Tips, Tricks & Best Practices for Complying with ISO 13485:2016

May 8, 2018


When it comes to ISO 13485:2016, are you scrambling to meet requirements?

Are you trying to figure out the how, what, or when regarding its timeline? Or maybe you just don’t know what you need to do. You are not alone: a lot of companies are behind.

Don’t wait until it is too late. Now is the time to take action.

Today’s guest is Kyle Rose, president of Rook Quality Systems, which helps companies achieve 13485 certification by using Greenlight Guru’s Quality Management Software platform. Kyle shares some tips and tricks for dealing with 13485 because time is ticking!



Like this episode? Subscribe today on iTunes or Spotify.


Some highlights of this episode include:

  • The February 2019 deadline is approaching for most auditing organizations. If you have your audit scheduled before then, it has to be to the new standard.

  • If you don’t have your new ISO 13485:2016 certificate by February 2019, you risk losing your ISO certification and other items.

  • Create a gap analysis or internal audit plan to review your current QMS and highlight what is missing for the new standard.

  • Companies should perform quarterly management reviews. There is a growing expectation that executive management knows the effectiveness of their QMS.

  • An element regarding QMS software validation has found its way into the new standard. Refer to Section 4.1.6.

  • How do Dropbox, Google Drive, and others play into QMS software validation? Assess, evaluate, and keep a paper copy on hand.

  • If you are using software packages or working with a company, that becomes a supplier. Have written agreements that describe the supplier’s role in the QMS.

  • Even if you are working with a contract manufacturer that is certified, you still need a QMS and are still responsible for your product.




Memorable Quotes by Jon Speer and Kyle Rose:

“If you haven’t started the process, it’s already too late.” - Kyle Rose

“Your ISO auditor is going to want to see your gap analysis. That is going to be a key artifact as part of this transition process.” - Jon Speer

“Our goal is to make it as simple and efficient as possible. If you stick with the standard, you improve your company and your product.” - Kyle Rose


Announcer:       Welcome to the Global Medical Device Podcast, where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.

John Speer:       ISO 13485:2016. Folks it's upon us, and you're running out of time; now is the time to take action. So, enjoy this episode of the Global Medical Device Podcast, where I talk with Kyle Rose from Rook Quality Systems. Rook Quality Systems, they're doing this each and every day, helping companies achieve 13485 certification, and they're doing so using the eQMS software platform. So there is hope if you're in this journey trying to figure out how and what and when, and you're concerned about the timeline or maybe you don't know what it is that you need to do, I would encourage you to listen to this episode of the Global Medical Device Podcast.

                        Hello and welcome to the Global Medical Device Podcast. This is your host, founder and VP of quality and regulatory at, John Speer. Folks, it's time to wake up. 13485:2016, it's upon us and from what I'm reading, a lot of companies are behind. So let's try to fix that and with me today I have a good friend and partner of ours at, Kyle Rose with Rook Quality Systems to talk about 13485:2016 tips and tricks. Kyle, welcome.

Kyle Rose:         Thanks John. Thanks for having me and good talking with you again.

John Speer:       Yeah, absolutely. So you're in the trenches, man. You're dealing with this all the time. I mean as we were kind of chatting a little bit ago, you just shared a story that I think is kind of interesting on this topic. Something about flying an auditor around the country or something like that. So, maybe, we can just kind of talk a little bit about that story because I think it really is important for people to understand, time is ticking.

Kyle Rose:         Yes, and I know you guys just did a post on this recently as well about if you haven't started the process it's already too late and we've got two clients, both that have their audit scheduled, but part of the new requirement is you have to make sure you've done your internal audit to the new standard before they come and audit you. So, we've got two clients that are scrambling, we're flying some monitors to Texas. They went to California this week and next week to try to get those internal audits completed for those companies to the new standard so they can submit that, and this typically is part of the stage one reviews, or like the external review before the auditing even comes. They want to see these internal audit records and management review records as well as all the documents.

                        So, companies giving us some short notice and we're trying to do the best we can to help them out, but definitely trying to plan these things is helpful for everybody. To make sure you have a good plan for your transition, your internal audit and everything that goes into it.

John Speer:       Sure and so it's probably good to kind of [inaudible 00:02:57] and to make sure, you know, we're getting everybody to understand this sort of scenario, you know, and it will probably come back to a couple of your stories, your experiences on dealing with this, but why is now so important from a 13485 perspective? I mean, what's the big deal? Maybe you can give some perspective of why this is such a big deal and why now it's important.


Kyle Rose:         Yes. So most of us know the standard was from 2003. It got updated in 2016. So, typically, with a new standard that gives you a few years to transition. It's been over two years now, so they cut off, I think, February for most auditing organizations. February, 2019. So, that means if you have your audit scheduled between now and February, it has to be to the new standard. If you don't have your new ISO 13485:2016 certificate by February 2019, you can lose your ISO certification and it can also affect your CE mark, your Health Canada. There's also the MDSAP schedule that plays into this a little bit as well as Health Canada, really pushing the companies move to the medical device single audit program and that requires compliance with the updated 13485:2016 version as well.

John Speer:       Yes. And that, that MDSAP or however you choose to say it, the single audit program, the Canadian requirements, uh, that's even more stringent. You said February for the 2016, but, but if you have a market in Canada and you want to stay in Canada, that's like January, right?

Kyle Rose:         Yes. So, January is like ... You have to have a certificate by January. This actually just got moved back a little bit and since we're talking to some of the auditing organizations this week about how they're interpreting that, but Health Canada sent out a letter about a week and a half ago that if you have your audit scheduled in 2019 for MDSAP, then you can still sell. So there's a little bit of pushback. It was hard. You had to have your certificate January 1st, 2019, but there's a little bit of change in that. If you have questions, it's on Health Canada website or you can ... Companies can reach out to us as well. We're still trying to learn more about it, as well.

John Speer:       Yeah. And, and for people to reach out to you, what is the best way to do that? You know, maybe your website, you have a contact page?

Kyle Rose:         On our website '', you can reach us through that. Or my email is We can answer all your questions that way.

John Speer:       Yeah. Folks, Kyle and the quality team, this is what they do. You know, they help companies get their quality system dialed in. As I mentioned, they've been partners with almost since the beginning. And so, Kyle can help you get not only your quality system up to speed with 2016, but in the process also move you off of paper and get you into a modern electronic quality system that's designed for and built by medical device professionals for the medical device industry. So all of the caveats, the rules, the regulations, the requirements for 13485, as well as FDA, they're built into the workflows in the QMS quality system, so you can check out real quality system, but you can also reach out to us at to learn more about our software platform, and we're going to help you.

                        Now, time is ticking and if you don't take action, you're going to run out of time and you rest assured, this is why Kyle and I are talking today because there are some things that you can do. There are some tips and pointers. There are resources that you can leverage, whether it be Rook, whether it be or the combination. We can help you ensure that you meet that timeline. Now, one other thing that you just mentioned, Kyle, Health Canada, they're not backing away from that. So, folks, I don't want you to hear that, "Oh, I got plenty of time". You still need to take action and you still need to be proactive. You still need to be aggressively pursuing that MDSAP process. You still need to get into queue. This is not a blank ... [crosstalk 00:06:31]

Kyle Rose:         Yes. If you have Health Canada now, you'd have to comply with 2016 and 2018 anyway. So, that still has to be done.

John Speer:       Yes. So, you mentioned that the Rook team is sending auditors all over the country to help companies with internal auditing. So, let's get into some of the tips and tricks. Let's maybe talk about some of the things that companies should be doing now to make sure that they can do what they need to do to meet this aggressive timeline.

Kyle Rose:         Yes. I mean, really the first thing, and it goes along with a, internal audit is creating a kind of gap analysis or internal audit plan to review your current QMS and then highlight what's missing in compliance with the new standard. We have checklists for that. You guys have great, nice checklists for this. We can help you guys through this process if you reach out to Rook, but that's really the first step. Once you have that going, then you'll have a better idea of what's missing. Um, there's also, you know, a few things within the standard that we've noticed. We've been through about five audits onsite where they were transitioning as well as ... We've done a ton of internal audit, so there's a few things that we've noticed from our onsite audit with the actual auditor that we wanted to pass along to everybody else who's getting ready to make sure they had these kind of highlighted. There's somewhat [inaudible 00:07:48] a little bit in the standard that's easy to overlook. So we wanted to make sure that everybody was focusing on these as well.

John Speer:       Alright, that's good. And the gap analysis, folks, is a key thing. From everything that I've heard, and Kyle, you've been through this several times now. The things that I've heard is your ISO auditor is going to want to see your gap analysis. That's going to be a key artifact as part of this transition process. Right?

Kyle Rose:         Exactly. They're going to see that you've done the sufficient planning to make this transition and it's not something that was just, you know, thrown together at the last minute. And that includes the management review as well. So, one of the new updates to the standard is the new inputs and outputs for your management review. So, in your hopefully 2017, if not early 2018 management review, you would have done that to the new inputs to do updates as well as discussed your gap analysis and transition plan to the updated standard.

John Speer:       So talk about ... Like, management review, would you recommend that a company does a management review ... When should they do that? Should they do that once they've completed the gap analysis to identify the issues? Or, is that something they should do after they've implemented the different changes are impacting the quality system? Should they do both? What are your thoughts?

Kyle Rose:         Yes. So, we typically take the approach ... I know with Rook, we work with a lot of the smaller startup, medium sized companies that are typically easier to complete management review. But, we tell everybody we work with that we prefer quarterly rather than annually. And that's to get everybody involved and make sure all the management is committed to the [inaudible 00:09:14] system, and then in that situation you'd be able to do one before, so you can plan the gap, plan the timeline and then do another one to review the results and see if there are any CAPAs or NCRs related to these gaps. So, I would say, you know, one before, one after. It's easy typically to increase the amount of management reviews. I think it looks good in audits as well; you're showing a clear commitment from the whole company, the whole management structure, and the quality system.

John Speer:       Yeah. And I think that that concept in general is ... It's not the main reason why 13485 is being updated, but a big part or a big message that I get when I read the changes to the 2016 standard is the growing expectation that executive management has their finger on the pulse of their business and the effectiveness of their quality management system. And, in my 20 year history, I've seen so many companies that do management review more because they have to, they're checking a box, you know. They're not getting a lot of value out of it and I think this is really the message that we should take as an industry. This quality system is not just a compliance thing, you know, this is the way to increase and improve your efficiency, and improve your best practices and to really run your business.

Kyle Rose:         Exactly. I definitely agree. And I would say that about other industries. I was like, I don't know how they exist without ... [crosstalk 00:10:34] it's kind of scary. But yes, I think being really involved in the Med Device and how it's changed and I definitely agree it's very important. It improves the quality of your product and the quality of your company. So, it should not be a burden or something that you don't like to do. I think it should be something that you're encouraged to do and you want the whole team to do. And that's [inaudible 00:10:54] why we team with is, our goal is to make it as simple and efficient as possible and that's a lot of stuff that we see with the product as well. So, if it's easy to do, then people are more likely to do it and you know, you stick with the standard and you improve your company and your product.

John Speer:       Yeah, that's great to hear. And that's a big part of our mission at; to improve the quality of life, not just the patients who are going to receive your medical devices and your technologies, but also you as a medical device professional. We've built the workflows with a purpose to meet certain needs. Management review can be one of those things that you dread, because, if you're dealing with a paper based approach or you've got spreadsheets to run your business, trying to collect data and information for that management review can be very time consuming. And this is why you should check out the Greenlight Guru postmarket workflows. We've built in the workflows to help you better manage CAPAs and complaints and nonconformances, but we also have an analytics dashboard so you can track and trend what's happening in all these processes.

                        So, theoretically you could do a review every day. You can log into your system, you can see what's happening with those various key processes that make up your quality system. And it makes doing quarterly management reviews so much simpler. It's going to give you time back in your day, for sure. So, on that quality system, eQMS topic, there is an element that, that has found its way into the standard about a QMS software validation. Can you speak a little bit to that?


Kyle Rose:         Yes. So that's updated in section 4.1.6. Document procedures for the validation and use of electronic quality systems or software applications used in the quality system. So, this could be not just things like, but other softwares and databases, customer management, distribution softwares, stuff like that. Any of these companies might be using to either handle complaints or training. Those need to be validated. What we've done with our approach, and it's worked well with audits we've had, is to first write a procedure that outlines specifically this part of the standard, so, it's not your software development procedure if you're one of the device companies that are actually developing software. This is a validation of software used in a quality system procedure. So, add that to your quality system and then do another ... Gap analysis is a keyword, but do another one on your software systems and determine what needs to be validated, what's the highest risk to the quality system, and then take that risk-based approach of getting the highest ones completed as soon as you can before your audit.

                        So, in our experience, people will review the procedure and then review records of your EQMS or software using the quality system validations.

John Speer:       Yes. So, at this part 11, sometimes people will ask about that. This is analogous QMS software validation. Those are certainly things that you want to plan and define your requirements. And test, and prove, and demonstrate. Now, I talk to companies all the time that ... Smaller, startup companies ... Even larger companies, frankly. They may be using something like Dropbox, or Google Drive, or Box. How does that play into QMS software validation?

Kyle Rose:         Yes, that's been a question for a long time, and I think I always recommend keep a paper copy, and it's really hard to validate Dropbox or Box with the changes and stuff they roll out ... You know, it's a much broader scope than just Med Device companies. So, for softwares like the DocuSign and things like that, if you're using that, you need to have some sort of validation into what you're doing, and it can be done. I would typically recommend using a more streamlined solution for Med Devices, but it can be done but it needs to be documented and it needs to be worked through on what you use it for, how you use it and get as much information as you can about that software.

John Speer:       Yes. I think, folks, that's really tricky. Kyle's mentioning, or sharing, some of his experiences, so, you have to be deliberate and intentional about your quality system and the software tools that you're using and things like that. So, if you're using something like a Dropbox or a DocuSign or you've got a server where people access certain documents and records, those are examples of software that you're using for your quality system in some way, shape, or form. Uh, you cannot ignore the validation component. You need to do something about that. So, if this describes your company and how your team is accessing procedures ... Yes, you may have a paper copy and that may be the “master copy”, but you're still using these electronic systems, these software packages to access the information.

                        So, you need to devise a plan. You need to assess and evaluate what you need to do and it can be tricky, but you need to stay on top of it because you can expect auditors to look at those types of things and they'll want to see your evidence. Now, they may not have looked at it before and they may not look at it the next time, but it is a growing area of concern because more and more companies are relying on different software tools to help them better manage their business and the documents and the records. And it kind of leads me to the other area ... I know it was an increased in some scrutiny, is supplier-related topics in and how does that all play in? Because, if you're using different software packages ... I mean, technically, Dropbox kind of becomes a supplier to you as a company, right? How does that all play in?

Kyle Rose:         Yes. So, these new clauses in both the supplier side, and there's an additional one related to outsourcing of quality stuff ... So, this could be like, contractors like or Rook, and having ... The big thing is to have written agreements with all of these suppliers or contractors that outline their role within the quality system. A lot of times, what we see with a lot of smaller companies is they're using big companies to source some of their products. It could be on Amazon, or Amazon Web Services, or other things, and it's not your Dropbox and it's not likely that they're going to get a signed agreement from these big companies.

                        So, the best plan is to do as much as you can to document what you're using. If you have any contractors or suppliers that [inaudible 00:16:47] and distributors, you should definitely do everything to get your completed agreement with them and have that signed. That will be reviewed in your audit. It might not have been reviewed before. Sometimes it's reviewed by the FDA but not ISO, but those will be reviewed going forward. [crosstalk 00:17:01] With the big companies, we complete surveys and kind of go on that step and show it's a low risk component, but getting agreements is definitely critical for high level and contractors.

John Speer:       Yes. And I think this is one of those areas that we're seeing with 13485:2016. It's much more in sync with FDA 20 [inaudible 00:17:21]. And there's a couple other areas I want to talk to you about today, but the supplier area is one of those areas that for a long time has been a focus during FDA inspections. So, having your approved supplier list and identifying key or critical suppliers or however you define those in making sure that you have agreements in place with those key or critical suppliers, is important and that you have done your proper due diligence, your evaluation, your qualification monitoring. You can't just sign up a supplier one time and say that you're done with it. You need to continually monitor your suppliers, too, and make sure that they're continuing to meet your requirements and the terms that you've specified in those agreements.

Kyle Rose:         And just to be clear, those agreements should not just be about pricing figures, and sales, and stuff like that. You need to cover quality, as well. That's really the focus of what the ISO standard is looking for. Of course, your sales numbers, and price per unit, all that will be in there as well. But all of the quality related things need to be in that agreement as well.

John Speer:       Yeah. So, here's a scenario, and it's supplier-related, that I hear about sometimes where a company is maybe smaller in nature and they own the design or the IP of the product, but they're outsourcing a lot of the functions to different groups. Like, they outsource to a contract manufacturer. And the scenario that I hear sometimes is, “Oh, well, I don't need to worry about a quality system because I'm using a contract manufacturer that's 13485 certified”. How do you react and respond to that situation?

Kyle Rose:         Yes. We cover this a lot. This is always part of our initial training with all the teams we work with. You know, you're the company that is registered with the FDA, are registered with CE or Health Canada, so, it is on you to make sure that your device is safe and effective, not the contract manufacturer's. So, you are the one that has all the risk, and need to have the complete quality system, even if your entire company is virtual, you still are responsible for your product. So that's pretty straightforward from my perspective, but we do get that same question quite a lot. That's the answer. There's no getting around it. You're the one responsible. It's your company, it's your product.

John Speer:       Yes. So, folks, bottom line, if your name goes on that product, at the end of the day, you must have a quality system, and it is your responsibility to ensure that that product is safe and effective and meets the indications for use for the various clearances that you have throughout the world. So, you need to have a quality system in place. Now, it's okay that you use contract manufacturers, and it's great that your contract manufacturer is 13485 certified, but at the end of the day you'll need to have processes and procedures that describe your business processes, and supplier agreements will be important in this case as well, because you'll need to define what that contract manufacturer is doing for you and how they're meeting your quality criteria, and then also what it is that you're doing to ensure that the things that they're manufacturing for you continue to meet your quality requirements and specifications.

Kyle Rose:         On that same topic, we're also seeing a trend towards auditors wanting more information stored at the actual facility. Not saying, you know, the contract manufacturer has all these validation, [inaudible 00:20:23] records. A lot of it's at MDSAP, but some to ISO, as well as wanting more of that information onsite with the regulatory holder of that device.

John Speer:       So, you mean like, contract manufacturer ... I mean historically, a company may say, “Oh, I'm using a contract manufacturer”, so an ISO auditor comes and says, “Where's your DMR, your device, your device master record?”. A common response used to be, “Oh, well, that's kept and managed by my contract manufacturer”. So, if I'm reading between the lines, what you're observing is that's not going to pass muster these days.

Kyle Rose:         Yes, that's definitely moving away from that. And I think stuff like that should make that process easier. [inaudible 00:21:05] share information with your contractors, contract manufacturers, or any of your other parts that are outsourced for your device. But yes, it's definitely moving towards bringing as much of that information in as you can, in-house.

John Speer:       All right, so, it kind of leads me to this new term that we find in 13485 that hasn't been there before, and I want to get your take on this term 'medical device file'. What does that mean?

Kyle Rose:         Yes. So, this is kind of a merger between your typical technical file and your device master record. The approach really is to ... Like you would do with a technical file, is to have a specific procedure for creating your medical device file that includes everything from the standard. We also are putting a checklist in, that will reference, “This is the device, the device file, this number or name”, and this is where each section that's required is found. It's found in this document or this work instruction or this labeling specification. And that's how we're approaching it. I think the approach by ISO was ... For the companies that don't have the technical file specifications to kind of merge that into the ISO, but typically companies already have all this information, it's just making sure it's organized and documented in the right place for that medical device file requirement.

John Speer:       Right. So, there are lots of other nuances. There's a few subtleties and things that you'll find when you start to review 13485:2016, some of the changes that have been added. I'd like to point people to ... There is a really helpful annex toward the end of the standard that compares the 2003 version versus the 2016 version. And that's a really good guide. I also mentioned and Rook have checklists as well that you can compare all the different clauses, the 2016 version versus the 2003 version, also versus what's described in FDA Part 20. So, you know, this is going to be helpful for you doing that gap analysis. Now, considering ... We're kind of getting toward the end of our time today, and we've talked a little bit about some of the time constraints, you know, February, 2019.

                        Folks, it's right around the corner. It's not that far away. I know like, "Oh I got 10 months or so, give or take". But, if you start to put together a Gantt chart or a timeline of all the things that you need to do ... A gap analysis being important. Once you identify gaps, or the issues, or items that need to be updated from a gap analysis, now you've got work to do. You've got to go update procedures. How many procedures do you have to update? You know, there's a good chance you're going to be updating three fourths of your procedures. Some of them may be pretty benign as far as the changes, but others may be more significant.

Kyle Rose:         Yes. Reading through the annex, the design control, I mean there's a ton of new additions from the standard and that's pretty much a rewrite to make sure you have everything in there. And a few other ones ... Making sure that risk is incorporated in the majority of your procedures, as well, some of the things ... At this point, it's a full review, and all of these will be reviewed before the auditor comes on site. So if you don't have a section of the updated standard that's a major right off the bat, before auditors even show up at your door.

John Speer:       So, folks, we, Kyle, and Rook Quality, and, we want you to take this seriously because Kyle mentioned this towards the beginning of our podcast today. If you do not meet the timeline, your certification could go away, and that's impactful and meaningful because the patients who can benefit from your products and certain markets, Canada, Europe, and maybe other parts of the world, if you're no longer certified that may mean you can no longer sell and distribute products in those key markets. So, it's very important, and that's why we're spending time on this particular topic today. Kyle, before we wrap things up, what is one or two final tips that you would recommend to companies who are in this journey to pursue 13485:2016?

Kyle Rose:         Yeah. There's lots of specific ...  standard. One I've seen overlooked quite a bit is the [inaudible 00:25:06] general requirements is, they're wanting companies to define their role in each regulatory market. So, most companies have this information somewhere, but it's not typically very well organized, so, we're looking like a spreadsheet or a document that says, "In this country we do this and sell these devices", doing that for every country that you sell. A lot of companies have wide, international markets, so, definitely making sure you're documenting that. And then just back to the same point we've talked about, we know all these companies ... If you're a quality manager, you're busy fighting fires all over the place. But this is definitely the time to ... if you haven't already, you're behind to get moving on this transition. So, definitely making plans for that.

John Speer:       But, folks, don't worry. That's what we're here for. This is what Rook Quality Systems does all day, every day. And this is what does all day, every day. If you're on this journey and you have any questions, comments, concerns, there is a path to do what you need to do to meet these timelines. There is a path to move from paper to an electronic quality system, and still meet these aggressive timelines. We can do it. We've done it, Rook Quality Systems has done it, so be sure you reach out to us if you have questions, comments, concerns. This is what we're here for. This is what we do this for a living, this is our chosen profession, it's to improve the quality of life and help companies navigate all of these changes in quality and regulatory, and all that seems to be a moving target.

                        We've got a lot of things happening in the medical device industry right now. We just touched on one of them was 13485:2016. But there are other things that are happening. The new medical device regulations and IVD regulations in Europe. Kyle touched on some of the MDSAP, the single audit program in Canada, so, leverage experts, leverage people like Kyle Rose and quality systems and people like to help you through this process.

                        Kyle, I want to thank you again for being my guest on the podcast, and I look forward to including you in some future podcasts. I'm sure there's lots of things that we can dive into. But again, thank you so much for being part of today's recording.

Kyle Rose:         Definitely, John. Thanks for having me. It's always fun. Good luck to everyone out there. Don't hesitate to reach out to us if you need help.

John Speer:       All right. And folks, again, if you want to know more about award-winning medical device industry specific EQMS platform, I would encourage you to go to to learn more information. See how companies like yours are implementing the platform and getting ISO 13485 certified in a much simpler, much easier, much more organized fashion. Leverage to be your single source of truth. Thank you for listening to the Global Medical Device Podcast. This is your host. The founder and VP of Quality and Regulatory at, John Speer.



The Global Medical Device Podcast powered by Greenlight Guru is where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.


Nick Tippmann is an experienced marketing professional lauded by colleagues, peers, and medical device professionals alike for his strategic contributions to Greenlight Guru from the time of the company’s inception. Previous to Greenlight Guru, he co-founded and led a media and event production company that was later...
