Search results

Customer audits - 17025 requirement?

In all cases if a mandatory ISO 17025 requirement is not applicable to your laboratory, you simply state so in that section of your Quality Manual; or the relevant procedure (if you still need a procedure to cover other process that do apply to you).

You spoke of

the customer requests to monitor laboratory performance being an audit option for clients to 'come and see for themselves'.

The customer requests to monitor laboratory performance could involve a request to receive a report on your evaluation of any agreed service and Quality indicator such as turnaround time; or the validity of results -internal quality control and interlaboratory /PT performance.

You need to show that you would accommodate customer requests of this nature, if they arose.

You also mentioned

demonstrating or explaining in conversation the preparation of items for testing

Yes you are correct in your understanding - here, in your case the process is still relevant. The customer may be interested in you explaining some key aspects of the process to them. Doing this will provide them with confidence in the laboratory.

Customer complaint - reporting to the authorities

Yes, you see it correctly. I will paraphrase it: not each complaint will lead to non-conformity and to adverse vents eventually.

In MDR Article 2 Definitions - there is a good definition of what an adverse event is and that should be your guidance:

1. adverse event’ means any untoward medical occurrence, unintended disease or injury, or any untoward clinical signs, including an abnormal laboratory finding, in subjects, users, or other persons, in the context of a clinical investigation, whether or not related to the investigational device;

2. serious adverse event’ means any adverse event that led to any of the following:

• death;
• serious deterioration in the health of the subject, that resulted in any of the following: life-threatening illness or injury;
• permanent impairment of a body structure or a body function,
• hospitalisation or prolongation of patient hospitalisation,
• medical or surgical intervention to prevent life-threatening illness or injury or permanent impairment to a body structure or a body function,
• chronic disease,
• fetal distress, fetal death or a congenital physical or mental impairment or birth defect

Our toolkit is tailor-made, so if you think that better logic is to put Registry of Reports to the Authorities from section 08 Customer Complaints and Feedback to 15 Non-conformities, you are absolutely allowed to do that. 

Is ISO 13485 certification applicable for company which provides eQMS dedicated to medical device industry clients?

If you provide eQMS it is not necessary to have implemented ISO 13485. Rather to me, it seems that it would be helpful to have ISO 9001 and/or ISO 27001. 

MDR 2017/745

If you put on your own name those glasses frames on the market, then those frames are your medical device. It means that you need to have by yourself prepared Technical documentation according to the Annex II and Annex III of the MDR 2017/745. It means also, that you have to implement ISO 13485 in your company no matter that you are not producing anything by yourself.

If you are not putting those glasses frames with your own brand name, then the Declaration of conformity from the factory is almost enough. Besides that, you need to have also a description of the device, intended purpose, and specification.

For more information, please see:

• EU MDR Annex II - Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
• EU MDR Annex III - Technical documentation on post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/

• ISO 27001:2022

  First of all, sorry for this confusion.

  In the transition scheme, the 25/10/2022 date only means that ISO 27001:2022 is already a certifiable standard by the day of its release.

  To be able to issue the certification, certification bodies, and certification auditors working for them, will need to go through an update process to be qualified for that. Some certification bodies will be able to do this more quickly, others will be slower - in any case, we expect that some certification bodies will start certifying against the new 2022 revision very soon.

• Risk Assessment

  To see examples of associated assets, threats, and vulnerabilities, please see:

  • Checklist of cyber threats & safeguards when working from home https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
  • Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

  Regarding what you should choose from our list of threats and vulnerabilities, the best approach is to ask the people who work depending on this cloud software what their biggest concerns are, because from that you can identify which assets, threats, and vulnerabilities to consider.  

  For example, if they are concerned with losing data, then the assets where data is stored must be considered, as well as threats and vulnerabilities that can impact these assets vulnerabilities.

  For further information, see:

  • Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

• HIPAA vs ISO

  The general steps to be prepared for certification are:

  1) getting management buy-in for the project

  2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational and the requirements of interested parties

  3) development of risk assessment and treatment methodology

  4) perform a risk assessment and define a risk treatment plan

  5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)

  6) people training and awareness

  7) controls operation

  8 performance monitoring and measurement

  9) perform internal audit

  10) perform management critical review

  11) address nonconformities, corrective actions, and opportunities for improvement.

  This article will provide you with a further explanation of ISMS implementation:

  • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

  Regarding the relation between HIPAA and ISO 27001, ISO 27001:2013 has at least 47 controls that can be used to comply with HIPAA requirements such as:

  • Assigned Security Responsibility (164.308(a)(2)) can be related to control A.6.1.1 – Information security roles and responsibilities
  • Security Awareness and Training (164.308(a)(5)) can be related to control A.7.2.2 – Information security awareness, education, and training

  For further information, see:

  • Comparison of HIPAA compliance and ISO 27001 certification https://advisera.com/27001academy/blog/2021/01/27/hipaa-compliance-vs-iso-27001/

• ISO27001 clause & controls alignment

  Please note that there is no connection between individual clauses to particular controls.

  This is so because the purpose of the main part of the standard (clauses 4 to 10) is to manage security (e.g., risk management, internal audit, etc.), whereas the purpose of Annex A is to decrease risks with controls.

  The main part of the standard determines how to select safeguards, how to manage them, how to measure if they are successful, and so on, whereas Annex A controls describe what needs to be implemented.

  For further information, see:

  • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

  • Procedure for Design documentation management for medical devices

    No, we do not have a separate procedure for this. Managing documentation is covered within the Design and development procedure and Document control procedure.

  • Design & Development

    You may have all or most “Design and development” elements documented in your ISO 17025 QMS already, however you need to do a gap assessment (what you need versus what is in place) as there are specific requirements for ISO 9001:2015. Why I say “may” is it depends on what you have in place. Just because a laboratory is accredited to ISO 17025 does not automatically mean all the elements of ISO 9001 are there. The extent of implemented process, documentation and records varies from laboratory to laboratory.
    
    You need to look at the ISO 9001:2015 requirements as per the standard and or a checklist, including the mandatory documents (procedures and records). Confirm is the requirements are implemented, in which procedures the processes are documented and if the records you have include all the information required. If fully covered in your system, then you know clearly where they are. If not, either modify your ISO 17025 documents to add elements required by ISO 9001, or create additional documents.
    
    For more information, look at the resources available at the Advisera ISO 9001 Academy at https://advisera.com/9001academy/ Have a look at the Checklist of Mandatory Documentation Required by ISO 9001:2015 at https://info.advisera.com/9001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-90012015