Search results

ISO 9001 in a service industry

The main purpose of a quality management system (QMS) is consistently meeting customer requirements and enhancing their satisfaction. The process approach is one of the eight quality management principles upon which ISO 9001:2015 is based. According to this principle, a desired result is achieved more efficiently when activities and related resources are managed as a process. So, ISO 9001:2015 invites organizations to see themselves as a system of interacting processes. One can say that the QMS is that collection of processes.

I like to use the process approach as a way of modeling how an organization works. For example, the main processes for a service providing organization can be around something like:

If your organization has other relevant interested parties you can add other processes for those other interactions

All organizations are different, so there is no universal set of processes. Each organization should design the set of interrelated processes that bests suits the purpose.

Once designed the model of how your organization works it is easy to relate each process to ISO 9001:2015 clauses. For example: the process above “Schedule the service” is mainly about clauses 8.2 and 8.5.1; the process “Purchase material or service” is about clause 8.4 and the process “Report the service” could be about clause 8.6 or 9.1.2.

Once designed the model of how your organization works it is easier to start planning the implementation.

Please check in this free webinar on demand how the set of processes can be determined and the process approach can be used - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/

You can find more information about the process approach in the following links:

• Should you use a gap analysis in your ISO 9001 implementation? -https://advisera.com/9001academy/17/use-gap-analysis-iso-9001-implementation/
• Free ISO 9001:2015 Gap Analysis Tool -https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
• Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
• ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (where I use the process approach as the basis for a QMS, unfortunately without an example from services)

Difference between the Risk management parts in the Toolkits

1. What is the difference between the Risk management parts (06) of ISO_13485_MDR_Integrated_Consultant_WL_Toolkit_Preview_EN and ISO_13485_MDR_Integrated_Documentation_Toolkit_Preview_EN?

There are no differences in the text of the document itself. The document is the same. The difference is that Consultant documents are "white-labeled" signs - do not have Advisera tags and whoever buys a consultant toolkit can use it for their clients. While "ordinary" documents/toolkits in accordance with Advisera's policy cannot be used to implement standards with the client.

2. And do I nee also the risk parts (6) of ISO_13485_Documentation_Toolkit_Preview_EN?

Yes, you do need this part. According to requirement 7.1 Planning the production, Risk management is a vital element of the ISO 13485:2016. This risk management is prepared according to the ISO 14971:2019 Medical devices - Application of risk management to medical devices - which is the only risk management standard from the list of harmonized standards: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2020:090I:TOC

Following article can make a better explanation:

• How to use ISO 14971 to manage risks for medical devices - https://advisera.com/13485academy/blog/2017/09/21/how-to-use-iso-14971-to-manage-risks-for-medical-devices/

• SAMA and ISO 27K: common control

  I'm understanding that by SAMA you mean Saudi Arabian Monetary Authority.

  Considering that, the 2017 version of SAMA Cyber Security Framework is based on industry cybersecurity standards, such as NIST, ISF, ISO, BASEL, and PCI.

  Unfortunately, we do not know SAMA CSF deeply enough to provide you detailed information about common controls. What we can tell broadly is the relation about domains:

  • Cyber Security Leadership and Governance is related to ISO 27001 clauses 4 (Context of Organization), 5 (Leadership), 7.2 (Competence), and 7.3 (Awareness), and controls from Annex A sections A.6.1 (Internal organization) and A.7.2 (During employment)
  • Cyber Security Risk Management and Compliance is related to ISO 27001 clauses 6.1.2 (Information security risk assessment), 6.1.3 (Information security risk treatment), 8.2 (Information security risk assessment), 8.3 (Information security risk treatment), 9.2 (Internal audit), 9.3 (Management review), and controls from Annex A section A.18 (Compliance)
  • Cyber Security Operations and Technology is related to ISO 27001 Annex A sections A.8 (Asset management) to A.16 (Information security incident management)
  • Third Party Cyber Security is related to ISO 27001 Annex A sections A.15 (Supplier relationships) and A.17 (Information security aspects of business continuity management)

• A.11 Domain Requirements List

  Please note that ISO 27001 standard is an intellectual property of the International Organization for Standardization, and listing the specific requirements here would be a violation of those rights. You can buy the standard at this link: https://www.iso.org/standard/54534.html

  Broadly speaking, controls from section A.11 aims to protect information by protecting facilities (A.11.1 - Secure areas, with 6 controls), and equipment (A.11.2 - Equipment, with 9 controls). The selection of controls, and how to implement them, will depend on the results of risk assessment and applicable legal requirements. For support in the implementation, you can consider ISO 27002, a supporting standard which provides guidance and orientation in the implementation of controls from ISO 27001 Annex A

  These articles will provide you a further explanation about controls from section A.11 and selection of controls:

  • Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
  • How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
  • How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/
  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

  These materials will also help you regarding ISO 27001 implementation:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Controls for Stage 2 audit

  If you go for the certification audit, you should have most of the controls stated in the SoA as applicable implemented, and make sure that controls that mitigate the biggest risks are fully implemented.

