
  • What rules should be applied to 3D printed - patient specific products?

    The biggest question here is what is the intended purpose of the device. The purpose of the product, and thus the classification of the product, determines whether it is necessary to put the CE mark on the product and what documentation needs to be prepared.

    Only implantable and Class III custom-made products require the affixing of the CE mark and the inclusion of a Notified Body in the whole process. For all other classes, it is sufficient to prepare technical documentation for the product as described in Annex 13.

    For more information, see:

    • EU MDR Annex 13 - Procedure for custom made devices - https://advisera.com/13485academy/mdr/procedure-for-custom-made-devices/

  • Question - ISO 27001

    1. How do you put in place HR systems when there are no employees? Would this be more about supplier management and supplier worker management?

    Since your customer uses contractors, his relationship with them and their employees will be through supplier management, so regarding ISO 27001 implementation, this will mostly cover controls from ISO 27001 Annex A section 15 Supplier relationships.

    For further information, see:

    2. With software development, would they either: (a) require suppliers to follow his requirements or ISO-compliant software development manuals, or (b) require the subsidiary to produce their software development manual (which meets the requirements of ISO 27001), which he approves?

    In this situation, first you need to ensure, by means of security clauses in contracts or service agreements, that risks you consider relevant, and legal requirements applicable to his organization, related to software development are properly treated by the supplier.

    Considering that, alternative (a) is more adequate because in alternative (b) you only consider the standard's requirements, not those of your customer.

    These articles will provide you with further explanation about security clauses and software development:

  • Dental burs

    MDR does not have the term critical or semi-critical. All medical devices must be in one of the classes as described in Annex 8 - Classification rules. If I understand your device correctly, it is a reusable medical device, therefore class Ir. According to the definition, a reusable surgical instrument means an instrument intended for surgical use in cutting, drilling, sawing, scratching, scraping, clamping, retracting, clipping, or similar procedures, without a connection to an active device and which is intended by the manufacturer to be reused after appropriate procedures such as cleaning, disinfection, and sterilization have been carried out.

    Rule 6 is the rule that covers reusable medical devices, which states that all surgically invasive devices intended for transient use are classified as class IIa unless they are reusable surgical instruments, in which case they are classified as class I.

    Reusable devices must be sterile before use. They must be sterilized, and they can be kept in the holder for a certain amount of time. How much time depends on the type of sterilization or disinfection used, the method for preparing the sterilization, and so on. Usually, the time that instruments are allowed to be stored after sterilization is defined by the sterilization validation process.

    Instruments can be packed individually or, for example, as a set for a certain procedure.

    For more information, see:

    • EU MDR Annex 8 – Classification rules https://advisera.com/13485academy/mdr/classification-rules/

  • ISO 27001 implementation requirement

    First, it is important to note that ISO 27001 does not specify the PDCA cycle.

    Please note that the best practice is to consider risk assessment as part of the Plan phase, since its main objective is to identify and prioritize relevant risks to be treated, so you can plan which controls to implement.

    In the Do phase, you implement and operate the controls.

    This article will provide you with a further explanation about ISO 27001 and the PDCA cycle:
    - Has the PDCA Cycle been removed from the new ISO standards? https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/

  • Can private hardware used for business purposes be excluded from the scope?

    ISO 27001/ISO 27017/ISO 27018 allow the usage of private hardware, and you can exclude this hardware from the ISMS scope - this is pretty common in companies that have remote workers.

    Once you specify in your ISMS scope document that private hardware is out of the scope, you need to ensure compliance with security rules by signing agreements with workers that use such hardware, where you will specify the security rules for using such hardware.

    In your toolkit, you will find the document "Security clauses for suppliers and partners" in folder 08 Annex A Security Controls - A.15 Supplier relationships - you can use clauses from this document in the agreement with your workers.

  • Device asset tracking

    ISO 27001 does not prescribe the information to be used to track an asset, so organizations can define the information they see as best fitting their needs.

    In general, for tracking an asset you should consider information that is unique for each asset, and the serial number fits these criteria, so it is a good choice for tracking information.

    This article will provide you with a further explanation of asset management:

  • Creating, reviewing, and approving documents

    Except for the top-level Information Security Policy, which is required to be approved by top management, ISO 27001 does not prescribe who needs to create, review, and approve documents for ISO 27001, so organizations can define these roles as they best fit their needs.

    Considering that, operationally speaking, you can justify that the reduction of the number of signatories will make the approval process more efficient.

    Good practice is that one person from the top management approves the document, and a couple of relevant people review the document before it is approved - this makes the process faster, and the documents better.

    For further information, see:
    - How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/
