Search results

How is the supply chain interrelated with business continuity?

1. How the supply chain is interrelated with business continuity

Depending on your business continuity objectives, a disruption in the supply chain may have a big impact on the business. For example, if you work with "just in time" supplies (i.e., you only have minimal stock of raw material), a disruption of your supply chain may disrupt your production line, even if the disruptive incident is hundreds of miles away from your facilities.

To have a better view of how your supply chain can affect your business, you should perform a Business Impact Analysis.

For further information, see:

• Setting the business continuity objectives in ISO 22301 https://advisera.com/27001academy/blog/2014/02/17/setting-the-business-continuity-objectives-in-iso-22301/
• How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

2. How to generate the emergency plan during the breakdown of any of the links

Once you have identified the disruptive scenarios you have to handle, broadly speaking, the development of a continuity plan based on ISO 22301: 2012 requires the development of:

• incident response plans, with emergency actions to be performed right after the disruption being identified;
• continuity actions to bring activities back to the minimum agreed levels;
• recovery actions to bring activities back to normal operations.

These materials will provide you a further explanation about developing a continuity plan:

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
• How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/
• Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

To see how a Business Continuity Plan compliant with ISO 22301 looks like, I suggest you see the free demo of our Business Continuity Plan at this link: https://advisera.com/27001academy/documentation/business-continuity-plan/

ISO 27001

Please note that a complete answer to the applicable standards and international regulations for the issues you mentioned requires legal expert advice, which is not our field of expertise.

What we can answer is about the applicability of ISO 27001, ISO 27701, and GDPR for such issues, by means of these articles:

• What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
• Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
• Relationship between ISO 27701, ISO 27001, and ISO 27002 https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
• What is EU GDPR https://advisera.com/eugdpracademy/what-is-eugdpr/
• Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

Document Control Numbers (Doc Code)

You can solve this situation in at least three ways. 

One way is the way that you have described in your question. 

Another way is for the company to make a decision that from a certain date you will start with a new document tagging (e.g. 01.10.2020), that all documents will start from revision 0, and there will be a combination of documents from the toolkit and your existing documents. In this case, you will describe this as a change in the quality management system, in the archive, you will have all of this „old“ versions with all relevant changelogs and start with the new numbering process. 

The third way is that you use your numbering of existing documents and take our numbering for the new documents. 

Try to see which way is the easiest way for you and all employees, which way will be the easiest to implement in everyday work. 

For more information about common mistakes with ISO 13485:2016 documentation control and how to avoid them, please see the following link:

• Common mistakes with ISO 13485:2016 documentation control and how to avoid them https://advisera.com/13485academy/blog/2018/03/14/common-mistakes-with-iso-134852016-documentation-control-and-how-to-avoid-them/

• Differences between ISO 13485:2003 and ISO 13485:2016

  1. What are the exact differences between ISO 13485:2003, ISO 13485:2016?

  The European standard, EN ISO 13485:2012 Medical Devices - Quality Management Systems - Requirements for Regulatory Purposes, has been published, after approval by CEN on January 24, 2012. This replaces EN ISO 13485: 2003, although the text of the global standard ISO 13485:2003 is unchanged, only the foreword and annexes in the European version have been revised. Therefore, there are no different requirements in ISO 13485:2012 compared to ISO 13485:2003. 

  To identify new requirements of ISO 13485:2016 vs 13485:2003, at the end of the new ISO 13485:2016, in Annex A there is a table - Comparison of content between ISO 13485:2003 and ISO 13485:2016, where you can see all new requirements and differentiation between these two versions.  

  On the following link, there is an article with the list of mandatory documents required by ISO 13485:2016: https://advisera.com/13485academy/blog/2017/01/18/list-of-mandatory-documents-required-by-iso-134852016/ 

  On the following link you can download free matrix ISO 13485:2016 vs. ISO 13485:2003: https://info.advisera.com/13485academy/free-download/iso-13485-2016-vs-iso-13485-2003-matrix

  Also, you can find on Advisera 13485 blog a lot of articles considering certain requirements from ISO 13485: 2016 and how you can fulfill them: ISO 13485 Blog https://advisera.com/13485academy/blog/

  2. What portions of FDA cGMPS, are being revised to comply with ISO 13485:2016?

  While adherence to ISO 13485 is not explicitly required, FDA 21 CFR Part 820 Quality System Regulations is the law for medical device companies manufacturing and selling products for the U.S. market. there are some differences between FDA 21 CFR Part 820 and ISO 13485. Yet prior to the publishing of ISO 13485:2016, it has been a very common practice for medical device companies to establish a QMS to address both FDA 21 CFR Part 820 and ISO 13485:2003.

