Question 1

A medical device company is undergoing an ISO 13485:2016 audit. The Lead Auditor discovers that the company's process for handling customer complaints includes detailed procedures for documentation, investigation, and corrective actions. However, the Lead Auditor also discovers that the company does not have a documented procedure for protecting patient confidentiality and complying with data privacy regulations (e.g., GDPR, HIPAA) when handling customer complaints that contain patient information. What is the MOST appropriate action for the Lead Auditor to take?

Options :

A : Acknowledge the detailed complaint handling procedure and continue the audit without further investigation on this aspect.

B : Issue a minor nonconformity, as the company has a well-defined complaint handling process.

C : Issue a major nonconformity because the lack of a data privacy procedure could result in regulatory violations and harm to patients.

D : Recommend implementing a data privacy procedure as a 'best practice' without issuing a nonconformity.

Answer: C

Question 2

During an ISO 13485:2016 audit of a medical device company, the Lead Auditor discovers that the company has implemented a comprehensive training program for its employees. The program covers various aspects of the QMS, including document control, CAPA, and risk management. However, the effectiveness of the training is solely measured through post-training quizzes, with no documented evidence of how the learned knowledge and skills are applied in the employees' actual job performance. As a Lead Auditor, what is your PRIMARY concern?

Options :

A : The lack of a defined process for verifying the effectiveness of the training could lead to employees not applying the learned knowledge and skills in their work, potentially impacting product quality and safety.

B : The exclusive reliance on post-training quizzes is sufficient to demonstrate training effectiveness, as long as the quiz questions are comprehensive and cover all relevant aspects of the QMS.

C : The absence of documented evidence of training effectiveness is not a significant concern, as long as the training program is well-structured and covers all required topics.

D : The company should focus on improving the content of the post-training quizzes to better assess the employees' understanding of the QMS requirements.

Answer: A

Question 3

A medical device company is undergoing an ISO 13485:2016 audit. The company has a documented procedure for supplier evaluation, and the company has several suppliers used to produce critical components. The company’s procedure outlines initial evaluation, periodic evaluation, and performance monitoring, however, for some suppliers that are deemed “low-risk” there is no *documented rationale* for why those suppliers were classified as such. As the Lead Auditor, what is the MOST appropriate action to take?

Options :

A : Accept the company-s classification of the suppliers as "low-risk" without further investigation, as long as the products they supply consistently meet specifications.

B : Issue a minor nonconformity, and require that the company either conduct a risk assessment or generate a documented rationale for why the suppliers were classified as low risk.

C : Accept the classification if these suppliers provide components to Class I devices.

D : Issue a major nonconformity, since all supplier evaluations must be documented with a detailed, objective risk assessment.

Answer: B

Question 4

A medical device company uses a commercial off-the-shelf (COTS) software program for managing its training records. The software is not directly used in the manufacturing process but is integral to personnel training and demonstrating compliance with ISO 13485:2016. The Lead Auditor reviews the company's training procedure and notes the procedure indicates the company must perform testing of software used within the QMS, and validation is not required. Which of the following would be the MOST appropriate determination for the Lead Auditor?

Options :

A : Accept the process, as long as the procedure indicates the software is not used in production, testing is sufficient.

B : Accept the procedure, so long as the organization keeps accurate training records, the process is valid.

C : Issue a minor nonconformity, because the software validation procedure has not been followed.

D : Issue a finding, because the company-s documentation lacks justification for using a testing and not a validation approach for training software.

Answer: D

Question 5

A medical device company is undergoing an ISO 13485:2016 audit. The Lead Auditor observes that the company uses a software program to manage customer complaints and track corrective actions. The software program allows users to easily generate reports and analyze trends in customer feedback. The manufacturer has performed initial validation and has documented a process for regular preventative maintenance of the software. What additional action must be verified by the Lead Auditor to ensure compliance?

Options :

A : The Lead Auditor should verify the integrity of the software is maintained and secured against unauthorized changes.

B : The Lead Auditor should verify that the software generates aesthetically pleasing and easily understandable reports.

C : The Lead Auditor should verify the software developers hold an ISO 13485:2016 Lead Auditor certification.

D : The Lead Auditor should verify the software is also used for other business functions such as marketing.

Answer: A

Higher Test Marks with Free Online ISO-QMS-13485 Exam Practice

Buying Options: