Free GAQM ISO-QMS-13485 Exam Questions

Question 1

A medical device company is undergoing an ISO 13485:2016 audit. The Lead Auditor discovers that the company's process for handling customer complaints includes detailed procedures for documentation, investigation, and corrective actions. However, the Lead Auditor also discovers that the company does not have a documented procedure for protecting patient confidentiality and complying with data privacy regulations (e.g., GDPR, HIPAA) when handling customer complaints that contain patient information. What is the MOST appropriate action for the Lead Auditor to take?

A : Acknowledge the detailed complaint handling procedure and continue the audit without further investigation on this aspect.

B : Issue a minor nonconformity, as the company has a well-defined complaint handling process.

C : Issue a major nonconformity because the lack of a data privacy procedure could result in regulatory violations and harm to patients.

D : Recommend implementing a data privacy procedure as a 'best practice' without issuing a nonconformity.

Answer: C

Question 2

During an ISO 13485:2016 audit, the Lead Auditor is reviewing the process for design transfer. The design transfer documentation includes detailed specifications, drawings, and manufacturing instructions. However, the documentation does not explicitly define the verification activities required to ensure the design is correctly translated into production. As a Lead Auditor, what should be your PRIMARY concern?

A : The lack of documented traceability between design inputs and design outputs.

B : The absence of a risk management plan specifically for the design transfer process.

C : The lack of defined verification activities to confirm successful design transfer to production.

D : The absence of evidence of review and approval of the design transfer documentation.

Answer: C

Question 3

A medical device company is undergoing an ISO 13485:2016 audit. The company uses a cloud-based software to manage its training records. The software provider states the system is fully compliant with all relevant data privacy requirements such as GDPR and HIPAA. The manufacturer performs an annual review of the software provider’s SOC 2 Type II report to verify its compliance with relevant security standards, however, the medical device company has not performed any risk assessment to identify potential risks associated with data privacy.

A : Accept the company-s reliance on the software provider-s statement and the SOC 2 report as sufficient evidence of compliance.

B : Require the company to perform a data protection impact assessment (DPIA) or risk assessment to identify and mitigate potential data privacy risks.

C : Recommend that the company obtain a written guarantee from the software provider ensuring compliance with all applicable data privacy regulations.

D : Issue a nonconformity for the lack of a documented data privacy procedure, regardless of the risk assessment.

Answer: B

Question 4

A medical device company is undergoing an ISO 13485:2016 audit. The Lead Auditor discovers that the company's process for handling customer complaints includes detailed procedures for documentation, investigation, and corrective actions. However, the Lead Auditor also discovers that the company does not have a documented procedure for protecting patient confidentiality and complying with data privacy regulations (e.g., GDPR, HIPAA) when handling customer complaints that contain patient information. What is the MOST appropriate action for the Lead Auditor to take?

A : Acknowledge the detailed complaint handling procedure and continue the audit without further investigation on this aspect.

B : Issue a minor nonconformity, as the company has a well-defined complaint handling process.

C : Issue a major nonconformity because the lack of a data privacy procedure could result in regulatory violations and harm to patients.

D : Recommend implementing a data privacy procedure as a 'best practice' without issuing a nonconformity.

Answer: C

Question 5

During an ISO 13485:2016 audit, the Lead Auditor is reviewing the Supplier Quality Agreement between the medical device company and a contract manufacturer of a critical component. The Supplier Quality Agreement details the product specifications, quality requirements, and acceptance criteria. The Lead Auditor confirms there is evidence of recent performance data trending showing sustained compliance. However, the Lead Auditor discovers that the Supplier Quality Agreement does not define how the contract manufacturer must manage changes to its own suppliers, including sub-tier supplier changes. As a Lead Auditor, what is the MOST appropriate determination regarding the company's approach?

A : The company's approach is acceptable because the contract manufacturer is responsible for managing their own suppliers.

B : The company's approach is acceptable, provided the contract manufacturer is ISO 13485 certified.

C : The company's approach is noncompliant. The medical device company should have approval authority over the contract manufacturer's changes to sub-tier suppliers.

D : The company's approach is acceptable because of the evidence of recent performance data trending showing sustained compliance.

Answer: C