You need to be in partial compliance with FDA 21 CFR, the part that covers the purchasing process, production, quality control, and storage. In your case, you are providing outsourced services for your client. From both the FDA and the ISO 13485 standpoint, your client is responsible for your part of the process. It means that your clients need to have a quality agreement with you, and you need to have procedures and records that will prove that your part of the production is performed in compliance with the specific requirements from ISO 13485 or FDA 21 CFR.
You can see what this quality agreement looks like here:
First of all, thanks for this feedback.
Indeed, in the List of Documents file the Supplier Security Policy should be marked as mandatory, but with an asterisk, because it is related only to controls from ISO 27001 Annex A, which are only required if there are relevant risks or legal requirements that demand the implementation of the related controls. We'll make this correction ASAP.
Regarding your customer's need, they can combine the Supplier Security Policy with another document.
1) Difference between the keywords 'resume' and 'recovery' w.r.t. ISO 22301.
Resume refers to having operations working again considering minimum specified conditions (e.g., operations resumed in the alternative site), while recovery refers to having operations back to normal conditions (i.e., main site operational again).
2) Difference between RTO and MAO as per ISO 22301. I have read the definitions as per the standard, but it looks like both are the same and the only difference is the wording of their definitions. Please give a detailed response, as these are very confusing. Also, is MAO >= RTO always?
First, it is important to note that the MAO concept was present in ISO 22301:2012 and is not mentioned in ISO 22301:2019 anymore, only in ISO 22300, which defines a vocabulary for ISO 22301. In the current version of ISO 22301, the concept used is MTPD (Maximum Tolerable Period of Disruption), which has the same meaning as MAO.
Considering that, the difference between MTPD and RTO is that MTPD defines the limit of time, after a disruption, for which an organization considers an impact as acceptable or unacceptable, while RTO defines when the organization wants operations to be resumed after a disruptive event.
Considering both definitions in ISO 22301, RTO can be equal to or smaller than MTPD, never greater (an RTO greater than MTPD does not make sense, because you would be returning operations after the impact has become unacceptable).
For example, if MTPD is 8 hours, then recovering operations at any time equal to or below 8 hours is acceptable (i.e., the RTO can be any value between 0 and 8 hours, noting that the smaller the RTO, the more resources and effort you need to spend).
This article can provide further information:
3) Difference between a Crisis Management plan and a BCP, and the relation between them
First, it is important to note that ISO 22301 does define "Crisis management plan", and ISO 22300 only defines "Crisis management", which is a management process (not a plan) covering a set of processes to be taken to ensure proper handling of disruptive situations (e.g., identification of relevant impacts, mitigation of risks, response to disruptive events, etc.), while BCPs are primarily plans that define activities to resume and recover a service or process from a specific disruptive situation.
In this context, the Crisis Management provides the framework to define Business Continuity Plans.
4) Difference between crisis, disaster and incident, along with examples
A crisis is an unstable situation that requires immediate attention and action.
A disaster is a situation where losses are greater than the normal capacity of an organization to handle them.
An incident is any situation that can result in a negative impact on normal operations.
Considering these definitions, an incident can lead to a crisis, which can lead to a disaster.
An example of an incident that can lead to a crisis and a disaster would be a fire (without immediate attention and action it can destroy assets and facilities that cannot be easily replaced). Other examples are pandemic, earthquake, and riots.
For further information, see:
5) Difference between Resiliency and Business Continuity/BCM
Resiliency refers to the capacity to adapt to new situations.
Business continuity refers to the capacity to continue to deliver products or services after a disruptive event.
Business continuity management refers to the general process to ensure business continuity.
Considering these definitions, business continuity management helps build business continuity, which covers one aspect of resiliency (please note that there can be new situations that an organization will need to adapt to that do not involve a disruptive event, like the enforcement of a new regulation).
6) Difference between a BCP and a BRP (Business Resumption Plan)
Please note that ISO 22301 does not have the concept of a Business Resumption Plan (Business Resumption Plans are defined in NIST 800-34, BS 25999-1, APS 232, NFPA 1600, COBiT, HB 292-2006 and PAS 77).
In these documents, the BRP refers to the actions needed to resume normal operations following the recovery of its critical processes, while a BCP covers the actions to respond to a disruptive event and to resume, recover and restore normal operations.
Considering these definitions, a BRP would be part of a BCP.
In the EU market, companies are not allowed to sell medical devices without a CE mark certificate if the medical devices are classified as class Is, Im, IIa, IIb, or III. For medical devices that are classified as class I, you do not need to have a CE mark certificate; a Declaration of Conformity from the manufacturer is enough in that case.
In the case of class I medical devices, manufacturers need to register them with the national regulatory authority, and they need to issue a Registration notice.
All medical devices that are to be placed on the EU market must be in compliance with the Medical Device Directive (MDD 93/42/EEC) or the Medical Device Regulation (MDR 2017/745), no matter the classification. Article 1 of the MDR states: "This Regulation lays down rules concerning the placing on the market, making available on the market or putting into service of medical devices for human use and accessories for such devices in the Union. This Regulation also applies to clinical investigations concerning such medical devices and accessories conducted in the Union."
For more information, please see:
Environmental aspects are the way an organization interacts with the environment. As examples we can have:
Please check this information below with more detailed answers:
I prepare my checklist including questions and the related ISO 14001 clauses. Sometimes I use tables to help me record useful and mandatory information.
When performing an audit, I use different pen colors for each audit day, and I use a set of symbols to make it easier to search through the written text: a symbol for positive things, a symbol for what seems to be an opportunity for improvement, and a symbol for what I think are nonconformities.
When starting to prepare the report, I quickly read the completed checklist and underline the conformities, nonconformities and opportunities for improvement with different colored markers. Then I read all the topics of each color again, in search of any pattern that could be useful for the report.
Hope this can help you.
You can find more information below:
SPC is used to monitor variation in the production process. Getting 1 or 2 days of training on the subject will help you.
Also, I recommend you review the customer-specific requirement manuals that describe SPC applications. AIAG's blue-coated SPC revision 2 book explains this subject well.
For more information please read the following article:
I hope your week is going well.
We have bought several of your products and love every one of them. We had a question about GDPR Article 27. We are working with one of our customers on their GDPR annual audit, and one of the questions that is asked for Article 27 is: "Is your organisation established outside of the European Union?"
This customer is US based, but has a corporation established in both the UK and Ireland. They do all of their EU business from either the UK or the Ireland company and have "Data Champions" in place at each company in the UK and Ireland. Since they have a corporate entity in the EU, are they allowed to answer the "Is your organisation established outside of the European Union" question with "No"?
If the US company has an office or a branch in Ireland or in the UK, it can be considered established in the EU, and therefore answering "NO" is the right choice. In fact, recital 22 of the Preamble of the GDPR states that "[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."
The Guidelines on the territorial scope of the GDPR adopted by the European Data Protection Board (EDPB) on 16 November 2018 state that: "In order to determine whether an entity based outside the Union has an establishment in a Member State, both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet. The threshold for 'stable arrangement' can actually be quite low when the center of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability."
This means that if the EU business of your US client is carried out through the UK and Irish branches, those organizations can be considered stable arrangements and the company can be considered established in the EU.
Here you can find more information:
Guidelines on the territorial scope of the GDPR https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_3_2018_territorial_scope_en.pdf
What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//