  In other words, you can leave only a smaller number of less significant controls to be implemented after the certification. In such a case, you have to ask risk owners to accept the residual risks.

  This article will provide you a further explanation about certification:

  • Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

  This material will also help you regarding certification:

  • ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

• ISO 17025 accreditation cost

  I assume from your question, that your company has a testing laboratory which plans to implement a management system according to ISO17025:2017. The pathway to accreditation basically consists of 2 stages. Stage 1 is Implementation and maintenance. Stage 2 is application, assessment and awarding of accreditation by your national accreditation body. The costs depend on the current resources you have and the fees of your accreditation body. A big component can be the cost related to method development and procuring calibration services to assure metrological traceability. 

  Stage 1 starts with purchasing the standard, having personnel available to establish the processes and documented information (procedures and records), personnel to evaluate performance of activities (such as test method performance, handling complaints), perform internal audits and management to review the entire system. Here you can determine your costs through a project pan. Have a look at what Advisera can offer, and if using templates will be beneficial for your company. 
  For more  support, Download a free Project plan (MS Word) for ISO/IEC 17025 implementation at https://info.advisera.com/17025academy/free-download/project-plan-for-iso-17025-implementation; 

  Download the free Diagram of ISO 17025 Implementation Process at https://info.advisera.com/17025academy/free-download/diagram-of-iso-17025-implementation-process; and 
  Preview the ISO/IEC 17025:2017 Documentation Toolkit at https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  Stage 2  involves applying for accreditation. I recommend you contact your national accreditation body, the Philippine Accreditation Bureau, who is listed, along with their contact and website detail, in the ILAC MRA Signatory search page at https://ilac.org/signatory-search/. You can request a quote from them. 
  
  For more information on Accreditation, view the Advisera 17025 Academy Free webinar – What are the steps in the ISO 17025 accreditation process? This is available at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar-on-demand/

• Major vs Minor nonconformity

  In effect, if a minor nonconformity, raised during the previous audit, has not been resolved within the deadline – such a small nonconformity automatically becomes a major one.

  You can find more information in the following links:

  • Major vs. minor nonconformities in the certification audit - https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
  • Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ (includes a slide about developing checklist questions)
  • ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/
     

• ISO 45001 changes and challenges

  The main changes in Iso 45001 are the removal of the management representative and preventive action, and the addition of the requirements for context of the organization, top level risks and opportunities and format of the documented information requirements.

  The main challenges in the change to ISO 45001 for your OHSMS is in the identification of context of the organization, which includes interested parties, as well as how you may want to record this context. Along with the challenge of re-thinking risk for the OHSMS beyond just the risks posed by hazards.

  We had a webinar on the changes form OHSAS 18001 to ISO 45001, you can see a previous recording here: ISO 45001 vs OHSAS 18001 the main changes, https://advisera.com/45001academy/webinar/iso-45001-2017-vs-ohsas-18001-2007-the-main-changes-on-demand/ or you have questions on the changes you can sign up for the next webinar presentation on this topic which is occurring on July 15th, 2020, here: https://advisera.com/45001academy/webinar/iso-45001-2017-vs-ohsas-18001-2007-the-main-changes/

• Validation requirements for 13485

  According to the ISO 13485:2016, requirement 7.5.6 Validation of processes for production and service provision, processes that need to be validated are processes where the resulting output can not be verified by subsequent monitoring and measurement. As far as I understand your process, if you measure your device after the molding (eg. weight, height, shape, volume or similar) and during assembly, you can clearly see that medical device is properly assembled, that there is no need to validate that part of the process. However, you need to validate the start of the molding process, when temperature and pressure have to be adjusted so that the medical device of proper characteristics can be achieved. If your machine for molding has some software and if you get a new version of the software for that machine, that for the new version you need to be sure that it did not change the final product. 

  For more information on validation, you can see the following articles:

  • Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/
  • Production and service provision process in ISO 13485 - https://advisera.com/13485academy/blog/2017/12/13/production-and-service-provision-process-in-iso-13485/

  On the following links you can see how certain templates look like in our ISO 13485:2016 Documentation toolkit:

  • Record of Software Validation - https://advisera.com/13485academy/documentation/record-of-software-validation-iso-13485-2016/
  • Validation Report - https://advisera.com/13485academy/documentation/validation-report-iso-13485-2016/

  • Sterile Instruments Packaging

    There isn't anything in the ISO 13485:2016 about Sterile packaging changing color. It is rather specific because each manufacturer of sterile packaging has its own method of detection. However, in ISO 13485:2016 in requirement 7.5.7 Particular requirements for validation of a process for sterilization and sterile barrier system is stated that process for sterilization and sterile barrier system must be validated and that records of that validation must be maintained. It means that you need to define which is the criterion for sterilization to be declared successful. Therefore, you need to contact the manufacturer of sterile packaging to see how sterile barrier has to behave when the sterilization process is properly conducted.

    For more information on this topic, please see the following links:

    • How to manage the medical device sterilization process according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/how-to-manage-the-medical-device-sterilization-process-according-to-iso-13485/
    • Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/