Question 1

A medical device company utilizes a cloud-based platform for managing its Quality Management System (QMS) documentation. The company’s documented procedure for software validation and data security, while comprehensive, does not address the specific requirements for verifying the ongoing data integrity and availability of QMS data on the cloud platform. The company does not perform independent backup of their cloud data. As a Lead Auditor, what is the MOST appropriate action to take?

Options :

A : Accept the company-s reliance on the cloud provider-s security measures as sufficient evidence of data integrity and availability.

B : Issue a minor nonconformity, provided the company has a disaster recovery plan in place.

C : Issue a major nonconformity, as the lack of verification directly impacts the reliability of the QMS and data security.

D : Request the company to provide documentation of the cloud provider’s security policies and procedures and assess their suitability.

Answer: C

Question 2

During an ISO 13485:2016 audit, the Lead Auditor is reviewing the effectiveness of the company's Corrective and Preventive Action (CAPA) system. The auditor notes that the company's CAPA procedure includes a requirement for effectiveness checks to verify that implemented corrective actions have been effective in addressing the root cause of the problem and preventing recurrence. However, the Lead Auditor discovers that the effectiveness checks consistently focus on confirming the immediate resolution of the problem, with limited consideration of the long-term sustainability and robustness of the implemented corrective action, or its potential unintended consequences. What is the MOST appropriate next step for the Lead Auditor to take?

Options :

A : Accept the company-s approach, as the immediate resolution demonstrates the corrective action was effective.

B : Review the rationale for the short-term effectiveness checks and evaluate whether it aligns with the nature of the identified problems and the implemented corrective actions.

C : Document a minor nonconformity, since some effectiveness checks are performed, and allow the company to fix the issue after the audit.

D : Issue a major nonconformity, as the procedure is well-documented and effectiveness checks are being performed, which indicates a systematic issue.

Answer: B

Question 3

A medical device company has implemented a system for monitoring and measuring key processes within its Quality Management System (QMS). The system generates various performance metrics, which are regularly reviewed by management. However, the Lead Auditor discovers that the company has not established specific, measurable, achievable, relevant, and time-bound (SMART) objectives for these metrics. As a Lead Auditor, what is the MOST significant concern?

Options :

A : The lack of SMART objectives indicates a potential lack of commitment to continual improvement within the QMS.

B : Without SMART objectives, it will be difficult to determine whether the monitoring and measurement system is effective in achieving its intended purpose.

C : The absence of SMART objectives will likely lead to inconsistencies in data collection and analysis across different departments.

D : The company is not fully utilizing the available data to identify areas for improvement and optimize process performance.

Answer: B

Question 4

During an ISO 13485:2016 audit, a Lead Auditor is evaluating the post-market surveillance system of a medical device company. The company primarily relies on customer complaints to identify potential issues. The Lead Auditor finds that while the company diligently collects and investigates customer complaints, the threshold for initiating a formal investigation and potential corrective action is based on a subjective assessment of the 'severity' of the complaint. There is no documented definition of 'severity' or objective criteria used to determine whether a complaint warrants a deeper investigation. What is the MOST appropriate course of action for the Lead Auditor?

Options :

A : Accept the company-s approach, as they are actively collecting and addressing customer complaints, which demonstrates a commitment to post-market surveillance.

B : Issue a minor nonconformity, suggesting the company document their severity assessment process without requiring specific objective criteria.

C : Issue a major nonconformity, as the lack of objective criteria for severity assessment could lead to inconsistent handling of complaints and potential failure to identify significant issues.

D : Recommend the company benchmark their process against other medical device companies to determine industry best practices for severity assessment.

Answer: C

Question 5

A medical device manufacturer is using a cloud-based software platform for managing its quality management system (QMS) documentation, including procedures, work instructions, and records. The manufacturer claims that since the cloud provider is ISO 27001 certified, they do not need to perform their own validation of the software's suitability for managing their QMS data. As a Lead Auditor, how should you respond?

Options :

A : Accept the manufacturer-s reasoning, as ISO 27001 certification of the cloud provider sufficiently addresses data security and integrity concerns.

B : Inform the manufacturer that ISO 27001 certification is irrelevant to the validation requirements of ISO 13485:2016, and full validation is always necessary.

C : Acknowledge the ISO 27001 certification but require the manufacturer to demonstrate through documented evidence that the software platform is suitable for managing QMS data and meets applicable regulatory requirements, focusing on data integrity, security, and accessibility.

D : Suggest that the manufacturer only needs to validate the interfaces between the cloud-based system and any local systems, as the cloud provider is responsible for validating the core functionality.

Answer: C

Confidently Practice Online with Free ISO-QMS-13485 Exam Cram

Buying Options: