impact your certification.

    Regardless of that, the use of unlicensed product keys or incorrect licenses is a legal offense in many countries, and even if the related software is not in your ISMS scope, your organization should seek legal advice on how to handle the situation.

    These materials will also help you regarding ISO 27001 controls:
    - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  • A.9.4.3 Password Management System

    What is a Password Management System, is it just a set of rules, as described in Access Control Policy?

    In the context of ISO 27001, a Password Management System is a software that enforces the generation, use, and maintenance of passwords by users, according to a defined set of rules (which may be written in the Access Control Policy).

    For example, the Windows operating system has a password management system where the administrator can define rules for creating passwords (e.g., a minimal number of characters, use of numbers, special characters, etc.), for periodically change of passwords, etc. Application software, as an ERP also can have its own Password Management System.

    For further information, see:

    • How to handle access control according to ISO 27001 https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/

    This material will also help you regarding password management system:

    • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    • ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/  

    But then, should we describe for which systems do these Password rules apply, and for which not? Or should they be general?
    Thank you!

    ISO 27001 does not prescribe which systems apply password rules, so both of your suggested approaches are acceptable.

    The main criteria you should consider are the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts). By evaluating these issues, you can identify if your rules should be applied in a general way or only to specific systems.

    For example, your risk assessment may identify that there are relevant risks requiring this control only for Windows operational systems, but a contract with a customer requires that all software used by your organization to process the information of this customers adopts this control.

  • Configuration and Vulnerability Management

    Configuration management is related to you know which assets you have and how they are configured, while vulnerability management is related to the identification and handling of misconfigurations and threats that can exploit current configurations.

    Both configuration and vulnerability management are connected by the fact that by means of configuration management you can:

    • identify the impact of identified vulnerabilities (e.g., how many devices are vulnerable, which sets of configurations should be analyzed/changed.
    • prioritize which vulnerabilities to look for first (they would be related to the most critical configurations you have)

    This article will provide you a further explanation about vulnerability management:

    • How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/

    These materials will also help you regarding vulnerability management:

    • ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
    • ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/ 

  • Sub clause Explanation

    1. In which clause does the recording of FPA approval , Daily check sheets, Recording of clean room temperature comes under??

    In my opinion, FPA approval will be under the 7.5 productions and service provision, Daily checks sheets can be under:

    6.3 Infrastructure if it is daily checks of the machines and equipment6.4.1 Work environment if it is checked for the cleaning6.4.2 Contamination control - temperature or humidity  monitoring

    2. Under which clause does the naming (Document number, Rev no, Date) for a format comes ??

    Management of the documents comes under 4.2.4 Control of documents and 4.2.5 Control of records. 

    For more information regarding documentation control please see the following articles:

    • Common mistakes with ISO 13485:2016 documentation control and how to avoid them https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/
    • How to structure Quality Management System documentation according to ISO 13485 https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

    • Determining scope

      First is important to note that ISO 22301 does not require organizational context to be documented, only to be determined.

      Considering that, you can use the organizational context as criteria to see if the proposed BCMS scope is enough for your business. For example, if an external issue is a law or regulation, you need to verify if your proposed scope is enough to fulfill it, or if it does not violate it in some manner. The same is applied for an internal issue like a core activity or a process (is it covered by the proposed scope or not).

      As a way to get people thinking about organizational context when evaluating their own products and processes, you should consider developing a short customized presentation, linking internal and external issues to specific products and processes, and questions on how these issues can affect their products and processes.

      These articles will provide you a further explanation about scope definition (although they are about ISO 27001, the same concept applies to ISO 22301:

      • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
      • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
      • How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

      This material will also help you regarding Scope definition:

      • Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

    • Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements

      ISO 27001 does not prescribe the identification of contractual requirements to be made for every client, so you can use the approach that best fits your needs. One way is to define a list of requirements for a specific set of clients with specific characteristics:
      - are from the same country
      - have similar size
      - contracts the same service
      - the contracts have similar value.

      Of course, you can have a list of requirements for specific clients you value the most or wants to monitor closely.