A medical device company is undergoing an ISO 13485:2016 audit. The company outsources the manufacturing of a critical component to a supplier. During the audit, the Lead Auditor discovers the supplier performs 100% automated inspection of the critical dimensions of the component, and the medical device company's quality group does not perform incoming inspection. The Lead Auditor reviews the process for controlling these outsourced processes and confirms the supplier's automated inspection system used to verify critical product dimensions is validated. What additional action must be verified by the Lead Auditor to ensure compliance?

During an ISO 13485:2016 surveillance audit, a Lead Auditor reviews the management review process of a medical device company. The company conducts management reviews quarterly, as required. However, the Lead Auditor notices that the documented outputs of these reviews consistently lack specific action items with assigned responsibilities and deadlines for addressing identified issues. Which of the following is the MOST significant concern regarding this situation?

A medical device company is undergoing an ISO 13485:2016 audit. The Lead Auditor observes that the company uses a software program to manage customer complaints and track corrective actions. The software program allows users to easily generate reports and analyze trends in customer feedback. The manufacturer has performed initial validation and has documented a process for regular preventative maintenance of the software. What additional action must be verified by the Lead Auditor to ensure compliance?

During an ISO 13485:2016 audit, the Lead Auditor discovers that a medical device company uses a cloud-based software to manage its training records. The software provider states the system is fully compliant with all relevant data privacy requirements such as GDPR and HIPAA. The manufacturer performs an annual review of the software provider’s SOC 2 Type II report to verify its compliance with relevant security standards. Considering the requirements of ISO 13485:2016 regarding the control of outsourced processes, what should be your MOST appropriate next action?

A medical device company is undergoing an ISO 13485:2016 audit. The company utilizes a contract manufacturer for a critical component of their Class II medical device. The Lead Auditor reviews the company's process for controlling the outsourced process. The quality agreement with the contract manufacturer clearly defines the product specifications, quality requirements, and acceptance criteria. There is evidence of recent performance data trending showing sustained compliance, however, the quality agreement does not define how frequently the quality agreement itself is reviewed or updated. As a Lead Auditor, what is the MOST appropriate determination regarding the company's approach?