Smartly Prepare Exam with Free Online ISO-QMS-13485 Practice Test

A medical device company is undergoing an ISO 13485:2016 audit. The company has a documented procedure for supplier evaluation, and the company has several suppliers used to produce critical components. The company’s procedure outlines initial evaluation, periodic evaluation, and performance monitoring, however, for some suppliers that are deemed “low-risk” there is no *documented rationale* for why those suppliers were classified as such. As the Lead Auditor, what is the MOST appropriate action to take?

A medical device company is undergoing an ISO 13485:2016 audit. During a tour of the manufacturing facility, the Lead Auditor observes that several production machines are connected to the company's internal network. The company has a firewall and intrusion detection system in place. However, there is no documented assessment of the cybersecurity risks associated with these network-connected machines, including the potential impact on product quality or patient safety if a machine were compromised. What is the MOST appropriate action for the Lead Auditor to take?

A medical device company is undergoing an ISO 13485:2016 audit. The company utilizes a contract manufacturer for a critical component of their Class II medical device. The Lead Auditor reviews the company's process for controlling the outsourced process. The quality agreement with the contract manufacturer clearly defines the product specifications, quality requirements, and acceptance criteria. There is evidence of recent performance data trending showing sustained compliance, however, the quality agreement does not define how frequently the quality agreement itself is reviewed or updated. As a Lead Auditor, what is the MOST appropriate determination regarding the company's approach?

A medical device company is undergoing an ISO 13485:2016 audit. The company uses a cloud-based software to manage its training records. The software provider states the system is fully compliant with all relevant data privacy requirements such as GDPR and HIPAA. The manufacturer performs an annual review of the software provider’s SOC 2 Type II report to verify its compliance with relevant security standards, however, the medical device company has not performed any risk assessment to identify potential risks associated with data privacy.

A medical device company uses a contract manufacturer to produce a critical component for one of their Class III devices. During an ISO 13485:2016 audit of the medical device company (not the contract manufacturer), the Lead Auditor reviews the records pertaining to the oversight of the contract manufacturer. The records show regular communication, agreed-upon specifications, and documented inspections of incoming components. However, there is no documented evidence of periodic on-site audits of the contract manufacturer's facilities. What is the MOST appropriate conclusion for the Lead Auditor to draw?