Search results

Information on risk classification for IVDs under new IVDR regulations

According to the IVDR's, Annex VIII now defines four classes In lieu of the previous lists A and B. The classes are based on the Global Harmonization Task Force classification scheme and are determined using seven rules, which are explained in more detail in Annex VIII of the IVDR:

• Class D: highly critical data, e.g. for transfusion medicine or determination of life-threatening or infectious diseases
• Class C: critical data, e.g. human genetic testing, determining levels of medicinal products, detecting infectious or inherited diseases in the embryo or fetus. Most self-tests (performed by the patients) fall within class C.
• Class B: less critical parameters such as glucose or leukocytes. Class B is also the default class for all parameters which do not fall within the scope of any of the stated rules.
• Class A: uncritical devices such as washing solutions or general culture media are classified as class A.

IVDR even divides in-vitro diagnostic products into further categories:

• devices for near-patient testing
• devices for self-testing
• companion diagnostic devices that are essential for the safe and effective use of a corresponding medicinal product. An example would be a genetic test verifying whether a cytostatic is effective.

The new classification scheme means that IVD devices not fitting into any of the classes will be considered Class B, falling under NB supervision. This is an important distinction because they would have been self-declared previously, under the IVDD.

Risk assessment

You asked

"1. How should risk assessment be done?

ISO 17025 does not prescribe any particular methodology or formal program.  It requires a planned activity to integrate risk and opportunities assessment into the management system, for example evaluate risks during the audit program. A laboratory must assess the potential impact on objectives and results, and take appropriate, proportional action. You therefore need to introduce an risk level evaluation that results in a risk ranking, so you can prioritise actions. The methodology for a specific risk assessment would generally start with documenting the critical systems or processes, then document the process steps, followed by identifying the risks by looking at the inputs and outputs of each step. Once these are identified you will rate the likelihood of an event happening as high, medium or low; as well as the impact as high, medium or low. Using at a minimum, a 3 x 3 matrix, you then determine the risk level for that specific risk as high, medium or low.

You also asked

2. And in which areas should the risk assessment be performed?"

A laboratory must consider and address risks for all activities which could possibly have a negative impact on the competency, impartiality and / or consistent operation of the laboratory.

Your attention should be focused on spending more time considering risks to performance of tests which are part of your scope of accreditation, along with risks to the overall policies and objectives of the laboratory.  This includes for example, procurement, if a delay in receiving an order could cause a delay in reporting time for a test to a customer.

For a more detailed explanation, you can watch the free webinar How to manage risks in laboratories according to ISO 17025 at https://advisera.com/17025academy/webinar/iso-17025-risk-management-how-to-manage-it-free-webinar-on-demand/

For more information regarding  actions to address risks and opportunities, see the ISO 17025 toolkit document template: Addressing Risks and Opportunities Procedure at https://advisera.com/17025academy/documentation/addressing-risks-and-opportunities-procedure/ 
and for more information on the five steps to address risks, see the article Five-step laboratory risk management according to ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/12/05/iso-17025-risk-management-in-five-steps/

Other responses to similar questions may also be of interest – have a look at What is the efficient way and tricks to address, handle and treat the risk and opportunity? at https://community.advisera.com/topic/what-is-the-efficient-way-and-tricks-to-address-handle-and-treat-the-risk-and-opportunity/

Special treatment or additional activities for the IATF audit in case of ongoing escalation with customer

It is not possible to have certification before the escalation process ends.

What you need to do here is to present the detailed analysis of the problem and the action plan to your auditor in the stage 1 audit.

Escalation must be finished before the Stage 2 audit.

The maximum time between stage1 and stage 2 audit is 90 days. If escalation does not disappear within 90 days, I recommend you to consult with your certification company.

Clause 7.2.1.3

You asked

"1. If I can not purchase the last version of the method right now, can I use the old one?

For a standard method, this will depend on what changed; as well as your laboratory’s application of the method. You have to consider any risk of staying with the old version by looking at the purpose of the test. You need to consider what you are required to test and report, meaning what decision does you client need to make, based on the result you provide? If you have to provide a statement of conformity and the test has a regulatory requirement, for example tolerances for drinking water, your client may need you to make a pass or fail statement based on the latest standard. If you can verify there was no known methodology change and the table of tolerances are published elsewhere with reference to the new standard, yes in principle you could continue using the old version, until you can purchase the new version.

You then asked

2. If not, what mean of "unless it is not appropriate or possible to do so." in this clause."

For certain methods, the latest version of a standard my include a technique that you cannot implement. In this case, you once again need to look at the significance technically, of staying with the previous version. You could choose to continue with the old version, effectively validating it as your laboratory’s latest valid modified standard method.  Another case where it may not be possible to change to the latest valid standard method, is where the test results are being used for research or academic projects, and the change will not be appropriate (will affect interpretation of project data).

ISO 9001 Question

ISO 9001:2015 structure and logic is based on the PDCA cycle. Please check this article - Plan-Do-Check-Act in the ISO 9001 Standard https://advisera.com/9001academy/knowledgebase/plan-do-check-act-in-the-iso-9001-standard/

You can find more information below:

• How to implement the Check phase (performance evaluation) in the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/17/how-to-implement-the-check-phase-performance-evaluation-in-the-qms-according-to-iso-90012015/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Key technical security safeguards

Mostly depends on the kind of data processing carried on by the controller or the processor (i.e. is it a computer or paper-based data processing?). 

Article 32 GDPR let the controller determine what technical security safeguards to ensure a level of security appropriate to the risk and able to guarantee:

• integrity
• availability
• confidentiality
• resilience of systems

Of course, in computer-based data processing some basic technical security safeguards are:

• antivirus
• antimalware
• access control (with different level of account restrictions)
• two-factor authentication
• the use of a VPN service

The GDPR suggests also to prefer cryptography and pseudonymization of data when possible. Any specific remedy is listed because the aim of the GDPR is to set principles that can resist to technology evolution.

You can find more information here:

• Article 32 GDPR: https://advisera.com/eugdpracademy/gdpr/security-of-processing/
• How cybersecurity solutions can help with GDPR compliance: https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
• Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/

You can also consider enrolling in our free EU GDPR Foundations Course

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Guide for dock audit

  There is no CQI or any other manual about the dock audit.

  As you know dock audit is ‘’a quick, final inspection of finished products before they are sealed, boxed, and approved for shipping. It is a visual inspection typically performed by quality control inspectors on the shipping dock of a warehouse shortly before the product is loaded onto a freight truck for delivery.’’

  So, as long as it covers the above topics, you can use your own list of questions.

• Requirements for custom service business to be compliant for ISO 13485

  In ISO 13485:2016 in section 1 Scope is stated that this standard can be equally applicable for both medical device production and related services. This means that instead of production you will describe how you provide your service. Of course, certain documented requirements want to be applicable to you. For example, if you do not provide sterilization process, then requirements (and all applicable documentation) 7.5.5 Particular requirements for sterile medical devices and 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems are not applicable to you. Also, if you have no implantable requirements, then requirement 7.5.9.2 Particular requirements for implantable medical devices is also not applicable to you.

  You have to state all requirements that are not applicable and write a justification for them in the Quality manual.

  For more information structuring ISO 13485 Quality Management System, please see the following article:

  • How to structure Quality Management System documentation according to ISO 13485 https://advisera.com/13485academy/knowledgebase/how-to-structure-quality-management-system-documentation-according-to-iso-13485/

  For more information about ISO 13485 implementation, see following articles:

  • Checklist of ISO 13485 implementation and certification steps - https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/
  • Six key benefits of ISO 13485 implementation - https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/

  • Clarity on the certifying body and the cost for it

    Depending on the industry your organization works on, and countries it operates, some certification bodies will be more relevant than others, regardless of its "popularity" in general marketing.

    This article will provide you a further explanation about certification bodies:

    • How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

  • Difference between BCMS and Risk Management System

    How is a BCMS different from a Risk Management System?

    The BCMS objective is to ensure the continuity of delivery of products and services during and after a disruptive event, while the Risk Management System's objective is to identify, analyze, evaluate, and treat risks according to defined organization's criteria.

    These articles will provide you a further explanation about BCMS and risk management:

    • ISO 22301 https://advisera.com/27001academy/what-is-iso-22301/
    • ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    These materials will also help you regarding BCMS and risk management:

    • Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
    • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/