Free GAQM ISO-QMS-13485 Exam Questions

Question 1

A medical device company is undergoing an ISO 13485:2016 audit. The company uses a cloud-based software to manage its training records. The software provider states the system is fully compliant with all relevant data privacy requirements such as GDPR and HIPAA. The manufacturer performs an annual review of the software provider’s SOC 2 Type II report to verify its compliance with relevant security standards, however, the medical device company has not performed any risk assessment to identify potential risks associated with data privacy.

A : Accept the company-s reliance on the software provider-s statement and the SOC 2 report as sufficient evidence of compliance.

B : Require the company to perform a data protection impact assessment (DPIA) or risk assessment to identify and mitigate potential data privacy risks.

C : Recommend that the company obtain a written guarantee from the software provider ensuring compliance with all applicable data privacy regulations.

D : Issue a nonconformity for the lack of a documented data privacy procedure, regardless of the risk assessment.

Answer: B

Question 2

A medical device company is undergoing an ISO 13485:2016 audit. The company utilizes a cloud-based Enterprise Resource Planning (ERP) system for managing its inventory, purchasing, and production planning. The company claims that since the cloud provider is ISO 27001 certified, they do not need to perform their own validation of the software's suitability for managing their QMS data. As a Lead Auditor, what aspect of validation and security is MOST important to investigate?

A : Confirm that the cloud provider's ISO 27001 certification covers the specific services used by the medical device company.

B : Verify that the medical device company has a documented procedure for data backup and disaster recovery in case of a cloud outage.

C : Assess whether the medical device company has performed its own risk assessment to identify potential risks related to data integrity, data privacy and data availability when using the ERP.

D : Review the contract between the medical device company and the cloud provider to ensure it clearly defines responsibilities for data security and data privacy.

Answer: C

Question 3

A medical device company is undergoing an ISO 13485:2016 audit. The Lead Auditor discovers that the company's process for handling customer complaints includes detailed procedures for documentation, investigation, and corrective actions. However, the Lead Auditor also discovers that the company does not have a documented procedure for protecting patient confidentiality and complying with data privacy regulations (e.g., GDPR, HIPAA) when handling customer complaints that contain patient information. What is the MOST appropriate action for the Lead Auditor to take?

A : Acknowledge the detailed complaint handling procedure and continue the audit without further investigation on this aspect.

B : Issue a minor nonconformity, as the company has a well-defined complaint handling process.

C : Issue a major nonconformity because the lack of a data privacy procedure could result in regulatory violations and harm to patients.

D : Recommend implementing a data privacy procedure as a 'best practice' without issuing a nonconformity.

Answer: C

Question 4

During an ISO 13485:2016 audit, a Lead Auditor is evaluating the post-market surveillance system of a medical device company. The company primarily relies on customer complaints to identify potential issues. The Lead Auditor finds that while the company diligently collects and investigates customer complaints, the threshold for initiating a formal investigation and potential corrective action is based on a subjective assessment of the 'severity' of the complaint. There is no documented definition of 'severity' or objective criteria used to determine whether a complaint warrants a deeper investigation. What is the MOST appropriate course of action for the Lead Auditor?

A : Accept the company-s approach, as they are actively collecting and addressing customer complaints, which demonstrates a commitment to post-market surveillance.

B : Issue a minor nonconformity, suggesting the company document their severity assessment process without requiring specific objective criteria.

C : Issue a major nonconformity, as the lack of objective criteria for severity assessment could lead to inconsistent handling of complaints and potential failure to identify significant issues.

D : Recommend the company benchmark their process against other medical device companies to determine industry best practices for severity assessment.

Answer: C

Question 5

During an ISO 13485:2016 audit, the Lead Auditor is reviewing the effectiveness of the company's Corrective and Preventive Action (CAPA) system. The auditor notes that the company's CAPA procedure includes a requirement for effectiveness checks to verify that implemented corrective actions have been effective in addressing the root cause of the problem and preventing recurrence. However, the Lead Auditor discovers that the effectiveness checks consistently focus on confirming the immediate resolution of the problem, with limited consideration of the long-term sustainability and robustness of the implemented corrective action, or its potential unintended consequences. What is the MOST appropriate next step for the Lead Auditor to take?

A : Accept the company-s approach, as the immediate resolution demonstrates the corrective action was effective.

B : Review the rationale for the short-term effectiveness checks and evaluate whether it aligns with the nature of the identified problems and the implemented corrective actions.

C : Document a minor nonconformity, since some effectiveness checks are performed, and allow the company to fix the issue after the audit.

D : Issue a major nonconformity, as the procedure is well-documented and effectiveness checks are being performed, which indicates a systematic issue.

Answer: B