  For more information about differences and similarities between FDA 21 CFR Part 820 and ISO 13485, please see the following link:

  • Differences and similarities between FDA 21 CFR Part 820 and ISO 13485 https://advisera.com/13485academy/blog/2017/10/05/differences-and-similarities-between-fda-21-cfr-part-820-and-iso-13485/

  • SAR

    Employees, like other data subjects, have the right to access their personal data. When you receive a SAR (Subject Access Request) you need to reply without undue delay (usually one month) and you can extend such a period to another month for complex requests.

    You need to give access to the employee to data stored excluded for documents subjects to legal privilege (i.e. legal advice on the employee), data concerning third parties, disproportionate request.

    You should also inform the employee about the categories and the purposes of data processing, how data have been processed, the legal ground of processing, the source of data (if data were not communicated by the employee), data retention periods, other data subjects rights, if data had been transferred to third parties, security measures if any automated processing method applies. Usually, all this information is included in the employee privacy policy.

    Please consider that if the SAR is too generic you can ask for clarification to the employee, if the employee is not legitimate to access, you can reply with a denial, but do not ignore the request otherwise the employee can lodge a complaint to the Data Protection Authority of your country.

    Here you can find more information:

    • Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
    • Four main questions for obtaining and managing data subjects’ consent under GDPR https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
    • How the GDPR could impact your HR department https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/ 

    If you want to know more about GDPR compliance you can consider enrolling in this EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • 15223-1 and 13485 certification question

    Do i need to purchase iso 15223-1 in order to comply with a medical device app?

    Yes, you need to purchase this standard. But please be careful because the new revision of this standard is currently under development: ISO/DIS 15223-1 Medical devices — Symbols to be used with medical device labels, labeling, and information to be supplied — Part 1: General requirements.

    There are some new symbols that are applicable to all medical devices, regarding the type of medical device.   

    Furthermore, can the iso 13485 certification and the CE certification be done by the same organization?

    Yes, both certifications can be done by the same Notify body, moreover, it is recommended and expected. 

    The following article regarding compliance with the MDR requirements for medical device labels can be helpful:

    • How to comply with the MDR requirements for medical device labels https://advisera.com/13485academy/blog/2020/09/20/how-to-create-medical-device-labels-compliant-with-mdr/

    • What do I need to become a NRTL?

      Yes, ISO 17025 is the international Standard that is applicable to testing and calibration laboratories, providing general requirements for the competence, impartiality and consistent operation of laboratories. The first step to establishing your Quality Management system is to purchase a copy of ISO 17025:2017. I then recommend some training to assist you understand the purpose, scope and intent of the standard. Thereafter do a project plan to make sure everyone involved understand what it will take to implement the mandatory policies, processes, document the mandatory procedures, perform risk assessments and implement the record keeping and technical requirements. Once you have implemented all the activities, and have some evidence of successful implementation, for example an audit programme and corrective action procedure, the next step will be to contact your accreditation body to obtain a quote for you initial assessment. Ensure you have completed a full gap audit before the assessment, allowing enough time to close the gaps.

      Have a look at how the ISO/IEC 17025:2017 Documentation Toolkit may assist you, available at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

      and download some free tools at https://advisera.com/17025academy/free-downloads/

      • Project Plan for ISO/IEC 17025 implementation
      • Diagram of ISO 17025 Implementation Process

      For some more information here are some useful resources, Download the complimentary white papers:

      • Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/
      • Checklist of mandatory documents required by ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/checklist-of-mandatory-documents-required-by-iso-17025
        and watch the Free webinar – What are the steps in the ISO 17025 accreditation process? https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar-on-demand/

    • Lot number coding

      No, there is no template for coding lot/batch number since it is very specific for each company and the medical device itself. We have section 3.3.7 Identification and traceability in the 11_Procedure_for_Production_and_Service_Provision where we describe what has to be done and what responsibilities there are.

