Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11277 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
IVD Smartphone glucometers
Hope you are doing safe, recently I joined an IVD startup manufacturing company, the product is Smartphone glucometers there is no predicate device in the market, now we are planning for ISO 13485, could you suggest to me what strategy should be followed for implementation & technical documentation.
Thanks. -
PIMS
Please note that ISO 27701 is based on ISO 27001, adding specific requirements related to the protection of private information, so ISO 27701 would be the best approach for a PIMS.
Regarding ISO 27018, you need to consider this supporting standard only if you have specific requirements regarding the protection of information in the cloud (ISO 27701, like ISO 27001, which has enough controls for overall protection of information in cloud environments).
These articles will provide you a further explanation about ISO 27001, ISO 27018, and ISO 27701:- Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
-
Risk owner
Regardless of the type of risk, the risk owner should be someone with interest and authority to treat the risk.
Considering that, for strategic risks, the owner should be someone from top management.
By aggregated risks, I'm assuming you are referring to a set of related risks. In this case, the risk owner should be a role that can have the authority to treat all risks.
Regarding dynamic risks, the general rule about interest and authority applies.
This article will provide you a further explanation about risk owner:- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
This material will also help you regarding Risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
-
Skipping certain blocks in the document templates
Regarding code, version, date of the version, and change history, in case all documents are accessed only through Conformio, you can remove this information from the documents (conformio features can make it possible to track this information). The purpose of this information in the document is to keep document control information available for printed versions, or for electronic versions used outside conformio (e.g., a document sent to an auditor or requested by a client or supplier).
Regarding reference documents, this information is useful so people can be aware of related documents that can impact, or be impacted, by the document being read.
This article will provide you a further explanation about document management:- Document management in ISO 27001 & BS 25999-2 https://advisera.com/27001academy/blog/2010/03/30/document-management-within-iso-27001-bs-25999-2/
This material will also help you:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
-
Are we required to store data in the EU that is collected in the EU?
"I have one key question, and cannot find the answer at your website. We are a small business in the U.S. Are we required to store data in the EU that is collected in the EU? We use Hostgator for our server. "
While keeping EU data in the EU can be considered a more compliant solution, you need to know that data transfer from the EU in the US is not forbidden. You need to transfer data by signing an agreement with Standard Contractual Clauses, in order to provide safeguards on data transfers.Of course, you need to also inform your customer in your privacy notice about where you will transfer their data.
Your hosting provider claims to be GDPR compliant and here you can find information about how they can help you: https://www.hostgator.com/help/article/general-data-protection-regulation
Here you can find our free template with Standard Contractual clauses: https://info.advisera.com/eugdpracademy/free-download/standard-contractual-clauses-annexes
Here you can find more information:
- 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
You can also consider enrolling in our free EU GDPR Foundation course:EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
-
ISO 13485 queries
Among the questions I have during the implementation of the QMS there are the following: The change control procedure does not seem to take in consideration the NBOG guidance or MDCG-13 or to advise the registrar.
In our toolkit we do not have a change control procedure, since in the ISO 13485:2016 standard there is no requirement for the register. Change control is covered in the Management review procedure and covers all requirements from the ISO 13485:2016, point 4.1.4.
We considered that changes in the documentation would be initiated by the person listed as the document owner. All updates and reviews must be performed in line with the frequency defined in the List of Internal Documents. All changes to the document must be made by using "Track Changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if the Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
Furthermore, each document should preferably have a "Change History" table used to record every change made to the document.
For more information about common mistakes with ISO 13485:2016 documentation control and how to avoid them, please see the following article:
- Common mistakes with ISO 13485:2016 documentation control and how to avoid them https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/
-
Le domaine d'application
Si le manuel qualité est un document faisant partie du système de management de la qualité et, si le manuel qualité inclut déjà le domaine d'application du système, aucun autre document n'est nécessaire pour le formaliser. Dans ce cas, il est important que le manuel qualité soit approuvé par le top management ou par une personne à qui le top management a conféré cette autorité.
Les ressources suivantes peuvent fournir plus d'informations:
- How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
Is there a tri-party quality agreement between sterilizer/contract manufacturer/ legal manufacturer?
We have a Quality agreement for the subcontractor (10.7_Appendix_7_Quality agreement subcontractor). It is general, so you can specify it for your outsourced processes.
Records retention seems always be for 2 or 5 years. I couldn’t see anything for 10 years per MDR.
Thank you for pointing this out to us. We will correct it.
Statistical procedure seems to be missing.
There is no strict requirement in the ISO 13485:2016 for the documented statistical procedures. We have partially covered it in the 20_Procedure_for_Data_Analysis_Premium_EN.