Search results


  • FMEA:2019

    First of all, I should mention that there is no document named FMEA 2019. I guess you asked about the new FMEA, its full name is AIAG & VDA FMEA Handbook 1st Edition 2019. 

    The type of FMEA application is determined by the customer-specific requirement. If your automotive customer-specific requirement has stated that you should implement the new FMEA, then you shall be using this new FMEA application before the IATF 16949:2016 certification audit. If you do not have any customer-specific requirements regarding FMEA application, I recommend you apply the AIAG FMEA rev 4 manual because this FMEA is already valid and useful.

    For more information, please read the following article: 

    What is FMEA, and how to apply it in IATF 16949: https://advisera.com/16949academy/blog/2017/09/06/what-is-fmea-and-how-to-apply-it-in-iatf-16949/

  • Annex A

    In general, justifications for applicability, or not, of controls from ISO 27001 Annex A are based on perceived risks and legal requirements (e.g., laws, contracts, or regulations).

    Considering that, these are some examples:

    • Control A.x.x is applicable to treat risks <include there the ID of the risks from the risk treatment table>
    • Control A.x.x is applicable to comply with a legal requirement <include here the name/number of the law, regulation or contract>
    • Control A.x.x is not applicable because there is no unacceptable risk or legal requirement that demands the implementation of this control.

    Please note that included in the toolkit you have access to a video tutorial that can help you with the Statement of Applicability, which provides examples with real data.

  • Procedures for IATF

    The procedure writing method for IATF 16949:2016 standard is not different from ISO 9001:2015 standard. 

    As you know a procedure states how the process needs to be done. 

    A procedure offers a general description of how a company meets a process requirement and the procedure consists of more specifics. 

    This includes scope, objective, responsibilities, references, application, specific tools, methods, measurements, and historical change of procedure.

     

    There are 7 steps in writing quality management system procedures for ISO 9001:2015 and IATF 16949:2016 standards. 

    These 7 procedure writing steps are listed below, respectively.

    1) Decide on the process limits.
    2) Gather the information.
    3) Align with other documents and processes.
    4) Define your document structure.
    5) Write your document.
    6) Get approval for your document. 
    7) Train the relevant employees. 
     

    For more information, please read https://advisera.com/9001academy/blog/2015/03/10/7-steps-in-writing-qms-policies-and-procedures-for-iso-9001/ and please visit our IATF 16949:2016 Documentation Toolkit: https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/

  • ISO Obsoleted Documents

    If a document is made obsolete, it is replaced by a new version. If you later decide to return to use the structure or content that has become obsolete, you still must update the code that identifies the version again.

    Something like this:

    https://www.screencast.com/users/ccruz5284/folders/Default/media/f5b8cc0b-123a-45e2-a9f1-b8172fadf047

    Whenever you change a document you have to update the version counter. 

    You can find more information below:

     

  • Context & Interested Parties External and internal issue UNDER 45001

    Just as everything in the ISO 45001 standard, the internal and external issues from clause 4.1 need to be unique to the organization, and as such I really can’t list out the issues that will affect your company specifically. Additionally, the ISO 45001 standard is talking about top-level internal and external issues, much like those that senior management might identify in a SWOT analysis, and not necessarily the issues of individual processes or necessarily linked to interested parties.

    You can learn more about identifying these issues in the article: Defining the context of the organization according to ISO 45001, https://advisera.com/45001academy/blog/2016/02/03/defining-the-context-of-the-organization-according-to-iso-45001/

  • ISO 13485 certification

    These masks are class I medical devices, so they do not need a certified CE mark. It is enough that manufacturers have ISO 13485:2016 and masks must be done in accordance with ISO 14683:2014 Medical face masks — Requirements and test methods. Proof that these masks are prepared according to this standard must be written on the packaging and in the Declaration of conformity, which the manufacturer must provide.

  • Integrated Management System

    1. We have integrated the 3 risk registers and have been having monthly risk meetings but we would like to find out how often would the SOA change from the ISO 27001 perspective?  Would it be after each risk meeting?  What happens if a control has been implemented and another risk is identified to the same control? 

     ISO 27001 does not prescribe how often the SoA should change, but you should consider updating the SoA every time there is a need for significant change in applicable controls (e.g., a new control is included, a control is excluded from SoA, an implementation method is changed, etc.). This need can come not only from risk meetings but also from management review, non-conformity treatment, etc.

    In case a control has been implemented and another risk is identified to the same control, you have to evaluate the impact of not treating this risk until the next planned review of the implemented control to decide if an early change is needed.

    For further information:

    2. We are approaching our surveillance audit soon and would like to find out what an auditor would typically look out for during the surveillance audit.

    The surveillance audit is performed the same way as a certification audit. The difference is that it covers only part of the ISMS scope (evidence of the fulfillment of the mandatory requirements and of part of the applicable controls in a sample of the process in the ISMS scope).

    These materials will provide you with a further explanation about surveillance audits:

  • CISA or CISM course

    Good and effective content and informative one too.

  • Management review

    If you implemented a quality management system and want to keep it certified, you have to perform at least a yearly management review. That requirement is not included in ISO 9001:2015 but is included in the contract with the certification body. The same applies to internal audits: certification bodies expect that the whole system must be audited at least once per year.

    You can find more information about management review in the following links:

  • Control of infrastructure

    Considering software validation, in requirement 4.1.6 of ISO 13485:2016 it is stated that activities associated with software validation must be proportional to the risk associated with the use of the software. Therefore, it is up to you to define which software can influence both the quality of the medical device and the management system.

    Considering the maintenance of the infrastructure, in requirement 6.3 Infrastructure of ISO 13485:2016 it is stated that the organization must document requirements and records for the maintenance activity when such maintenance, or lack of it, can influence the product quality. These requirements must definitely apply to equipment used in production (e.g. different machines used in the production of a medical device: molding machine, packaging machine), control of the work environment (e.g. equipment for measuring temperature and humidity), and monitoring and measurement (e.g. scales, thermometers, pressure valves).

    Therefore, no, you do not need records for each computer and each desk, but rather for those that can in any way influence the quality of your device and/or service (e.g. the following software definitely needs validation: software used in the calibration of equipment, software that manages production, software that manages quantities in storage and manages invoices and delivery notes).
