
  • Writing a production instruction manual guide


    Answer
    I can only give you general guidelines. I recommend gathering a team and start with drawing a flowchart of your production process. Then take advantage of the collective knowledge and start determining what can go wrong with your process. Yes, use the risk-based approach and determine what can go wrong with your process that can affect:
    The safety of your people;
    The quality of your products;
    The cost of your production;
    The planning of your production.
    Then, link those potential risks to the activities where they can act or where their impact can be sensed.
    Now, considering those activities and risks, identify what process parameters or material/product parameters should be controlled to check if everything is OK. Then define:
    Who will control those parameters;
    When will those parameters be controlled;
    What targets and specifications will determine if the activity is OK or NOK;
    What monitoring resources will be used;
    Is there any need for visual samples to determine OK or NOK state?
    Where will the control result be recorded?
    Who will analyze performance trends?
    Will work instructions be needed to help perform any of those activities, minimizing nonconformities and variation?

    I hope this can give you a frame to start that project.

    The following material will provide you more information about production control:
    - ISO 9001 – Managing Production and Service Provision using ISO 9001 - https://advisera.com/9001academy/blog/2017/11/21/managing-production-and-service-provision-using-iso-9001/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Method for recording inspection activities


    I am interested in moving towards this method of capturing data as we currently only record dimensional data on a paper that is filed away. Data is not being used in SPC or any track/trend analysis. If something is found out of tolerance, the manufacturer is notified of the issue.

    Reading ISO 13485:2016, it seems that sections 7.4.3 & 4.2.5 only state that inspection activities are to be established and maintained. I believe the method described above would be acceptable and would like to have an outside opinion. Thanks!

    Answer:

    The method that you described above is acceptable if you are ok with that. Here is just important to point out that the company determines the specification of the purchased product, and that the company is solely responsible for how thorough the verification of the purchased product will be. If using this method you are sure that you will see and register products that stand out from the required measures, then this is acceptable.

    For more details on how to implement requirement 7.4, please read article: How can ISO 13485 clause 7.4, Purchasing, enhance procurement?
    https://advisera.com/13485academy/blog/2018/04/18/how-can-iso-13485-clause-7-4-purchasing-enhance-procurement/
  • Validation vs Verification

    Thanks for your input

  • Withdrawing documents


    Answer

    There is not a single answer. Each organization should develop its own approach. One can consider that withdrawing a document is another way of changing its version. Any document introduced and any following changes must be approved by an authorized function. Any document change should be communicated to users, formally or informally. So, for example, I would like to see evidence that the withdrawal was approved by an authorized function, and I would like to see evidence of that communication; if it was informal, I would like to interview different previous users to check if they were informed. Different organizations will use different levels of formality.

    The following material will provide you more information about document control:

    - ISO 9001 – How to set up document approval/withdrawal within your QMS based on ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/04/12/how-to-set-up-document-approvalwithdrawal-within-your-qms-based-on-iso-90012015/
    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book – Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
  • ISO 27001 implementation project


    1. Would it be a good idea to start with a narrow scope and then extend it with time? (The top management is only interested in certification)

    Answer: Depending upon the size of the organization (up to 50 employees) it may be better to include the whole organization in the scope, because the effort to separate the elements of the scope from other elements of the organization may not be worthwhile. In other cases you can start with a small scope and extend it over time, if this is of interest to the top management.

    These articles can provide further information:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    2. How would I split the tasks among my team? For example, should I ask one person to perform the risk assessment and then another person to perform the risk treatment? Or should these tasks be shared among the team?

    Answer: This will also depend on the size of the organization's scope, and the size of the implementation team.
    A common approach is to establish a project team which will divide the project among themselves, but you have to note that there will still be some tasks for people outside of this team - e.g. performing a risk assessment for particular departments, reviewing specific documents, etc.

    This article will provide you further explanation about defining responsibilities on project implementation:
    - RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/
  • ISO 45001 integration with ISO 9001

    (1) Can I incorporate the ISO 45001 into our ISO9001:2015 QM. I am not sure how to do so. Procedures I can handle using a separate volume.
    Answer: You are correct, OHSAS 18001 is being replaced by ISO 45001:2018, and companies who have the previous standard in place need to transition before 2021 to keep a valid certification for their OHSMS. As for incorporating ISO 45001 into an ISO 9001:2015 management system, this is certainly possible and often preferred. Both standards now follow the same document structure so it is easy to see what is common, such as internal audit, control of documented information and management review. In this way you can even use the same processes and procedures for these common elements and ensure that you cover both aspects of the processes.
    You may find it helpful to read the free whitepaper: How to integrate ISO 45001 with ISO 9001 and ISO 14001, https://advisera.com/45001academy/blog/2018/09/12/how-to-integrate-iso-45001-with-iso-9001-and-iso-14001/

    (2) - how would certification bodies audit us - in one go or separate occasions?
    Answer: When a company has more than one certification it is possible to have one certification body perform the certification audits together, at the same time. There will be additional auditing time allotted, but like the internal audits it is possible to audit some elements together and cover both standards. However, this would only be the case if you have the same certification body for both standards, and if you chose to have different certification bodies for each standard, they may not be able to do a joint audit.
    To better understand the requirements of ISO 45001:2018, see our whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001
  • Personal data breach and DPO


    Answer:

    You can find readily available templates for a Data Breach Policy, as well as notification templates to be used when subject to a personal data breach, in this EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/).

    The same toolkit also contains a Task Description that can be used when appointing a DPO.
  • ISO 27017 and ISO 27018 certification


    Answer: First it is important to note that ISO 27017 and ISO 27018 are not certifiable standards (some certification bodies "certify" against ISO 27017 and ISO 27018, but only during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series).

    Considering that, the ISO 27001 certification is valid for three years.

    These articles can provide further information:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
    - ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

    2. Are there surveillance audits every year as with ISO 27001?

    Answer: If your certification body includes in the certification a statement that you are also compliant with ISO 27017 and ISO 27018, the surveillance audits will be the same as for a normal ISO 27001 certification, normally one each year.

    This article will provide you further explanation about surveillance audit:
    - Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
  • Residual risks


    Question 1) Is this vision of a "second" residual risk correct?

    Answer: I think there is a misunderstanding here. When you apply a policy over an "inherent risk" you are already treating a risk (first you would have to evaluate the inherent risk against the acceptance criteria - the risk appetite). If this first residual risk after applying this control is still over the risk appetite you have two options: accept the residual risk as it is (because applying more controls will not be worthwhile), or apply additional controls to further decrease the risk (then you would have the "second", "third" residual risk, and so on).

    Considering this, before applying any control you have to evaluate the inherent risk first.

    This article can provide you further information:
    - ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    Question 2: Can I use the same controls assessment policy for estimating "second" residual risk?

    Answer: The methodology you use to assess the inherent risk can also be used to assess the risk after the control application.
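    The iteration described in the answer above (evaluate the inherent risk against the appetite, apply a control, re-score with the same method, decide whether to accept or add another control), as an added worked example that is not part of the original answer or of any Advisera material. The scoring scale (likelihood 1-5 times impact 1-5), the appetite threshold of 8, the sample risk and the reduction each control gives are assumptions chosen for illustration.

```python
"""Inherent risk -> first residual risk -> second residual risk, scored the same way each time.

Added example, not from the original page. Scale, appetite and control effects are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        # One scoring method, reused for the inherent and every residual assessment.
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    def apply(self, risk: Risk) -> Risk:
        # A control can lower likelihood, impact or both; neither drops below 1.
        return Risk(
            risk.name,
            max(1, risk.likelihood - self.likelihood_reduction),
            max(1, risk.impact - self.impact_reduction),
        )


def treat_risk(inherent: Risk, controls: list[Control], appetite: int) -> dict:
    """Score the inherent risk, then apply controls one by one until the
    residual score is within appetite or the controls run out.

    Returns the score history (inherent, then each residual), the final
    residual score, and the decision: 'within appetite' or, when every
    control has been applied and the score is still too high, the choice the
    answer describes: accept the residual as is, or add more controls.
    """
    history = [("inherent", inherent.score())]
    current = inherent
    if current.score() <= appetite:
        return {"history": history, "residual": current.score(), "decision": "within appetite"}
    for control in controls:
        current = control.apply(current)
        history.append((control.name, current.score()))
        if current.score() <= appetite:
            return {"history": history, "residual": current.score(), "decision": "within appetite"}
    return {
        "history": history,
        "residual": current.score(),
        "decision": "above appetite: accept as is or add controls",
    }


def example() -> dict:
    """Constructed sample: a laptop holding unencrypted customer data.

    An access control policy is the first control (it only lowers likelihood),
    so the first residual risk is still above appetite; full-disk encryption is
    the second control and produces the second residual risk.
    """
    appetite = 8  # assumed acceptance criterion
    inherent = Risk("Laptop theft exposing customer data", likelihood=4, impact=5)  # 20
    controls = [
        Control("Access control policy", likelihood_reduction=1),   # 3 * 5 = 15
        Control("Full-disk encryption", impact_reduction=3),        # 3 * 2 = 6
    ]
    return treat_risk(inherent, controls, appetite)


if __name__ == "__main__":
    result = example()
    for stage, score in result["history"]:
        print(f"{stage:<25} score={score}")
    print("decision:", result["decision"])
```

Running it prints the inherent score, then the first and second residual scores; swap the control list for the one in your own treatment plan and keep the appetite equal to your acceptance criterion. If the last control still leaves the score above the appetite, the function reports that and stops, which is exactly the point at which the answer says you either accept the residual risk or go looking for a further control.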
  • Internal auditors and competence

    We've received additional questions:

    > Are the surveillance audits a new requirement of the ISO 9001:2015 standard?
    > What happens if we don’t do the surveillance audits and just do the renewal on year 3?

    Answer
    Surveillance audits are not a requirement of ISO 9001:2015. Surveillance audits are a requirement from your contract with the certification body. Certification is not an ISO 9001:2015 requirement. Certification is a management decision. Many organizations use ISO 9001 as help to implement a management system without performing the extra step of certification.

    ISO 9001 only mentions internal audits.

    Certification bodies cannot propose a contract that does not include surveillance audits because that would go against their accreditation procedures.