Validation documents are necessary according to the ISO 13485:2016 requirement 7.5.6 Validation of processes for production and service provision. Manufacturers need to have a documented procedure for the validation and records of the results and conclusions of validation.
When it comes to product quality in injection molding, machine and tool validation is fundamental to creating a stable manufacturing process and de-risking the project. The purpose of validation is to ensure that injection molders have a stable and dimensionally centered process that consistently produces high-quality products. Validation is basically providing the scientific evidence that the machine and tool are repeatedly doing everything you expect them to do, every minute of every day.
For more information about validation please read the article on the following link:
Using ISO 13485 to manage process validation in the medical device manufacturing industry https://advisera.com/13485academy/blog/2017/09/07/using-iso-13485-to-manage-process-validation-in-the-medical-device-manufacturing-industry/
Of course you can do it; any of the options you present to me is valid. In addition, the positions in the organization, as well as the responsibilities and competencies for each of the functions, must be clearly defined, and if these are collected in a single document it is easier to know who is responsible for what. On the other hand, in this way it is easier to determine the training needs of each of the roles within the organization.
These materials may help you better understand the roles and responsibilities within ISO 9001:2015:
- Article - How to document roles and responsibilities according to ISO 9001: https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
- Enroll for free in this course - ISO 9001:2015 Foundations Course - https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
First, it is important to note that products cannot be certified against ISO 27001. Processes and services which support a product can be certified.
Considering that, since information related to the product flows through IT assets and the access to the product itself is provided by Corporate IT, Corporate IT process should be considered part of the scope, not a dependency.
This article will provide you further explanation about defining scope:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
1. Considering the initial risk assessment is done taking into account controls already in-place, is it accurate to say that if these controls are sufficient, there should be no change between the inherent and residual risk score?
Your understanding is correct. If the assessed risk, considering controls already in place, is considered acceptable according to your defined criteria, then assessed risk and residual risk are the same.
2. Added to which, are there any circumstances where you would risk assess assuming NO controls? You wouldn't approach a risk assessment for crossing the road with worst-case scenario at the outset, i.e. with a blindfold, earplugs and at rush-hour there is a high probability you will be killed?! That can't be your starting point or all risk assessments would be artificially skewed.
An example of a circumstance where you would assess a risk, assuming NO controls applied, is to identify the full impact of the risk occurring, so you can evaluate whether the effort and cost of applied controls are worthy.
This article will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding risk assessment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Although ISO 45001 does not include requirements for lockout/tagout, this does come under the clause 6.1.3, determination of legal requirements and other requirements, as there are many locations which have legal requirements for lockout/tagout procedures. As this is the case it is important to know what your applicable laws about lockout/tagout procedures are so that you can design your procedures to meet the requirements. The legal documents will tell you when a lockout/tagout procedure needs to be put in place.
In general, the idea is that when a piece of machinery is having work done to it outside of regular production, such as maintenance, you have a way to make sure that it is safeguarded against start up so that employees are not injured during the maintenance. One common method of doing this is to have each employee who is working on the machinery have their own tag or lock which they put in place to stop the machine from engaging; and only that employee can remove their tag or lock. These often go on the start mechanism such as the electric panel of the equipment. So, if 4 people are working on a machine, there will be 4 individual locks in place and only once the last lock is removed by the last employee is the machine able to start. Since no one but the employee who put the tag/lock in place can remove it, you are certain that all employees are safely away before start up.
For more on ISO 45001 legal requirements such as lockout/tagout and how to handle them, see the article: How to identify and comply with legal requirements in ISO 45001, https://advisera.com/45001academy/blog/2015/06/24/how-to-identify-and-comply-with-legal-requirements-in-iso-45001/
To answer your question, I will address your overall question of how to effectively implement corrective actions, which incorporates the step of root cause identification.
To address corrective action effectively, you will start with a documented procedure which specifies which events are considered to be deviating (nonconforming), as well as the processes (sequence of steps) that the laboratory must take when complaints are received, nonconforming work is identified, and corrective actions are required. This procedure will apply to all laboratory activities that may be the subject of complaints or nonconformities and will, therefore, cover technical and non-technical deviations from the planned objectives of the laboratory. The assigned responsible person must decide, after initial investigation, if a containment (immediate) action is required; based on the impact or seriousness of the complaints or nonconformity.
A Corrective Action form must be used to capture all incidents, complaints and nonconformities to ensure the correct personnel are informed and the root causes of problems are identified. Getting to the root cause could involve a number of techniques, where the laboratory will select suitable tools from those listed in the procedure, for the specific type of event. Either way, it is essential to clearly state the problem in order to get to the root cause and thereafter select the appropriate action that will correct the issue and prevent it from reoccurring.
These articles will provide further guidance. Written for ISO 9001, they are also applicable to ISO 17025:
Seven Steps for Corrective and Preventive Actions to support Continual Improvement https://advisera.com/9001academy/blog/2013/10/27/seven-steps-corrective-preventive-actions-support-continual-improvement/
ISO 9001 – Difference between correction and corrective action https://advisera.com/9001academy/blog/2016/02/09/iso-9001-difference-between-correction-and-corrective-action/
How to use root cause analysis to support corrective actions in your QMS https://advisera.com/9001academy/blog/2016/03/01/how-to-use-root-cause-analysis-to-support-corrective-actions-in-your-qms/
These ISO 17025 templates could also be of interest:
Complaint, Nonconformity and Corrective Action Procedure https://advisera.com/17025academy/documentation/complaint-nonconformity-and-corrective-action-procedure/
Corrective Action Report (CAR) https://advisera.com/17025academy/documentation/corrective-action-report-car/
21 CFR 820 is the current quality system for medical devices used by the FDA. There is no requirement of conformance with ISO 13485. Each standard (21 CFR 820 and ISO 13485:2016) may have additional requirements, but the requirements do not conflict with one another. While 21 CFR 820 compliance is required by law for the commercialization of medical devices in the United States, ISO 13485 is voluntary.
If you need information on the differences and similarities between FDA 21 CFR Part 820 and ISO 13485, please read the article on the following link:
ISO 14001:2015 does not include definitions for emergency or abnormal operation.
I use the term abnormal for situations different from normal operation. For example,
Although abnormal, the environmental impact is not severe.
I use the term emergency for an unplanned situation with severe environmental impact.
A machine breakdown is unplanned, and environmental impacts are severe (we have an emergency situation) or not severe (we have an abnormal situation).
In IATF 16949 requirement 7.2.3 there are new requirements more demanding than in the previous version.
Some of them are:
- Using risk-based thinking, customer-specific requirements, quality technology and methods (core tools)
- ISO 19011 as standard for audits
- Knowledge for process-related risks analysis (FMEA)
- Demonstrate technical competence of auditors
Also, maintenance of and improvements in internal auditor competence shall include minimum numbers of audits per year and knowledge maintenance.
For more information, please read the article:
Requirements for the competence of IATF 16949 Internal auditors https://advisera.com/16949academy/blog/2017/10/19/requirements-for-competence-of-iatf-16949-internal-auditors/