SPC is used to monitor variation in the production process. Getting 1 or 2 days of training on the subject will help you.
Also, I recommend you review the customer-specific requirement manuals that describe SPC applications. AIAG's blue-coated SPC revision 2 book explains this subject well.
For more information please read the following article:
I hope your week is going well.
We have bought several of your products and love everyone of them. We had a question about GDPR article 27. We are working with one of our customers on their GDPR annual audit and one of the questions that is asked for Article 27 is: "Is your organisation established outside of the European Union"?
This customer is US based, but has a corporation established in both the UK and Ireland. They do all of their EU business from either the UK or Ireland companies and have "Data Champions" in place at each company in the UK and Ireland. Since they have a corporate entity in the EU, are they allowed to answer the "Is your organisation established outside of the European Union" question "No"?
If the US company has an office or a branch in Ireland or in the UK, it can be considered established in the EU, and therefore answering "No" is the right choice. In fact, recital 22 of the Preamble of GDPR states that "[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."
The Guidelines on the territorial scope of the GDPR adopted by the European Data Protection Board (EDPB) on 16th November 2018 state that: "In order to determine whether an entity based outside the Union has an establishment in a Member State, both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet. The threshold for 'stable arrangement' can actually be quite low when the center of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability."
This means that if the EU business of your US client is carried out through the UK and Irish branches, those organizations can be considered stable arrangements and the company can be considered established in the EU.
Here you can find more information:
Guidelines on the territorial scope of the GDPR https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_3_2018_territorial_scope_en.pdf
What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
First, why do we use evaluation criteria? To separate significant aspects from non-significant aspects. Why? Because resources are scarce, we should focus our attention and resources on those aspects where we can get the most improvement leverage. There is no other reason for developing evaluation criteria. So, any criteria that help your organization do that are acceptable. Some organizations start with simple criteria like gravity, frequency/probability and ability to control or influence and then, with time, evolve to include other criteria like economic outcomes.
So, if you are starting, I recommend a simple approach.
Please check this information below with more detailed answers:
As far as I understand your question, integrity issues can be integrated into a QMS through the risk-based approach:
You can find more information below:
"Dear Sir/Madam, I need your advice regarding the below. As a data processor, is it required to create a privacy policy?
From your question, I understand that you are asking me if the processor has to inform data subjects about data processing through the privacy notice under Article 13 GDPR.
The purpose of a privacy notice is to provide the data subject with all the information about data processing. In fact, Article 13 GDPR requires that the controller inform the data subjects about what kind of data is processed, the purposes of the processing, whether there are any data transfers, and all the other information that needs to be provided by the controller to the data subjects. The privacy notice is mandatory.
The privacy policy, instead, is an internal document from the management that shows how the organization processes personal data and sets rules on processing, data access, data retention periods, and so on. The privacy policy is considered one of the organizational measures to be taken by both processors and controllers. It is mandatory under Article 24 (2) GDPR when proportionate in relation to the processing activities.
What is the data processor's obligation regarding data subject rights?"
As a processor, you need to establish processes that allow the controller to fulfill its obligations towards data subjects. This means that if the controller receives a request to exercise the right of erasure (right to be forgotten) and requests you to erase the data of the data subject, you need to comply with such a request.
Here you can find more information:
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
1 - For instance, would it be sufficient for us to adjust certain procedures we already have because of this? Besides creating new ones that are required of course.
ISO 27001 and ISO 13485 share some common requirements, and procedures related to them can be integrated into single documents with minor adjustments, like document control, internal audit, and management review.
2 - Is integrating ISO 27001 into our Quality Management System possible?
Since ISO 27001 and ISO 13485 share some common requirements, it is perfectly possible to integrate them.
For further information, see:
3 - Does a gap analysis exist between ISO 13485 and ISO 27001 and if so, has it already been made?
A direct gap analysis is not available, but you can use these references to have this information:
4 - Is this kind of information also addressed extensively in your toolkit?
I'm assuming you are referring to information related to integration.
Considering that, common demand is for integration between ISO 27001 and ISO 22301, and this is the information provided in the toolkit.
However, by buying the toolkit you will have our support, through questions sent to our experts, or by means of online meetings, where you can solve your doubts related to this and other related issues.
If you are asking what requirements are applicable to implantable medical devices, here they are:
Most implantable devices need to be sterile, so requirements 7.5.5 Particular requirements for sterile medical devices and 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems are applicable.
Implantable medical devices do not need installation and servicing, so requirements 7.5.3 Installation activities and 7.5.4 Servicing activities are not applicable.
All other requirements are applicable.
For more information on what ISO 13485 is, please see the following articles: