Question 1

A medical device company is undergoing an ISO 13485:2016 audit. The company utilizes a cloud-based Enterprise Resource Planning (ERP) system for managing its inventory, purchasing, and production planning. The company claims that since the cloud provider is ISO 27001 certified, they do not need to perform their own validation of the software's suitability for managing their QMS data. As a Lead Auditor, what aspect of validation and security is MOST important to investigate?

Options :

A : Confirm that the cloud provider-s ISO 27001 certification covers the specific services used by the medical device company.

B : Verify that the medical device company has a documented procedure for data backup and disaster recovery in case of a cloud outage.

C : Assess whether the medical device company has performed its own risk assessment to identify potential risks related to data integrity, data privacy and data availability when using the ERP.

D : Review the contract between the medical device company and the cloud provider to ensure it clearly defines responsibilities for data security and data privacy.

Answer: C

Question 2

A medical device company uses a commercial off-the-shelf (COTS) software program for managing its training records. The software is not directly used in the manufacturing process but is integral to personnel training and demonstrating compliance with ISO 13485:2016. The Lead Auditor reviews the company's training procedure and notes the procedure indicates the company must perform testing of software used within the QMS, and validation is not required. Which of the following would be the MOST appropriate determination for the Lead Auditor?

Options :

A : Accept the process, as long as the procedure indicates the software is not used in production, testing is sufficient.

B : Accept the procedure, so long as the organization keeps accurate training records, the process is valid.

C : Issue a minor nonconformity, because the software validation procedure has not been followed.

D : Issue a finding, because the company-s documentation lacks justification for using a testing and not a validation approach for training software.

Answer: D

Question 3

A medical device company is undergoing an ISO 13485:2016 audit. The company has a documented procedure for design verification. As the Lead Auditor, you discover that the company has not formally validated the computer software used to perform finite element analysis (FEA) during design verification, where the FEA is part of the QMS and Clause 4.1.6 applies. The output of the FEA software is used as objective evidence that the design meets safety and performance requirements. The FEA software is commercial off-the-shelf software and not developed by the medical device manufacturer. The company states that they check the FEA software inputs and outputs against hand calculations as a form of verification. As the Lead Auditor, what is your MOST appropriate course of action?

Options :

A : Accept the company-s approach because the software is commercially available and inputs and outputs are verified using hand calculations.

B : Consider the company-s approach as verification and ask for the documented procedure for verification, objective evidence, and acceptance criteria for these hand calculations.

C : Document the lack of software validation as a finding and follow up during the next surveillance audit.

D : Issue a nonconformity because the FEA software used for design verification must be validated for its intended use.

Answer: D

Question 4

During an ISO 13485:2016 audit, a Lead Auditor is evaluating the post-market surveillance system of a medical device company. The company primarily relies on customer complaints to identify potential issues. The Lead Auditor finds that while the company diligently collects and investigates customer complaints, the threshold for initiating a formal investigation and potential corrective action is based on a subjective assessment of the 'severity' of the complaint. There is no documented definition of 'severity' or objective criteria used to determine whether a complaint warrants a deeper investigation. What is the MOST appropriate course of action for the Lead Auditor?

Options :

A : Accept the company-s approach, as they are actively collecting and addressing customer complaints, which demonstrates a commitment to post-market surveillance.

B : Issue a minor nonconformity, suggesting the company document their severity assessment process without requiring specific objective criteria.

C : Issue a major nonconformity, as the lack of objective criteria for severity assessment could lead to inconsistent handling of complaints and potential failure to identify significant issues.

D : Recommend the company benchmark their process against other medical device companies to determine industry best practices for severity assessment.

Answer: C

Question 5

During an ISO 13485:2016 surveillance audit, a Lead Auditor reviews the management review process of a medical device company. The company conducts management reviews quarterly, as required. However, the Lead Auditor notices that the documented outputs of these reviews consistently lack specific action items with assigned responsibilities and deadlines for addressing identified issues. Which of the following is the MOST significant concern regarding this situation?

Options :

A : The frequency of the management reviews is insufficient to address the company-s needs.

B : The lack of documented action items and responsibilities undermines the effectiveness of the management review process.

C : The documented outputs should also include a review of the company-s financial performance.

D : The management review process is compliant since the company is conducting reviews as frequently as documented.

Answer: B

Confidently Practice Online with Free ISO-QMS-13485 Exam Cram

Buying Options: