Cleanroom Disaster Recovery for ISO 13485

C

Calmed

During our last ISO 13485 audit, we received a NC for not providing a procedure for disaster recovery plan. I've looked thru ISO 14644 and not found a good foundation for a plan. I found IEST-RP-CC041: Recovery from Disruption to Cleanroom and Other Controlled Environments but this is still under development. Anyone have any templates they would be willing to share or can point me to a site where I can gather some information? (Have not had much luck with consultants).

Background: We are a small company which assembles non-sterile class II medical devices and our ISO Class 8 clean room is less than two years old.
 
R

Reg Morrison

Please have a look at the Controlled Environment Procedure: Disaster Recovery Plan? thread.

You must demand to get the source of the requirement from the auditor. If s/he can not produce it, appeal it. You should not have to implement ANY corrective action for something you are not required to do.

I wonder if we have a rogue auditor "creating" business for their registrar or consultant friends by demanding medical device companies to have a business continuity plan.

If that were the case, this people needs to be exposed.

Have other ISO 13485 certified organizations been "written up" for not having this type of system/program in place?
 
C

Calmed

Thank you for referencing the other thread. Our audit NC cited ISO 13485: 7.5.1.2.1, 7.5.3.1 and 6.2.2b which are not specific to "disaster". I have seen other posts regarding the business continuity plan and this being a popular NC, so I believe this is their "hot topic" for this audit season.
 
R

Reg Morrison

so I believe this is their "hot topic" for this audit season.
And how "convenient" that they also offer business continuity system certification and training, isn't it?

What a great racket: create a ghost requirement and prey upon less informed clients. It is starting to sound like a scam, if you connect the dots.

I stand by my previous post: appeal the NC. And I suspect that the registrar in question will soon be revising their checklist, deleting this requirement for ISO 13485 applicants, as they are being exposed here.
 
M

MIREGMGR

The company for which I work utilizes one of the larger, well reputed global NBs...their home-office and American operations each certify aspects of our US operations and those of our US contract sterilization supplier, and their China operation certifies our China fabrication affiliate's operations and those of their (and our) China contract sterilization supplier.

We have not been required to have a business continuity plan in place.

We in fact do have such plans--they become much easier when you have bi-continental fabrication and sterilization operations in place, with interchangable validations--but our NB has not asked about them.
 

pkost

Trusted Information Resource
The quoted clauses are about as far from any requirement from a business continuity plan as one can get.

While I don't agree a BCP is a strict requirement I can see it's benefit if I was to audit and trying to shoehorn a "shall", I would go for 5.1e and possibly 6.1b - as an auditee I would then respond that we had evaluated the benefit and come to the decision that as a smaller business the cost of impementing an effective plan outweighs the benefit to our customers.
 
M

maaquilino

Thank you for referencing the other thread. Our audit NC cited ISO 13485: 7.5.1.2.1, 7.5.3.1 and 6.2.2b which are not specific to "disaster". I have seen other posts regarding the business continuity plan and this being a popular NC, so I believe this is their "hot topic" for this audit season.

If these are the sections cited for the NC, then imo this auditor needs more training, as none have anything to do with disaster recovery.

That said, it's good business sense to have a procedure(s) for business continuity, including disaster recovery, because even though we all think it's something we'll never have to worry about, that's not always the case. It could be something as horrible as a Hurricane Katrina wiping out a manufacturing facility to something as simple as your backup server fails losing all your backed up data, that can adversely affect your business and/or prevent it from continuing to produce or remain in compliance. If there's no plan in place when something bad happens, it will take a lot more time to get the business back to where it needs to be. When something bad happens, rather than having to run around like chickens with their heads cut off and not knowing what to do, previous things put into place as part of business continuity and disaster recovery can get the business, or parts of it, back up and running quicker. Not everything needs to be under a regulation; some are just good sense business practices.

http://local.imsm.com/aboriginal/news/firms-failing-to-prepare-for-disaster-recovery/

A few things I found about regulations and business continuity/disaster recovery:
http://www.continuityinsights.com/s.../legacyfiles/L2_RegulatoryRequirements(1).pdf

This was interesting: Do a search on 'disaster' - http://www.fda.gov/RegulatoryInformation/Guidances/ucm126954.htm
 
Last edited by a moderator:

QA4ALL

Registered
I posted this on a related thread as well.

We are moving from an ISO9001 based system to an ISO13485 certification. We had the stage I assessment a few weeks ago and we were cited for two concerns related to this thread. "Need a business continuity plan (6.3) and need a pest control plan (6.4)". We are a small build to print manufacturer and have started supplying some analytical medical devices. I checked Elsmar since I couldn't find a "shall" in ISO13485 that required the above two processes. Has there been confirmation on these requirements? Any help would be appreciated.
 
C

Calmed

At the time, I was unable to locate a "disaster recovery" template/SOP/plan that met our needs, so I created one from scratch. Our location is in CA, so I divided it into man-made (such as user error, power outage) and natural disasters (such as fire, earthquake, flood) - who does what, when, where, etc. The plan I created satisfied our auditor. The Business part was left to the "business" sector of the company, which for the most part is not reviewed by regulatory bodies.
 
Top Bottom