
  • ISO 14001 Clause 6.1.1 & 6.1.2

    As per ISO 14001:2015, Clauses 6.1.1 and 6.1.2, is it mandatory to carry out an environmental risk assessment and environmental aspects and impacts assessments, as well as to maintain an individual register for them?

    Answer:

    Yes, it is mandatory to carry out an environmental risk assessment and environmental aspects and impacts assessments.

    About the individual register, an organization needs to maintain one for all environmental aspects and impacts. About the risks and opportunities, what is mandatory to maintain is a register of those deemed relevant enough to be addressed. Please check this article - List of mandatory documents required by ISO 14001:2015 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/list-of-mandatory-documents-required-by-iso-140012015/

    Differentiate environmental risk and environmental impacts

    Answer:

    Determining environmental aspects is determining how an organization interacts with the environment. For example:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/9800c317-84db-4a4f-b6db-741f0dc6576d

    Determining risks and opportunities of an organization, according to ISO 14001:2015, is based on its environmental aspects, compliance obligations, and context and interested parties.

    For example, concerning environmental aspects we can have:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/41f52d5c-bdf7-4fad-b0bd-057c24a5634a

    Since organizations have to consider the lifecycle of their products and services, do not forget to consider risks and opportunities around your products and services during use or final disposal.

    https://www.screencast.com/users/ccruz5284/folders/Default/media/be180b68-ea2f-4ca1-84a5-7cd4abf08150

    For example, concerning compliance obligations, and context and interested parties, the above organization can realize that neighbors (an interested party) are pressuring local authorities not to allow its expansion (an external issue) due to non-compliance with wastewater discharge legislation (compliance obligations), translated into river pollution.

    Please check the risk definition (3.2.10) in ISO 14001:2015 (effect of uncertainty). With environmental aspects and impacts we are considering normal, expected situations, like startup and closing down operations, but also abnormal and emergency situations. Whenever there is uncertainty there are risks or opportunities: there is a potential deviation from the expected.

    About determining risks based on environmental aspects and compliance obligations I see that different organizations follow different approaches:

    1. There are organizations that determine their environmental aspects and use a risk and opportunities assessment to determine their significant environmental aspects. (Please see the end of the second paragraph of Annex A.6.1.1 of ISO 14001:2015.)

    2. There are organizations that determine their environmental aspects, evaluate them, determine the significant ones, and use a risk and opportunities assessment to determine which ones need an action plan and which ones only need to be monitored.

    3. There are organizations that only apply the risk-based approach to the context part. In a certain way they are following the same approach as 1 without explicitly mentioning it.

    Please check this information below with more detailed answers:

  • ISO certification at the level of an insurance point of sale

    I am not sure I have understood your question correctly. For the context, I would consider two levels: local, and within the framework of a larger organization. For the internal context, I would consider the kind of topics that keep appearing in performance meetings, that keep appearing in complaints, reports and audits.

    For the external context, I would use the PESTLE methodology (political, economic, social, technological, legal, environmental) to determine the relevant topics.

    You can find more information below:

  • Is clean room installation mandatory?

    No, there is no strict requirement in ISO 13485:2016 that a cleanroom has to be installed. However, the following is stated:

    In section 6.4.1 Work environment, it is stated that the manufacturer needs to document requirements for the work environment needed to achieve conformity of the product with the specification. If the conditions of the work environment have adverse effects on product quality, besides documenting the requirements for the work environment, the manufacturer also must document the procedure to monitor and control the work environment. Therefore, it is the manufacturer's decision, depending on the type of the medical device, whether a cleanroom will be installed or not.

    In section 6.4.2 Contamination control, for sterile medical devices it is stated that the manufacturer must document requirements for control of contamination with microorganisms or particulate matter and maintain the required cleanliness during the assembly or packaging process.

    For more information on this topic, please see the following articles:

    • Managing cleanliness of a product and contamination control according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/07/04/managing-cleanliness-of-a-product-and-contamination-control-according-to-iso-134852016/
    • Managing medical device infrastructure requirements according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/managing-medical-device-infrastructure-requirements-according-to-iso-13485/

    • Does GDPR apply just to European people?

      Article 3 GDPR rules the territorial scope and states that GDPR applies if:

      • The controller or the processor carries out the data processing within the E.U. (therefore, your Spanish hosting as the data processor will apply GDPR)
      • The data processing refers to data subjects within the E.U., where the processing activities relate to the offering of goods and services to data subjects in the E.U. and the monitoring of data subjects' behavior as far as it happens within the E.U.
      • The data processing is carried out outside the E.U., but E.U. Member State law applies by force of international law (i.e. your company based in LATAM is under some E.U. country's legislation)

      So, if your company is based outside the E.U. and all the data processed does not refer to European people, you will not apply GDPR. On the contrary, if your company is based in the E.U. you will need to comply with GDPR even if the data processed belong to LATAM individuals.

      Here you can find more information:

      You can also consider enrolling in our free EU GDPR Foundations Course

      • EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

      • Information on risk classification for IVDs under new IVDR regulations

        According to the IVDR, Annex VIII now defines four classes in lieu of the previous lists A and B. The classes are based on the Global Harmonization Task Force classification scheme and are determined using seven rules, which are explained in more detail in Annex VIII of the IVDR:

        • Class D: highly critical data, e.g. for transfusion medicine or determination of life-threatening or infectious diseases
        • Class C: critical data, e.g. human genetic testing, determining levels of medicinal products, detecting infectious or inherited diseases in the embryo or fetus. Most self-tests (performed by the patients) fall within class C.
        • Class B: less critical parameters such as glucose or leukocytes. Class B is also the default class for all parameters which do not fall within the scope of any of the stated rules.
        • Class A: uncritical devices such as washing solutions or general culture media are classified as class A.

