
  • Documents required by MDSAP and FDA in ISO 13485 Documentation Toolkit

    1. Do you have in your 13485 & MDR package the documents required by MDSAP? If not, where can I get them?

    In our ISO 13485 & MDR documentation toolkit, we have all the necessary documentation for the internal audit, which is very similar to the MDSAP documents. These are the following documents:

    • Procedure for Internal audit
    • Internal audit checklist
    • Internal audit program
    • Internal audit plan
    • Internal audit report

    At this link you can see the list of the documents that we have in our Documentation toolkit: https://advisera.com/13485academy/iso-13485-internal-audit-toolkit/

    The list of MDSAP audit procedures and forms can be found at the following link: https://www.fda.gov/medical-devices/medical-device-single-audit-program-mdsap/mdsap-audit-procedures-and-forms

    More information on the ISO 13485:2016 internal audit process can be found in the following articles:

    2. The same question about your 13485 & MDR package: which documents are required by the FDA?

    The Medical Device Regulation is applicable to all medical devices that are to be placed on the EU market. The necessary technical documentation is described in Annex 2 and Annex 3 of the MDR 2017/745.

    Here are the links to those Annexes:

    We, in our ISO 13485 & MDR Documentation Toolkit, have prepared the obligatory procedures and reports. Other test reports depend on the type of medical device, and it was not possible to standardize them. Below you can see these documents listed:

    • Procedure for clinical evaluation and related documents
    • Procedure for post-market surveillance and related documents
    • Technical documentation procedure and related documents

    A 510(k) is the technical dossier required by the US Food and Drug Administration (FDA) to sell a medium-risk medical device or IVD in the United States. It is formally called a Pre-market Notification. A 510(k) contains detailed technical, safety, and performance information about a medical device. The documentation must demonstrate the device in question is "substantially equivalent" to a predicate device (i.e. a product already cleared for sale in the US). The FDA must review the 510(k) and "clear" your device before you can legally sell or distribute it in the United States.

    Here is the link to the content of the 510(k):

    Differences between the MDR and the FDA 510(k) are in some definitions, classes, and in the clinical investigation trials. Therefore, you can use our templates from our documentation toolkit. However, once again I repeat that this documentation is not all of the required documents, and plans, reports, and results of different tests cannot be standardized.

  • ISO 9001 Internal and External Parties and their Needs

    Please check this picture with a list of different interested parties:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/a6e4c52a-8c9a-4590-9567-b6db857f1ab5

    Please check this example of what can be the needs of an interested party:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/44af4f5c-25d9-41a1-872b-b3200b799d9b

    Both images were taken from this free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/

    You can find more information below:

  • Impact details for each ISO 27001 control

    Please note that impact details of ISO 27001 controls, and impacts of not implementing them, will depend on the results of your risk assessment (i.e., which impacts and likelihood are related to the risks), the controls you decide to apply (some controls may be more effective when used together), and applicable legal requirements (even if there are not relevant risks you may need to implement a control due to a legal requirement). Since these depend on the context of each organization, it is unfeasible to define a generic overview.

    These articles will provide you a further explanation about impact and requirements identification:

  • No data security clause in existing employee and commercial contracts - should we send an addendum to all contracts?

    Any treatment action to be taken about the current contracts will depend on the results of the risk assessment (i.e., are there relevant risks whose treatment can be made by an addendum to the contracts? To which contracts will this be applicable?) and applicable legal requirements (e.g., laws or regulations may require such an addendum to be made).

    Most probably you will need to send an addendum to some or all of the contracts, but you need to decide that based on the risk assessment and applicable legal requirements. This is the whole idea behind adopting an information security management system (you have factual information and clear impacts of doing nothing to decide what to do).

    For further information, see:

  • Mandatory checkpoint to be present in product audit

    Usually, a form defined in Excel or Word is used for the product audit. In the product audit, the finished product is selected from the shipment area.

    First of all, packaging and labeling issues are controlled. Next, traceability issues should be looked at. This is proof of the measurement and monitoring results made at every stage of the product. Then the finished product is measured against the product drawing. All these audit results are recorded on the relevant product audit form with the product number, control date, name, and surname of the controller.

    German OEM customers such as Daimler and VW require the use of the VDA 6.5 product audit form. If you do not have any customer requirements, you can define the topics I explained above in your own form, and that would be enough.

