Search results

ISO 13485 requirements for outsourced processes under MDR

According to the MDR, all production processes are the responsibility of the Manufacturer, no matter that some of the parts of the production are conducted in other companies.   It means that the manufacturer will need to ensure that sub-contractor has proper processes and documentation in place. This can be done in several ways:

That sub-contractor implements a quality management system by themselves. That Manufacturer provides to the sub-contractor proper documentation and records. Manufacturers need to have control over the processes performed at the sub-contractor. Usually, it is done by quality agreement where all responsibilities of the sub-contractor will be stated; and periodically auditing the sub-contractor.

In the following article, you can find more information:

• How can ISO 13485 help with MDR compliance? https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/

• Integration suggestion on QMS (AS9100) & ISMS (27001)

  Inclusions and exclusions in the scope of ISMS will depend on the information, your organization wants to protect.
  You need to identify in which part of your company is your most valuable information - see the details here: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

  For example, if the most important information is about new products, then the Research & Development process/department must be in the scope. If the most important information is about customers, then the Customer support process/department must be in the scope. You can also define all the organization's information as part of the ISMS scope.

  This article can provide you further answer about integrating management systems (the general concept applies to your case):

  • How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

  These materials will also help you regarding scope definition:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Certified company not taking the audit comments

  Thank you for sharing about 4 effective risk mitigation strategies, these will be really helpful for me. I love reading this blog; it talks so much about planning a great idea about it. Keep sharing such informative articles in future, will be appreciated. See @ https://parapet.com/Solution****************************

• How to report to senior management

  ISO 9001:2015 does not prescribe a specific method. Clause 7.4 mentions the use of:

  • what to communicate;
  • when to communicate
  • with whom to communicate;
  • how to communicate;
  • who communicates.

  So, about communicating to senior management we need to decide first what do they want or need to receive. Perhaps:

  • performance information about processes and the whole management system;
  • sales performance information;
  • complaints information;
  • costs information;
  • defects information;
  • customer satisfaction information

  Then, decide frequency, the when: Weekly? Monthly? Quarterly?

  And the how – Meeting report? Special report? Digital dashboard?

  The following material will provide you information about communication:

  • Communication requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
  • You can enroll for free in this ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Incorporation of conformity assessment in QMS

  Conformity assessment is a process that is used to demonstrate that a product meets specified requirements. In the case of medical devices, it means that conformity assessment is a process of demonstrating whether the requirements of MDD (93/42/EEC) or MDR (2017/745) relating to the device have been fulfilled. So, all documentation, tests, and reports according to the applicable regulations need to be done. It means that you need to define your processes in the way to collect all of it. 

  Here you have a direct link to Annex 9 of the MDR

  • Conformity assessment based on a quality management system and assessment of the technical documentation: https://advisera.com/13485academy/mdr/conformity-assessment-based-on-a-quality-management-system-and-assessment-of-the-technical-documentation/

  • Defining Scope

    1. How to define Scope

    You need to identify in which part of your company is your most valuable information. You can start this by identifying which information is important for your organization to achieve its objectives and be compliant with applicable legal requirements (e.g., laws, regulations, and contracts)

    Generally speaking, for a company of up to 100 employees, the best option is to include the whole company in the scope.

    These articles will help you:

    • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    2. Can we say that a company is certified if it is just a part that meets the standards?

    You need to check the specific procedures on how to communicate the certification status to external parties with the certification body, but generally speaking, wherever you display information about the certification status you also need to provide information for people to verify the certification scope (e.g., the certification number, a link to a copy of the certification, etc.).

    3. A company that builds an IT solution. Can we make a difference between its business infrastructure and the product infrastructure?

    You can define the ISMS scope considering only specific parts of your organization, but in general, this is worthy only for bigger organizations.

  • ISO 27001 + TISAX

    We are not experts on TISAX, but what we can tell you, based on ISO scenario, is that you have to consider:

    • legal requirements (e.g., laws, regulations, and contracts), to understand if TISAX is mandatory for your industry
    • business objectives, to understand if the TISAX certification and maintenance effort is worth the expected benefits

    This article will provide you a further explanation about TISAX and ISO 27001:

    • How ISO 27001 and TISAX are related https://advisera.com/27001academy/blog/2019/03/11/how-iso-27001-and-tisax-are-related/

  • Context of organization - culture, beliefs, values, or principles

    Clause 4.1 of ISO 9001:2015 mentions internal and external issues. Culture, beliefs, values, or principles inside the organization are internal issues. For example, different organizations have different risk aversion cultures. For example different organizations have different beliefs concerning short and long term investment.

    The following material will provide you information about the context of a management system:

    • How to identify the context of the organization in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-identify-the-context-of-the-organization-in-iso-90012015/
    • How to Align Company Culture with ISO 9001 - https://advisera.com/9001academy/blog/2014/10/14/align-company-culture-iso-9001/
    • Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    • Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    • Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Process approach auditing

     

    how to use the approach with top management and some support functions

    I use the process approach in my audits for many years. However, when auditing top management, I mix the process approach with the clause approach. For example: management review, quality policy and objectives, risks and opportunities, context and interested parties, monitoring, and evaluation.

    Am on the right thought path with "the process style" of auditing?

    Yes, I believe you are, based on your description.

    what clauses are most useful to audit against for different types of processes?

    Let me show you the turtle diagram:

    

    You can audit a process and consider one or more ISO 9001:2015 clause(s) relevant from section 8. But for any process, you can use the turtle diagram and list several other clauses that you can audit:

    

    You can find more information about auditing below:

    • Article - ISO 9001 Audit checklist: https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
    • Article - How to create a checklist for an ISO 9001 internal audit for your QMS: https://advisera.com/9001academy/blog/2016/07/12/how-to-create-a-check-list-for-an-iso-9001-internal-audit-for-your-qms/
    • Free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/ (includes a slide about developing checklist questions)
    • ISO 9001:2015 Internal Auditor Course: https://advisera.com/training/iso-9001-internal-auditor-course/
    • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

  • ISO 14001 controls

    An environmental management system based on ISO 14001 is based on the assessment of how an organization interacts with the environment. Those interactions are called environmental aspects. Each environmental aspect has consequences for the environment – environmental impacts. Organizations should assess and evaluate environmental aspects and impacts and determine action plans to improve or control environmental performance.

    
    Please consider these sources of information:

    • Article - 4 steps in identification and evaluation of environmental aspects - https://advisera.com/14001academy/knowledgebase/4-steps-in-identification-and-evaluation-of-environmental-aspects/
    • Article - Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    • Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/