Question 1

A medical device company is undergoing an ISO 13485:2016 audit. They have a well-defined process for handling nonconforming product, which includes identification, segregation, review, and disposition. The company has clearly defined responsibilities for each step of the process. However, the Lead Auditor discovers that the procedure does not specify timeframes for completing each step, particularly the review and disposition of nonconforming product. What is the MOST significant concern for the Lead Auditor?

Options :

A : The lack of timeframes could lead to delays in addressing nonconformities, potentially resulting in the use of nonconforming product.

B : The nonconforming product may lose traceability to the production lot.

C : Without timeframes, the process becomes too rigid and inflexible, inhibiting the investigation of non-conformances.

D : The lack of defined responsibilities in the process, even with the lack of time frames, allows for a clear assignment of responsibilities.

Answer: A

Question 2

A medical device company uses a contract manufacturer to produce a critical component for one of their Class III devices. During an ISO 13485:2016 audit of the medical device company (not the contract manufacturer), the Lead Auditor reviews the records pertaining to the oversight of the contract manufacturer. The records show regular communication, agreed-upon specifications, and documented inspections of incoming components. However, there is no documented evidence of periodic on-site audits of the contract manufacturer's facilities. What is the MOST appropriate conclusion for the Lead Auditor to draw?

Options :

A : The arrangement is acceptable, as long as the incoming inspections are thorough and meet acceptance criteria.

B : The absence of on-site audits is a minor nonconformity, requiring only a commitment to schedule future audits.

C : The lack of on-site audits is a major nonconformity, as it demonstrates a failure to adequately control outsourced processes.

D : The company is only required to audit the contract manufacturer if there are persistent quality issues with the incoming components.

Answer: C

Question 3

During an ISO 13485:2016 surveillance audit, a Lead Auditor reviews the management review process of a medical device company. The company conducts management reviews quarterly, as required. However, the Lead Auditor notices that the documented outputs of these reviews consistently lack specific action items with assigned responsibilities and deadlines for addressing identified issues. Which of the following is the MOST significant concern regarding this situation?

Options :

A : The frequency of the management reviews is insufficient to address the company-s needs.

B : The lack of documented action items and responsibilities undermines the effectiveness of the management review process.

C : The documented outputs should also include a review of the company-s financial performance.

D : The management review process is compliant since the company is conducting reviews as frequently as documented.

Answer: B

Question 4

A medical device company is undergoing an ISO 13485:2016 audit. The company manufactures a Class IIa medical device. The Lead Auditor discovers that the company's internal audit program is conducted by personnel who have received training on auditing techniques but lack specific technical expertise related to the processes they are auditing (e.g., design, manufacturing, sterilization). The company claims that the auditors' general understanding of the QMS is sufficient. What is the MOST appropriate action for the Lead Auditor to take?

Options :

A : Accept the company-s rationale, as the personnel are trained auditors and possess a general understanding of the QMS requirements.

B : Issue a minor nonconformity, requiring the company to enhance the general QMS knowledge of the auditors.

C : Issue a major nonconformity, requiring the company to revise its internal audit program to ensure auditors possess the necessary technical expertise or involve technical experts in the audits.

D : Recommend that the company outsource all internal audits to a qualified third-party auditing firm.

Answer: C

Question 5

A medical device company is undergoing an ISO 13485:2016 audit. The company uses a cloud-based software to manage its training records. The software provider states the system is fully compliant with all relevant data privacy requirements such as GDPR and HIPAA. The manufacturer performs an annual review of the software provider’s SOC 2 Type II report to verify its compliance with relevant security standards, however, the medical device company has not performed any risk assessment to identify potential risks associated with data privacy.

Options :

A : Accept the company-s reliance on the software provider-s statement and the SOC 2 report as sufficient evidence of compliance.

B : Require the company to perform a data protection impact assessment (DPIA) or risk assessment to identify and mitigate potential data privacy risks.

C : Recommend that the company obtain a written guarantee from the software provider ensuring compliance with all applicable data privacy regulations.

D : Issue a nonconformity for the lack of a documented data privacy procedure, regardless of the risk assessment.

Answer: B

Higher Test Marks with Free Online ISO-QMS-13485 Exam Practice

Buying Options: