Search results

IATF 16949 for software companies

IATF 16949: 2016 standard; In the scope definition section in 1.1 Scope, stated as follows for the embedded software. '' Automotive supplemental to ISO 9001: 2015 this Automotive QMS Standard defines the quality management system requirements for the design and development, production and, when relevant, assembly, installation, and services of automotive-related products, including products with embedded software. ''In other words, companies that produce software embedded in the product can also apply for an IATF certificate. As you know, the product, which is embedded software, must be installed on the OEM or OES vehicle.
If the company produces an embedded software product for the automotive industry; the IATF 16949: 2016 standard requires the following in clause 8.3.2.3.

8.3.2.3 Development of products with embedded software

The organization shall use a process for quality assurance for their products with internally developed embedded software. A software development assessment methodology shall be utilized to assess the organization's software development process. Using prioritization based on risk and potential impact to the customer, the organization shall retain documented information of a software development capability self-assessment.  The organization shall include software development within the scope of its internal audit program (see Section 9.2.2.1).

Is it mandatory to write a specific procedure for impartiality?

There is no mandatory requirement to have a procedure or documented procedure regarding impartiality. Typically you will ensure safeguarding impartiality through stating your commitment and approach in a Quality Policy as well as the Quality Manual (if you have one).

Other processes that include considering and evaluating risks to impartiality are Internal Audits, Addressing Risk and Opportunities, and Management Review. Risk assessments must be used to demonstrate the ongoing attention and identification of impartiality risks.

Have a look at the Article  How to ensure impartiality in an ISO 17025 laboratory at https://advisera.com/17025academy/blog/2020/10/12/ensuring-impartiality-in-an-iso-17025-laboratory/ for Five steps to ensure impartiality.

ROSI - interpreting calculated value

First is important to note that the interpretation will depend on how the formula considers the incident costs and security control costs.

For example, in the formula:

ROSI = cost of a realized incident - the cost of needed security controls

the results can be interpreted as you said (i.e., a positive result means that the implementation of security controls is worthy, and a negative result means the implementation is not worthy).

In case the formula is:

ROSI = cost of needed security controls - the cost of a realized incident

The results interpretation would be inverse.

These articles will provide you a further explanation about ROSI:

• Is it possible to calculate the Return on Security Investment (ROSI)? https://advisera.com/27001academy/blog/2011/06/13/is-it-possible-to-calculate-the-return-on-security-investment-rosi/
• How to make your investment in ISO 27001 profitable https://advisera.com/27001academy/blog/2015/07/13/how-to-make-your-investment-in-iso-27001-profitable/

This material can also help you:

• Free Return on Security Investment Calculator https://advisera.com/27001academy/free-tools/free-return-security-investment-calculator/

All documents required by QMS for ISO13485

This is not the list of internal documents. This is just a form where each manufacturer needs to put all their internal documents: https://advisera.com/9001academy/documentation/list-internal-documents/

The list of internal documents are all documents that you will prepare for your Quality management system (documented procedures). Records are documents that arise as a result of some work, testing, reports, and similar.

For more information, please see the following article:

• How to structure Quality Management System documentation according to ISO 13485 https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

If you need a list of all documents that is necessary to prove the compliance with ISO 13485:2016, please see following article:

• List of mandatory documents required by ISO 13485:2016 https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/

List of all documents that are part of our documentation toolkit, you can find on this link, under the headline Toolkit documents:

• ISO 13485:2016 Documentation Toolkit https://advisera.com/13485academy/iso-13485-documentation-toolkit/

• Matrix for Requirements against Process/Department

  For internal audit you can definitively use our Internal audit checklist from our ISO 13485:2016 Documentation toolkit. The Internal Audit Checklist is the list of questions required to ensure the management system is implemented and maintained. The listing includes more than 100 questions to ensure each requirement of the ISO 13485 standard is implemented and maintained within the Quality Management System and includes the ability for the company to add additional questions to suit individual needs. Of course within these 100 questions are questions regarding production, warehouse, quality control, and so on. Therefore, you can find questions applicable to your medical devices.

  Here is the link for the Internal audit checklist: https://advisera.com/13485academy/documentation/internal-audit-checklist-iso-13485-2016/

  For more information about conducting the internal audit, please see the following links:

  • Five main steps in the ISO 13485:2016 internal audit https://advisera.com/13485academy/knowledgebase/five-main-steps-in-the-iso-134852016-internal-audit/
  • How to create a checklist for an ISO 13485 internal audit for your QMS https://advisera.com/13485academy/knowledgebase/how-to-create-a-checklist-for-an-iso-13485-internal-audit-for-your-qms/
  On following link you can see which documents and records our ISO 13485:2016 Internal audit toolkit has: https://advisera.com/13485academy/iso-13485-internal-audit-toolkit/

• Reviewing and approving suitability and adequacy documents as an office administrator

  You can answer that during review and before approval you ask opinion of participants in the documented activities about its suitability and adequacy. You can answer that you make sure that while documents are being developed participants are invited to give their contribution. You can also answer that after approval in the first month you monitor suitability and adequacy by following its implementation.

  You can find more information about ISO 9001:2015 below:

  • How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• Isolation of Sensitive Systems

  This question can be answered from two points of view: auditor and pen tester.

  From the auditor's point of view, you need to check the evidence that shows isolation is implemented (e.g., network topology, pentest report, etc.)

  From a pen tester's point of view, to check isolation you need to try to access the systems from outside their defined perimeter of work (i.e., environment).

  For example, if a system stated environment is the companies premises, you should try to access it from outside the companies premises, like:

  • from a side street, trying to find out a hide wireless connection
  • from the company's website, trying to explore a site vulnerability

  In case the system stated environment is a single room int the companies premises, or it is disconnected from the main company's network, you should try to access by:

  • trying to find out a hide wireless connection
  • trying to explore an intranet vulnerability
  • trying to physically access a network device connected to the system
  • trying to get physical access to the room

  This article will provide you a further explanation about exploring vulnerabilities:

  • How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/