So, you want to perform an environmental initial assessment in your lab in order to implement control.
Let us start with an example:
You need to determine all aspects and impacts under normal, abnormal and periodical situations. Then you need to evaluate those impacts and determine what kind of control or improvement you need in place, to improve your relationship with the environment.
You can start by getting a plant of your lab. Make several copies and use each copy for a specific environmental aspect. Please check this article to get a starting point about the main environmental aspects - Catalogue of environmental aspects - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/catalogue-of-environmental-aspects/
Let us consider, as an example, that you are with your lab plant for “hazardous chemical waste” (both in chemical form and materials contaminated with chemicals such as filters from a vent hood): Gather a team from the lab and go to each location and write, draw, comment in your lab plant all situations, all activities, where hazardous chemical wastes can be generated. You can repeat this procedure for every environmental aspect.
Then, you can organize all that information into a table and write the environmental impacts. Define an evaluation scheme to determine which aspects/impacts are critical or not. Please check these articles - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/ and - What makes an environmental aspect significant in ISO 14001? - https://advisera.com/14001academy/blog/2015/03/09/what-makes-environmental-aspect-significant-in-iso-14001/ to help design that evaluation scheme.
For each critical environmental aspect/impact you can design one or more actions. For example:
Please consider these sources of information:
That will depend on the extra benefits that your organization can get from being ISO 9001 certified. Do your company’s target customers value ISO 9001 certification besides ISO 17025 accreditation? If that is so, perhaps getting ISO 9001 certification could be useful.
Just implementing ISO 9001 on top of ISO 17025 accreditation can be useful if used by top management to introduce the business flavor. ISO 17025 is about technical competence. ISO 9001 has several business-related topics not included in ISO 17025 like:
You can perform an initial Gap Analysis to check what is missing from ISO 9001:2015 in your organization - Free ISO 9001:2015 Gap Analysis Tool - https://advisera.com/9001academy/iso-9001-gap-analysis-tool/
You can find more information below:
Let us use an example of what can be a flowchart for an internal audit process:
A process consists of a set of main steps. In one of these steps, an Audit Program must be established and approved. This Audit Program must be approved by someone who has been given the authority to do so.
However, the internal audit process includes more steps. The person responsible for the process as a whole is responsible for the fulfillment of the process purpose and for its effectiveness and compliance with the procedures. If your organization has a procedure describing the internal audit process it must have an item answering to the question: who is responsible for this process as a whole.
You can find more information below:
First, it is important to note that the concept of major and minor non-conformities is not commonly used in internal audits because the type of the identified non-conformity normally does not affect the development of the internal audit (as it occurs in certification and surveillance audits). Considering that:
Minor nonconformity - a non-conformity that does not affect the capability of the management system to achieve the intended results. An example might be that you find some people have not undertaken training that the organization has made mandatory (ISO 27001 clause 7.2), but you find that those people are still competent to carry out their tasks.
Major nonconformity - a non-conformity that affects the capability of the management system to achieve the intended results or in other words, when you have found that the requirement of the standard has not been met. For example, if an organization completely failed to fulfill a certain requirement; if a process has completely fallen apart; or if you have several minor nonconformities that are related to the same process, or to the same element of your management system.
Regarding your scenario, since you have several cases in the same process, you could consider it a major non-conformity, because of its recurrence.
This article will provide you a further explanation about major and minor nonconformities:
I have been in dispute with a care company over an invoice dating from late 2018. Basically the company was trying to charge my mother, who suffers from *** for appointments where they didn't turn up or left early to get to other appointments. I asked for some information under the "Freedom of Information Act 2000" several months back which the care company did not supply. Recently a Debt Recovery company contacted me reference the unpaid invoice. We have been in communication for several weeks now. This week I received an email from the Debt Recovery company; attached to the email was some of the information that I had requested from the care company. The attachments were a copy of my mother's contract with the care company, a copy of her Individual Care and Support Agreement and a copy of my Power of Attorney for my mother's finances.
Are the care company in breach of GDPR for sharing this information with a third party i.e. the Debt Recovery company?
First, you should verify if any privacy notice was given to your mother and if she signed it. She may have given consent to data processing and data transfer.
In any case, Article 6 GDPR paragraph 1 (b), (f) states that data processing (without consent) is lawful when it is necessary to perform a contract between the controller and the data subject or for the purposes of a legitimate interest of the controller or a third party. Therefore, transferring data to collect money for an unpaid invoice is considered lawful.
You should verify with a lawyer if the Member State where you live introduced some internal regulation over data processing in debt collecting procedure which limits data transferring in some way.
What can I do about this breach of confidentiality?
It can be considered a breach of confidentiality only if your mother signed a privacy notice where it was stated that personal data would not be transferred to any third party. Otherwise, it can be considered lawful.
Can I take the Care Company to court over this matter? As I am really not happy with them over this!
I can understand that you are not happy. You should ask for advice from a lawyer in your own country and verify if there is any chance to defend from their request on the basis of the care service provided.
You can find more information about data processing here:
You may also consider enrolling in this online EU GDPR Foundations Course:
EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
When auditing an integrated management system, one must consider the High-Level Structure of the management system standards. Auditing clauses 4, 5, 7, 9 and 10 is straightforward.
When auditing an integrated management system, one must consider two realities of an organization:
With clause 6 of each standard an organization determines risks around processes, products and business, compliance requirements, environmental aspects, risk of employee injury, and defines action plans and objectives.
When auditing, you follow an itinerary along its facilities where you audit processes (clause 8), and for each location the relevant environmental aspects and risks of employee injury and related procedures.
You can find more information below:
Thanks Kristina for your thorough explanation, this is very useful for distributors seeking to meet MDR requirements.
As you have mentioned, the key areas for distributors are Core documentation (CE certificate, Declaration of Conformity, compliant IFUs and labelling) and the implementation of a Quality Management System. Many distributors have an ISO 9001 Quality Management System in place, and may think this is all that is necessary. However, unless an organisation has implemented and maintained its QMS in accordance with the ISO 13485:2016 Standard and has been issued a certification from a registration body, then other requirements must be met in order to comply with the MDR.
Your comments regarding the expectation for compliance with ISO 13485:2016 through the application of the MDR as a harmonised standard and the differences between the ISO 13485:2016 and ISO 9001 Standards, will assist in creating a common understanding of the differences in requirements of the ISO 9001 Standard versus the ISO 13485:2016 Standard and the compliance requirements of medical devices here https://www.akstamping.com/medical
The phased approach for documentation and classification and submission of documentation and devices is an effective means of meeting MDR compliance.
Thank you for providing references and links to assist all distributors in their MDR preparedness.