  • ISO 9001 Covid 19 as an issue

    Absolutely, Covid 19 has implications for organizations. For some, it generates risks, and for others, opportunities. It changes the external context, like demand level and channels, but it also may change the internal context with teleworking and preventive measures in production lines or service provision.

    As an auditor I expect to see Covid 19 in the context analysis update.

    You can find more information below:

  • Identifying the changes in ISO 27001 scope

    The definition and changes of the ISMS scope when information is on a cloud solution will depend on the control you have over the cloud:

    • for IaaS, the scope excludes physical infrastructure and virtual machines
    • for PaaS, the scope excludes virtual servers, and, to some degree, applications
    • for SaaS, the scope excludes datacenter facilities’ physical location, hardware, and software

    This article will provide you a further explanation about defining a scope considering cloud models:

    Regarding clauses from sections 4 to 10 of the standard, the best approach would be to verify all of them one by one. Regarding controls, the proper way is by reviewing the results of the risk assessment and risk treatment, and the applicable legal requirements.

    The reason is that these approaches will allow you to review the current scope for the on-prem part, and for the cloud scope all the elements are necessary for the certification.

  • Assets Inventory and Risk Assessment

    1. Some of the cloud services we are using are already ISO 27001 certified (like AWS, e.g., or some service hosted in AWS). Does that have any meaning for us?

    ISO 27001 certified suppliers will make the management of your risks related to them easier, because your organization and these suppliers will have a common base to manage information security risks (e.g., they will have an SoA that can make it easier for you to evaluate how they treat risks relevant to your organization).

    For further information, see:

    2. Do we still have to consider risks for those cloud services as well?

    If these cloud services store or process information that is part of your ISMS scope, then the risks related to them need to be considered (e.g., a disaster or a cyberattack can hit their sites and compromise your information that is with them). In this situation, any related treatment will be part of the contracts or terms of service you have with these suppliers.

    These articles will provide you a further explanation about ISMS scope considering cloud services and management of suppliers:

    3. Could we group the assets so that they become more manageable? E.g., one group: cloud services, and perform the risk assessment for this group, or divide it into SaaS and IaaS groups.

    The short answer is yes.

    ISO 27001 does not prescribe how to build the asset register, so you can define it as best fits your organization.

    In your case, you can group assets, or use them individually, in the way you understand will better fulfill your needs. For example, if you have several laptops with the same level of risk, you do not need to list them individually; you can have a single asset called "laptop". In case you have laptops with a different risk level, such as laptops from a development and maintenance department, you can create an asset called "development laptops".

    In short, you should consider splitting assets into more detail when they require different levels of protection.

    This article will provide you a further explanation about the asset register:

    4. Who should be the Asset Owner of Operating System – the user? And the Risk Owner is the System Administrator?

    First, it is important to note that ISO 27001 does not prescribe who the asset owner must be, so organizations are free to define the asset owners as best fits them.

    Considering that, as a good practice, you should consider as the asset owner the first management level with responsibility for protecting and managing the asset, because this will make the decisions about the asset faster and more effective.

    For example, if the asset is a server, the owner should be the server's administrator. In the case of laptops, you should consider the asset owner the laptop user.

  • ISO 17025 Management document structure

    To answer your question, let me highlight firstly that they serve different purposes. In the context of ISO 17025:2017, however, the answer would be the Quality Policy as it provides a framework to establish the quality objectives, meaning quality-focused results to be achieved.

    It is also mandatory for laboratories to have policies and objectives that are aligned to address impartiality, competence and consistent operation, all quality components. The Quality Policy is the core of the management system, binding the laboratory in a singular vision of what Quality means to your organisation. It focuses your attention on structuring processes and documentation appropriately, as it is the crucial focal point for addressing risks and opportunities.

    A Quality Manual, on the other hand, is not mandatory, although it is useful to “bring” all your processes and procedures together. The mandatory documentation requirements could be met with a master index of documents and separate procedures.

    Have a look at these ISO 17025 toolkit document templates for some more insight: Quality Policy at https://advisera.com/17025academy/documentation/quality-policy/; as well as the Quality Manual at https://advisera.com/17025academy/documentation/quality-objectives/
