Question 1

A medical device company is undergoing an ISO 13485:2016 audit. The company has a documented procedure for supplier evaluation, and the company has several suppliers used to produce critical components. The company’s procedure outlines initial evaluation, periodic evaluation, and performance monitoring, however, for some suppliers that are deemed “low-risk” there is no *documented rationale* for why those suppliers were classified as such. As the Lead Auditor, what is the MOST appropriate action to take?

Options :

A : Accept the company-s classification of the suppliers as "low-risk" without further investigation, as long as the products they supply consistently meet specifications.

B : Issue a minor nonconformity, and require that the company either conduct a risk assessment or generate a documented rationale for why the suppliers were classified as low risk.

C : Accept the classification if these suppliers provide components to Class I devices.

D : Issue a major nonconformity, since all supplier evaluations must be documented with a detailed, objective risk assessment.

Answer: B

Question 2

A medical device manufacturer is using a cloud-based software platform for managing its quality management system (QMS) documentation, including procedures, work instructions, and records. The manufacturer claims that since the cloud provider is ISO 27001 certified, they do not need to perform their own validation of the software's suitability for managing their QMS data. As a Lead Auditor, how should you respond?

Options :

A : Accept the manufacturer-s reasoning, as ISO 27001 certification of the cloud provider sufficiently addresses data security and integrity concerns.

B : Inform the manufacturer that ISO 27001 certification is irrelevant to the validation requirements of ISO 13485:2016, and full validation is always necessary.

C : Acknowledge the ISO 27001 certification but require the manufacturer to demonstrate through documented evidence that the software platform is suitable for managing QMS data and meets applicable regulatory requirements, focusing on data integrity, security, and accessibility.

D : Suggest that the manufacturer only needs to validate the interfaces between the cloud-based system and any local systems, as the cloud provider is responsible for validating the core functionality.

Answer: C

Question 3

A medical device company is undergoing an ISO 13485:2016 audit. The company manufactures a Class IIa medical device. The Lead Auditor discovers that the company's internal audit program is conducted by personnel who have received training on auditing techniques but lack specific technical expertise related to the processes they are auditing (e.g., design, manufacturing, sterilization). The company claims that the auditors' general understanding of the QMS is sufficient. What is the MOST appropriate action for the Lead Auditor to take?

Options :

A : Accept the company-s rationale, as the personnel are trained auditors and possess a general understanding of the QMS requirements.

B : Issue a minor nonconformity, requiring the company to enhance the general QMS knowledge of the auditors.

C : Issue a major nonconformity, requiring the company to revise its internal audit program to ensure auditors possess the necessary technical expertise or involve technical experts in the audits.

D : Recommend that the company outsource all internal audits to a qualified third-party auditing firm.

Answer: C

Question 4

During an ISO 13485:2016 audit, the Lead Auditor discovers that a medical device company uses a cloud-based software to manage its training records. The software provider states the system is fully compliant with all relevant data privacy requirements such as GDPR and HIPAA. The manufacturer performs an annual review of the software provider’s SOC 2 Type II report to verify its compliance with relevant security standards. Considering the requirements of ISO 13485:2016 regarding the control of outsourced processes, what should be your MOST appropriate next action?

Options :

A : Accept the SOC 2 Type II report as sufficient evidence of compliance, and move on to another area of the audit.

B : Confirm the scope of the SOC 2 Type II report addresses the specific data privacy and security controls required by the company-s QMS and applicable regulations, and verify the medical device manufacturer has performed a documented risk assessment to identify potential risks associated with data privacy.

C : Require the company to perform a full on-site audit of the software provider-s facility to verify compliance with data privacy requirements.

D : Accept the software provider-s statement of compliance without further verification, as cloud providers are inherently responsible for data privacy.

Answer: B

Question 5

A medical device company is undergoing an ISO 13485:2016 audit. The Lead Auditor observes that the company uses a software program to manage customer complaints and track corrective actions. The software program allows users to easily generate reports and analyze trends in customer feedback. The manufacturer has performed initial validation and has documented a process for regular preventative maintenance of the software. What additional action must be verified by the Lead Auditor to ensure compliance?

Options :

A : The Lead Auditor should verify the integrity of the software is maintained and secured against unauthorized changes.

B : The Lead Auditor should verify that the software generates aesthetically pleasing and easily understandable reports.

C : The Lead Auditor should verify the software developers hold an ISO 13485:2016 Lead Auditor certification.

D : The Lead Auditor should verify the software is also used for other business functions such as marketing.

Answer: A

Higher Test Marks with Free Online ISO-QMS-13485 Exam Practice

Buying Options: