Question 1

A medical device company manufactures Class IIa devices and is undergoing an ISO 13485:2016 audit. The company performs internal audits. The Lead Auditor reviews the internal audit reports and discovers that the reports consistently lack objective evidence to support the audit findings and conclusions. The Quality Manager explains that while the audit reports may not contain direct objective evidence in the report, they maintain detailed working papers with all the objective evidence, that can be requested and reviewed upon request, and which support the report's findings. What should be the Lead Auditor's MOST appropriate course of action?

Options :

A : Accept the Quality Manager-s explanation and close the audit finding, as long as working papers are available upon request.

B : Issue a minor nonconformity, since the objective evidence is available even if not included in the report.

C : Issue a major nonconformity, as the lack of objective evidence in the audit report hinders the effectiveness of the audit process and the ability to demonstrate QMS compliance.

D : Recommend the company outsource their internal audit program to ensure impartiality and objectivity.

Answer: C

Question 2

A medical device company is undergoing an ISO 13485:2016 audit. The company has a well-defined process for handling customer complaints, including documentation, investigation, and corrective actions. The Lead Auditor discovers that the company is using an older version of a Customer Relationship Management (CRM) software to manage customer complaint records, where the software vendor no longer provides any security patches or updates. The company has a documented procedure for backing up the data stored within the CRM. What is the MOST appropriate response for the Lead Auditor?

Options :

A : Accept the situation since the company has a backup process in place.

B : Raise a minor nonconformity, as the risk is mitigated by the backup process.

C : Raise a major nonconformity because the lack of security patches poses a significant risk to data integrity and potentially patient safety.

D : Recommend the company migrate to a newer CRM system but do not issue a nonconformity.

Answer: C

Question 3

During an ISO 13485:2016 audit of a medical device company, the Lead Auditor discovers that the company has implemented a comprehensive training program for its employees. The program covers various aspects of the QMS, including document control, CAPA, and risk management. However, the effectiveness of the training is solely measured through post-training quizzes, with no documented evidence of how the learned knowledge and skills are applied in the employees' actual job performance. As a Lead Auditor, what is your PRIMARY concern?

Options :

A : The lack of a defined process for verifying the effectiveness of the training could lead to employees not applying the learned knowledge and skills in their work, potentially impacting product quality and safety.

B : The exclusive reliance on post-training quizzes is sufficient to demonstrate training effectiveness, as long as the quiz questions are comprehensive and cover all relevant aspects of the QMS.

C : The absence of documented evidence of training effectiveness is not a significant concern, as long as the training program is well-structured and covers all required topics.

D : The company should focus on improving the content of the post-training quizzes to better assess the employees' understanding of the QMS requirements.

Answer: A

Question 4

A medical device company is undergoing an ISO 13485:2016 audit. The company has a documented procedure for design verification. As the Lead Auditor, you discover that the company has not formally validated the computer software used to perform finite element analysis (FEA) during design verification, where the FEA is part of the QMS and Clause 4.1.6 applies. The output of the FEA software is used as objective evidence that the design meets safety and performance requirements. The FEA software is commercial off-the-shelf software and not developed by the medical device manufacturer. The company states that they check the FEA software inputs and outputs against hand calculations as a form of verification. As the Lead Auditor, what is your MOST appropriate course of action?

Options :

A : Accept the company-s approach because the software is commercially available and inputs and outputs are verified using hand calculations.

B : Consider the company-s approach as verification and ask for the documented procedure for verification, objective evidence, and acceptance criteria for these hand calculations.

C : Document the lack of software validation as a finding and follow up during the next surveillance audit.

D : Issue a nonconformity because the FEA software used for design verification must be validated for its intended use.

Answer: D

Question 5

A medical device company utilizes a cloud-based platform for managing its Quality Management System (QMS) documentation. The company’s documented procedure for software validation and data security, while comprehensive, does not address the specific requirements for verifying the ongoing data integrity and availability of QMS data on the cloud platform. The company does not perform independent backup of their cloud data. As a Lead Auditor, what is the MOST appropriate action to take?

Options :

A : Accept the company-s reliance on the cloud provider-s security measures as sufficient evidence of data integrity and availability.

B : Issue a minor nonconformity, provided the company has a disaster recovery plan in place.

C : Issue a major nonconformity, as the lack of verification directly impacts the reliability of the QMS and data security.

D : Request the company to provide documentation of the cloud provider’s security policies and procedures and assess their suitability.

Answer: C

Confidently Practice Online with Free ISO-QMS-13485 Exam Cram

Buying Options: