Search results

Inventory of assets

To fulfill the requirements of controls related to inventory of assets of ISO 27001 Annex A (controls A.8.1.1 and A.8.1.2), you do not need to have a specific policy or procedure for asset management/inventory. It is sufficient to have the records showing the asset and the owners.

This article will provide you further explanation about inventory of assets:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

Purpose of a company´s Data Protection Policy

The right answer is "d. All of the above" because Data protection policy allows a company to guide its employees on key aspects of GDPR by establishing its principles in line with the GDPR and it is a key component of the accountability principle. 

GDPR structure establishes principles on how organizations must process personal data, such principles must be adapted by each organization to their own data processing activity. 

Answer c does not imply that the company formulates "new" principles, as principles are inside the GDPR. It implies that principles in line with GDPR are formulated into company principles to adapt to concrete company data processing. 

I.e. GDPR does not say company how long to store collected data, it establishes the principle of minimization of processing. In the Data Protection Policy, however, the company must set a principle to help employees to deal with this principle. The company may establish that collected CVs from job applicants are deleted as soon as the job position has been covered. From this principle comes the rule to HR department "delete every CV you received as soon as the selected candidates start working and no later than the trial period ends." Therefore, in this example, there is a GDPR principle (data minimization), a company principle (collected CVs must be deleted) and a rule for the HR department. 

In other words, Data protection policy explains how employees and company will process data and, though it is not directed to customer, it helps Supervisory Authority to verify that anything is declared in the Privacy policy (i.e. how data are processed) is coherent with principles and instruction given to employees, and with the internal company interpretation of GDPR. This is why the correct answer is d. All of the above.

For more information, see the following article:

Addressing TPM

Unfortunately, our IATF 16949 documentation toolkit does not contain TPM documents. However, these are some documents in our toolkit which are related to equipment maintenance. There are some documents under our ITAF 16949 Toolkit which are related to equipment maintenance. They are located in the folder 16 Procedure for equipment maintenance and measuring equipment. You can see the link address as below. These documents are very limited for TPM activities.

Feel free to check out our IATF 16949 Documentation Toolkit and the List of documents here:

IATF 16949 clause 8.5.1.5 defines requirements for total productive maintenance activity, but it does not define how it needs to be documented.

As you know, TPS is a system of maintaining and improving the integrity of production and quality systems through machines, equipment, process, and employees to add value to the organization.

Toyota production system defines TPM activities and there are different levels of TPM, from level 1 to level 5.It is not easy to apply full TPM in the first step; this is a culture for management for all organization activities, not only maintenance but also full systematic of organization management with Quality, Production, Maintenance, HSE, Planning,etc.

You can find more detailed documentation in Toyota TPM culture, TPM books and/or TPM trainings. 

Documents and forms that can be included as follows:

a) Daily machine control forms by operators

b) Weekly, Monthly, 3 Monthly, 6 Monthly, Yearly (accordign to machine/equipment situation and handboook) maintenance plan ans records

c) Machine maintenance wotk instructions for new maintenance

d) Break down records with MTTR and MTBF target and results

e) OEE targets and results

f) Spare parts for machines and equipments, minimum amd maximum levels

g) Machine break down reaction plans and operator trainings

h) Break down analyses and corrective action plans for improvements.

Internal Complaint

Internal OH&S complaints in ISO 45001 should be addressed as with any other process nonconformity, with the corrective action system required per clause 10.2, Incident, nonconformity and corrective action. These identifications of OH&S problems by employees are a key improvement opportunity, and are common in the OHSMS (although not everyone would call them complaints).

For more on corrective action in the OHSMS, see that article: Using corrective actions to eliminate nonconformities and drive health & safety improvements, https://advisera.com/45001academy/blog/2017/02/15/using-corrective-actions-to-eliminate-nonconformities-and-drive-health-safety-improvements/

MDR 2017/745

Liability insurance is designed to protect your property as a whole from claims by third parties. Your property is not physically insured under this policy, but it is protected from being reduced, as the insurer will pay out compensation to a third party on your behalf. This insurance protects your economic interest. 

