Question 1

During an ISO 13485:2016 audit, a Lead Auditor is evaluating the post-market surveillance system of a medical device company. The company primarily relies on customer complaints to identify potential issues. The Lead Auditor finds that while the company diligently collects and investigates customer complaints, the threshold for initiating a formal investigation and potential corrective action is based on a subjective assessment of the 'severity' of the complaint. There is no documented definition of 'severity' or objective criteria used to determine whether a complaint warrants a deeper investigation. What is the MOST appropriate course of action for the Lead Auditor?

Options :

A : Accept the company-s approach, as they are actively collecting and addressing customer complaints, which demonstrates a commitment to post-market surveillance.

B : Issue a minor nonconformity, suggesting the company document their severity assessment process without requiring specific objective criteria.

C : Issue a major nonconformity, as the lack of objective criteria for severity assessment could lead to inconsistent handling of complaints and potential failure to identify significant issues.

D : Recommend the company benchmark their process against other medical device companies to determine industry best practices for severity assessment.

Answer: C

Question 2

A medical device company is undergoing an ISO 13485:2016 audit. The company utilizes a cloud-based Enterprise Resource Planning (ERP) system for managing its inventory, purchasing, and production planning. The company claims that since the cloud provider is ISO 27001 certified, they do not need to perform their own validation of the software's suitability for managing their QMS data. As a Lead Auditor, what aspect of validation and security is MOST important to investigate?

Options :

A : Confirm that the cloud provider-s ISO 27001 certification covers the specific services used by the medical device company.

B : Verify that the medical device company has a documented procedure for data backup and disaster recovery in case of a cloud outage.

C : Assess whether the medical device company has performed its own risk assessment to identify potential risks related to data integrity, data privacy and data availability when using the ERP.

D : Review the contract between the medical device company and the cloud provider to ensure it clearly defines responsibilities for data security and data privacy.

Answer: C

Question 3

A medical device company uses a commercial off-the-shelf (COTS) software program for managing its training records. The software is not directly used in the manufacturing process but is integral to personnel training and demonstrating compliance with ISO 13485:2016. The Lead Auditor reviews the company's training procedure and notes the procedure indicates the company must perform testing of software used within the QMS, and validation is not required. Which of the following would be the MOST appropriate determination for the Lead Auditor?

Options :

A : Accept the process, as long as the procedure indicates the software is not used in production, testing is sufficient.

B : Accept the procedure, so long as the organization keeps accurate training records, the process is valid.

C : Issue a minor nonconformity, because the software validation procedure has not been followed.

D : Issue a finding, because the company-s documentation lacks justification for using a testing and not a validation approach for training software.

Answer: D

Question 4

A medical device company is undergoing an ISO 13485:2016 audit. The Lead Auditor observes that the company uses a software program to manage customer complaints and track corrective actions. The software program allows users to easily generate reports and analyze trends in customer feedback. The manufacturer has performed initial validation and has documented a process for regular preventative maintenance of the software. What additional action must be verified by the Lead Auditor to ensure compliance?

Options :

A : The Lead Auditor should verify the integrity of the software is maintained and secured against unauthorized changes.

B : The Lead Auditor should verify that the software generates aesthetically pleasing and easily understandable reports.

C : The Lead Auditor should verify the software developers hold an ISO 13485:2016 Lead Auditor certification.

D : The Lead Auditor should verify the software is also used for other business functions such as marketing.

Answer: A

Question 5

A medical device manufacturer is using a cloud-based software platform for managing its quality management system (QMS) documentation, including procedures, work instructions, and records. The manufacturer claims that since the cloud provider is ISO 27001 certified, they do not need to perform their own validation of the software's suitability for managing their QMS data. As a Lead Auditor, how should you respond?

Options :

A : Accept the manufacturer-s reasoning, as ISO 27001 certification of the cloud provider sufficiently addresses data security and integrity concerns.

B : Inform the manufacturer that ISO 27001 certification is irrelevant to the validation requirements of ISO 13485:2016, and full validation is always necessary.

C : Acknowledge the ISO 27001 certification but require the manufacturer to demonstrate through documented evidence that the software platform is suitable for managing QMS data and meets applicable regulatory requirements, focusing on data integrity, security, and accessibility.

D : Suggest that the manufacturer only needs to validate the interfaces between the cloud-based system and any local systems, as the cloud provider is responsible for validating the core functionality.

Answer: C