Question 1

A medical device company manufactures Class IIa devices and is undergoing an ISO 13485:2016 audit. The company performs internal audits. The Lead Auditor reviews the internal audit reports and discovers that the reports consistently lack objective evidence to support the audit findings and conclusions. The Quality Manager explains that while the audit reports may not contain direct objective evidence in the report, they maintain detailed working papers with all the objective evidence, that can be requested and reviewed upon request, and which support the report's findings. What should be the Lead Auditor's MOST appropriate course of action?

Options :

A : Accept the Quality Manager-s explanation and close the audit finding, as long as working papers are available upon request.

B : Issue a minor nonconformity, since the objective evidence is available even if not included in the report.

C : Issue a major nonconformity, as the lack of objective evidence in the audit report hinders the effectiveness of the audit process and the ability to demonstrate QMS compliance.

D : Recommend the company outsource their internal audit program to ensure impartiality and objectivity.

Answer: C

Question 2

A medical device company is undergoing an ISO 13485:2016 audit. The company uses a contract manufacturer to produce a critical component of their Class II medical device. The Lead Auditor reviews the medical device company's records pertaining to the oversight of the contract manufacturer. While the records show regular communication, agreed-upon specifications, and documented inspections of incoming components, the Lead Auditor discovers that the medical device company is performing no periodic on-site audits of the contract manufacturer's facility. The company claims that these audits are not required if the component meets all the specifications and regulatory requirements. What should be the Lead Auditor’s MOST appropriate next action?

Options :

A : Accept the company-s justification and move on to the next area of the audit, documenting the rationale.

B : Issue a nonconformity because on-site audits are always mandatory for contract manufacturers of critical components.

C : Investigate the company-s rationale for not conducting on-site audits, considering the risk associated with the component and the effectiveness of other controls.

D : Require the company to immediately schedule an on-site audit of the contract manufacturer, regardless of the risk assessment or other controls.

Answer: C

Question 3

A medical device company is undergoing an ISO 13485:2016 audit. The company has a documented procedure for supplier evaluation, and the company has several suppliers used to produce critical components. The company’s procedure outlines initial evaluation, periodic evaluation, and performance monitoring, however, for some suppliers that are deemed “low-risk” there is no *documented rationale* for why those suppliers were classified as such. As the Lead Auditor, what is the MOST appropriate action to take?

Options :

A : Accept the company-s classification of the suppliers as "low-risk" without further investigation, as long as the products they supply consistently meet specifications.

B : Issue a minor nonconformity, and require that the company either conduct a risk assessment or generate a documented rationale for why the suppliers were classified as low risk.

C : Accept the classification if these suppliers provide components to Class I devices.

D : Issue a major nonconformity, since all supplier evaluations must be documented with a detailed, objective risk assessment.

Answer: B

Question 4

A medical device manufacturer is undergoing an ISO 13485:2016 audit. They utilize a contract manufacturer to produce a critical component for one of their Class III devices. During the audit, the Lead Auditor reviews the medical device company's records pertaining to the oversight of the contract manufacturer. While the records show regular communication, agreed-upon specifications, and documented inspections of incoming components, the Lead Auditor discovers that the medical device company is performing no periodic on-site audits of the contract manufacturer's facility. What type of conclusion should the Lead Auditor draw?

Options :

A : This is acceptable if the medical device company has a robust system for monitoring the quality of incoming components and the contract manufacturer maintains ISO 13485 certification.

B : This is a minor nonconformity because the medical device company is still communicating with the contract manufacturer.

C : This is a major nonconformity because the medical device company has not ensured compliance with ISO 13485:2016 requirements.

D : This is acceptable if the medical device company has a documented rationale explaining why on-site audits are not necessary.

Answer: C

Question 5

A medical device company is undergoing an ISO 13485:2016 audit. The company uses a cloud-based software to manage its training records. The software provider states the system is fully compliant with all relevant data privacy requirements such as GDPR and HIPAA. The manufacturer performs an annual review of the software provider’s SOC 2 Type II report to verify its compliance with relevant security standards, however, the medical device company has not performed any risk assessment to identify potential risks associated with data privacy.

Options :

A : Accept the company-s reliance on the software provider-s statement and the SOC 2 report as sufficient evidence of compliance.

B : Require the company to perform a data protection impact assessment (DPIA) or risk assessment to identify and mitigate potential data privacy risks.

C : Recommend that the company obtain a written guarantee from the software provider ensuring compliance with all applicable data privacy regulations.

D : Issue a nonconformity for the lack of a documented data privacy procedure, regardless of the risk assessment.

Answer: B