In MDR, Article 10. General obligations of Manufacturers is stated that natural or legal persons may claim compensation for damage caused by a defective device in accordance with applicable Union and national law. Manufacturers must, in a manner that is proportionate to the risk class, type of device and the size of the enterprise, take measures to provide sufficient financial coverage in respect of their potential liability under Directive 85/374/EEC (on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products).

A lot of different insurance companies can offer you this kind of insurance, so please look through the internet.

Certificate of calibration

I understand from your question that a calibration certificate was not received. The answer is no, a receipt cannot be used in place of a calibration certificate. ISO 17025 has specific requirements for the suitability of equipment and its calibration. The laboratory must ensure that equipment conforms to specified requirements. Evidence that equipment can perform as required may, depending on the equipment, be a specific qualification or verification process which may be provided in some part by the provider. The laboratory needs to verify this post installation, on your site. If the use of your equipment is to establish the metrological traceability of reported results or if the validity of the reported results is affected by measurement accuracy and or uncertainty, then you need calibration and a calibration certificate which meets ISO 17025 requirements of for calibration reports.

The following articles will provide further information related to equipment and calibration

• What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
• Calibration of measurement equipment  https://community.advisera.com/topic/calibration-of-measurement-equipment//
   

The relevant ISO 17025 document template, Equipment and Calibration Procedure, as well as a list of related documents, is available for download at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure//

Legal basis and contracts

It depends on the purposes of data processing. If the data processing is related to give execution to the contract, article 6, paragraph 1, letter b GDPR, states that the processing is lawful under GDPR when "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".

Of course, this is limited only to the performance of the contract. You must inform the data subject about data processing by providing your privacy notice. You may need consent form even if you are working on the contractual legal basis if your data processing purposes go beyond the contract (i.e. marketing purposes).

You may find some useful information here:

• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
• Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/

You may also consider taking our free Foundation GDPR Course: https://advisera.com/training/eu-gdpr-foundations-course// 

ISO 9001 and remote audits

Thanks

Bar codes under MDR

In MDR, Chapter III - Requirements regarding the information supplied with the device it is stated that all labels for medical devices must be provided in a human-readable format and may be supplemented by machine-readable information, such as radio-frequency identification (‘RFID’) or bar codes.

In ANNEX VI – Information to be submitted upon the registration of devices and economic operators, in Part C are guidelines on how to implement bar code in UDI number.

There are also several guidelines from the Medical device coordination group (MDCG) showed in the table:

MDCG 2018-1 v3                Guidance on basic UDI-DI and changes to UDI-DI

MDCG 2019-1                     MDCG guiding principles for issuing entities rules on basic UDI-DI

MDCG 2019-2                     Guidance on application of UDI rules to device-part of products referred to in article 1(8), 1(9) and                                                1(10) of Regulation 745/2017
MDCG 2018-2                     Future EU medical device nomenclature - Description of requirements

Link to this table and all guidelines is: https://ec.europa.eu/growth/sectors/medical-devices/new-regulations/guidance_en

For more information, see the following article: 

EU MDR – Easy-to-understand basics https://advisera.com/13485academy/what-is-eu-mdr/

FAI vs Design Validation?

FAI is referenced in clause 8.5.1.3 of AS9100 Rev D as an equivalent to “production process verification”. That is because the FAI process does a lot more than just validate the design, it verifies that all the processes, documentation and tooling utilized to create the first product are working properly to meet the design requirements. The FAI gives you a “line in the sand” stating, when everything was set up in this manner the product created meets the requirements. Design validation is making one article to show that the design can work.

In answer to your question, though, this greatly depends on how your customer has defined the FAI and design validation requirements. The FAI does show that the design works, but it also shows much more and a failure in FAI might be due to other situations in the processes and could give a false negative of your design validation. However, if your customer accepts this as a design validation then it could be acceptable.

Find out more on FAI in the article: How does First Article Inspection fit into AS9100 Rev D?, https://advisera.com/9100academy/blog/2017/11/07/how-does-first-article-inspection-fit-into-as9100-rev-d/