The relation between Directive IVDR 98/79, IEC 64304, 62366 and ISO13485. Especially the documentation.
I have no experience of auditing a regulatory office, but I would do no different from other organizations. I would use the process approach and from there audit conformance with procedures and practices. I would use the quality policy and objectives and the management review to start auditing top management.
The following material can provide more information:
You asked
"How to properly implement section 7.2 and 7.6 for a microbiological lab?"
Your question relates to the Selection, verification and validation of methods (clause 7.2 section 7.2.1 and 7.2.2) as well as evaluation of measurement uncertainty (clause 7.6).
Selection of a method and its validation involves ensuring you are using the correct method for the purpose. Microbiological laboratory activities can be diverse, beyond enumeration of microbes, so can involve standard or non-standard methods and diverse techniques and equipment. The validation experiments must demonstrate that the method is suitable to detect and identify one or more analytes in all the matrices of interest (e.g. water, foodstuff), using the required instruments or techniques. Typically if a rapid test is used, this would have to be verified for suitable performance against a gold-standard test for the purpose. If the kit is commercially available and validated, then you would need to show you can achieve a suitable performance in terms of the relevant validation parameters. Microbiological validation parameters generally include specificity, sensitivity, accuracy, trueness, precision, reproducibility, and ruggedness.
Regarding measurement uncertainty you need to 1) identify the contributions and 2) evaluate. It depends highly on the method - principles or experience of the performance of the method. For example, consider any condition that by your experience or principle of the method, has a contribution to variability. Sources of uncertainty typically come from sampling, storage, sample preparation (homogenization / extraction), weighing, pipetting, dilutions and of course the quantitation of colonies – either by counting manually, automatically or semiautomated methods to calculate the Most Probable Number (MPN). You would basically consider what trueness and replicate data you can acquire – for example replicates for laboratory control samples and reference cultures. Method validation data and ongoing quality control data can be used.
Commercial kits may report uncertainty limits for the main sources, then you do not need to do any further estimation, just control the system.
I suggest you contact your accreditation body and/or regulatory bodies (e.g. FDA) for their policies and guidelines on microbiology laboratory method validations and evaluation of measurement uncertainty. Also look at other industry guidelines (perhaps references from the accreditation body guidelines) to provide more detail. There are also ISO standards, for example ISO 19036:2019 Microbiology of the food chain - Estimation of measurement uncertainty for quantitative determinations.
For more information regarding the method validation and measurement uncertainty, see the ISO 17025 toolkit document templates:
I work for the ***, and ***, a co-worker, gave me your email. In 2019, she acquired your company's business continuity templates.
I am writing to see if you can help me with a query: In your experience, what are the general criteria that companies use to determine critical services, which are the basis of the business continuity strategy?
On the other hand, if you can share with us the list of courses you offer on the subject of business continuity.
I greatly appreciate your assistance.
General criteria used to identify critical services are impacting the business considering:
These criteria are used during the business impact analysis to identify which services are critical to the business.
Regarding courses, at this moment we do not have any available, but these free webinars can help you on the subject of business continuity:
These articles will provide you a further explanation about business continuity:
This material will also help you regarding business continuity:
No, ISO 9001:2015 does not prescribe any update requirement. Please check clause 7.5.2 c) review should be done when appropriate or needed.
ISO 9001:2015 is not like some requirements from FDA, for example, where organizations already include a limit date for review, after which the document is obsolete.
The following material will provide you information about document control:
No, there is no requirement in the ISO 13485:2016 standard to create an incoming mail register, especially for a small company like yours.
Here are some useful articles regarding documentation control:
"Can you think of anything that could easily be overlooked when preparing for GDPR?"
The main issue is to insert privacy sensibility into organization processes and make GDPR a living thing in everyday activities.
In fact, many organizations can easily comply with the document side of GDPR by drafting good privacy notices and policies or updating their devices with security measures, but all the work done is frustrated if employees keep passwords under the keyboard, or forget to comply with data subjects' requests, or do not update privacy notices and ask for consent when required.
Most of the fines issued by Data Protection Authorities (DPAs) concern non-compliance with general data processing principles as indicated in Article 5 GDPR (almost 44% of fines in 2019 according to European statistics on DPA decisions), security measures, and respect of data subjects' rights.
Here you can find more information:
Article 5 GDPR: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Thank you, @Rhand Leal
I have bought the documentation toolkit with extended support.
1 - Frankly, I'm not quite sure to whom I should send my queries via email.
I received a detailed email explaining these things at the time of purchase, but I can't find it now.
You can post your questions on our community at this site: https://community.advisera.com/
In case you want to ask a more sensitive question, you can send it to our support contact: support@advisera.com
2 - I'm planning to implement the ISO 22301 for our bank, which is a leading bank with more than 30 branches, and for now we are planning to certify only IT department operations.
My question is, do we need to include the branches in our scope, or is it just our HQ office and our DR Site?
In each branch, we have some switches and firewalls that are used to connect to our centralized systems. All the equipment in the branches is managed centrally from the head office.
You can define your ISO 22301 scope only as your HQ office and DR Site. You can treat your branches as external locations that your scope interacts with.
These articles will provide you a further explanation about scope definition (it is focused on ISO 27001, but the concepts also apply to ISO 22301):
Since it seems all IT elements in the branches are managed from the HQ, there is no need to include the branches in the scope. You only need to inform how these elements are separated from other elements controlled by the branches.