Confidently Practice Online with Free ISO-QMS-13485 Exam Cram

A medical device company utilizes a cloud-based platform for managing its Quality Management System (QMS) documentation. The company’s documented procedure for software validation and data security, while comprehensive, does not address the specific requirements for verifying the ongoing data integrity and availability of QMS data on the cloud platform. The company does not perform independent backup of their cloud data. As a Lead Auditor, what is the MOST appropriate action to take?

A medical device company is undergoing an ISO 13485:2016 audit. The company has a documented procedure for design verification. As the Lead Auditor, you discover that the company has not formally validated the computer software used to perform finite element analysis (FEA) during design verification, where the FEA is part of the QMS and Clause 4.1.6 applies. The output of the FEA software is used as objective evidence that the design meets safety and performance requirements. The FEA software is commercial off-the-shelf software and not developed by the medical device manufacturer. The company states that they check the FEA software inputs and outputs against hand calculations as a form of verification. As the Lead Auditor, what is your MOST appropriate course of action?

A medical device company is undergoing an ISO 13485:2016 audit. The company uses a cloud-based software to manage its training records. The software provider states the system is fully compliant with all relevant data privacy requirements such as GDPR and HIPAA. The manufacturer performs an annual review of the software provider’s SOC 2 Type II report to verify its compliance with relevant security standards, however, the medical device company has not performed any risk assessment to identify potential risks associated with data privacy.

A medical device company is undergoing an ISO 13485:2016 audit. The company utilizes a cloud-based Enterprise Resource Planning (ERP) system for managing its inventory, purchasing, and production planning. The company claims that since the cloud provider is ISO 27001 certified, they do not need to perform their own validation of the software's suitability for managing their QMS data. As a Lead Auditor, what aspect of validation and security is MOST important to investigate?

A medical device manufacturer is undergoing an ISO 13485:2016 audit. They utilize a contract manufacturer to produce a critical component for one of their Class III devices. During the audit, the Lead Auditor reviews the medical device company's records pertaining to the oversight of the contract manufacturer. While the records show regular communication, agreed-upon specifications, and documented inspections of incoming components, the Lead Auditor discovers that the medical device company is performing no periodic on-site audits of the contract manufacturer's facility. What type of conclusion should the Lead Auditor draw?