Search results

Internal Audit by Consultant

Yes, that has been my practice for the past thirty years with no problems. Consultant and internal auditor. By the way, strangely, ISO 9000:2015 definition for auditor removed the requirement for “formal independence”. What is a requirement is that the auditor demonstrates objectivity and impartiality. I work on that by preparing my checklists and leaving audit reports that describe precisely what I found.

You can find more information about audits:

• How to write a good ISO 9001 audit nonconformity? - https://advisera.com/9001academy/blog/2018/04/24/how-to-write-a-good-iso-9001-audit-nonconformity/
• ISO 9001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/ ernal-auditor-course/
• ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/

Performing a successful audit

Auditing in ISO 45001, as with the other ISO management system standards, follows a process audit methodology, where you compare what is happening in the process to the planned arrangements to ensure that what is planned is what is happening. When auditing it is important to remember that you want to audit both the ISO standard requirements, and the process as it has been implemented at the organization. I have found that this can be done best as a two step process. First, during audit preparation you want to compare the process that is implemented (including procedures where they exist) against the ISO 45001 standard to see if what is planned to happens meets the requirements.

Once you know that the planned process meets the requirements, you can prepare questions to ask employees to confirm that what is actually happening meets the requirements of the process as implemented. Some of the best questions then include “Can you walk me through the process you use?”, “What happens when there is a nonconformity?”, etc. These are open ended and allow people to explain what they do which you can then compare to the process that is planned. Remember, you are auditing for conformity, not trying to hunt for mistakes. These questions and expected answers will be specific to your organization.

You can learn more about the process audit using the ISO standard for auditing management systems in the article: How to perform an internal audit using ISO 19011, https://info.advisera.com/free-download/how-to-perform-an-internal-audit-using-iso-19011

Requirements for proficiency testing / ILC and repeatability & repeatability

I assume from your question that you are referring to the initial formal assessment for a laboratory being assessed for accreditation for the first time. If you are referring to a requested voluntary pre-assessment by the accreditation body, prior to the initial assessment, the purpose is to identify gaps ahead of the initial assessment, so the same requirements must be met; however the purpose is to identify issues to address before the formal assessment (without formal nonconformances raised, that would have to be cleared in a specified time).

To clarify, the route to ISO 17025 accreditation by an accreditation body starts with implementation of the processes, procedures and controls by the laboratory to meet the requirements and address risks. This includes knowing the requirements of the accreditation body, which should be a signatory member of ILAC (the international organisation for accreditation bodies). This means that their requirements must be in line with ILAC policies, requirements and guidelines. The policy document ILAC-P9:06/2014 ILAC Policy for Participation in Proficiency Testing Activities is applicable to your question.

Implementation includes method validation for all the tests that the laboratory will be accredited for (will appear on the accreditation certificate) of which repeatability (precision) is one of the performance parameters. The method validations must be completed and submitted by the laboratory, typically on application. Furthermore, for each test to be accredited, laboratory processes must be in place to ensure the validity of results (clause 7.7) which includes monitoring and evaluating longer term internal quality control data (intermediate precision) for typically a few months; as well as enrolment and participation in a proficiency testing program where  a 4 to 5 year plan is usually required.

I suggest your obtain the method validation, proficiency testing and other relevant policy and requirement documents from your selected accreditation body.

The ILAC Policy documents are available at https://ilac.org/publications-and-resources/ilac-policy-series/

Have a look at the response to a question on Procedures for validation and verification of methods at https://community.advisera.com/topic/procedures-for-validation-and-verification-of-methods/

The ISO 17025 toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/ includes the procedure for validation and verification of methods, named Test and Calibration Method Procedure and the Quality Assurance Procedure.  The procedures are also available separately at https://advisera.com/17025academy/documentation/test-and-calibration-method-procedure/ and https://advisera.com/17025academy/documentation/quality-assurance-procedure/

External Risks

Natural hazards or calamities may be external issues that can translate into risks or opportunities. For example, a manufacturing company located near a flooding area may lose the capability to operate normally for several weeks. A hurricane can weaken a competitor and create an opportunity to expand activity. Today, I read in a newspaper that the coronavirus pandemic lockdowns worked as a boon for software game companies. It is up to each organization to determine the relevant issues from its context.

You can find more information in the following links:

• How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
• Free webinar on demand - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples –https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO 13485 for Class 1 FDA medical device

Within Class I, if a device is classified into a general category of exempted devices, then no Premarket Notification application or FDA clearance is needed before selling the device in the U.S. But, the supplier is mandated to register its institution and submit a list of generic products to the FDA. These Class I devices are under the fewest regulatory controls. Class I devices that are not listed as exempted devices undergo a Premarket Notification application with the FDA.

The classification procedure and market approval processes are fully explained in the 21 CFR Part 860 (Code of Federal Regulations for Medical Device Classification Procedures). For the USA market, ISO 13485:2016 is not a regulation or law, however, while FDA 21 CFR Part 820 is mandatory for medical device distribution in the United States. 

For more detail on this topic, please see the following articles:

• How to use ISO 13485 to fulfill FDA regulatory classes for medical devices - https://advisera.com/13485academy/blog/2017/09/14/how-to-use-iso-13485-to-fulfill-fda-regulatory-classes-for-medical-devices/
• Differences and similarities between FDA 21 CFR Part 820 and ISO 13485 - https://advisera.com/13485academy/blog/2017/10/05/differences-and-similarities-between-fda-21-cfr-part-820-and-iso-13485/

• Minimum required distance between a primary and secondary data center

  I was able to find good information from your articles.

• ISO 9001 Implementation and Procedures

  Setup a project sponsor, a project manager and a project team. Ensure top management support, get training and as a first step perform a Gap analysis, to determine the amount of work to be done - comparing what your organization already has in place versus ISO 9001:2015 requirements. From that GAP Analysis you can develop your Project Plan, listing what needs to be done, by whom, until when.

  Then, an important step is to design a model of how your organization work as a set of interrelated processes. For example:

  

  Decide how to describe, procedures and/or work instructions, and monitor those processes. You can accelerate implementation by customizing a documentation set like our ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/

  From there it is implementation in order to close the gaps found. Then, perform an internal audit and the management review. There you can decide if your organization is ready for a certification audit.

  This is a very short description of the journey but below you can find more detailed information:

  • Free Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
  • Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
  • Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
  • Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
  • Enroll for free course - ISO 9001:2015 Lead Implementer Course - https://advisera.com/training/iso-9001-lead-implementer-course/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
     

• Compliance check: Controller with no establishment and/or representative in EEA - Data and processing happens within EEA

  In order to be compliant, you need to appoint a representative in the EU this is an obligation of the controller stated in Article 27 GDPR and you should appoint it in Ireland since you are going to store data in that country. In fact, according to Article 27 paragraph 3 GDPR  “The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.”

  You don’t need a representative if the processing:

  • is occasional,
  • does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offenses referred to in Article 10,
  • and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing.
  • is carried by a public authority or body. 

  Appointing a representative is not too difficult, you require a service contract with an individual, a company, or organization established in the EU, who must be able to represent you regarding your obligations under the EU GDPR (e.g. a law firm, consultancy or private company).

  Of course, you need also to comply with all the GDPR requirements.

  You can find more information here:

  • What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
  • 9 steps for implementing GDPR https://advisera.com/articles/9-steps-for-implementing-gdpr/
  • List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
  • A summary of 10 key GDPR requirements https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/ 

  You can also consider enrolling in our free EU GDPR Foundations Course

  EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Meaning of "E" in ISO 27001:2013(E)

  The (E) complement at the end of the name of the standard means the language on which it was written was English. According to the ISO/IEC Directives, Part 1 Consolidated ISO Supplement, ISO official languages are English (E), French (F), and Russian (R): https://www.iso.org/sites/directives/current/consolidated/index.xhtml