Yes, you can make a self-declaration and put a CE mark on the device. Your Declaration will be checked by National regulations in the country where you will register the product.
Authorized representative is necessary for Manufacturers that are outside of Europe and want to sell their products on the EU market. So, if you want to sell your product in XYZ, you do not need an authorized representative.
For more information please read the following articles:
How to use ISO 13485 to comply with In Vitro Diagnostic medical devices (IVD) requirements in UK https://advisera.com/13485academy/blog/2017/10/26/how-to-use-iso-13485-to-comply-with-in-vitro-diagnostic-medical-devices-ivd-requirements-in-uk/
How to use ISO 13485 to get your devices approved for CE Marking https://advisera.com/13485academy/blog/2017/10/12/how-to-use-iso-13485-to-get-your-devices-approved-for-ce-marking/
According to requirement 4.1.6, the organization must document procedures for the validation of the application of computer software used in the quality management system. Software must be validated prior to initial use and after changes to such software or its application. It is mandatory to have a record of such maintenance.
If the vendor does not provide you a validation certificate, you can perform the validation by yourself, considering the aspects of the software that are most important for you.
For more details on how to establish process validation in the QMS, see this article: https://advisera.com/9001academy/blog/2017/01/31/how-to-establish-process-validation-in-the-qms/
If your reagent is not a medical device, then you do not need a medical device file and procedure for advisory notice. You can state in the Quality Manual that requirements 4.2.3 Medical device file and 8.2.3 Reporting to regulatory authorities are not applicable for your quality management system.
Risk analysis is applicable for you. You have to take a risk assessment for the whole production process of your reagent. It means from the purchasing and storage of raw material, to delivering the reagent to medical device company.
For more information about How to use ISO 14971 to manage risks for medical devices, you can read in the following article:
I recommend that organizations consider environmental risks and opportunities at three levels.
1. Environmental business risks and opportunities
Considering context and interested parties what risks and opportunities with impact can be determined? For example, in this webinar - How to perform management review according to ISO 14001:2015 - https://advisera.com/14001academy/webinar/how-to-perform-management-review-according-to-iso-14001-2015-free-webinar-on-demand/ - I use this example. Following a context assessment:
- Air emissions levels (internal issue)
- Legislation trends (external issue)
- Neighborhood complaints (internal issue)
- Technology evolution (external issue)
An organization can decide that air emissions reduction is a priority for next year to minimize the risk of being shut down by authorities due to stricter emission level limits.
2. Environmental risks and opportunities around internal activities
I recommend drawing a flowchart to identify activities and start determining environmental aspects and impacts. Then, for each environmental aspect I look for risks and opportunities around probable abnormal situations:
https://www.screencast.com/t/V1NTXLOs
3. Environmental risks and opportunities around the lifecycle of products and or services
Consider your suppliers. For example, a furniture manufacturer may consider timber’s provenance an important aspect because they want to avoid promoting illegal activities. What risks and opportunities can be associated with that aspect?
Consider your downstream business partners (distributors, customers, retailers, consumers, …). For example, what will the consumer do with the product after use? Any relevant impacts? Are there any circular economy opportunities to be considered? Remember the example of toys batteries – what will consumers do with them after use?
The following material will provide you more information about environmental risks and opportunities:
- Article – Lifecycle perspective in ISO 14001:2015 – What does it mean? - https://advisera.com/14001academy/blog/2017/02/20/lifecycle-perspective-in-iso-140012015-what-does-it-mean/
- Article - How does product life cycle influence environmental aspects according to ISO 14001:2015? - https://advisera.com/14001academy/blog/2016/03/21/how-does-product-life-cycle-influence-environmental-aspects-according-to-iso-140012015/
- Article - ISO 14001 risks and opportunities vs. environmental aspects - https://advisera.com/14001academy/blog/2016/06/06/iso-14001-risks-and-opportunities-vs-environmental-aspects/
- Article - Risks and opportunities in ISO 14001:2015 – What they are and why they are important - https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/
The best way to implement ISO 45001 is to take a systematic approach and work through the standard, starting with commitment and a gap analysis that identifies what you are already doing. Then work through a systematic process of implementing what you do not already have but is required. You can see the systematic way of implementation in the diagram below.