      There is no regulations for medical devices which elements LOT number must have, so you can define it in any way that you find the most appropriate. Usually, it contains information about the location where the product is manufactured (in case when the company has several locations), date of the production, year of the production; sometimes it can have a production line on it and so on. 

      However, be careful that from May 2021. You will need a UDI number. Which elements are necessary to be part of UDI number you can find in the following articles from Medical device regulative 2017/745:

      • EU MDR Article 27 – Unique Device Identification system - https://advisera.com/13485academy/mdr/unique-device-identification-system/
      • EU MDR Annex 6 – Information to be submitted upon the registration of devices and economic operators in accordance with Articles 29(4) and 31; core data elements to be provided to the UDI database together with the UDI-DI in accordance with Articles 28 and 29; and the UDI system - https://advisera.com/13485academy/mdr/information-to-be-submitted-upon-the-registration-of-devices-and-economic-operators-in-accordance-with-articles-294-and-31-core-data-elements-to-be-provided-to-the-udi-database-together-with-the-ud/

      For more information please see the following article:

      • How to comply with the MDR requirements for medical device labels - https://advisera.com/13485academy/blog/2020/09/20/how-to-create-medical-device-labels-compliant-with-mdr/

      • Risk and opportunities

        Think about what your organization expects as desired results from each of these departments. Think also about the undesired results that you want to avoid.
        So, for example, what can be expected from each department:

        • Increase brand notoriety (Marketing)
        • Reduce delivery delays (Production)
        • Reduce defects that are received by customers (Quality Control)
        • Keep talented people (Human Resources)
        • Good decisions about the whole organization (Management)
        • Reduce transportation costs (Logistics)
        • Reduce defects imported from suppliers (Purchasing)
        • Increase time between equipment failure (Maintenance)

        Then, start thinking about events that can introduce uncertainty and deviate from meeting the desired results. For example, concerning Production:

        • Delays from suppliers
        • Equipment breakdowns
        • Wrong planning
        • Lack of workers
        • Defective raw materials
        • Workers lacking the necessary skills

        You can also think about events that can introduce positive uncertainty and help meet or surpass the desired results. For example, concerning Maintenance:

        • Old equipment that is more likely to break down replaced by newer, more reliable equipment
        • Use of more reliable parts suppliers
        • Better preventive maintenance

        You can find more information below.

        • How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
        • Does ISO 9001 require a procedure for addressing risks and opportunities?: https://advisera.com/9001academy/blog/2017/10/10/does-iso-9001-require-a-procedure-for-addressing-risks-and-opportunities/
        • For a free preview of an example of the Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/
        • Free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar/
        • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
        • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

      • ISO 9001: 2008 vs ISO 9001: 2015

        Algunos de los cambios más importantes en ISO 9001:2015 con respecto a ISO 9001:2008 son los siguientes:

        - un esquema común en las normas que forma parte de la estructura de alto nivel que hace que la integración sea más sencilla

        - eliminación del manual de calidad y del representante de la dirección

        - inclusión de la determinación del contexto de la organización así como de las partes interesadas

        - control de proveedores externos 

        - Introducción del pensamiento basado en riesgos y la eliminación de la acción preventiva

        - Los registros y documentos pasan a llamarse información documentada

        - Refuerzo del enfoque basado en procesos

         

        Para mas información sobre las diferencias entre ISO 9001:2008 e ISO 9001:2015 vea los siguientes materiales:

        - Infografía ISO 9001:2015 vs revisión del 2008: qué ha cambiado: https://advisera.com/9001academy/pt-br/kit-de-documentacao-da-iso-9001/nowledgebase/infografia-iso-90012015-vs-revision-del-2008-que-ha-cambiado/

        - Curso gratuito en línea - Fundamentos de la norma ISo 9001:2015:  https://advisera.com/es/formacion/curso-fundamentos-iso-9001/

        - Libro - ISO 9001:2015 through practical examples:  https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/