Free GAQM ISO-QMS-13485 Exam Questions

Question 1

During an ISO 13485:2016 audit, the Lead Auditor is reviewing the process for design transfer. The design transfer documentation includes detailed specifications, drawings, and manufacturing instructions. However, the documentation does not explicitly define the verification activities required to ensure the design is correctly translated into production. As a Lead Auditor, what should be your PRIMARY concern?

A : The lack of documented traceability between design inputs and design outputs.

B : The absence of a risk management plan specifically for the design transfer process.

C : The lack of defined verification activities to confirm successful design transfer to production.

D : The absence of evidence of review and approval of the design transfer documentation.

Answer: C

Question 2

A medical device company is undergoing an ISO 13485:2016 audit. The company utilizes a software program to manage supplier qualifications and track supplier performance. The software is commercially available and is not specifically designed for medical device manufacturing. The company claims that the software is 'intuitive' and easy to use, and that all personnel received verbal instructions on its use. The Lead Auditor discovers that there are no documented training records or competency assessments for personnel using the software. What is the MOST appropriate action for the Lead Auditor?

A : Accept the company's explanation, as the software is 'intuitive' and easy to use.

B : Issue a minor nonconformity requiring the company to document the verbal instructions.

C : Issue a major nonconformity requiring the company to implement a documented training program and competency assessments for personnel using the software.

D : Recommend the company switch to a software program specifically designed for medical device supplier management.

Answer: C

Question 3

A medical device company is undergoing an ISO 13485:2016 audit. The company has a documented procedure for design verification. As the Lead Auditor, you discover that the company has not formally validated the computer software used to perform finite element analysis (FEA) during design verification, where the FEA is part of the QMS and Clause 4.1.6 applies. The output of the FEA software is used as objective evidence that the design meets safety and performance requirements. The FEA software is commercial off-the-shelf software and not developed by the medical device manufacturer. The company states that they check the FEA software inputs and outputs against hand calculations as a form of verification. As the Lead Auditor, what is your MOST appropriate course of action?

A : Accept the company's approach because the software is commercially available and inputs and outputs are verified using hand calculations.

B : Consider the company's approach as verification and ask for the documented procedure for verification, objective evidence, and acceptance criteria for these hand calculations.

C : Document the lack of software validation as a finding and follow up during the next surveillance audit.

D : Issue a nonconformity because the FEA software used for design verification must be validated for its intended use.

Answer: D

Question 4

During an ISO 13485:2016 audit, the Lead Auditor discovers that a medical device company uses a cloud-based software to manage its training records. The software provider states the system is fully compliant with all relevant data privacy requirements such as GDPR and HIPAA. The manufacturer performs an annual review of the software provider’s SOC 2 Type II report to verify its compliance with relevant security standards. Considering the requirements of ISO 13485:2016 regarding the control of outsourced processes, what should be your MOST appropriate next action?

A : Accept the SOC 2 Type II report as sufficient evidence of compliance, and move on to another area of the audit.

B : Confirm the scope of the SOC 2 Type II report addresses the specific data privacy and security controls required by the company's QMS and applicable regulations, and verify the medical device manufacturer has performed a documented risk assessment to identify potential risks associated with data privacy.

C : Require the company to perform a full on-site audit of the software provider's facility to verify compliance with data privacy requirements.

D : Accept the software provider's statement of compliance without further verification, as cloud providers are inherently responsible for data privacy.

Answer: B

Question 5

During an ISO 13485:2016 audit, the Lead Auditor is reviewing the effectiveness of the company's Corrective and Preventive Action (CAPA) system. The auditor notes that the company's CAPA procedure includes a requirement for effectiveness checks to verify that implemented corrective actions have been effective in addressing the root cause of the problem and preventing recurrence. However, the Lead Auditor discovers that the effectiveness checks consistently focus on confirming the immediate resolution of the problem, with limited consideration of the long-term sustainability and robustness of the implemented corrective action, or its potential unintended consequences. What is the MOST appropriate next step for the Lead Auditor to take?

A : Accept the company's approach, as the immediate resolution demonstrates the corrective action was effective.

B : Review the rationale for the short-term effectiveness checks and evaluate whether it aligns with the nature of the identified problems and the implemented corrective actions.

C : Document a minor nonconformity, since some effectiveness checks are performed, and allow the company to fix the issue after the audit.

D : Issue a major nonconformity, as the procedure is well-documented and effectiveness checks are being performed, which indicates a systematic issue.

Answer: B