As for clause 5, many of the leadership requirements do not need documentation as they are a listing of top management OHSMS philosophy rather than what needs to go into a procedure. It is only mandatory for a procedure when the standard uses the term “documented information”, so in clause 5 you need to document objectives and worker participation and consultation, but not everything. You can learn more in the whitepaper below.
For more on the systematic way to implement ISO 45001, see the diagram: Diagram of ISO 45001 Implementation Process, https://info.advisera.com/45001academy/free-download/diagram-of-iso-45001-implementation-process
To ensure that you do not miss any documentation, see the whitepaper: Checklist of Mandatory Documentation Required by ISO 45001, https://info.advisera.com/45001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-45001
1 - Am I right in saying that the severity is based on the worst-case scenario that could occur based on the threat? For example, the threat that antivirus is not installed on a laptop. The worst-case scenario is someone gets our cloud admin permissions. However, this has never happened before as we do have antivirus in place just not the documented procedures. So it has the severity of the highest and occurrence of low. Due to the nature of our business, we want to have documented controls and mitigation in place for all our threats.
Answer: Your understanding is partially correct. While you do need to consider the worst-case scenario for the impact, in most cases any existing controls will reduce the likelihood.
For additional information, see:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
2 - This leads me to the treatment plan. We will put in place controls to treat this threat which I gave as an example. We will recalculate the risk evaluation after mitigation. Am I correct in saying that the severity and occurrence will not change in this case? Am I correct in saying the severity of the risk will never change just the likelihood of occurrence? Thank you
Answer: Please note that in the case you mentioned you already have a mitigation implemented (i.e., antivirus in place), and you only have to evaluate if by documenting the antivirus procedures the likelihood will change (clear available procedures reduce risk of antivirus misconfiguration).
Additionally, antivirus is a preventive control, and this kind of control indeed only affects the likelihood of occurrence, not risk consequence.
An example where a control will also reduce the impact is a fire suppression system. It will reduce both the likelihood (it will prevent most of the fires) and the impact (if the fire goes out, it will be put out much sooner), but please note that these cases where a single control affects both likelihood and impact are rare.
Your understanding is correct. The protection of Intellectual Property Rights must be applied not only to property rights of your own organization, but the rights of all interested parties included in the ISMS.
While for your own organization some implementation examples would be by means of legal clauses in contracts you have with others, and registering patents, the protection of third parties would also consider controls to avoid unauthorized use of patents, and software licenses of other parties.
The list in the article you've mentioned covers laws and regulations related to information security and business continuity, but does not cover all countries nor is fully up-to-date because it depends on voluntary contributions from our readers. To make sure you have the latest list of laws and regulations related to these issues, it would be best to hire a local legal adviser.
Regarding minimum requirements for external laboratory in IATF 16949, the organization shall have a defined laboratory scope that includes the capability to perform the required inspection, test, or calibration, by clause 7.1.5.3.2.
Also, external laboratories have to be accredited to ISO/IEC 17025 or national equivalent.
Please consider reading our article “What is ISO 17025”: https://advisera.com/17025academy/what-is-iso-17025/
Also, have in mind that calibration services may be performed by the equipment manufacturer when a qualified laboratory is not available for a given piece of equipment.
In our IATF 16949 Toolkit, you can find documentation in folder 16.Equipment: https://advisera.com/16949academy/iatf-16949-2016-documentation-toolkit/
Yes.
Please check ISO 9000:2015 definition of auditor. As long as the EMS Representative has the required competence and skills, he or she can be the Internal Auditor. Previous versions of ISO 9000 required auditors to be independent.
More information here:
- What competences should an ISO 14001 internal auditor have? - https://advisera.com/14001academy/blog/2016/07/04/what-competences-should-an-iso-14001-internal-auditor-have/
- Enroll for free in ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
- Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/