        IVDR even divides in-vitro diagnostic products into further categories:

        • devices for near-patient testing
        • devices for self-testing
        • companion diagnostic devices that are essential for the safe and effective use of a corresponding medicinal product. An example would be a genetic test verifying whether a cytostatic is effective.

        The new classification scheme means that IVD devices not fitting into any of the classes will be considered Class B, falling under NB supervision. This is an important distinction because they would have been self-declared previously, under the IVDD.

      • Risk assessment

        You asked

        "1. How should risk assessment be done?

        ISO 17025 does not prescribe any particular methodology or formal program. It requires a planned activity to integrate risk and opportunities assessment into the management system, for example evaluating risks during the audit program. A laboratory must assess the potential impact on objectives and results, and take appropriate, proportional action. You therefore need to introduce a risk level evaluation that results in a risk ranking, so you can prioritise actions. The methodology for a specific risk assessment would generally start with documenting the critical systems or processes, then documenting the process steps, followed by identifying the risks by looking at the inputs and outputs of each step. Once these are identified, you will rate the likelihood of an event happening as high, medium or low, as well as the impact as high, medium or low. Using, at a minimum, a 3 x 3 matrix, you then determine the risk level for that specific risk as high, medium or low.

        You also asked

        2. And in which areas should the risk assessment be performed?"

        A laboratory must consider and address risks for all activities which could possibly have a negative impact on the competency, impartiality and / or consistent operation of the laboratory.

        Your attention should be focused on spending more time considering risks to the performance of tests which are part of your scope of accreditation, along with risks to the overall policies and objectives of the laboratory. This includes, for example, procurement, if a delay in receiving an order could cause a delay in reporting time for a test to a customer.

        For a more detailed explanation, you can watch the free webinar How to manage risks in laboratories according to ISO 17025 at https://advisera.com/17025academy/webinar/iso-17025-risk-management-how-to-manage-it-free-webinar-on-demand/

        For more information regarding actions to address risks and opportunities, see the ISO 17025 toolkit document template: Addressing Risks and Opportunities Procedure at https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/ and for more information on the five steps to address risks, see the article Five-step laboratory risk management according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/

        Other responses to similar questions may also be of interest – have a look at What is the efficient way and tricks to address, handle and treat the risk and opportunity? at https://community.advisera.com/topic/what-is-the-efficient-way-and-tricks-to-address-handle-and-treat-the-risk-and-opportunity/

      • Special treatment or additional activities for the IATF audit in case of ongoing escalation with customer

        It is not possible to have certification before the escalation process ends.

        What you need to do here is to present the detailed analysis of the problem and the action plan to your auditor in the stage 1 audit.

        Escalation must be finished before the Stage 2 audit.

        The maximum time between the stage 1 and stage 2 audits is 90 days. If the escalation is not resolved within 90 days, I recommend that you consult your certification company.

      • Clause 7.2.1.3

        You asked

        "1. If I can not purchase the last version of the method right now, can I use the old one?

        For a standard method, this will depend on what changed, as well as your laboratory’s application of the method. You have to consider any risk of staying with the old version by looking at the purpose of the test. You need to consider what you are required to test and report, meaning what decision does your client need to make based on the result you provide? If you have to provide a statement of conformity and the test has a regulatory requirement, for example tolerances for drinking water, your client may need you to make a pass or fail statement based on the latest standard. If you can verify there was no known methodology change and the table of tolerances is published elsewhere with reference to the new standard, yes, in principle you could continue using the old version until you can purchase the new version.

        You then asked

        2. If not, what is the meaning of "unless it is not appropriate or possible to do so" in this clause?"

        For certain methods, the latest version of a standard may include a technique that you cannot implement. In this case, you once again need to look at the technical significance of staying with the previous version. You could choose to continue with the old version, effectively validating it as your laboratory’s latest valid modified standard method. Another case where it may not be possible to change to the latest valid standard method is where the test results are being used for research or academic projects, and the change will not be appropriate (it will affect interpretation of project data).

      • ISO 9001 Question

        ISO 9001:2015 structure and logic is based on the PDCA cycle. Please check this article - Plan-Do-Check-Act in the ISO 9001 Standard https://advisera.com/9001academy/knowledgebase/plan-do-check-act-in-the-iso-9001-standard/

        You can find more information below:

      • Key technical security safeguards

        It mostly depends on the kind of data processing carried on by the controller or the processor (i.e. is it computer-based or paper-based data processing?).

        Article 32 GDPR lets the controller determine which technical security safeguards ensure a level of security appropriate to the risk and are able to guarantee:

        • integrity
        • availability
        • confidentiality
        • resilience of systems

        Of course, in computer-based data processing some basic technical security safeguards are:

        • antivirus
        • antimalware
        • access control (with different levels of account restrictions)
        • two-factor authentication
        • the use of a VPN service

        The GDPR also suggests preferring cryptography and pseudonymization of data when possible. No specific remedy is listed, because the aim of the GDPR is to set principles that can resist technology evolution.

        You can find more information here:

        You can also consider enrolling in our free EU GDPR Foundations Course
