Search results

ISO 9001 and supply chain control

ISO 9001 is a generic standard applicable to all kinds of organizations. If an organization uses ISO 9001 to improve the business and to do more than just getting a certificate, we can look into clauses 4.2 and 6.1 of ISO 9001:2015 as a way of answering your concerns. For example, in this free webinar on-demand - Context of the organization, interested parties, and scope - - I show how a set of participants in a business ecosystem can be included. When working with organizations on this topic I recommend thinking in more than just the needs and expectations of the interested party – that means:

About the fake/fraudulent components, it is a matter of thinking about risks and acting on those more significant. For example, I’m currently working with a manufacturing company on the implementation of a quality management system. One of the risks determined was about using raw materials during production with specifications changed by the supplier without warning. So, we determined a set of laboratory tests to be performed every x months. 

You can find more information below about mitigating risks.

• How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
• How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
• In this free webinar on-demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
• Enroll for the free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (I use a lot of examples based on the risk-based approach)

Controlled vs Non-Controlled copy

Who are these students?

Are they future users of the SOP’s? If they are future users of the SOP’s, will they have access to them in the future through paper or through another medium, like digital? If they will have future access to SOP’s through paper perhaps the copies should be controlled.

If they are not future users, or are future users with future access through digital, distributing non-controlled copies seems to be the best solution.

Controlled copies are used to ensure that those that need to use them are on the loop to be informed of any change

You can find more information about documentation below:

• Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Seperation of the ISO13485/MDR toolkit.

Templates for the ISO 13485 can and are recommended to be in one folder. Considering MDR, my recommendation is that MDR folders should be organized for one medical device or group (family) of medical devices – it means that each medical device or family of medical devices will have one folder.

A medical device family is a collection of medical devices that have the same or similar intended purpose, have the same risk classification, and have the same design and manufacturing process. Members of the medical device family can differ in the following (for example):

• in the sizes (e.g. gauzes different sizes, syringes with different volumes, gowns different sizes)
• strength (e.g. needle force)

• 17025 accreditation

  Indeed, if you are referring to your organisation performing the testing, ISO 17025 accreditation will demonstrate that the method is valid, and your laboratory operates competently. This will provide confidence in your work internationally.  Standardising a method would involve engaging with other experts in testing laboratories and applying to your sector-specific standards body or national standards body. A technical committee is formed to coordinate /manage the process.

  For more information on ISO 17025 see the article What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/

• When is there a need to open and handle a complaint?

  No, you do not need to initiate the complaint in the case that you have described. However, this situation is an input to your design and development process and also for the risk analysis. Responsible persons from these two processes (D&D and risk management) must be informed about the cause and a change process probably need to be initiate. 

  Following articles can be helpful:

  • How to manage design and development of medical devices according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/08/24/how-to-manage-design-and-development-of-medical-devices-according-to-iso-134852016/
  • How to use ISO 14971 to manage risks for medical devices https://advisera.com/13485academy/blog/2017/09/21/how-to-use-iso-14971-to-manage-risks-for-medical-devices/

  • IATF 16949 for software companies

    IATF 16949: 2016 standard; In the scope definition section in 1.1 Scope, stated as follows for the embedded software. '' Automotive supplemental to ISO 9001: 2015 this Automotive QMS Standard defines the quality management system requirements for the design and development, production and, when relevant, assembly, installation, and services of automotive-related products, including products with embedded software. ''In other words, companies that produce software embedded in the product can also apply for an IATF certificate. As you know, the product, which is embedded software, must be installed on the OEM or OES vehicle.
    If the company produces an embedded software product for the automotive industry; the IATF 16949: 2016 standard requires the following in clause 8.3.2.3.

    8.3.2.3 Development of products with embedded software

    The organization shall use a process for quality assurance for their products with internally developed embedded software. A software development assessment methodology shall be utilized to assess the organization's software development process. Using prioritization based on risk and potential impact to the customer, the organization shall retain documented information of a software development capability self-assessment.  The organization shall include software development within the scope of its internal audit program (see Section 9.2.2.1).

  • Is it mandatory to write a specific procedure for impartiality?

    There is no mandatory requirement to have a procedure or documented procedure regarding impartiality. Typically you will ensure safeguarding impartiality through stating your commitment and approach in a Quality Policy as well as the Quality Manual (if you have one).

    Other processes that include considering and evaluating risks to impartiality are Internal Audits, Addressing Risk and Opportunities, and Management Review. Risk assessments must be used to demonstrate the ongoing attention and identification of impartiality risks.

    Have a look at the Article  How to ensure impartiality in an ISO 17025 laboratory at https://advisera.com/17025academy/blog/2020/10/12/ensuring-impartiality-in-an-iso-17025-laboratory/ for Five steps to ensure impartiality.

  • ROSI - interpreting calculated value

    First is important to note that the interpretation will depend on how the formula considers the incident costs and security control costs.

    For example, in the formula:

    ROSI = cost of a realized incident - the cost of needed security controls

    the results can be interpreted as you said (i.e., a positive result means that the implementation of security controls is worthy, and a negative result means the implementation is not worthy).

    In case the formula is:

    ROSI = cost of needed security controls - the cost of a realized incident

    The results interpretation would be inverse.

    These articles will provide you a further explanation about ROSI:

    • Is it possible to calculate the Return on Security Investment (ROSI)? https://advisera.com/27001academy/blog/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/
    • How to make your investment in ISO 27001 profitable https://advisera.com/27001academy/blog/2015/07/13/how-to-make-your-investment-in-iso-27001-profitable/

    This material can also help you:

    • Free Return on Security Investment Calculator https://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/

  • All documents required by QMS for ISO13485

    This is not the list of internal documents. This is just a form where each manufacturer needs to put all their internal documents: https://advisera.com/9001academy/documentation/list-internal-documents/

    The list of internal documents are all documents that you will prepare for your Quality management system (documented procedures). Records are documents that arise as a result of some work, testing, reports, and similar.

    For more information, please see the following article:

    • How to structure Quality Management System documentation according to ISO 13485 https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

    If you need a list of all documents that is necessary to prove the compliance with ISO 13485:2016, please see following article:

    • List of mandatory documents required by ISO 13485:2016 https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/

    List of all documents that are part of our documentation toolkit, you can find on this link, under the headline Toolkit documents:

    • ISO 13485:2016 Documentation Toolkit https://advisera.com/13485academy/iso-13485-documentation-toolkit/